Control: 7.2.5 Ensure that SharePoint guest users cannot share items they don't own
Description
SharePoint gives users the ability to share files, folders, and site collections. Internal users can share with external collaborators, and those external collaborators, given the right permissions, could in turn reshare the content with other external parties.
Sharing and collaboration are key; however, file, folder, or site collection owners should retain authority over what is shared with external users, to prevent unauthorized disclosure of information.
Remediation
To remediate using the UI:
- Navigate to SharePoint admin center https://admin.microsoft.com/sharepoint.
- Click to expand Policies then select Sharing.
- Expand More external sharing settings, uncheck Allow guests to share items they don't own.
- Click Save.
To remediate using PowerShell:
- Connect to SharePoint Online service using Connect-SPOService.
- Run the following SharePoint Online PowerShell command:
Set-SPOTenant -PreventExternalUsersFromResharing $True
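The following script is an added example, not part of the Powerpipe mod or the CIS benchmark. It combines the audit and the remediation step above in the SharePoint Online Management Shell: it reads the current PreventExternalUsersFromResharing value with Get-SPOTenant, reports it using the same ok/alarm vocabulary as the control's query, and applies Set-SPOTenant only when the -Remediate switch is given. The tenant name is a placeholder parameter you supply; the module name and the cmdlets used are the standard ones from Microsoft.Online.SharePoint.PowerShell.

```powershell
# Added example (not the mod's own code): audit and optionally remediate CIS 7.2.5.
# Assumes the Microsoft.Online.SharePoint.PowerShell module is installed and that
# you run it as a SharePoint administrator. $TenantName is a placeholder for the
# tenant's short name, e.g. "contoso" -> https://contoso-admin.sharepoint.com.
param(
    [Parameter(Mandatory = $true)]
    [string]$TenantName,

    # Without this switch the script only reports; with it, non-compliant tenants are fixed.
    [switch]$Remediate
)

Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"

try {
    $tenant    = Get-SPOTenant
    $compliant = [bool]$tenant.PreventExternalUsersFromResharing

    # Mirror the control's status vocabulary: 'ok' when guests cannot reshare, else 'alarm'.
    $status = if ($compliant) { 'ok' } else { 'alarm' }

    [pscustomobject]@{
        Control = '7.2.5'
        Setting = 'PreventExternalUsersFromResharing'
        Current = $tenant.PreventExternalUsersFromResharing
        Status  = $status
    } | Format-Table -AutoSize

    if (-not $compliant) {
        if ($Remediate) {
            # This is the remediation command from the control, applied tenant-wide.
            Set-SPOTenant -PreventExternalUsersFromResharing $true

            # Re-read the setting so the operator sees the post-change state, not an assumption.
            $after = (Get-SPOTenant).PreventExternalUsersFromResharing
            Write-Host "PreventExternalUsersFromResharing is now: $after"
        }
        else {
            Write-Warning 'Guests can currently reshare items they do not own. Re-run with -Remediate to apply Set-SPOTenant -PreventExternalUsersFromResharing $true.'
        }
    }
}
finally {
    Disconnect-SPOService
}
```

Run it first without -Remediate to confirm the reported state matches the Powerpipe result (the query below alarms when is_resharing_by_external_users_enabled is true, which corresponds to PreventExternalUsersFromResharing being false), then with -Remediate in a change window, since the setting is tenant-wide and takes effect for every site collection at once.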
Default Value
Checked (False)
Usage
Run the control in your terminal:
powerpipe control run microsoft365_compliance.control.cis_v500_7_2_5
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v500_7_2_5 --share
SQL
This control uses a named query:
select
  tenant_id as resource,
  case
    when not (sharepoint_settings -> 'is_resharing_by_external_users_enabled')::bool then 'ok'
    else 'alarm'
  end as status,
  case
    when not (sharepoint_settings -> 'is_resharing_by_external_users_enabled')::bool
      then title || ' SharePoint guest users cannot share items they don''t own.'
    else title || ' SharePoint guest users can share items they don''t own.'
  end as reason,
  tenant_id as tenant_id
from
  microsoft365_organization;