Configuring OneDrive External Sharing using PnP PowerShell

External sharing in OneDrive for Business allows users to share files and folders with people outside the organization. However, improper configuration may lead to security risks. Using PnP PowerShell, admins can:
✔ Enable or disable external sharing
✔ Set sharing policies (Anyone, New and Existing Guests, etc.)
✔ Restrict domain-based sharing
✔ Audit external sharing settings

This step-by-step guide will help you configure and manage OneDrive external sharing using PnP PowerShell.

Step 1: Install and Update PnP PowerShell

Ensure you have PnP PowerShell installed. Open PowerShell as Administrator and run:

Install-Module -Name PnP.PowerShell -Force -AllowClobber

To update:

Update-Module -Name PnP.PowerShell

Verify installation:

Get-Module -Name PnP.PowerShell -ListAvailable

Step 2: Connect to SharePoint Online (OneDrive Admin Center)

Since OneDrive for Business is part of SharePoint Online, connect to the SharePoint Admin Center:

$adminUrl = "https://yourtenant-admin.sharepoint.com"
Connect-PnPOnline -Url $adminUrl -Scopes "Sites.FullControl.All" -Interactive

For app-based authentication, use:

$clientId = "your-client-id"
$tenantId = "your-tenant-id"
$clientSecret = "your-client-secret"

Connect-PnPOnline -Url $adminUrl -ClientId $clientId -ClientSecret $clientSecret -Tenant $tenantId

Step 3: Retrieve Current External Sharing Settings

To check the current external sharing settings for OneDrive:

Get-PnPTenant | Select-Object -Property OneDriveForGuestsEnabled,SharingCapability,ShowEveryoneClaim

✔ OneDriveForGuestsEnabled → Is external sharing enabled?
✔ SharingCapability → Current sharing level (Disabled, Authenticated, Anonymous, Existing Guests)
✔ ShowEveryoneClaim → Is “Everyone” access enabled?

Step 4: Configure External Sharing in OneDrive

1. Enable External Sharing for OneDrive

To enable external sharing:

Set-PnPTenant -OneDriveForGuestsEnabled $true -SharingCapability ExternalUserAndGuestSharing
Write-Host "External sharing enabled for OneDrive."

SharingCapability options:

Disabled → No external sharing
ExistingExternalUserSharingOnly → Only existing guests can access
ExternalUserAndGuestSharing → New guests allowed
Anyone → Anyone with a link

2. Disable External Sharing for OneDrive

Set-PnPTenant -OneDriveForGuestsEnabled $false -SharingCapability Disabled
Write-Host "External sharing disabled for OneDrive."

Step 5: Configure Sharing Link Settings

To set the default link type for shared files:

Set-PnPTenant -DefaultSharingLinkType Internal
Write-Host "Default sharing link type set to Internal (No external sharing)."

✔ ViewOnly → Read-only access
✔ Edit → Can edit files
✔ Internal → No external sharing

To enable anonymous access links (Anyone links):

Set-PnPTenant -FileAnonymousLinkType Edit
Write-Host "Anonymous link sharing enabled with Edit permissions."

To disable anonymous links:

Set-PnPTenant -FileAnonymousLinkType Disabled
Write-Host "Anonymous link sharing disabled."

Step 6: Restrict Sharing to Specific Domains

To allow sharing only with specific domains:

Set-PnPTenant -SharingAllowedDomainList "trustedpartner.com, example.com" -SharingDomainRestrictionMode AllowList
Write-Host "External sharing restricted to trustedpartner.com and example.com."

To block certain domains:

Set-PnPTenant -SharingBlockedDomainList "competitor.com, untrusted.com" -SharingDomainRestrictionMode BlockList
Write-Host "External sharing blocked for competitor.com and untrusted.com."

Step 7: Enable External Sharing Audit Logging

To track external sharing activities, enable audit logging:

Set-PnPAuditing -OneDrive $true -LogFileAccess $true -LogSharingActions $true
Write-Host "Audit logging enabled for OneDrive external sharing."

Retrieve external sharing logs:

Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -RecordType SharePointSharingOperation

Step 8: Generate External Sharing Report

To export a report of all externally shared files in OneDrive:

$reportPath = "C:\Reports\OneDrive_ExternalSharing_Report.csv"
$oneDriveSites = Get-PnPTenantSite -IncludeOneDriveSites | Where-Object { $_.Url -like "*-my.sharepoint.com/personal/*" }

$sharingData = @()

foreach ($site in $oneDriveSites) {
    Connect-PnPOnline -Url $site.Url -Interactive
    $sharedItems = Get-PnPListItem -List "Documents" | Where-Object { $_.HasUniqueRoleAssignments }

    foreach ($item in $sharedItems) {
        $sharingData += [PSCustomObject]@{
            SiteUrl     = $site.Url
            FileName    = $item.FieldValues.FileLeafRef
            FileUrl     = $item.FieldValues.FileRef
            SharedWith  = ($item.RoleAssignments | Select-Object -ExpandProperty Member)
        }
    }
}

$sharingData | Export-Csv -Path $reportPath -NoTypeInformation
Write-Host "OneDrive external sharing report saved to $reportPath"

Step 9: Automate External Sharing Monitoring

1. Open Task Scheduler

Click Start, search for Task Scheduler, and open it.
Click Create Basic Task.
Name it “OneDrive External Sharing Audit”.

2. Set Trigger

Choose Weekly or another frequency.
Set execution time.

3. Set Action

Select Start a Program.
In Program/Script, enter: powershell.exe
In Arguments, enter:-File "C:\Scripts\OneDriveExternalSharingAudit.ps1"
Click Finish.

This ensures regular monitoring of external sharing settings.