Restricting Access to Sensitive SharePoint Content using PnP PowerShell

Organizations store sensitive data in SharePoint Online, such as financial records, legal documents, and confidential reports. Ensuring only authorized users can access these files is critical for security and compliance.

With PnP PowerShell, administrators can:
✔ Identify and classify sensitive content
✔ Restrict access to specific users/groups
✔ Remove existing permissions
✔ Apply security policies automatically

This guide provides a step-by-step approach to restricting access to sensitive SharePoint content using PnP PowerShell.


Step 1: Install & Update PnP PowerShell

Ensure PnP PowerShell is installed and updated:

Install-Module -Name PnP.PowerShell -Force -AllowClobber
Update-Module -Name PnP.PowerShell

Step 2: Connect to SharePoint Online

Using Interactive Login

Connect-PnPOnline -Url "https://yourtenant-admin.sharepoint.com" -Interactive

Using App-Based Authentication

$clientId = "your-client-id"
$clientSecret = "your-client-secret"   # load from a vault or secure store rather than hardcoding it in the script

# The client-secret (ACS app-only) parameter set takes -Url, -ClientId and -ClientSecret only;
# -Tenant belongs to certificate-based app-only auth and cannot be combined with -ClientSecret.
Connect-PnPOnline -Url "https://yourtenant-admin.sharepoint.com" -ClientId $clientId -ClientSecret $clientSecret

✔ Ensures a secure connection before managing permissions.


Step 3: Identify Sensitive Content

To list files tagged as sensitive in a SharePoint document library:

$siteUrl = "https://yourtenant.sharepoint.com/sites/SensitiveDocs"
$library = "Documents"

Connect-PnPOnline -Url $siteUrl -Interactive

# _ComplianceTag is the internal name of the retention-label column; -PageSize keeps large
# libraries below the list view threshold instead of failing on a single request
$sensitiveFiles = Get-PnPListItem -List $library -PageSize 1000 |
    Where-Object { $_["_ComplianceTag"] -match "Sensitive" }

# Field values live in the item's FieldValues, so expose them as calculated properties
$sensitiveFiles | Select-Object Id,
    @{ Name = "FileName"; Expression = { $_["FileLeafRef"] } },
    @{ Name = "Label";    Expression = { $_["_ComplianceTag"] } }

✔ Retrieves files marked with sensitivity labels.


Step 4: Restrict Access to Specific Users/Groups

To limit access to a specific file for only selected users:

$library = "Documents"
$fileName = "ConfidentialReport.pdf"
$userEmail = "authorizeduser@yourdomain.com"

# -Identity expects the list item (Id or object), not a file name, so resolve the item first
$item = Get-PnPListItem -List $library -Query "<View><Query><Where><Eq><FieldRef Name='FileLeafRef'/><Value Type='Text'>$fileName</Value></Eq></Where></Query></View>"

# -AddRole takes the role name as a string; $role.Name resolves it from the role definition
$role = Get-PnPRoleDefinition -Identity "Read"

# This grants Read on top of whatever the item already inherits from the library;
# Step 5 shows how to clear the inherited permissions as well
Set-PnPListItemPermission -List $library -Identity $item.Id -User $userEmail -AddRole $role.Name

✔ Ensures only authorized users can access the file.


Step 5: Remove Existing Permissions

To remove permissions from all users except specific ones:

$fileName = "ConfidentialReport.pdf"
$library = "Documents"

$item = Get-PnPListItem -List $library -Query "<View><Query><Where><Eq><FieldRef Name='FileLeafRef'/><Value Type='Text'>$fileName</Value></Eq></Where></Query></View>"

# Grant access to authorized users. The cmdlet has no stand-alone "remove everything" switch:
# -ClearExisting on the first grant breaks inheritance and drops every other permission on
# the item in the same call, so later grants must not clear again
$authorizedUsers = @("user1@yourdomain.com", "user2@yourdomain.com")
$clearExisting = $true

foreach ($user in $authorizedUsers) {
    Set-PnPListItemPermission -List $library -Identity $item.Id -User $user -AddRole "Read" -ClearExisting:$clearExisting
    $clearExisting = $false
}

Write-Host "Permissions updated for $fileName"

✔ Ensures only approved users have access while revoking others.


Step 6: Restrict Access to Entire Document Libraries

To restrict access to an entire document library, first break inheritance and remove existing permissions:

$library = "SensitiveDocs"

# Set-PnPListPermission cannot clear permissions; break inheritance on the list itself
# without copying the parent's role assignments and clear any unique scopes beneath it
# (site collection administrators keep access regardless)
Set-PnPList -Identity $library -BreakRoleInheritance -ClearSubscopes

Now, grant permissions to selected users:

$authorizedUsers = @("user1@yourdomain.com", "user2@yourdomain.com")

# The list is passed as -Identity here, not -List
foreach ($user in $authorizedUsers) {
    Set-PnPListPermission -Identity $library -User $user -AddRole "Read"
}

✔ Ensures only specific users can access the entire library.


Step 7: Automate Access Restriction for New Files

To automatically restrict access to all new files added to the SensitiveDocs library:

$library = "SensitiveDocs"
$authorizedUsers = @("user1@yourdomain.com", "user2@yourdomain.com")

# Run on a schedule; re-applying to an already restricted item is harmless because
# -ClearExisting resets it to exactly the allowlist each time
$files = Get-PnPListItem -List $library -PageSize 1000 |
    Where-Object { $_["_ComplianceTag"] -match "Sensitive" }

foreach ($file in $files) {
    $clearExisting = $true
    foreach ($user in $authorizedUsers) {
        # Address the item by Id; the first grant clears inherited permissions
        Set-PnPListItemPermission -List $library -Identity $file.Id -User $user -AddRole "Read" -ClearExisting:$clearExisting
        $clearExisting = $false
    }
    Write-Host "Access restricted for: $($file['FileLeafRef'])"
}

✔ Ensures all new sensitive files have restricted access.


Step 8: Monitor and Audit Access Permissions

To generate a report of current permissions on sensitive files:

$library = "SensitiveDocs"
$reportPath = "C:\Reports\RestrictedFiles.csv"

$restrictedFiles = Get-PnPListItem -List $library -PageSize 1000 |
    Where-Object { $_["_ComplianceTag"] -match "Sensitive" }

$report = foreach ($file in $restrictedFiles) {
    # Returns HasUniqueRoleAssignments plus a Permissions list (PrincipalName, PrincipalType, PermissionLevels)
    $permissions = Get-PnPListItemPermission -List $library -Identity $file.Id
    [PSCustomObject]@{
        FileName          = $file["FileLeafRef"]
        UniquePermissions = $permissions.HasUniqueRoleAssignments
        # Join into one string; an array column would be exported as "System.Object[]"
        Permissions       = ($permissions.Permissions | ForEach-Object { $_.PrincipalName }) -join "; "
    }
}

New-Item -ItemType Directory -Path (Split-Path $reportPath) -Force | Out-Null
$report | Export-Csv -Path $reportPath -NoTypeInformation

Write-Host "Access report saved to: $reportPath"

✔ Provides a detailed report of who has access to sensitive files.
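The audit in Step 8 extended into a drift check, as an added example that is not part of the original guide: it flags labelled files that still inherit library permissions, principals outside the allowlist, groups or sharing links, and roles above Read. It assumes an open Connect-PnPOnline session to the site, that `_ComplianceTag` is the retention-label column, and placeholder library, user and report-path values.

```powershell
# Added example (not from the original guide): report permission drift on labelled files.
# Assumes an existing Connect-PnPOnline session; library, allowlist and report path are placeholders.
$library         = "SensitiveDocs"
$authorizedUsers = @("user1@yourdomain.com", "user2@yourdomain.com")
$reportPath      = "C:\Reports\PermissionDrift.csv"

# Compare on login name, case-insensitively; Entra user logins look like i:0#.f|membership|user@domain
$allowed = $authorizedUsers | ForEach-Object { $_.ToLowerInvariant() }

$items = Get-PnPListItem -List $library -PageSize 1000 |
    Where-Object { $_["_ComplianceTag"] -match "Sensitive" }

$findings = foreach ($item in $items) {
    $name = $item["FileLeafRef"]
    # Securable-object properties are not fetched by Get-PnPListItem; load them from CSOM
    Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments, RoleAssignments | Out-Null

    if (-not $item.HasUniqueRoleAssignments) {
        [PSCustomObject]@{ FileName = $name; Issue = "InheritsFromLibrary"; Principal = ""; Levels = "" }
        continue
    }
    foreach ($ra in $item.RoleAssignments) {
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
        $login  = $ra.Member.LoginName
        $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ";"
        $upn    = ($login -split '\|')[-1].ToLowerInvariant()

        # "Limited Access" is the traversal marker SharePoint adds for parent scopes, not a grant
        if ($levels -eq "Limited Access") { continue }

        $issue = $null
        if ($ra.Member.PrincipalType -ne "User") { $issue = "GroupOrSharingLink" }
        elseif ($allowed -notcontains $upn)       { $issue = "UserNotInAllowlist" }
        elseif ($levels -ne "Read")               { $issue = "ElevatedRole" }

        if ($issue) {
            [PSCustomObject]@{ FileName = $name; Issue = $issue; Principal = $login; Levels = $levels }
        }
    }
}

if ($findings) {
    $findings | Export-Csv -Path $reportPath -NoTypeInformation
    Write-Warning "$(@($findings).Count) drift finding(s) written to $reportPath"
} else {
    Write-Host "No drift detected on $(@($items).Count) labelled item(s) in $library"
}
```

Schedule it alongside the Step 7 script and treat any non-empty report as a signal to investigate who granted the extra access and when.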
