Guest users in SharePoint Online are external users who have been granted access to sites, files, or folders. Over time, guest access may become unnecessary or pose a security risk if not managed properly. Automating the removal of expired guest users using PnP PowerShell helps maintain security and compliance.
Key Objectives:
✔ Identify expired guest users in SharePoint Online
✔ Remove guest user access from SharePoint and OneDrive
✔ Automate the guest access review process
Step 1: Install and Update PnP PowerShell
Ensure you have the latest version of PnP PowerShell installed:
Install-Module -Name PnP.PowerShell -Force -AllowClobber
Update-Module -Name PnP.PowerShell
Step 2: Connect to SharePoint Online
Establish a connection to SharePoint Online Admin Center using:
Connect-PnPOnline -Url "https://yourtenant-admin.sharepoint.com" -Interactive
Alternatively, use app-based authentication:
$clientId = "your-client-id"
$clientSecret = "your-client-secret"
# Client-secret (ACS) app-only auth takes -Url, -ClientId and -ClientSecret; -Tenant belongs to the certificate-based parameter set and cannot be combined with -ClientSecret.
Connect-PnPOnline -Url "https://yourtenant-admin.sharepoint.com" -ClientId $clientId -ClientSecret $clientSecret
✔ Ensures a secure connection before managing guest users.
Step 3: Identify Expired Guest Users
To list all guest users in the Azure AD tenant behind your SharePoint environment:
Connect-AzureAD   # the AzureAD module needs its own connection before Get-AzureADUser will work
$guestUsers = Get-AzureADUser -Filter "UserType eq 'Guest'" -All $true   # -All avoids the default 100-result page
$guestUsers | Select-Object DisplayName, UserPrincipalName, CreatedDateTime
✔ Retrieves all guest users and their creation date.
To filter guest users older than 90 days (expired users):
$thresholdDate = (Get-Date).AddDays(-90)
$expiredGuests = $guestUsers | Where-Object { $_.CreatedDateTime -lt $thresholdDate }
$expiredGuests | Select-Object DisplayName, UserPrincipalName
✔ Identifies guest accounts created more than 90 days ago. Note that this uses account age, not last sign-in or last activity, as the expiry criterion.
Step 4: Remove Expired Guest Users from SharePoint
To remove expired guest users from SharePoint Online:
foreach ($user in $expiredGuests) {
    # Remove-PnPUser takes -Identity (an ID, login name or user object) and removes the user from the
    # user information list of the site the current connection points at, so run it against each site
    # collection where the guest was added, not the admin URL. Guest login names use the claims form
    # i:0#.f|membership|<upn>; pass that if a bare UPN is not resolved.
    Remove-PnPUser -Identity $user.UserPrincipalName -Force
    Write-Host "Removed expired guest user: $($user.UserPrincipalName)"
}
✔ Ensures expired guest users are removed from the connected site's user list.
Step 5: Remove Expired Guest Users from Azure AD
To remove expired guest accounts from Azure AD:
foreach ($user in $expiredGuests) {
    # Deleted accounts are soft-deleted for 30 days and can be restored from the Azure AD recycle bin
    Remove-AzureADUser -ObjectId $user.ObjectId -Confirm:$false
    Write-Host "Deleted guest user from Azure AD: $($user.UserPrincipalName)"
}
✔ Ensures guest accounts are completely deleted from your tenant.
Step 6: Remove Guest Access from OneDrive
To remove expired guest access from OneDrive:
# -IncludeOneDriveSites returns personal (OneDrive) sites alongside team sites; the filter keeps only the personal-site URLs
$oneDriveSites = Get-PnPTenantSite -IncludeOneDriveSites -Filter "Url -like '-my.sharepoint.com/personal/'"
# SharePoint login names end with the guest's UPN after the last '|'; compare case-insensitively against the expired set from Step 3
$expiredUpns = $expiredGuests.UserPrincipalName | ForEach-Object { $_.ToLowerInvariant() }
foreach ($site in $oneDriveSites) {
    # -Interactive prompts once per site; app-only authentication is preferable for unattended runs
    Connect-PnPOnline -Url $site.Url -Interactive
    # External (guest) users carry #ext# in their SharePoint login name
    Get-PnPUser | Where-Object { $_.LoginName -like "*#ext#*" -and $expiredUpns -contains ($_.LoginName -split '\|')[-1].ToLowerInvariant() } | ForEach-Object {
        Remove-PnPUser -Identity $_.Id -Force
        Write-Host "Removed guest access from OneDrive: $($site.Url) ($($_.LoginName))"
    }
}
✔ Ensures guests lose access to shared files and folders.
Step 7: Automate Guest Access Reviews
To send a report of removed guest users to admins:
$reportPath = "C:\Reports\ExpiredGuestUsers.csv"
New-Item -ItemType Directory -Path (Split-Path $reportPath) -Force | Out-Null   # Export-Csv does not create a missing folder
$expiredGuests | Select-Object DisplayName, UserPrincipalName, CreatedDateTime | Export-Csv -Path $reportPath -NoTypeInformation
# Send-MailMessage is marked obsolete in newer PowerShell versions but still works against an internal SMTP relay
Send-MailMessage -To "admin@yourdomain.com" -From "noreply@yourdomain.com" -Subject "Guest User Removal Report" -Body "Attached is the report of removed guest users." -Attachments $reportPath -SmtpServer "smtp.yourdomain.com"
✔ Keeps admin teams informed about guest access removals.
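The steps above can be combined into one unattended review script. The following is an added example and not code from the original post: it builds the expired-guest set from the directory once, walks every site collection (OneDrive included), removes only guests that appear in that set from each site's user list, and writes an audit CSV; a -DryRun switch reports what would be removed without touching anything, which is the mode to run first. It assumes a certificate-based app registration with Sites.FullControl.All (SharePoint) and User.Read.All (Microsoft Graph), the PnP.PowerShell and Microsoft.Graph.Users modules, and the placeholder tenant, client ID and thumbprint values shown. It uses Get-MgUser (the Graph PowerShell SDK, the supported replacement for the AzureAD module the post uses) and the PnP cmdlets Get-PnPTenantSite, Get-PnPUser and Remove-PnPUser; the guest login-name matching on the UPN after the last '|' is the author's own approach.

```powershell
<#
  Added example (not from the original post): age-based guest clean-up with a dry-run mode and an
  audit CSV. Assumptions: certificate-based app-only auth with Sites.FullControl.All and User.Read.All,
  the PnP.PowerShell and Microsoft.Graph.Users modules, and the placeholder values below.
#>
param(
    [int]$MaxAgeDays = 90,                                   # same 90-day threshold the post uses
    [switch]$DryRun,                                         # report what would be removed, touch nothing
    [string]$ReportPath = "C:\Reports\ExpiredGuestUsers.csv"
)

$tenant     = "yourtenant.onmicrosoft.com"                   # placeholder
$adminUrl   = "https://yourtenant-admin.sharepoint.com"      # placeholder
$clientId   = "your-client-id"                               # placeholder
$thumbprint = "your-certificate-thumbprint"                  # placeholder

# 1. Build a lookup of expired guests from the directory (lower-cased UPN -> creation date).
Connect-MgGraph -ClientId $clientId -TenantId $tenant -CertificateThumbprint $thumbprint -NoWelcome
$threshold = (Get-Date).AddDays(-$MaxAgeDays)
$expired   = @{}
Get-MgUser -Filter "userType eq 'Guest'" -All -Property Id,DisplayName,UserPrincipalName,CreatedDateTime |
    Where-Object { $_.CreatedDateTime -and $_.CreatedDateTime -lt $threshold } |
    ForEach-Object { $expired[$_.UserPrincipalName.ToLowerInvariant()] = $_.CreatedDateTime }
Write-Host "Guests older than $MaxAgeDays days: $($expired.Count)"

# 2. Walk every site collection, including OneDrive, and remove matching guests from each site user list.
$results   = [System.Collections.Generic.List[object]]::new()
$adminConn = Connect-PnPOnline -Url $adminUrl -ClientId $clientId -Tenant $tenant -Thumbprint $thumbprint -ReturnConnection
$sites     = Get-PnPTenantSite -IncludeOneDriveSites -Connection $adminConn

foreach ($site in $sites) {
    try {
        $conn      = Connect-PnPOnline -Url $site.Url -ClientId $clientId -Tenant $tenant -Thumbprint $thumbprint -ReturnConnection
        $siteUsers = Get-PnPUser -Connection $conn
    } catch {
        # Locked or read-only sites are recorded rather than skipped silently, so the review stays complete.
        $results.Add([pscustomobject]@{ Site = $site.Url; LoginName = ''; Created = ''; Action = "error: $($_.Exception.Message)" })
        continue
    }
    foreach ($u in $siteUsers) {
        # SharePoint stores guests as i:0#.f|membership|<upn>; the UPN after the last '|' matches the directory object.
        if ($u.LoginName -notlike '*#ext#*') { continue }
        $upn = ($u.LoginName -split '\|')[-1].ToLowerInvariant()
        if (-not $expired.ContainsKey($upn)) { continue }
        $action = 'would-remove'
        if (-not $DryRun) {
            Remove-PnPUser -Identity $u.Id -Force -Connection $conn
            $action = 'removed'
        }
        $results.Add([pscustomobject]@{ Site = $site.Url; LoginName = $u.LoginName; Created = $expired[$upn]; Action = $action })
    }
}

# 3. Write the audit trail; the CSV is the evidence for the access review whether or not anything was removed.
New-Item -ItemType Directory -Path (Split-Path $ReportPath) -Force | Out-Null
$results | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "$($results.Count) entries written to $ReportPath (DryRun=$DryRun)"
```

Run it first as `.\Remove-ExpiredGuests.ps1 -DryRun` and review the CSV; the Action column distinguishes would-remove, removed and per-site errors, so a reviewer can see exactly which sites the script could not reach. The per-site connection is needed because Remove-PnPUser only acts on the site its connection points at; directory deletion (the post's Step 5) is deliberately left out so the directory account survives until the site-level review has been confirmed.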