In SharePoint Online, restricting access to a site ensures that only authorized users can view or modify its content. PnP PowerShell provides efficient commands to manage site permissions and restrict access.
This guide covers:
✔️ Removing users from a SharePoint site
✔️ Breaking permission inheritance
✔️ Restricting external sharing
✔️ Blocking site access
Prerequisites
Before proceeding, ensure:
PnP PowerShell is installed
You have SharePoint Admin or Global Admin rights
You have the site URL you want to restrict
Step 1: Install and Import PnP PowerShell
If you haven’t installed PnP PowerShell, run:
Install-Module -Name PnP.PowerShell -Scope CurrentUser -AllowClobber -Force
Then, import the module:
Import-Module PnP.PowerShell
PnP PowerShell is ready!
Step 2: Connect to SharePoint Online
Use the following command to connect to your SharePoint Online site:
Connect-PnPOnline -Url "https://yourtenant.sharepoint.com/sites/yoursite" -Interactive
🔹 Replace "yourtenant" with your SharePoint tenant name
🔹 Replace "yoursite" with your actual site name
Connected successfully!
Step 3: Remove Users from the SharePoint Site
To remove a specific user from a site:
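# Define variables
$userEmail = "user@domain.com"
# Remove user from the site
# Remove-PnPUser takes -Identity (user ID, login name, or user object);
# member accounts use the claims-encoded login name built here
Remove-PnPUser -Identity "i:0#.f|membership|$userEmail"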
🔹 If you want to remove multiple users, create a list:
$users = @("user1@domain.com", "user2@domain.com")
foreach ($user in $users) {
    # -Identity expects the claims-encoded login name for member accounts
    Remove-PnPUser -Identity "i:0#.f|membership|$user"
}
Users removed successfully!
Step 4: Restrict Access by Breaking Permission Inheritance
By default, SharePoint sites inherit permissions from the tenant. To restrict access, break inheritance:
# Break inheritance on the "Documents" library without copying the existing permissions
Set-PnPList -Identity "Documents" -BreakRoleInheritance
🔹 This removes all existing permissions, so only admins can reassign access.
Permissions inheritance removed!
Step 5: Restrict External Sharing on the Site
To disable external sharing, use:
Set-PnPTenantSite -Url "https://yourtenant.sharepoint.com/sites/yoursite" -SharingCapability Disabled
🔹 Other options:
ExistingExternalUserSharingOnly → Only previously invited external users
ExternalUserSharingOnly → Any external users with an invitation
ExternalUserAndGuestSharing → Anyone with a sharing link
External sharing restricted!
Step 6: Remove SharePoint Group Access
To remove a SharePoint group from the site:
# Define group name
$groupName = "Visitors"
# Remove group
Remove-PnPGroup -Identity $groupName
Group access removed!
Step 7: Block Site Access for All Users (Except Admins)
If you want to restrict access completely, remove all users except admins:
$users = Get-PnPUser
foreach ($user in $users) {
    # Keep site collection administrators; remove everyone else
    if (-not $user.IsSiteAdmin) {
        Remove-PnPUser -Identity $user.LoginName
    }
}
All non-admin users removed from the site!
Step 8: Verify Site Access Restrictions
To check who has access to the site:
Get-PnPUser
Site access is now restricted!
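A review pass for Steps 7 and 8, as an added example that is not part of the original guide: it classifies each account returned by Get-PnPUser so you can see which ones a bulk removal would touch before running it. The function name Get-SiteUserReview, the category labels, the login-name prefixes and the sample rows are assumptions made for illustration.

```powershell
# Added example: classify site users before a bulk removal (Step 7) or when
# reviewing the result (Step 8). Get-SiteUserReview is a hypothetical helper.
function Get-SiteUserReview {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$User
    )
    process {
        $login = [string]$User.LoginName
        # Assumption: these prefixes cover built-in principals and group claims
        # such as "Everyone"; individual users start with "i:0#.f|membership|".
        $isSystem = $login -match '^(SHAREPOINT\\|NT AUTHORITY\\|NT Service\\|c:0)'
        $category = if ($User.IsSiteAdmin) { 'SiteAdmin' }
                    elseif ($isSystem) { 'SystemOrGroupClaim' }
                    elseif ($login -match '#ext#') { 'ExternalGuest' }
                    else { 'Member' }
        [pscustomobject]@{
            LoginName = $login
            Title     = $User.Title
            Category  = $category
            # Only ordinary members and guests are removal candidates
            Remove    = $category -in 'ExternalGuest', 'Member'
        }
    }
}

# Constructed sample rows shaped like Get-PnPUser output (not real accounts)
$sample = @(
    [pscustomobject]@{ LoginName = 'i:0#.f|membership|admin@contoso.onmicrosoft.com'; Title = 'Site Admin'; IsSiteAdmin = $true }
    [pscustomobject]@{ LoginName = 'i:0#.f|membership|alice@contoso.onmicrosoft.com'; Title = 'Alice'; IsSiteAdmin = $false }
    [pscustomobject]@{ LoginName = 'i:0#.f|membership|bob_example.org#ext#@contoso.onmicrosoft.com'; Title = 'Bob (guest)'; IsSiteAdmin = $false }
    [pscustomobject]@{ LoginName = 'SHAREPOINT\system'; Title = 'System Account'; IsSiteAdmin = $false }
    [pscustomobject]@{ LoginName = 'c:0(.s|true'; Title = 'Everyone'; IsSiteAdmin = $false }
)
$sample | Get-SiteUserReview | Format-Table -AutoSize

# Against a live connection (after Connect-PnPOnline), preview the candidates:
#   Get-PnPUser | Get-SiteUserReview | Where-Object Remove | Format-Table -AutoSize
```

Saving the preview with Export-Csv before any removal gives you a record of who had access, which helps if an account needs to be restored.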
Common Errors & Solutions
Error | Cause | Solution |
---|---|---|
Access Denied | Insufficient permissions | Ensure you are a SharePoint Admin |
User not found | Incorrect email or user doesn’t exist | Verify the email address |
Cannot remove user | User is a site owner | Assign a different owner before removal |
Permission changes not applying | Cached permissions | Run Clear-PnPRecycleBinItem |