Security in SharePoint Online is crucial to prevent unauthorized access, protect sensitive data, and ensure compliance with regulatory standards. PnP PowerShell provides powerful commands to manage security policies efficiently.
Why Use PnP PowerShell for Security?
✔ Automates Role-Based Access Control (RBAC)
✔ Applies Sensitivity & Retention Labels
✔ Monitors Security Audits & Reports
✔ Enhances Authentication with Multi-Factor Authentication (MFA)
✔ Manages Secure Sharing & External Access
Step 1: Connecting Securely to SharePoint Online
1.1 Secure Connection Using MFA
To securely connect to SharePoint Online with Multi-Factor Authentication (MFA), use:
# -Interactive opens a browser sign-in, so MFA and Conditional Access policies apply
# (it replaces the older -UseWebLogin switch; recent PnP.PowerShell versions also expect -ClientId of an app registration)
Connect-PnPOnline -Url "https://yourtenant.sharepoint.com" -Interactive
Result: Requires user authentication with MFA for enhanced security.
Step 2: Managing Role-Based Access Control (RBAC)
2.1 Assigning Users to SharePoint Groups
# Define variables
$SiteURL = "https://yourtenant.sharepoint.com/sites/SecureSite"
$UserEmail = "user@yourdomain.com"
$GroupName = "Site Owners"
# Connect to SharePoint (browser sign-in, so MFA applies)
Connect-PnPOnline -Url $SiteURL -Interactive
# Add the user to the SharePoint group; Add-PnPGroupMember takes the user via -LoginName
Add-PnPGroupMember -Group $GroupName -LoginName $UserEmail
Result: The user gains specific permissions based on their role.
Step 3: Applying Sensitivity Labels to Protect Data
3.1 Enable Sensitivity Labels for SharePoint
1️⃣ Enable Unified Labeling in Microsoft 365 Compliance Center
2️⃣ Create Sensitivity Labels (e.g., Confidential, Restricted)
3️⃣ Apply Sensitivity Labels to SharePoint Documents
3.2 Automate Sensitivity Labeling Using PowerShell
# Define Variables
$DocumentLibrary = "ConfidentialDocs"
$LabelName = "Highly Confidential"
# Set the library's default sensitivity label (label name or id); the label must already be published to the site
Set-PnPList -Identity $DocumentLibrary -DefaultSensitivityLabelForLibrary $LabelName
Result: Documents in the specified library are automatically labeled as “Highly Confidential.”
Step 4: Restricting External Sharing
4.1 Block External Sharing for a SharePoint Site
# Set-PnPSite uses -Sharing for the site-level setting; a site can never be more permissive than the tenant setting
Set-PnPSite -Identity "https://yourtenant.sharepoint.com/sites/SecureSite" -Sharing Disabled
Result: External users cannot share or access content from this site.
4.2 Restrict Sharing to Specific Domains
Set-PnPTenantSite -Url "https://yourtenant.sharepoint.com/sites/SecureSite" -SharingAllowedDomainList "trustedpartner.com" -SharingDomainRestrictionMode AllowList
Result: Only users from trustedpartner.com can be added as external guests.
Step 5: Implementing Retention Policies
5.1 Automatically Apply Retention Labels to Documents
# Set-PnPLabel sets the default retention label on a list; -SyncToItems also applies it to existing documents
Set-PnPLabel -List "FinancialRecords" -Label "7-Year Retention" -SyncToItems
Result: Documents in FinancialRecords are automatically retained for 7 years.
Step 6: Monitoring Security with Audit Logs
6.1 Retrieve SharePoint Security Logs
# Get-PnPAuditing only returns the site's audit flags, not the events themselves.
# The activity records live in the unified audit log, read with Search-UnifiedAuditLog
# from the ExchangeOnlineManagement module (Connect-ExchangeOnline first).
$AuditLogs = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -RecordType SharePointFileOperation -ResultSize 5000
$AuditLogs | Format-Table UserIds, Operations, CreationDate
Result: Displays user activity logs, including file access and permission changes.
Step 7: Automating Security Reports
7.1 Generate and Email a Security Report
# Export the last 7 days of SharePoint audit events (Search-UnifiedAuditLog requires Connect-ExchangeOnline);
# Export-Csv writes the file and returns nothing, so there is no value to capture
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -RecordType SharePointFileOperation -ResultSize 5000 |
    Export-Csv -Path "C:\SecurityReport.csv" -NoTypeInformation
# Send Email with Report
Send-MailMessage -To "admin@yourdomain.com" -From "security@yourdomain.com" -Subject "Security Report" -Body "Attached is the latest security report." -Attachments "C:\SecurityReport.csv" -SmtpServer "smtp.yourdomain.com"
Result: Admins receive automated security reports via email.
Step 8: Enforcing Multi-Factor Authentication (MFA) for Admins
8.1 Require MFA for Admin Accounts
Set-MsolUser -UserPrincipalName "admin@yourdomain.com" -StrongAuthenticationRequirements @(@{RelyingParty="*"; State="Enabled"})
Result: Enforces MFA login for SharePoint Administrators.
Step 9: Detecting and Removing Unauthorized Users
9.1 Identify Unauthorized Users
# Guest accounts carry "#ext#" in their claims-encoded login name
Get-PnPUser | Where-Object { $_.LoginName -match '#ext#' }
Result: Lists all external users in SharePoint.
9.2 Remove Unauthorized Users
# Pass the user's id or the LoginName value shown by Get-PnPUser to -Identity
Remove-PnPUser -Identity "unauthorized@external.com"
Result: Unauthorized external user is removed.
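As an added example (not code from the original article), the following script ties Steps 4 and 9 together: it connects once to the admin centre, lists the external guests on every site collection with Get-PnPExternalUser, and flags any guest whose e-mail domain falls outside that site's own allow list, so the findings can be reviewed before anyone is removed. The tenant admin URL, the app registration client id and the output path are placeholders you supply.

```powershell
param(
    # Placeholders: your tenant admin URL, the client id of the Entra app
    # registration used for PnP PowerShell, and where to write the report
    [string]$AdminUrl = "https://yourtenant-admin.sharepoint.com",
    [string]$ClientId = "<app-registration-client-id>",
    [string]$OutFile  = "C:\Reports\ExternalGuests.csv"
)

# Interactive sign-in to the admin centre, so MFA / Conditional Access applies
Connect-PnPOnline -Url $AdminUrl -Interactive -ClientId $ClientId

$rows = foreach ($site in Get-PnPTenantSite) {
    # Domains this site allows (space-separated) when it is in AllowList mode
    $allowed = @()
    if ($site.SharingDomainRestrictionMode -eq 'AllowList' -and $site.SharingAllowedDomainList) {
        $allowed = @($site.SharingAllowedDomainList -split '\s+' | ForEach-Object { $_.ToLowerInvariant() })
    }

    # Get-PnPExternalUser returns at most 50 guests per call, so page through them
    $position = 0
    do {
        $page = @(Get-PnPExternalUser -SiteUrl $site.Url -PageSize 50 -Position $position)
        foreach ($guest in $page) {
            $domain = ($guest.Email -split '@')[-1].ToLowerInvariant()
            [pscustomobject]@{
                SiteUrl           = $site.Url
                SharingCapability = $site.SharingCapability
                Guest             = $guest.Email
                InvitedBy         = $guest.InvitedBy
                WhenCreated       = $guest.WhenCreated
                # True only when the site restricts domains and this guest is not on its list
                OutsideAllowList  = ($allowed.Count -gt 0 -and $domain -notin $allowed)
            }
        }
        $position += $page.Count
    } while ($page.Count -eq 50)
}

$rows | Export-Csv -Path $OutFile -NoTypeInformation
# Guests that contradict the site's own allow list are the first ones to review
$rows | Where-Object OutsideAllowList | Format-Table SiteUrl, Guest, InvitedBy
```

The CSV gives the full inventory per site; the console output narrows it to guests that the site's domain restriction should not have admitted, which are candidates for the Remove-PnPUser step above.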
Step 10: Securing PowerShell Scripts Using Azure Key Vault
10.1 Store Secure Credentials in Azure Key Vault
1️⃣ Go to Azure Key Vault → Secrets
2️⃣ Add a new secret “AdminPassword”
3️⃣ Use PowerShell to fetch credentials securely:
# Fetch the secret without -AsPlainText: SecretValue is already a SecureString,
# so the password never exists as plain text in the session
$Secret = Get-AzKeyVaultSecret -VaultName "MyKeyVault" -Name "AdminPassword"
$Credential = New-Object System.Management.Automation.PSCredential ("admin@yourtenant.com", $Secret.SecretValue)
Result: Ensures secure handling of credentials in scripts.