Identifying and Managing SharePoint Guest Users using PnP PowerShell


In SharePoint Online, guest users are external users invited to collaborate on sites, files, or documents. It is essential to monitor and manage guest users to prevent unauthorized access and ensure security compliance.

Using PnP PowerShell, administrators can:
✔ Identify all guest users in SharePoint Online
✔ List guest user permissions across sites
✔ Remove inactive guest users
✔ Automate guest access reviews

This guide provides a step-by-step approach to managing guest users using PnP PowerShell.


Step 1: Install and Update PnP PowerShell

Ensure PnP PowerShell is installed and updated:

Install-Module -Name PnP.PowerShell -Force -AllowClobber
Update-Module -Name PnP.PowerShell

Step 2: Connect to SharePoint Online

Using Interactive Login

# Newer PnP.PowerShell releases (2.x and later) also require the -ClientId of your own app registration
Connect-PnPOnline -Url "https://yourtenant-admin.sharepoint.com" -Interactive -ClientId "your-client-id"

Using App-Based Authentication

$tenantId       = "your-tenant-id"
$clientId       = "your-client-id"
$certThumbprint = "your-certificate-thumbprint"

# Certificate-based app-only sign-in against your own Entra app registration.
# A certificate in the local store replaces a client secret kept in the script;
# -ClientSecret is the legacy ACS path and does not combine with -Tenant.
Connect-PnPOnline -Url "https://yourtenant-admin.sharepoint.com" -ClientId $clientId -Tenant $tenantId -Thumbprint $certThumbprint

✔ Ensures a secure connection to SharePoint Online before managing guest users.


Step 3: Identify All Guest Users in SharePoint Online

To list all guest users across the SharePoint tenant:

# Get-PnPUser has no -Site parameter: it reads the User Information List of the
# site collection you are connected to, so connect to that site first
Connect-PnPOnline -Url "https://yourtenant.sharepoint.com" -Interactive
$guestUsers = Get-PnPUser | Where-Object { $_.LoginName -like "*#EXT#*" }

$guestUsers | Select-Object Title, Email, LoginName

✔ Extracts all external users based on the #EXT# identifier in their login name.
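The step above covers one site collection at a time. The following added example (not part of the original post) walks every site collection returned by Get-PnPTenantSite and writes one consolidated guest inventory; it assumes the certificate-based app registration from Step 2 (placeholders $clientId, $tenantId, $certThumbprint) has been granted access to all sites.

```powershell
$clientId       = "your-client-id"                 # placeholder: your own app registration
$tenantId       = "your-tenant-id"
$certThumbprint = "your-certificate-thumbprint"
$reportPath     = "C:\Reports\TenantGuestUsers.csv"
$results        = [System.Collections.Generic.List[object]]::new()

# Admin-center connection: needed for Get-PnPTenantSite (OneDrive sites are excluded by default)
Connect-PnPOnline -Url "https://yourtenant-admin.sharepoint.com" -ClientId $clientId -Tenant $tenantId -Thumbprint $certThumbprint
$sites = Get-PnPTenantSite

foreach ($site in $sites) {
    try {
        # Get-PnPUser is scoped to one site collection, so open a separate connection per site
        $siteConn = Connect-PnPOnline -Url $site.Url -ClientId $clientId -Tenant $tenantId -Thumbprint $certThumbprint -ReturnConnection
        $guests = Get-PnPUser -Connection $siteConn | Where-Object { $_.LoginName -like "*#EXT#*" }
        foreach ($g in $guests) {
            $results.Add([pscustomobject]@{
                SiteUrl     = $site.Url
                Title       = $g.Title
                Email       = $g.Email
                LoginName   = $g.LoginName
                IsSiteAdmin = $g.IsSiteAdmin   # a guest holding site collection admin deserves a review
            })
        }
    }
    catch {
        # e.g. locked sites or sites the app was not granted; keep going and report at the end
        Write-Warning "Could not read users from $($site.Url): $_"
    }
}

$results | Sort-Object SiteUrl, Email | Export-Csv -Path $reportPath -NoTypeInformation
Write-Host "$($results.Count) guest entries across $($sites.Count) site collections written to $reportPath"
```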


Step 4: List Guest User Permissions in a Site Collection

To check guest user permissions in a specific SharePoint site:

$siteUrl = "https://yourtenant.sharepoint.com/sites/YourSite"

Connect-PnPOnline -Url $siteUrl -Interactive

# Walk the site's role assignments and report the roles bound directly to each guest.
# Access granted through a SharePoint group is recorded on the group, not on the user.
$web = Get-PnPWeb
$roleAssignments = Get-PnPProperty -ClientObject $web -Property RoleAssignments

foreach ($ra in $roleAssignments) {
    Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
    if ($ra.Member.LoginName -like "*#EXT#*") {
        $roles = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
        Write-Host "User: $($ra.Member.Title) - Permissions: $roles"
    }
}

✔ Retrieves guest user permissions for a specific site.
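Most guests get their rights through a site group ("YourSite Members", "YourSite Visitors") rather than a direct assignment, so a direct-assignment listing misses them. This added example (not from the original post) assumes the site-scoped connection from Step 4 and reports every guest found in any SharePoint group on the site, together with the roles that group holds on the web.

```powershell
function Get-GuestGroupAccess {
    # Map each principal with a direct role assignment on the web to its role names
    $web = Get-PnPWeb
    $roleAssignments = Get-PnPProperty -ClientObject $web -Property RoleAssignments
    $rolesByPrincipal = @{}
    foreach ($ra in $roleAssignments) {
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
        $rolesByPrincipal[$ra.Member.LoginName] = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
    }

    # Every SharePoint group on the site, and the guests inside each one
    foreach ($group in Get-PnPGroup) {
        $roles = "(no role on this web)"
        if ($rolesByPrincipal.ContainsKey($group.LoginName)) { $roles = $rolesByPrincipal[$group.LoginName] }

        $guests = Get-PnPGroupMember -Group $group | Where-Object { $_.LoginName -like "*#EXT#*" }
        foreach ($guest in $guests) {
            [pscustomobject]@{
                Guest = $guest.Email
                Group = $group.Title
                Roles = $roles
            }
        }
    }
}

# Typical finding worth acting on: a guest in the Members group holding Edit on the whole site
Get-GuestGroupAccess | Sort-Object Guest | Format-Table -AutoSize
```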


Step 5: Remove Inactive Guest Users

To remove guest users who haven’t logged in for a specific period (e.g., 180 days):

$inactiveDays = 180
$cutoffDate = (Get-Date).AddDays(-$inactiveDays)

# Sign-in data lives in Entra ID, not in SharePoint: the AzureAD module does not expose it,
# so query Microsoft Graph (AuditLog.Read.All is required for SignInActivity)
Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All"

$guestUsers = Get-PnPUser | Where-Object { $_.LoginName -like "*#EXT#*" }

foreach ($user in $guestUsers) {
    # LoginName has the form "i:0#.f|membership|<upn>"; the last segment is the guest's UPN in Entra ID
    $upn = $user.LoginName.Split("|")[-1]
    $entraUser = Get-MgUser -Filter "userPrincipalName eq '$upn'" -Property SignInActivity | Select-Object -First 1
    $lastLogin = $entraUser.SignInActivity.LastSignInDateTime

    # Guests who never signed in have no LastSignInDateTime; they are treated as inactive as well
    if (-not $lastLogin -or $lastLogin -lt $cutoffDate) {
        # Remove-PnPUser takes -Identity (login name or Id) and removes the user from this site only
        Remove-PnPUser -Identity $user.LoginName -Force
        Write-Host "Removed inactive guest user: $($user.Email) (last sign-in: $lastLogin)"
    }
}

✔ Identifies inactive guest users and removes them.


Step 6: Automate Guest Access Reviews

To send automated guest access review reports via email:

$siteUrl = "https://yourtenant.sharepoint.com/sites/YourSite"
$adminEmail = "admin@yourdomain.com"
$reportPath = "C:\Reports\GuestUserReport.csv"

# Get-PnPUser works against the connected site, so connect to the site being reviewed first
Connect-PnPOnline -Url $siteUrl -Interactive
$guestUsers = Get-PnPUser | Where-Object { $_.LoginName -like "*#EXT#*" }
$guestUsers | Select-Object Title, Email, LoginName | Export-Csv -Path $reportPath -NoTypeInformation

Send-MailMessage -To $adminEmail -From "noreply@yourdomain.com" -Subject "Guest User Report" -Body "Guest User report is attached." -Attachments $reportPath -SmtpServer "smtp.yourdomain.com"

✔ Generates a guest user report and sends it to the administrator.


Step 7: Restrict External Sharing for Guest Users

To disable guest sharing for a specific SharePoint site:

$siteUrl = "https://yourtenant.sharepoint.com/sites/YourSite"

# Stops new external sharing from this site; guests already granted access keep it until removed (Steps 5 and 8)
Set-PnPSite -Identity $siteUrl -SharingCapability Disabled
Write-Host "External sharing disabled for $siteUrl"

✔ Ensures guests can no longer access the site.


Step 8: Block Guest Users from Specific Document Libraries

To remove guest user access from a document library:

$library = "ConfidentialDocs"

# Remove-PnPUser has no -List parameter. Give the library its own permissions, then
# delete every role assignment on it whose principal is a guest.
Set-PnPList -Identity $library -BreakRoleInheritance -CopyRoleAssignments
$list = Get-PnPList -Identity $library
$roleAssignments = @(Get-PnPProperty -ClientObject $list -Property RoleAssignments)

foreach ($ra in $roleAssignments) {
    $member = Get-PnPProperty -ClientObject $ra -Property Member
    if ($member.LoginName -like "*#EXT#*") {
        $ra.DeleteObject()
        Write-Host "Removed $($member.Title) from $library"
    }
}
Invoke-PnPQuery   # commit the deletions in one round trip

✔ Prevents guest users from accessing sensitive libraries.


Step 9: Enable Expiring Guest Access

To set expiration for guest user access:

# The tenant parameters are -ExternalUserExpirationRequired and -ExternalUserExpireInDays
Set-PnPTenant -ExternalUserExpirationRequired $true -ExternalUserExpireInDays 30
Write-Host "Guest user access will expire after 30 days."

✔ Ensures guest users must renew access every 30 days.


Step 10: Audit Guest User Activities

To track guest user activities in SharePoint Online:

$reportPath = "C:\Reports\GuestUserActivity.csv"

# Search-UnifiedAuditLog comes from the ExchangeOnlineManagement module, not from PnP
Connect-ExchangeOnline

$guestActivities = Search-UnifiedAuditLog -Operations "FileAccessed", "FileModified" -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -ResultSize 5000 | Where-Object { $_.UserIds -match "#EXT#" }

$guestActivities | Export-Csv -Path $reportPath -NoTypeInformation
Write-Host "Guest activity report saved to $reportPath"

✔ Identifies which guest users accessed or modified files.
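The raw export above caps at one page of results and leaves the interesting fields inside the AuditData JSON. This added example (not from the original post) pages through the log with -SessionCommand, parses AuditData and summarises per guest which files, sites and source addresses were involved; it assumes Connect-ExchangeOnline has already been run.

```powershell
$start     = (Get-Date).AddDays(-30)
$end       = Get-Date
$sessionId = "GuestReview-" + [guid]::NewGuid().ToString()
$records   = @()

# ReturnLargeSet hands back up to 5000 rows per call; keep calling with the same
# session id until a short page signals the end of the result set
do {
    $batch = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType SharePointFileOperation -ResultSize 5000 `
        -SessionId $sessionId -SessionCommand ReturnLargeSet
    if ($batch) { $records += $batch }
} while ($batch -and $batch.Count -eq 5000)

# Keep guest events only and lift the useful fields out of the AuditData JSON
$guestEvents = foreach ($r in ($records | Where-Object { $_.UserIds -match "#EXT#" })) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $r.CreationDate
        Guest     = $r.UserIds
        Operation = $r.Operations
        Site      = $d.SiteUrl
        File      = $d.ObjectId
        ClientIP  = $d.ClientIP
    }
}

# Per-guest summary: volume, spread of files and source IPs, and downloads specifically
$guestEvents | Group-Object Guest | ForEach-Object {
    [pscustomobject]@{
        Guest         = $_.Name
        Events        = $_.Count
        DistinctFiles = @($_.Group.File | Sort-Object -Unique).Count
        DistinctIPs   = @($_.Group.ClientIP | Sort-Object -Unique).Count
        Downloads     = @($_.Group | Where-Object { $_.Operation -eq "FileDownloaded" }).Count
    }
} | Sort-Object Events -Descending | Format-Table -AutoSize
```

A guest with many distinct IPs or a download count out of line with peers is the row to follow up on first; export $guestEvents with Export-Csv when the detail is needed.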
