Generating a Security Risk Report for SharePoint Online using PnP PowerShell


Security risks in SharePoint Online can lead to data leaks, unauthorized access, and compliance violations. By using PnP PowerShell, administrators can generate a Security Risk Report to:

Identify external sharing risks
Monitor site permissions
Track anonymous access
Detect unauthorized file access
Audit administrative privilege changes

This guide explains how to generate a detailed Security Risk Report for SharePoint Online using PnP PowerShell.


Step 1: Install & Update PnP PowerShell

Ensure you have PnP PowerShell installed:

Install-Module -Name PnP.PowerShell -Force -AllowClobber

If already installed, update it:

Update-Module -Name PnP.PowerShell

Step 2: Connect to SharePoint Online

Connect to SharePoint Online using PnP PowerShell:

Connect-PnPOnline -Url "https://yourtenant-admin.sharepoint.com" -Interactive

For unattended (app-based) authentication, use a client secret as shown below; note that client-secret (ACS) app-only access is a legacy mechanism, and certificate-based authentication (-ClientId, -Tenant and -CertificatePath) is the preferred option for scheduled runs:

$tenantId = "your-tenant-id"
$clientId = "your-client-id"
$clientSecret = "your-client-secret"

Connect-PnPOnline -Tenant $tenantId -ClientId $clientId -ClientSecret $clientSecret -Url "https://yourtenant-admin.sharepoint.com"

Step 3: Collect Security Risk Data

1. Identify External Sharing Risks

Fetch sites with external sharing enabled:

$sites = Get-PnPTenantSite | Where-Object { $_.SharingCapability -ne "Disabled" }

$sites | Select-Object Url, SharingCapability | Format-Table -AutoSize

✔ Detects SharePoint sites allowing external sharing.


2. List Users with Full Control Permissions

Identify users with full admin rights on sites:

$allSites = Get-PnPTenantSite
$adminUsers = @()

foreach ($site in $allSites) {
    # Connecting interactively inside the loop prompts (or reuses the cached token) once per site
    Connect-PnPOnline -Url $site.Url -Interactive
    $users = Get-PnPSiteCollectionAdmin
    foreach ($user in $users) {
        $adminUsers += [PSCustomObject]@{
            SiteUrl   = $site.Url
            AdminUser = $user.Email
        }
    }
}

$adminUsers | Format-Table -AutoSize

✔ Lists users with Full Control across SharePoint sites.


3. Audit Anonymous Access Permissions

Find sites with anonymous access enabled:

$anonAccessSites = Get-PnPTenantSite | Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" }

$anonAccessSites | Select-Object Url, SharingCapability | Format-Table -AutoSize

✔ Identifies sites that allow anonymous "Anyone" links, i.e. content that can be made publicly accessible.


4. Track Unauthorized File Access

Monitor external users accessing sensitive files:

$startDate = (Get-Date).AddDays(-7).ToString("yyyy-MM-dd")
$endDate = (Get-Date).ToString("yyyy-MM-dd")

# Search-UnifiedAuditLog comes from the ExchangeOnlineManagement module, not PnP; run Connect-ExchangeOnline first
$unauthorizedAccess = Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate -Operations "FileAccessed" -ResultSize 1000

# ObjectId and ClientIP are inside the AuditData JSON payload, not top-level record properties,
# so parse them out; keep only events from accounts outside your own domain
$unauthorizedAccess = $unauthorizedAccess | Where-Object { $_.UserIds -notmatch "yourdomain.com" } |
    Select-Object CreationDate, UserIds, @{n='ObjectId';e={($_.AuditData | ConvertFrom-Json).ObjectId}}, @{n='ClientIP';e={($_.AuditData | ConvertFrom-Json).ClientIP}}

$unauthorizedAccess | Format-Table -AutoSize

✔ Lists file-access events by accounts outside your domain, which may indicate unauthorized access.


5. Detect Privilege Escalation Attempts

Identify suspicious admin role assignments:

$startDate = (Get-Date).AddDays(-7).ToString("yyyy-MM-dd")
$endDate = (Get-Date).ToString("yyyy-MM-dd")

# The audit log operation name for "Added site collection admin" is SiteCollectionAdminAdded (requires Connect-ExchangeOnline)
$privilegeEscalations = Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate -Operations "SiteCollectionAdminAdded" -ResultSize 1000

# The record property is Operations (plural); ObjectId and ClientIP are parsed from the AuditData JSON
$privilegeEscalations = $privilegeEscalations |
    Select-Object CreationDate, UserIds, Operations, @{n='ObjectId';e={($_.AuditData | ConvertFrom-Json).ObjectId}}, @{n='ClientIP';e={($_.AuditData | ConvertFrom-Json).ClientIP}}

$privilegeEscalations | Format-Table -AutoSize

✔ Lists every site collection admin assignment in the period so unexpected ones can be reviewed.
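The two audit log queries above (items 4 and 5) decide who is "external" with a plain substring match and leave ObjectId and ClientIP buried in the AuditData JSON. The following is an added example, not code from the original post, showing a stricter external-account test (guest accounts carry #EXT# in their UPN, and the domain suffix is compared exactly) and a helper that flattens raw audit records into report rows. The domain list and the sample records are constructed.

```powershell
# Assumption: the domains your tenant owns; guest accounts are external even though
# their UPN ends in the tenant's onmicrosoft.com domain
$InternalDomains = @('yourdomain.com', 'yourtenant.onmicrosoft.com')

function Test-ExternalAccount {
    param([Parameter(Mandatory)][string]$UserId)
    # Guests appear as user_gmail.com#EXT#@yourtenant.onmicrosoft.com
    if ($UserId -match '#EXT#') { return $true }
    # Exact suffix comparison, so "yourdomain.com.attacker.net" is not treated as internal
    $domain = ($UserId -split '@')[-1].ToLowerInvariant()
    return -not ($InternalDomains -contains $domain)
}

function ConvertTo-RiskRow {
    param([Parameter(Mandatory, ValueFromPipeline)]$Record, [string]$Category)
    process {
        # ObjectId and ClientIP live inside the AuditData JSON payload of each record
        $data = $Record.AuditData | ConvertFrom-Json
        [PSCustomObject]@{
            Category   = $Category
            When       = $Record.CreationDate
            User       = $Record.UserIds
            IsExternal = Test-ExternalAccount $Record.UserIds
            Operation  = $Record.Operations
            Target     = $data.ObjectId
            ClientIP   = $data.ClientIP
        }
    }
}

# Constructed sample records shaped like Search-UnifiedAuditLog output
$sample = @(
    [PSCustomObject]@{ CreationDate = '2024-01-10 09:15'; UserIds = 'alice@yourdomain.com'; Operations = 'FileAccessed'
                       AuditData = '{"ObjectId":"https://yourtenant.sharepoint.com/sites/hr/Shared Documents/salaries.xlsx","ClientIP":"203.0.113.10"}' }
    [PSCustomObject]@{ CreationDate = '2024-01-10 09:20'; UserIds = 'bob_gmail.com#EXT#@yourtenant.onmicrosoft.com'; Operations = 'FileAccessed'
                       AuditData = '{"ObjectId":"https://yourtenant.sharepoint.com/sites/hr/Shared Documents/salaries.xlsx","ClientIP":"198.51.100.7"}' }
)

$rows = $sample | ConvertTo-RiskRow -Category 'FileAccess'
$rows | Where-Object IsExternal | Format-Table -AutoSize   # only the guest's access is reported
```

Feed the real $unauthorizedAccess and $privilegeEscalations results through ConvertTo-RiskRow with their own Category values to get uniform rows for the CSV export.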


Step 4: Generate the Security Risk Report

Export all collected security risk data into a CSV report:

$reportPath = "C:\Reports\SecurityRiskReport.csv"

# Export-Csv takes its columns from the first object it sees, so site objects and audit records must be normalised to common columns first
$report = @(
    $sites                | Select-Object @{n='Category';e={'ExternalSharing'}},     @{n='Target';e={$_.Url}},      @{n='Detail';e={$_.SharingCapability}}
    $adminUsers           | Select-Object @{n='Category';e={'SiteCollectionAdmin'}}, @{n='Target';e={$_.SiteUrl}},  @{n='Detail';e={$_.AdminUser}}
    $anonAccessSites      | Select-Object @{n='Category';e={'AnonymousSharing'}},    @{n='Target';e={$_.Url}},      @{n='Detail';e={$_.SharingCapability}}
    $unauthorizedAccess   | Select-Object @{n='Category';e={'ExternalFileAccess'}},  @{n='Target';e={$_.ObjectId}}, @{n='Detail';e={"$($_.UserIds) on $($_.CreationDate)"}}
    $privilegeEscalations | Select-Object @{n='Category';e={'AdminAdded'}},          @{n='Target';e={$_.ObjectId}}, @{n='Detail';e={"$($_.UserIds) on $($_.CreationDate)"}}
)
$report | Export-Csv -Path $reportPath -NoTypeInformation

Write-Host "Security Risk Report saved at: $reportPath"

✔ Saves the Security Risk Report for review.


Step 5: Automate Report Generation & Email Notification

To send the report via email:

$smtpServer = "smtp.yourcompany.com"
$securityTeam = "security@yourcompany.com"
$subject = "SharePoint Security Risk Report"
$body = "The latest SharePoint Security Risk Report is attached."

Send-MailMessage -To $securityTeam -From "admin@yourcompany.com" -Subject $subject -Body $body -Attachments $reportPath -SmtpServer $smtpServer

✔ Sends risk report to the security team.


Step 6: Schedule Automated Report Execution

Save the script as GenerateSecurityRiskReport.ps1, using the app-based authentication from Step 2 (the interactive login cannot run unattended), then schedule it via Task Scheduler or Azure Automation.

Example Task Scheduler command:

powershell.exe -ExecutionPolicy Bypass -File "C:\Scripts\GenerateSecurityRiskReport.ps1"

✔ Ensures regular security audits without manual execution.


Step 7: Take Security Actions Based on the Report

Disable External Sharing for Risky Sites

Set-PnPTenantSite -Url "https://yourtenant.sharepoint.com/sites/riskySite" -SharingCapability Disabled

Blocks unauthorized external sharing.

Remove Unauthorized Site Collection Admins

# Acts on the currently connected site; run after Connect-PnPOnline -Url <site url>
Remove-PnPSiteCollectionAdmin -Owners "unauthorizeduser@external.com"

Prevents privilege escalation.

Revoke External User Access

# Remove-PnPExternalUser identifies the account by its UniqueId, so look it up first (requires the admin-site connection)
$externalUser = Get-PnPExternalUser -Filter "user@external.com"
Remove-PnPExternalUser -UniqueIDs $externalUser.UniqueId

Ensures only authorized users can access SharePoint.
