External sharing in OneDrive for Business allows users to share files and folders with people outside the organization. However, an overly permissive configuration can expose files to unintended recipients. Using PnP PowerShell, admins can:
✔ Enable or disable external sharing
✔ Set sharing policies (Anyone, New and Existing Guests, etc.)
✔ Restrict domain-based sharing
✔ Audit external sharing settings
This step-by-step guide will help you configure and manage OneDrive external sharing using PnP PowerShell.
Step 1: Install and Update PnP PowerShell
Ensure you have PnP PowerShell installed. Open PowerShell as Administrator and run:
Install-Module -Name PnP.PowerShell -Force -AllowClobber
To update:
Update-Module -Name PnP.PowerShell
Verify installation:
Get-Module -Name PnP.PowerShell -ListAvailable
Step 2: Connect to SharePoint Online (OneDrive Admin Center)
Since OneDrive for Business is part of SharePoint Online, connect to the SharePoint Admin Center:
$adminUrl = "https://yourtenant-admin.sharepoint.com"
Connect-PnPOnline -Url $adminUrl -Scopes "Sites.FullControl.All" -Interactive
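For app-based authentication (needed when a script runs unattended), use the following, loading the client secret from a secure store rather than hard-coding it in the script file: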
$clientId = "your-client-id"
$tenantId = "your-tenant-id"
$clientSecret = "your-client-secret"
Connect-PnPOnline -Url $adminUrl -ClientId $clientId -ClientSecret $clientSecret -Tenant $tenantId
Step 3: Retrieve Current External Sharing Settings
To check the current external sharing settings for OneDrive:
Get-PnPTenant | Select-Object -Property OneDriveForGuestsEnabled,SharingCapability,ShowEveryoneClaim
✔ OneDriveForGuestsEnabled → Is external sharing enabled?
✔ SharingCapability → Current sharing level (Disabled, Authenticated, Anonymous, Existing Guests)
✔ ShowEveryoneClaim → Is “Everyone” access enabled?
Step 4: Configure External Sharing in OneDrive
1. Enable External Sharing for OneDrive
To enable external sharing:
Set-PnPTenant -OneDriveForGuestsEnabled $true -SharingCapability ExternalUserAndGuestSharing
Write-Host "External sharing enabled for OneDrive."
SharingCapability options:
- Disabled → No external sharing
- ExistingExternalUserSharingOnly → Only existing guests can access
- ExternalUserSharingOnly → New and existing guests, who must sign in
- ExternalUserAndGuestSharing → Anyone with a link, in addition to new and existing guests
2. Disable External Sharing for OneDrive
Set-PnPTenant -OneDriveForGuestsEnabled $false -SharingCapability Disabled
Write-Host "External sharing disabled for OneDrive."
Step 5: Configure Sharing Link Settings
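To set the default link type for shared files (this is only the preselected option; users can still choose another permitted link type when sharing):
Set-PnPTenant -DefaultSharingLinkType Internal
Write-Host "Default sharing link type set to Internal (people in your organization)."
✔ Direct → Specific people only
✔ Internal → People in your organization only
✔ AnonymousAccess → Anyone with the link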
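To set the permission that anonymous access links (Anyone links) grant on files:
Set-PnPTenant -FileAnonymousLinkType Edit
Write-Host "Anonymous links on files set to Edit permissions."
To disable anonymous links, lower the sharing level so that every guest must sign in. FileAnonymousLinkType accepts only None, View and Edit, so it sets the permission of Anyone links rather than switching them off. Note that this level still allows sharing with authenticated guests:
Set-PnPTenant -SharingCapability ExternalUserSharingOnly
Write-Host "Anonymous link sharing disabled."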
Step 6: Restrict Sharing to Specific Domains
To allow sharing only with specific domains:
Set-PnPTenant -SharingAllowedDomainList "trustedpartner.com example.com" -SharingDomainRestrictionMode AllowList
Write-Host "External sharing restricted to trustedpartner.com and example.com."
To block certain domains:
Set-PnPTenant -SharingBlockedDomainList "competitor.com untrusted.com" -SharingDomainRestrictionMode BlockList
Write-Host "External sharing blocked for competitor.com and untrusted.com."
Step 7: Enable External Sharing Audit Logging
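To track external sharing activities, enable unified audit logging. This is a tenant-wide setting managed from Exchange Online PowerShell (the ExchangeOnlineManagement module), not from PnP PowerShell:
Connect-ExchangeOnline
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
Write-Host "Unified audit logging enabled (covers OneDrive sharing events)."
Retrieve external sharing logs from the same Exchange Online session:
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -RecordType SharePointSharingOperation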
Step 8: Generate External Sharing Report
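To export a report of OneDrive items with unique permissions, which are the candidates for external sharing:
$reportPath = "C:\Reports\OneDrive_ExternalSharing_Report.csv"
$oneDriveSites = Get-PnPTenantSite -IncludeOneDriveSites | Where-Object { $_.Url -like "*-my.sharepoint.com/personal/*" }
$sharingData = @()
foreach ($site in $oneDriveSites) {
    # The connecting account must be a site collection admin of each OneDrive
    Connect-PnPOnline -Url $site.Url -Interactive
    foreach ($item in (Get-PnPListItem -List "Documents" -PageSize 500)) {
        # Permission properties are not loaded by default, so request them explicitly
        if (-not (Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments)) { continue }
        $members = foreach ($assignment in (Get-PnPProperty -ClientObject $item -Property RoleAssignments)) {
            (Get-PnPProperty -ClientObject $assignment -Property Member).LoginName
        }
        $sharingData += [PSCustomObject]@{
            SiteUrl    = $site.Url
            FileName   = $item.FieldValues.FileLeafRef
            FileUrl    = $item.FieldValues.FileRef
            # Guest accounts are recognisable by "#ext#" in the login name
            SharedWith = ($members -join "; ")
        }
    }
}
$sharingData | Export-Csv -Path $reportPath -NoTypeInformation
Write-Host "OneDrive external sharing report saved to $reportPath"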
Step 9: Automate External Sharing Monitoring
1. Open Task Scheduler
- Click Start, search for Task Scheduler, and open it.
- Click Create Basic Task.
- Name it “OneDrive External Sharing Audit”.
2. Set Trigger
- Choose Weekly or another frequency.
- Set execution time.
3. Set Action
- Select Start a Program.
- In Program/Script, enter:
powershell.exe
- In Arguments, enter:
-File "C:\Scripts\OneDriveExternalSharingAudit.ps1"
- Click Finish.
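This ensures regular monitoring of external sharing settings. Because a scheduled task runs unattended, the script must connect with app-based authentication (Step 2) rather than -Interactive.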
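Step 9 schedules OneDriveExternalSharingAudit.ps1 without showing what it checks. One possible core for such a script, as an added example that is not part of the original guide: it compares the tenant settings from Steps 3 to 6 against a baseline and returns a list of findings. Test-SharingBaseline, its parameters and the sample values are assumptions made for illustration.

```powershell
# Added example: baseline check over the tenant sharing settings covered in this guide.
# Test-SharingBaseline and -ApprovedDomains are hypothetical names.
function Test-SharingBaseline {
    param(
        [Parameter(Mandatory)] $Tenant,      # Get-PnPTenant output, or an object with the same properties
        [string[]] $ApprovedDomains = @()    # assumption: the domains your organisation has approved
    )
    $findings = @()
    # Per Microsoft's cmdlet documentation, ExternalUserAndGuestSharing is the level that permits Anyone links.
    $anyone = "$($Tenant.SharingCapability)" -eq 'ExternalUserAndGuestSharing'
    if ($anyone) {
        $findings += 'SharingCapability permits Anyone (anonymous) links'
        if ("$($Tenant.FileAnonymousLinkType)" -eq 'Edit') {
            $findings += 'Anyone links on files grant Edit'
        }
    }
    if ("$($Tenant.DefaultSharingLinkType)" -eq 'AnonymousAccess') {
        $findings += 'Default sharing link type is an Anyone link'
    }
    if ("$($Tenant.SharingCapability)" -ne 'Disabled') {
        if ("$($Tenant.SharingDomainRestrictionMode)" -ne 'AllowList') {
            $findings += 'External sharing is not limited to an allow list of domains'
        } else {
            # Accept space- or comma-separated domain lists
            $allowed = "$($Tenant.SharingAllowedDomainList)" -split '[\s,]+' | Where-Object { $_ }
            foreach ($d in $allowed) {
                if ($ApprovedDomains -notcontains $d) { $findings += "Allow list contains unapproved domain: $d" }
            }
        }
    }
    return $findings
}

# Constructed sample standing in for Get-PnPTenant output, so the check can be tried offline.
$sample = [PSCustomObject]@{
    SharingCapability            = 'ExternalUserAndGuestSharing'
    DefaultSharingLinkType       = 'Internal'
    FileAnonymousLinkType        = 'Edit'
    SharingDomainRestrictionMode = 'AllowList'
    SharingAllowedDomainList     = 'trustedpartner.com unknown-vendor.example'
}
Test-SharingBaseline -Tenant $sample -ApprovedDomains 'trustedpartner.com', 'example.com'
# Live run after Connect-PnPOnline: Test-SharingBaseline -Tenant (Get-PnPTenant) -ApprovedDomains ...
```

In the scheduled script, write the returned findings to a log or alert channel so that a drift from the baseline is noticed between manual reviews.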