In SharePoint Online, organizations often collaborate with external users by granting them access to specific sites, documents, or libraries. However, security best practices require limiting external access to prevent unauthorized use of resources.
Using PnP PowerShell, administrators can:
✔ Monitor external user access
✔ Set expiration policies for external sharing
✔ Revoke expired access automatically
✔ Notify administrators of expiring permissions
This guide provides a step-by-step approach to managing expiring external user access in SharePoint Online using PnP PowerShell.
Step 1: Install & Update PnP PowerShell
Ensure PnP PowerShell is installed or updated:
Install-Module -Name PnP.PowerShell -Force -AllowClobber
If it’s already installed, update it:
Update-Module -Name PnP.PowerShell
Step 2: Connect to SharePoint Online
Connect to the SharePoint Online Admin Center URL (the tenant-level cmdlets used below require it). In PnP PowerShell 2.x the interactive login needs the ClientId of an app registration in your own tenant, because the shared PnP Management Shell app was retired in September 2024 (Register-PnPEntraIDApp creates a suitable registration):
$clientId = "your-client-id"   # app registration in your own tenant
Connect-PnPOnline -Url "https://yourtenant-admin.sharepoint.com" -ClientId $clientId -Interactive
For unattended runs (Task Scheduler, Azure Automation) use certificate-based app-only authentication. Avoid the -ClientSecret parameter: it relies on the legacy Azure ACS app-only model that Microsoft is retiring, and a plaintext secret in a script is a credential-hygiene problem. The app registration needs the SharePoint application permission Sites.FullControl.All for the tenant cmdlets below:
$clientId = "your-client-id"
$tenant = "yourtenant.onmicrosoft.com"
$thumbprint = "certificate-thumbprint"   # certificate installed in the CurrentUser or LocalMachine store
Connect-PnPOnline -Url "https://yourtenant-admin.sharepoint.com" -ClientId $clientId -Tenant $tenant -Thumbprint $thumbprint
Step 3: Check External Sharing Settings
Before managing expiration policies, verify external sharing settings:
Get-PnPTenant | Select-Object SharingCapability, RequireAnonymousLinksExpireInDays, SharingDomainRestrictionMode, SharingAllowedDomainList
This will display:
✔ SharingCapability → Whether external sharing is enabled, and at what level (Disabled, ExistingExternalUserSharingOnly, ExternalUserSharingOnly, ExternalUserAndGuestSharing)
✔ RequireAnonymousLinksExpireInDays → Expiration setting for anonymous (Anyone) links
✔ SharingDomainRestrictionMode → Whether the domain list is enforced (None, AllowList or BlockList)
✔ SharingAllowedDomainList → Allowed external domains (only enforced when the mode is AllowList)
Step 4: Enable External User Access Expiration
To enable the tenant-wide expiration policy for guest users, run:
Set-PnPTenant -ExternalUserExpirationRequired $true -ExternalUserExpireInDays 30
This setting:
✔ Expires a guest's access to a site or OneDrive 30 days after it was granted, unless a site owner renews it (owners are notified before expiry)
✔ Applies to guests added after the policy is enabled; guests who already had access are not affected
✔ Removes the guest from the site's permissions only; the guest account itself remains in Entra ID
✔ Can be customized between 30 and 730 days (e.g., 60 or 90 days)
Step 5: Check External User Expiration Policy
To confirm expiration settings:
Get-PnPTenant | Select-Object ExternalUserExpirationRequired, ExternalUserExpireInDays
✔ If ExternalUserExpirationRequired is $true, guest access to sites and OneDrives expires after ExternalUserExpireInDays days unless renewed.
✔ If it is $false, external access remains active indefinitely.
Step 6: List External Users & Projected Expiration Dates
Get-PnPExternalUser returns the tenant's external users (DisplayName, Email, InvitedBy, WhenCreated, UniqueId, and so on) but no per-user expiration date, because expiry is tracked per site membership. A projected expiry can be derived from the invitation date plus the tenant window:
$expireDays = (Get-PnPTenant).ExternalUserExpireInDays
$externalUsers = Get-PnPExternalUser -PageSize 50
$externalUsers | Select-Object DisplayName, Email, InvitedBy, WhenCreated, @{n='ProjectedExpiry'; e={ $_.WhenCreated.AddDays($expireDays) }} | Format-Table -AutoSize
✔ Lists external users, their email addresses, who invited them, the invitation date and the projected expiry.
✔ Get-PnPExternalUser returns at most 50 users per call; use -Position to page through larger tenants.
✔ The projected date is an estimate: site owners can renew access, and guests invited before the policy was enabled are not subject to it.
Step 7: Revoke Expired External User Access
The tenant policy already removes expired guests from individual sites. To go further and remove external users whose projected expiry has passed from the whole tenant:
$expireDays = (Get-PnPTenant).ExternalUserExpireInDays
$externalUsers = Get-PnPExternalUser -PageSize 50
foreach ($user in $externalUsers) {
    $projectedExpiry = $user.WhenCreated.AddDays($expireDays)
    if ($projectedExpiry -lt (Get-Date)) {
        Write-Host "Removing external user: $($user.Email) (invited $($user.WhenCreated.ToString('yyyy-MM-dd')))"
        # Remove-PnPExternalUser takes the user's UniqueId, not the e-mail address
        Remove-PnPExternalUser -UniqueIDs @($user.UniqueId)
    }
}
✔ Removes all external users whose projected access window has passed.
✔ Do not compare against a non-existent Expiration property: it evaluates to $null, the comparison is true for every user, and the loop would remove every external user it is given.
✔ Removal is tenant-wide (every site the guest could reach, including sites whose owners renewed access); the Entra ID guest object is not deleted. Review the list from Step 8 first.
Step 8: Notify Admins of Expiring Users
To produce a report of users whose projected expiry is within 7 days (run this before the removal in Step 7, so the list is complete):
$expireDays = (Get-PnPTenant).ExternalUserExpireInDays
$expiringUsers = Get-PnPExternalUser -PageSize 50 |
    Where-Object { $_.WhenCreated.AddDays($expireDays) -lt (Get-Date).AddDays(7) }
if ($expiringUsers) {
    $reportPath = "C:\Reports\ExpiringExternalUsers.csv"
    New-Item -ItemType Directory -Path (Split-Path $reportPath) -Force | Out-Null
    $expiringUsers | Select-Object DisplayName, Email, InvitedBy, WhenCreated,
        @{n='ProjectedExpiry'; e={ $_.WhenCreated.AddDays($expireDays) }} |
        Export-Csv -Path $reportPath -NoTypeInformation
    Write-Host "Expiring external users report saved at: $reportPath"
    # Optional: send an email alert (requires SMTP configuration)
}
✔ Generates a report of external users expiring within 7 days (including those already past the projected date).
✔ Admins can review the list before revoking access.
Step 9: Set Expiration on Specific Site Collections
A site collection can override the tenant window. The site-level parameter is ExternalUserExpirationInDays, and it only takes effect when the override flag is set:
Set-PnPTenantSite -Url "https://yourtenant.sharepoint.com/sites/SecureSite" -OverrideTenantExternalUserExpirationPolicy $true -ExternalUserExpirationInDays 30
✔ Guest access on this site expires after 30 days, regardless of the tenant-wide value.
✔ Set -OverrideTenantExternalUserExpirationPolicy $false to return the site to the tenant policy.
Step 10: Restrict External Sharing to Trusted Domains
To allow sharing only with specific external domains, set the allow list and switch the restriction mode to AllowList (without the mode, the list is stored but not enforced). Domains are separated by spaces, not commas:
Set-PnPTenant -SharingDomainRestrictionMode AllowList -SharingAllowedDomainList "trustedpartner.com clientcompany.com"
✔ External sharing is limited to trusted partners.
✔ Invitations to any other domain are blocked; existing guests from other domains keep access until it expires or is removed.
Step 11: Automate External User Expiration Management
To schedule the cleanup, save the script as "ManageExternalAccess.ps1" and schedule it in Task Scheduler. A scheduled task cannot complete an -Interactive login, so the script must connect with the certificate-based app-only values from Step 2:
# Unattended runs need app-only (certificate) auth; -Interactive cannot be scheduled
Connect-PnPOnline -Url "https://yourtenant-admin.sharepoint.com" -ClientId $clientId -Tenant $tenant -Thumbprint $thumbprint
if (-not (Get-PnPTenant).ExternalUserExpirationRequired) {
    Set-PnPTenant -ExternalUserExpirationRequired $true -ExternalUserExpireInDays 30
}
$expireDays = (Get-PnPTenant).ExternalUserExpireInDays
$expiredUsers = Get-PnPExternalUser -PageSize 50 |
    Where-Object { $_.WhenCreated.AddDays($expireDays) -lt (Get-Date) }
foreach ($user in $expiredUsers) {
    Remove-PnPExternalUser -UniqueIDs @($user.UniqueId)
}
Disconnect-PnPOnline
✔ Ensures the tenant expiration policy stays enabled and removes external users past their projected window.
✔ Runs unattended via Windows Task Scheduler or Azure Automation (in Azure Automation, Connect-PnPOnline -ManagedIdentity avoids handling a certificate at all).
✔ Run the account that owns the task with least privilege: the app registration, not a global administrator's credentials.
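The steps above, combined into one scheduled script. This is an added example, not code from the original post: it pages through all external users (Get-PnPExternalUser returns at most 50 per call), projects each user's expiry from WhenCreated plus the tenant window, writes the report, and only removes users when the -Remove switch is passed, so a misconfiguration cannot wipe the tenant's guest list. The admin URL, ClientId, tenant domain, thumbprint and report path are placeholders to replace for your tenant.

```powershell
#Requires -Modules PnP.PowerShell
<#
  Added example (not from the original post). Assumptions: the admin URL, the
  app registration's ClientId, the tenant domain and the certificate thumbprint
  below are placeholders; the certificate is installed in the local user store
  and the app has the SharePoint application permission Sites.FullControl.All.
  Removal is a dry run unless -Remove is passed.
#>
param(
    [string]$AdminUrl   = "https://yourtenant-admin.sharepoint.com",
    [string]$ClientId   = "00000000-0000-0000-0000-000000000000",            # placeholder
    [string]$Tenant     = "yourtenant.onmicrosoft.com",                      # placeholder
    [string]$Thumbprint = "0000000000000000000000000000000000000000",        # placeholder
    [int]$WarnDays      = 7,
    [string]$ReportPath = "C:\Reports\ExpiringExternalUsers.csv",
    [switch]$Remove
)

# Certificate-based app-only auth works unattended; -Interactive does not.
Connect-PnPOnline -Url $AdminUrl -ClientId $ClientId -Tenant $Tenant -Thumbprint $Thumbprint

# Make sure the tenant policy is on, then read the window it enforces.
$settings = Get-PnPTenant
if (-not $settings.ExternalUserExpirationRequired) {
    Set-PnPTenant -ExternalUserExpirationRequired $true -ExternalUserExpireInDays 30
    $settings = Get-PnPTenant
}
$expireDays = $settings.ExternalUserExpireInDays

# Page through every external user; each call returns at most 50.
$allExternal = @()
$position = 0
do {
    $page = @(Get-PnPExternalUser -Position $position -PageSize 50)
    $allExternal += $page
    $position += $page.Count
} while ($page.Count -eq 50)

# The ExternalUser object carries no expiry date, so project one from the
# invitation date plus the tenant window. Owners can renew, so this is an estimate.
$now = Get-Date
$review = foreach ($u in $allExternal) {
    $projected = $u.WhenCreated.AddDays($expireDays)
    [pscustomobject]@{
        DisplayName     = $u.DisplayName
        Email           = $u.Email
        InvitedBy       = $u.InvitedBy
        WhenCreated     = $u.WhenCreated
        ProjectedExpiry = $projected
        DaysLeft        = [math]::Floor(($projected - $now).TotalDays)
        UniqueId        = $u.UniqueId
    }
}

# Report everyone already past, or within $WarnDays of, the projected expiry.
$expiring = @($review | Where-Object { $_.DaysLeft -le $WarnDays } | Sort-Object DaysLeft)
if ($expiring.Count -gt 0) {
    New-Item -ItemType Directory -Path (Split-Path -Parent $ReportPath) -Force | Out-Null
    $expiring | Export-Csv -Path $ReportPath -NoTypeInformation
}
Write-Host "$($expiring.Count) of $($allExternal.Count) external users within $WarnDays days of expiry; report: $ReportPath"

# Removal is tenant-wide (every site), so it stays a dry run unless -Remove is given.
foreach ($u in ($expiring | Where-Object { $_.DaysLeft -lt 0 })) {
    $when = $u.ProjectedExpiry.ToString('yyyy-MM-dd')
    if ($Remove) {
        Write-Host "Removing $($u.Email) (projected expiry $when)"
        Remove-PnPExternalUser -UniqueIDs @($u.UniqueId)
    } else {
        Write-Host "[DryRun] would remove $($u.Email) (projected expiry $when)"
    }
}

Disconnect-PnPOnline
```

Run it once without -Remove and read the CSV before scheduling it with -Remove; a guest whose projected date has passed may still hold access that a site owner deliberately renewed. In Azure Automation, replace the certificate parameters with Connect-PnPOnline -Url $AdminUrl -ManagedIdentity and grant the managed identity the same SharePoint application permission.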