Managing external users in SharePoint Online is crucial for collaboration while maintaining security. External users are guests who are granted access to SharePoint sites, documents, or lists. PnP PowerShell allows administrators to manage these users efficiently—adding, listing, removing, or restricting their access.
Step 1: Install & Update PnP PowerShell
Before managing external users, install PnP PowerShell from the PowerShell Gallery. Versions 2.0 and later require PowerShell 7 (not Windows PowerShell 5.1):
Install-Module -Name PnP.PowerShell -Force -AllowClobber
To update an existing module:
Update-Module -Name PnP.PowerShell
Step 2: Connect to SharePoint Online
Tenant-level cmdlets (Get-PnPTenantSite, Set-PnPSite, Get-PnPExternalUser) need a connection to the admin center; site-level cmdlets (Get-PnPUser, Add-PnPUserToGroup, Remove-PnPUser) act on whichever site you connected to, so connect to that site's URL before running them. Current releases no longer ship a shared app registration, so -Interactive needs the client ID of your own Entra ID app registration (Register-PnPEntraIDApp creates one):
Connect-PnPOnline -Url "https://yourtenant-admin.sharepoint.com" -ClientId "your-client-id" -Interactive
For unattended scripts, use app-only authentication. The client-secret form below is the legacy ACS (SharePoint app-only) model, which Microsoft is retiring; it also issues a SharePoint-only token, so the Entra ID / Graph calls in Steps 8 and 9 will not work over it:
$clientId = "your-client-id"
$clientSecret = "your-client-secret"
Connect-PnPOnline -Url "https://yourtenant-admin.sharepoint.com" -ClientId $clientId -ClientSecret $clientSecret
The supported alternative is certificate-based authentication against your own Entra app registration (-Tenant "yourtenant.onmicrosoft.com" with -CertificatePath or -Thumbprint), which also carries whatever Graph permissions you grant the app.
Step 3: List All External Users in SharePoint Online
Get-PnPUser reads the user information list of the site you are connected to (it has no -Site parameter), so connect to the site first and then filter on the guest claims suffix:
Connect-PnPOnline -Url "https://yourtenant.sharepoint.com/sites/YourSite" -ClientId "your-client-id" -Interactive
Get-PnPUser | Where-Object { $_.LoginName -like "*#ext#*" } | Select-Object Title, Email, LoginName
Guest login names take the form i:0#.f|membership|guestuser_example.com#ext#@yourtenant.onmicrosoft.com, and -like is case-insensitive, so the #ext# suffix (written #EXT# in some places) identifies them. This only covers guests who already have an entry on that site; the tenant-wide invitation list, including invitations not yet accepted, comes from Get-PnPExternalUser (optionally -SiteUrl) over an admin-center connection.
Step 4: Add an External User to a SharePoint Site
To invite an external user, add their email address to a site group with -SendEmail, which sends the sharing invitation (the site's sharing setting from Step 6 must allow new guests). Prefer the read-only Visitors group unless the guest actually needs to edit:
Connect-PnPOnline -Url "https://yourtenant.sharepoint.com/sites/YourSite" -ClientId "your-client-id" -Interactive
Add-PnPUserToGroup -EmailAddress "guestuser@example.com" -Group "YourSite Visitors" -SendEmail
New-PnPUser only ensures an entry in the site's user information list for an account that already exists in the directory; it sends no invitation and grants no permissions by itself:
New-PnPUser -LoginName "guestuser@example.com"
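As an added example (not code from the original post), here is the invitation done end to end: check that the site permits new guests, invite into the read-only Visitors group, then verify. The admin and site URLs, the guest address and the client ID are placeholders you must replace.

```powershell
# Added example, not from the original post. Invites one guest into a site's
# read-only Visitors group after confirming the site allows new guests, then
# verifies the result. Placeholders: admin/site URLs, guest address, client ID.
$adminUrl = "https://yourtenant-admin.sharepoint.com"
$siteUrl  = "https://yourtenant.sharepoint.com/sites/YourSite"
$guest    = "guestuser@example.com"
$clientId = "00000000-0000-0000-0000-000000000000"   # assumption: your own Entra app registration

# Tenant-level properties of the site come from the admin center; keep that
# connection in a variable so the site connection can remain the default one.
$admin = Connect-PnPOnline -Url $adminUrl -ClientId $clientId -Interactive -ReturnConnection
$props = Get-PnPTenantSite -Identity $siteUrl -Connection $admin
if ([string]$props.SharingCapability -in @('Disabled', 'ExistingExternalUserSharingOnly')) {
    throw "Site sharing is '$($props.SharingCapability)'; a new guest cannot be invited. Adjust it with Set-PnPSite first."
}

Connect-PnPOnline -Url $siteUrl -ClientId $clientId -Interactive

# Least privilege: the associated Visitors group is read-only. Resolving it instead of
# hard-coding "YourSite Visitors" survives renamed or localised group names.
$visitors = Get-PnPGroup -AssociatedVisitorGroup

# -EmailAddress with -SendEmail sends the sharing invitation; -LoginName only works
# once the guest already exists in the tenant directory.
Add-PnPUserToGroup -EmailAddress $guest -Group $visitors -SendEmail `
    -EmailBody "You have been granted read-only access to $siteUrl"

# Verify. A brand-new guest shows up in the site's user list only after redeeming
# the invitation, so "not found yet" is the expected result on the first run.
$entry = Get-PnPUser | Where-Object { $_.Email -eq $guest -and $_.LoginName -like '*#ext#*' }
if ($entry) {
    "Guest present on $siteUrl as $($entry.LoginName)"
} else {
    Write-Warning "Guest not in the site user list yet; re-check after the invitation is accepted."
}
```

The pre-check matters because a site whose capability is Disabled or ExistingExternalUserSharingOnly will reject the invitation; surfacing that up front is clearer than a generic sharing error from Add-PnPUserToGroup.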
Step 5: Remove an External User from a SharePoint Site
To remove an external user from the site you are connected to (Remove-PnPUser takes -Identity rather than -LoginName or -Site; piping the user object avoids spelling out the claims login name):
Connect-PnPOnline -Url "https://yourtenant.sharepoint.com/sites/YourSite" -ClientId "your-client-id" -Interactive
Get-PnPUser | Where-Object { $_.Email -eq "guestuser@example.com" } | Remove-PnPUser -Force
To remove all external users from a site:
$externalUsers = Get-PnPUser | Where-Object { $_.LoginName -like "*#ext#*" }
foreach ($user in $externalUsers) {
    Remove-PnPUser -Identity $user -Force
    Write-Host "Removed $($user.LoginName)"
}
This deletes the user's entry, and with it their direct permissions and group memberships, in that site collection only. The guest account remains in Entra ID (see Step 8), and anonymous "Anyone" links are not tied to a user entry, so they stay valid.
Step 6: Restrict External Sharing in SharePoint Online
To restrict external sharing on a single site (Set-PnPSite needs an admin-center connection and SharePoint admin rights):
Set-PnPSite -Identity "https://yourtenant.sharepoint.com/sites/YourSite" -SharingCapability Disabled
The valid SharingCapability values, from most to least restrictive:
Disabled → no external sharing from this site
ExistingExternalUserSharingOnly → only guests already in the directory can be given access
ExternalUserSharingOnly → new and existing guests can be invited; they must sign in or verify a one-time code
ExternalUserAndGuestSharing → guests plus anonymous "Anyone with the link" access
The tenant-wide setting (Get-PnPTenant, Set-PnPTenant -SharingCapability) is a ceiling: a site can be stricter than the tenant but never more permissive, so a site value above the tenant value has no effect.
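Because the site setting can drift away from policy one site at a time, it is worth checking all sites against the value you intend to enforce. The following is an added example, not from the original post: it ranks the four capability values, lists every site more permissive than a chosen maximum, and tightens them when dry-run mode is switched off. The admin URL, client ID and $maxAllowed are assumptions.

```powershell
# Added example, not from the original post. Finds sites whose SharingCapability
# is more permissive than $maxAllowed and optionally tightens them.
# Placeholders: admin URL, client ID; $maxAllowed is a policy assumption.
$adminUrl   = "https://yourtenant-admin.sharepoint.com"
$clientId   = "00000000-0000-0000-0000-000000000000"   # assumption: your own app registration
$maxAllowed = 'ExternalUserSharingOnly'                # assumption: guests allowed, anonymous links not
$dryRun     = $true                                    # report only; set $false to enforce

# Ordered from most to least restrictive, so a higher index means more permissive.
$order = @('Disabled', 'ExistingExternalUserSharingOnly', 'ExternalUserSharingOnly', 'ExternalUserAndGuestSharing')
$limit = $order.IndexOf($maxAllowed)
if ($limit -lt 0) { throw "Unknown SharingCapability '$maxAllowed'" }

Connect-PnPOnline -Url $adminUrl -ClientId $clientId -Interactive

# The tenant value caps every site; if it is already at or below the limit no site can exceed it.
$tenantCap = [string](Get-PnPTenant).SharingCapability
"Tenant ceiling: $tenantCap"

$drift = @(Get-PnPTenantSite | Where-Object {
    $order.IndexOf([string]$_.SharingCapability) -gt $limit
} | Select-Object Url, Template, SharingCapability)

if ($drift.Count -eq 0) {
    "No site is more permissive than $maxAllowed."
} else {
    $drift | Format-Table -AutoSize
    foreach ($s in $drift) {
        if ($dryRun) {
            "Would set $($s.Url) from $($s.SharingCapability) to $maxAllowed"
        } else {
            Set-PnPSite -Identity $s.Url -SharingCapability $maxAllowed
            "Set $($s.Url) to $maxAllowed"
        }
    }
}
```

Run it with $dryRun left at $true first; the list it prints is also a useful artefact for a periodic access review.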
Step 7: Audit External Users in SharePoint Online
To generate a CSV report of the external users on one site (connect to that site first; Get-PnPUser has no -Site parameter):
$siteUrl = "https://yourtenant.sharepoint.com/sites/YourSite"
$reportPath = "C:\Reports\ExternalUsersReport.csv"
Connect-PnPOnline -Url $siteUrl -ClientId "your-client-id" -Interactive
$externalUsers = Get-PnPUser | Where-Object { $_.LoginName -like "*#ext#*" } | Select-Object Title, Email, LoginName
New-Item -ItemType Directory -Path (Split-Path $reportPath) -Force | Out-Null
$externalUsers | Export-Csv -Path $reportPath -NoTypeInformation
Write-Host "External Users Report generated at: $reportPath"
This report can be used for auditing and security reviews. For a tenant-wide view, including invitations that have not been accepted, use Get-PnPExternalUser over an admin-center connection.
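The per-site listing in Step 3 and the CSV in this step both rely on the site's own user list. For a tenant-wide inventory, Get-PnPExternalUser over an admin-center connection is the better source, but it returns at most 50 rows per call and must be paged with -Position. The script below is an added example, not from the original post, covering both uses: leave $siteUrl empty for the whole tenant or set it to scope the query to one site. Admin URL, client ID and report path are placeholders.

```powershell
# Added example, not from the original post. Tenant-wide (or per-site) external
# user inventory via Get-PnPExternalUser, paged 50 at a time, exported to CSV.
# Placeholders: admin URL, client ID, report path, optional site URL.
$adminUrl   = "https://yourtenant-admin.sharepoint.com"
$clientId   = "00000000-0000-0000-0000-000000000000"   # assumption: your own app registration
$reportPath = "C:\Reports\ExternalUsersTenant.csv"
$siteUrl    = ""                                        # e.g. "https://yourtenant.sharepoint.com/sites/YourSite", or "" for all

Connect-PnPOnline -Url $adminUrl -ClientId $clientId -Interactive

# Optional site scoping via splatting so the same loop serves both cases.
$scope = @{}
if ($siteUrl) { $scope.SiteUrl = $siteUrl }

$pageSize = 50                     # the cmdlet's maximum page size
$position = 0                      # zero-based index of the first row to return
$all = [System.Collections.Generic.List[object]]::new()
do {
    $page = @(Get-PnPExternalUser -PageSize $pageSize -Position $position @scope)
    foreach ($u in $page) {
        $all.Add([pscustomobject]@{
            DisplayName = $u.DisplayName
            InvitedAs   = $u.InvitedAs                    # address the invitation was sent to
            AcceptedAs  = $u.AcceptedAs                   # identity that actually redeemed it
            Mismatch    = ($u.InvitedAs -ne $u.AcceptedAs) # redeemed by a different account: review
            InvitedBy   = $u.InvitedBy
            WhenCreated = $u.WhenCreated
        })
    }
    $position += $page.Count
} while ($page.Count -eq $pageSize)   # a short page means the last one

New-Item -ItemType Directory -Path (Split-Path $reportPath) -Force | Out-Null
$all | Sort-Object WhenCreated | Export-Csv -Path $reportPath -NoTypeInformation
"$($all.Count) external users written to $reportPath"

# Invitations redeemed by an account other than the one invited are the rows
# a reviewer should look at first.
$all | Where-Object Mismatch | Format-Table DisplayName, InvitedAs, AcceptedAs, InvitedBy
```

Get-PnPExternalUser only knows about guests invited through SharePoint and OneDrive sharing; guests added directly in Entra ID or through Teams appear in the site user lists of Step 3 but not here, so the two views complement each other.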
Step 8: Block Specific External Users
There is no PnP cmdlet that "blocks" a guest for one site. Blocking means disabling the guest account's sign-in in Entra ID and revoking its existing sessions, which affects every site and service that guest uses, not just this one (to take access away from a single site, use Remove-PnPUser from Step 5). The calls below go through Microsoft Graph, so the connection must be an Entra app registration with the User.Read.All, User.EnableDisableAccount.All (or User.ReadWrite.All) and User.RevokeSessions.All permissions; an ACS client-secret connection cannot do this.
$graph = "https://graph.microsoft.com/v1.0"
function Disable-GuestSignIn {
    param([string]$Mail)
    # Graph addresses the guest by directory object, not by the SharePoint claims login name
    $guest = (Invoke-PnPGraphMethod -Url "$graph/users?`$filter=mail eq '$Mail'").value | Select-Object -First 1
    if (-not $guest) { Write-Warning "No directory user with mail $Mail"; return }
    Invoke-PnPGraphMethod -Url "$graph/users/$($guest.id)" -Method Patch -Content @{ accountEnabled = $false }
    Invoke-PnPGraphMethod -Url "$graph/users/$($guest.id)/revokeSignInSessions" -Method Post
}
Disable-GuestSignIn -Mail "guestuser@example.com"
To block every external user who has an entry on a site:
Connect-PnPOnline -Url "https://yourtenant.sharepoint.com/sites/YourSite" -ClientId "your-client-id" -Interactive
Get-PnPUser | Where-Object { $_.LoginName -like "*#ext#*" -and $_.Email } | ForEach-Object { Disable-GuestSignIn -Mail $_.Email }
Disabling keeps the account and its audit trail; to delete the guest from the directory instead, use Remove-PnPAzureADUser -Identity with the guest's object ID.
Step 9: Automate External User Cleanup with PowerShell
To remove external users who have not been active for a set period, schedule the following script. Sign-in activity is read from Entra ID through Graph (the signInActivity property needs the AuditLog.Read.All permission and an Entra ID P1 or P2 license), so the connection must be an Entra app registration rather than an ACS client secret:
$siteUrl = "https://yourtenant.sharepoint.com/sites/YourSite"
$inactiveDays = 90
$cutoffDate = (Get-Date).AddDays(-$inactiveDays)
$dryRun = $true   # report only; set to $false to remove
$graph = "https://graph.microsoft.com/v1.0"
Connect-PnPOnline -Url $siteUrl -ClientId "your-client-id" -Interactive
$externalUsers = Get-PnPUser | Where-Object { $_.LoginName -like "*#ext#*" -and $_.Email }
foreach ($user in $externalUsers) {
    # Resolve the directory object by mail; signInActivity has to be read by object ID
    $id = ((Invoke-PnPGraphMethod -Url "$graph/users?`$filter=mail eq '$($user.Email)'&`$select=id").value | Select-Object -First 1).id
    if (-not $id) { Write-Warning "No directory object for $($user.Email); skipping"; continue }
    $g = Invoke-PnPGraphMethod -Url "$graph/users/$($id)?`$select=createdDateTime,signInActivity"
    # Count interactive and non-interactive sign-ins; a guest who never signed in has no signInActivity,
    # so fall back to the account creation date rather than purging a fresh invitation
    $dates = @($g.signInActivity.lastSignInDateTime, $g.signInActivity.lastNonInteractiveSignInDateTime, $g.createdDateTime) | Where-Object { $_ }
    $lastActivity = $dates | ForEach-Object { [datetime]$_ } | Sort-Object -Descending | Select-Object -First 1
    if ($lastActivity -lt $cutoffDate) {
        if ($dryRun) { Write-Host "Would remove $($user.Email) (last activity $lastActivity)"; continue }
        Remove-PnPUser -Identity $user -Force
        Write-Host "Removed inactive external user: $($user.Email)"
    }
}
This script:
✔ Resolves each guest's most recent interactive or non-interactive sign-in from Entra ID
✔ Removes site entries inactive for 90+ days, judging never-signed-in guests by their invitation date
✔ Runs in dry-run mode first; the guest account itself stays in Entra ID unless you also disable or delete it (Step 8)
Step 10: Monitor External Users & Send Email Alerts
The fragment below only sends a fixed notification; detecting that new external users were added means comparing the current guest list with a snapshot from the previous run. Note also that Microsoft marks Send-MailMessage as obsolete:
$adminEmail = "admin@yourdomain.com"
$subject = "New External Users Added to SharePoint"
$body = "External users have been added to SharePoint. Please review the access."
Send-MailMessage -To $adminEmail -From "noreply@yourdomain.com" -Subject $subject -Body $body -Sm
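The script below is an added example, not from the original post. It keeps a JSON baseline of a site's guests, mails only when new guests have appeared, and sends the mail through Microsoft Graph (Invoke-PnPGraphMethod against /me/sendMail) instead of the obsolete Send-MailMessage. That call needs the delegated Mail.Send permission on the app registration used for the interactive sign-in; under certificate-based app-only auth you would post to /users/{sender}/sendMail with the application Mail.Send permission instead. Site URL, client ID, baseline path and recipient are placeholders.

```powershell
# Added example, not from the original post. Diffs a site's current guests against
# a stored baseline and mails the newly added ones via Microsoft Graph.
# Placeholders: site URL, client ID, baseline path, recipient address.
$siteUrl      = "https://yourtenant.sharepoint.com/sites/YourSite"
$clientId     = "00000000-0000-0000-0000-000000000000"   # assumption: your own app registration
$baselinePath = "C:\Reports\ExternalUsers.baseline.json"
$adminEmail   = "admin@yourdomain.com"
$graph        = "https://graph.microsoft.com/v1.0"

Connect-PnPOnline -Url $siteUrl -ClientId $clientId -Interactive

# Current guests, keyed by login name (stable across display-name changes).
$current = @{}
Get-PnPUser | Where-Object { $_.LoginName -like '*#ext#*' } | ForEach-Object {
    $current[$_.LoginName] = [pscustomobject]@{ Title = $_.Title; Email = $_.Email; LoginName = $_.LoginName }
}

# Previous run's snapshot; empty on the first run, so everything counts as new once.
$baseline = @{}
if (Test-Path $baselinePath) {
    foreach ($u in (Get-Content $baselinePath -Raw | ConvertFrom-Json)) { $baseline[$u.LoginName] = $u }
}

$added   = @($current.Keys  | Where-Object { -not $baseline.ContainsKey($_) } | ForEach-Object { $current[$_] })
$removed = @($baseline.Keys | Where-Object { -not $current.ContainsKey($_) }  | ForEach-Object { $baseline[$_] })

if ($added.Count -gt 0) {
    $lines = $added | ForEach-Object { " - $($_.Title) <$($_.Email)> ($($_.LoginName))" }
    $body  = "New external users on $siteUrl since the last check:`n" + ($lines -join "`n") +
             "`n`nGuests removed since the last check: $($removed.Count)"
    $mail = @{
        message = @{
            subject      = "New External Users Added to SharePoint"
            body         = @{ contentType = 'Text'; content = $body }
            toRecipients = @(@{ emailAddress = @{ address = $adminEmail } })
        }
        saveToSentItems = $true
    }
    Invoke-PnPGraphMethod -Url "$graph/me/sendMail" -Method Post -Content $mail
    "Alert sent for $($added.Count) new guest(s)."
} else {
    "No new external users on $siteUrl."
}

# Persist the current list as the next baseline only after the alert has gone out,
# so a failed send is retried on the next run rather than silently lost.
New-Item -ItemType Directory -Path (Split-Path $baselinePath) -Force | Out-Null
@($current.Values) | ConvertTo-Json -Depth 3 -AsArray | Set-Content -Path $baselinePath
```

Schedule it at the cadence your review process needs; the baseline file is the only state it keeps, so protect it like any other audit artefact, since an attacker who can edit it can hide an added guest from the next alert.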