Security trimming in SharePoint Search ensures that users only see search results they have permission to access. This prevents unauthorized access to confidential content. By using PnP PowerShell, administrators can configure and enforce security trimming efficiently.
Key Objectives:
✔ Understand how security trimming works
✔ Configure SharePoint Search settings for security trimming
✔ Automate security trimming enforcement
Step 1: Install and Connect PnP PowerShell
Ensure you have the latest PnP PowerShell module installed:
Install-Module -Name PnP.PowerShell -Force -AllowClobber
Update-Module -Name PnP.PowerShell
Then connect to SharePoint Online:
# Connect to the tenant admin site
Connect-PnPOnline -Url "https://yourtenant-admin.sharepoint.com" -Interactive
✔ Authenticates your session to manage SharePoint Search settings.
Step 2: Enable Security Trimming for SharePoint Search
To check if security trimming is enabled:
$searchSettings = Get-PnPPropertyBag -Key "SecurityTrimmingEnabled"
Write-Host "Security Trimming Status: $searchSettings"
✔ Retrieves current security trimming configuration.
If security trimming is disabled, enable it:
Set-PnPPropertyBagValue -Key "SecurityTrimmingEnabled" -Value "True"
Write-Host "Security Trimming Enabled."
✔ Ensures users see only results they have access to.
Step 3: Configure Search Schema to Respect Permissions
SharePoint search schema determines how security is applied to indexed content. Ensure it is configured correctly:
# -Scope accepts Web, Site or Subscription
Set-PnPSearchConfiguration -Scope Site -Configuration @'
{
  "SecurityTrimming": {
    "Enabled": true
  }
}
'@
Write-Host "Search Security Trimming Configured."
✔ Forces SharePoint Search to respect user permissions.
Step 4: Reindex the SharePoint Site
To apply changes, reindex the entire site:
$siteUrl = "https://yourtenant.sharepoint.com/sites/SecureSite"
Connect-PnPOnline -Url $siteUrl -Interactive
# Trigger reindexing: flag the current web for a full reindex at the next crawl
Request-PnPReIndexWeb
Write-Host "Site reindexing triggered."
✔ Updates search results to reflect security trimming settings.
Step 5: Remove Inappropriate Search Results from Index
If confidential content appears in search results, manually remove it:
Submit-PnPSearchQuery -Query "DELETE FROM Search WHERE Path='https://yourtenant.sharepoint.com/sites/SecureSite/ConfidentialDoc.pdf'"
Write-Host "Confidential content removed from search index."
✔ Prevents unintended search exposure of restricted files.
Step 6: Test Security Trimming for Users
To verify security trimming, perform a test search as a specific user:
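$testUser = "user@yourdomain.com"
# Sign in as the test user when prompted; results are trimmed to the signed-in account
Connect-PnPOnline -Url $siteUrl -Interactive
Write-Host "Results visible to ${testUser}:"
$result = Submit-PnPSearchQuery -Query "Confidential" -TrimDuplicates $true
$result.ResultRows | ForEach-Object { [PSCustomObject]@{ Title = $_["Title"]; Path = $_["Path"] } }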
✔ Confirms that unauthorized users cannot see confidential files.
Step 7: Automate Security Trimming Audits
To regularly check if security trimming is working, generate an audit report:
$reportPath = "C:\Reports\SecurityTrimmingAudit.csv"
# Get-PnPTenantSite requires a connection to the tenant admin site (Step 1)
$secureSites = Get-PnPTenantSite | Where-Object { $_.Url -like "*secure*" }
$results = @()
foreach ($site in $secureSites) {
    Connect-PnPOnline -Url $site.Url -Interactive
    # Restrict the query to this site so each row is attributed to the right site
    $searchResults = Submit-PnPSearchQuery -Query "Confidential path:`"$($site.Url)`"" -TrimDuplicates $true
    foreach ($item in $searchResults.ResultRows) {
        $results += [PSCustomObject]@{
            SiteName = $site.Title
            SiteURL  = $site.Url
            Document = $item["Title"]
            Path     = $item["Path"]
        }
    }
}
$results | Export-Csv -Path $reportPath -NoTypeInformation
Write-Host "Security Trimming Audit Report saved to $reportPath"
✔ Helps identify and fix security risks in search results.
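The following is an added example, not part of the original article, that turns the audit in Steps 6 and 7 into a pass/fail check: it takes rows collected from a search run while signed in as a low-privilege test account and flags any whose Path falls under a site that account should not be able to read. The function name, the restricted-site list and the sample rows are assumptions constructed for illustration.

```powershell
# Added example: flag search hits that a test account should not be able to see.
# Function name, site list and sample rows are hypothetical / constructed.
function Find-TrimmingViolation {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Rows,  # objects with Title and Path
        [Parameter(Mandatory)] [string[]] $RestrictedSites                 # site URLs the account cannot access
    )
    # Normalise to lower case with a trailing slash so that
    # ".../sites/SecureSite" does not also match ".../sites/SecureSiteArchive".
    $prefixes = $RestrictedSites | ForEach-Object { $_.TrimEnd('/').ToLowerInvariant() + '/' }
    foreach ($row in $Rows) {
        if ([string]::IsNullOrWhiteSpace($row.Path)) { continue }
        $path = $row.Path.TrimEnd('/').ToLowerInvariant() + '/'
        foreach ($prefix in $prefixes) {
            if ($path.StartsWith($prefix, [System.StringComparison]::Ordinal)) {
                [PSCustomObject]@{
                    Title          = $row.Title
                    Path           = $row.Path
                    RestrictedSite = $prefix.TrimEnd('/')
                }
                break
            }
        }
    }
}

# Constructed sample: rows as they would be collected from a search run
# while signed in as the low-privilege test account.
$sampleRows = @(
    [PSCustomObject]@{ Title = 'Team lunch menu'; Path = 'https://yourtenant.sharepoint.com/sites/Public/menu.docx' }
    [PSCustomObject]@{ Title = 'ConfidentialDoc'; Path = 'https://yourtenant.sharepoint.com/sites/SecureSite/ConfidentialDoc.pdf' }
    [PSCustomObject]@{ Title = 'Archive index';   Path = 'https://yourtenant.sharepoint.com/sites/SecureSiteArchive/index.aspx' }
)
$restricted = @('https://yourtenant.sharepoint.com/sites/SecureSite')

$violations = @(Find-TrimmingViolation -Rows $sampleRows -RestrictedSites $restricted)
if ($violations.Count -gt 0) {
    $violations | Format-Table Title, Path -AutoSize
    Write-Warning "$($violations.Count) result(s) visible to the test account under restricted sites."
} else {
    Write-Host "No restricted content returned for the test account."
}
```

In a real audit the rows would come from the test account's search results rather than the constructed sample, and a non-empty violation list can be used to fail a scheduled job.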