1. Introduction
Enforcing compliance policies in SharePoint Online ensures data protection, governance, and regulatory adherence. Using PnP PowerShell, organizations can:
Restrict external sharing
Apply retention policies to prevent data loss
Assign sensitivity labels for data classification
Audit compliance settings
Automate policy enforcement
2. Prerequisites
Before enforcing compliance policies, ensure:
- PnP PowerShell is installed
Install-Module -Name PnP.PowerShell -Scope CurrentUser -Force - You have SharePoint Admin or Global Admin permissions
- You have the SharePoint Admin Center URL of your tenant
3. Connecting to SharePoint Online
Before configuring compliance policies, connect to SharePoint Online:
$AdminURL = "https://yourtenant-admin.sharepoint.com"
Connect-PnPOnline -Url $AdminURL -Interactive
- Replace
"yourtenant"with your actual SharePoint tenant name. - This prompts you to log in using Microsoft 365 credentials.
4. Setting Up Compliance Policies
A. Enforcing External Sharing Restrictions
To prevent unauthorized external sharing, disable external sharing on all SharePoint sites:
$Sites = Get-PnPTenantSite | Where-Object { $_.SharingCapability -ne "Disabled" }
foreach ($Site in $Sites) {
Set-PnPTenantSite -Url $Site.Url -SharingCapability Disabled
Write-Host "External Sharing Disabled for $($Site.Url)"
}
This script disables external sharing for all SharePoint sites.
Allow External Sharing Only for Specific Sites
If external sharing is needed for specific sites, allow it only for existing external users:
$SiteURL = "https://yourtenant.sharepoint.com/sites/ExternalCollaboration"
Set-PnPTenantSite -Url $SiteURL -SharingCapability ExistingExternalUserSharingOnly
Write-Host "External sharing restricted to existing external users for $SiteURL"
Now, only pre-approved external users can access shared files.
B. Applying Retention Policies
Retention policies prevent accidental or malicious data deletion. Apply a 7-year retention policy to SharePoint libraries:
$SiteURL = "https://yourtenant.sharepoint.com/sites/Compliance"
Connect-PnPOnline -Url $SiteURL -Interactive
$List = Get-PnPList -Identity "Documents"
Set-PnPList -Identity $List.Id -EnableVersioning $true -EnableModeration $true -RetentionEnabled $true -RetentionPeriod 2555
Write-Host "Retention policy applied for 7 years on $($List.Title)"
Key Configurations:
- Enables versioning and approval workflows.
- Ensures files are retained for 7 years (2555 days) before deletion.
C. Configuring Sensitivity Labels
Sensitivity labels classify content based on confidentiality. Assign a sensitivity label to a document library:
$SiteURL = "https://yourtenant.sharepoint.com/sites/Security"
Connect-PnPOnline -Url $SiteURL -Interactive
$LibraryName = "ConfidentialDocs"
Set-PnPList -Identity $LibraryName -Classification "Highly Confidential"
Write-Host "Sensitivity label 'Highly Confidential' applied to $LibraryName"
This helps in restricting file sharing and enforcing encryption.
D. Restricting Access Based on Location
Prevent users from accessing SharePoint from untrusted locations:
Set-PnPTenant -IPAllowList @("192.168.1.0/24", "203.0.113.0/24") -BlockAllIPRangesExceptAllowed $true
Write-Host "Access restricted to approved IP addresses"
This ensures only users from trusted networks can access SharePoint.
5. Auditing Compliance Policies
A. Check External Sharing Settings for All Sites
To verify external sharing settings:
$SharingSettings = Get-PnPTenantSite | Select-Object Url, SharingCapability
$SharingSettings | Format-Table -AutoSize
This lists all SharePoint sites and their external sharing status.
B. Generate Compliance Report
To audit compliance settings and export them to CSV:
$ComplianceReport = @()
$Sites = Get-PnPTenantSite
foreach ($Site in $Sites) {
$ComplianceReport += [PSCustomObject]@{
SiteURL = $Site.Url
SharingStatus = $Site.SharingCapability
Sensitivity = (Get-PnPList -Identity "Documents").Classification
Retention = (Get-PnPList -Identity "Documents").RetentionEnabled
}
}
$ComplianceReport | Export-Csv -Path "C:\Reports\ComplianceReport.csv" -NoTypeInformation
Write-Host "Compliance Report Exported Successfully!"
The report includes:
External sharing status
Sensitivity label assigned
Retention policy enabled
6. Automating Compliance Policy Enforcement
To automate compliance enforcement, create a script (Enforce-Compliance.ps1) and schedule it using Task Scheduler.
Save the Script
$Sites = Get-PnPTenantSite
foreach ($Site in $Sites) {
# Disable external sharing
Set-PnPTenantSite -Url $Site.Url -SharingCapability Disabled
# Apply sensitivity label
Set-PnPList -Identity "Documents" -Classification "Confidential"
# Enable retention policy
Set-PnPList -Identity "Documents" -RetentionEnabled $true -RetentionPeriod 2555
}
Write-Host "Compliance Policies Enforced Successfully!"
Schedule the Task
- Open Task Scheduler.
- Click Create Basic Task.
- Choose a Trigger (e.g., weekly).
- Select Action > Start a Program.
- Set Program/Script to
powershell.exe. - In Add Arguments, enter:
-File "C:\Path\To\Enforce-Compliance.ps1" - Click Finish to enable automation.
Now, compliance policies are automatically enforced!