1. Introduction
Organizations using SharePoint Online must ensure compliance with security, privacy, and data retention regulations. PnP PowerShell helps generate compliance reports to:
✔ Monitor user permissions and access
✔ Track external sharing activity
✔ Audit Data Loss Prevention (DLP) policies
✔ Review retention policies and expired documents
✔ Log SharePoint activities for security audits
By automating compliance reporting, organizations can detect security risks, ensure regulatory compliance, and optimize data governance.
2. Prerequisites
Before generating compliance reports, ensure:
✅ PnP PowerShell is installed
Install-Module -Name PnP.PowerShell -Scope CurrentUser -Force
✅ You have SharePoint Administrator or Compliance Administrator permissions
✅ Retention, DLP, and security policies are configured in Microsoft Purview Compliance Center
✅ PowerShell has access to Microsoft 365 audit logs
3. Connecting to SharePoint Online Using PnP PowerShell
To run compliance reports, first connect to your SharePoint Online tenant:
Connect-PnPOnline -Url "https://yourtenant-admin.sharepoint.com" -Interactive
✔ This prompts for secure authentication.
4. Types of Compliance Reports
PnP PowerShell can generate various compliance-related reports, including:
✔ User Permissions Report – Who has access to what?
✔ External Sharing Report – Tracking externally shared files
✔ DLP Policy Report – Identifying sensitive data exposure
✔ Audit Logs Report – Reviewing user activities in SharePoint
✔ Retention Policies Report – Checking expired and retained files
Each report helps maintain compliance, security, and governance.
5. Generating Compliance Reports
A. Auditing User Permissions
To generate a report on who has access to SharePoint sites:
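# Run while connected to the tenant admin site (section 3).
$Sites = Get-PnPTenantSite
# Collect the loop output directly instead of growing an array with +=.
$Report = foreach ($Site in $Sites) {
    # Switch the connection to each site collection in turn.
    Connect-PnPOnline -Url $Site.Url -Interactive
    $Users = Get-PnPUser
    foreach ($User in $Users) {
        [PSCustomObject]@{
            SiteURL     = $Site.Url
            User        = $User.Email
            LoginName   = $User.LoginName
            IsSiteAdmin = $User.IsSiteAdmin
            # User objects have no Roles property; SharePoint group membership is reported instead.
            Groups      = ($User.Groups | ForEach-Object { $_.Title }) -join '; '
        }
    }
}
$Report | Export-Csv -Path "C:\Reports\SharePointPermissions.csv" -NoTypeInformation
Write-Host "User permissions report generated successfully!"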
✔ This report helps identify unauthorized access.
B. Monitoring External Sharing
To track files shared externally:
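$SiteUrl = "https://yourtenant.sharepoint.com/sites/YourSite"
Connect-PnPOnline -Url $SiteUrl -Interactive
# This filter relies on a "SharingStatus" column being present in the library.
$SharedFiles = Get-PnPListItem -List "Documents" | Where-Object { $_["SharingStatus"] -eq "External" }
# Field values are read through calculated properties; "Editor" is the internal name of the Modified By column.
$SharedFiles | Select-Object @{Name="FileName"; Expression={ $_["FileLeafRef"] }}, @{Name="FilePath"; Expression={ $_["FileRef"] }}, @{Name="ModifiedBy"; Expression={ $_["Editor"].LookupValue }} | Export-Csv -Path "C:\Reports\ExternalSharing.csv" -NoTypeInformation
Write-Host "External sharing report generated successfully!"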
✔ Identifies security risks from external sharing.
C. Checking Data Loss Prevention (DLP) Policies
To verify if DLP policies are correctly applied:
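# DLP policies are read through Security & Compliance PowerShell (ExchangeOnlineManagement module), not a PnP cmdlet.
Connect-IPPSSession
$DLPPolicies = Get-DlpCompliancePolicy
$DLPPolicies | Select-Object Name, Mode, WhenChanged | Export-Csv -Path "C:\Reports\DLPReport.csv" -NoTypeInformation
Write-Host "DLP policy report generated successfully!"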
✔ Ensures sensitive data is protected.
D. Exporting SharePoint Audit Logs
To review who accessed or modified documents:
# Search-UnifiedAuditLog is an Exchange Online cmdlet (ExchangeOnlineManagement module), so connect there first.
Connect-ExchangeOnline
$StartDate = (Get-Date).AddDays(-30)
$EndDate = Get-Date
# A single call returns at most 5000 records.
$AuditLogs = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -RecordType SharePointFileOperation -ResultSize 5000
$AuditLogs | Select-Object CreationDate, UserIds, Operations, ObjectId | Export-Csv -Path "C:\Reports\AuditLogs.csv" -NoTypeInformation
Write-Host "SharePoint audit log report generated successfully!"
✔ Helps detect suspicious activities.
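The export above keeps only four summary columns, while the detail needed to spot external sharing (section B) sits in each record's AuditData JSON. The following is an added example, not part of the original article: it parses that JSON and flags anonymous links and shares to guest users. Get-ExternalSharingEvent is a hypothetical helper name, and the sample records and addresses are constructed.

```powershell
function Get-ExternalSharingEvent {
    param([Parameter(Mandatory)][object[]]$AuditRecord)
    # Sharing operations as named in the Microsoft 365 audit log.
    $SharingOps = 'AnonymousLinkCreated', 'SharingInvitationCreated',
                  'SecureLinkCreated', 'AddedToSecureLink', 'SharingSet'
    foreach ($Record in $AuditRecord) {
        # AuditData is a JSON string; skip records that do not parse.
        try { $Data = $Record.AuditData | ConvertFrom-Json -ErrorAction Stop }
        catch { Write-Warning 'Skipping record with unparsable AuditData'; continue }
        if ($Data.Operation -notin $SharingOps) { continue }
        # External means an "Anyone" link or a target of type Guest.
        $IsAnonymous = $Data.Operation -eq 'AnonymousLinkCreated'
        $IsGuest     = $Data.TargetUserOrGroupType -eq 'Guest'
        if ($IsAnonymous -or $IsGuest) {
            [PSCustomObject]@{
                Time       = $Data.CreationTime
                Actor      = $Data.UserId
                Operation  = $Data.Operation
                SharedWith = if ($IsAnonymous) { 'Anyone with the link' } else { $Data.TargetUserOrGroupName }
                Item       = $Data.ObjectId
            }
        }
    }
}

# Constructed sample records shaped like Search-UnifiedAuditLog output.
$SampleLogs = @(
    [PSCustomObject]@{ AuditData = '{"CreationTime":"2024-05-01T09:12:44","UserId":"alice@example.com","Operation":"FileAccessed","ObjectId":"https://yourtenant.sharepoint.com/sites/YourSite/Shared Documents/policy.docx"}' }
    [PSCustomObject]@{ AuditData = '{"CreationTime":"2024-05-01T10:03:10","UserId":"alice@example.com","Operation":"AnonymousLinkCreated","ObjectId":"https://yourtenant.sharepoint.com/sites/YourSite/Shared Documents/salaries.xlsx"}' }
    [PSCustomObject]@{ AuditData = '{"CreationTime":"2024-05-02T14:20:05","UserId":"bob@example.com","Operation":"SharingInvitationCreated","TargetUserOrGroupType":"Guest","TargetUserOrGroupName":"partner@example.org","ObjectId":"https://yourtenant.sharepoint.com/sites/YourSite/Shared Documents/contract.pdf"}' }
    [PSCustomObject]@{ AuditData = '{"CreationTime":"2024-05-02T15:00:00","UserId":"bob@example.com","Operation":"AddedToSecureLink","TargetUserOrGroupType":"Member","TargetUserOrGroupName":"carol@example.com","ObjectId":"https://yourtenant.sharepoint.com/sites/YourSite/Shared Documents/notes.docx"}' }
    [PSCustomObject]@{ AuditData = '{"CreationTime":"2024-05-03T08:00:00","Operation":' }   # truncated on purpose
)

$Findings = @(Get-ExternalSharingEvent -AuditRecord $SampleLogs)
$Findings | Format-Table -AutoSize
Write-Host "$($Findings.Count) external sharing event(s) found"
```

To run it on real data, pass the output of Search-UnifiedAuditLog with -RecordType SharePointSharingOperation in place of $SampleLogs.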
E. Generating Retention Policy Reports
To check expired and retained files:
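# "_ComplianceTag" is the internal name of the Retention label column.
$RetentionFiles = Get-PnPListItem -List "Documents" | Where-Object { -not [string]::IsNullOrEmpty($_["_ComplianceTag"]) }
# Field values are read through calculated properties.
$RetentionFiles | Select-Object @{Name="Title"; Expression={ $_["Title"] }}, @{Name="RetentionLabel"; Expression={ $_["_ComplianceTag"] }}, @{Name="Modified"; Expression={ $_["Modified"] }} | Export-Csv -Path "C:\Reports\RetentionPolicies.csv" -NoTypeInformation
Write-Host "Retention policy report generated successfully!"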
✔ Ensures compliance with data retention policies.
6. Automating Compliance Report Generation
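To schedule compliance reports daily (a scheduled task cannot answer the -Interactive sign-in prompt, so the scheduled script must connect non-interactively, for example with certificate-based app-only authentication):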
1️⃣ Save your script as C:\Scripts\ComplianceReports.ps1
2️⃣ Open Task Scheduler
3️⃣ Click Create Basic Task
4️⃣ Set Trigger to Daily at 2:00 AM
5️⃣ Set Action to Start a Program
6️⃣ Enter powershell.exe in Program/Script
7️⃣ In Add Arguments, enter:
-File "C:\Scripts\ComplianceReports.ps1"
8️⃣ Click Finish to enable automation
✔ Automatically generates and exports compliance reports every day.