Control: 7.2.6 Ensure SharePoint external sharing is restricted
Description
The external sharing features of SharePoint and OneDrive let users in the organization share content with people outside the organization (such as partners, vendors, clients, or customers). It can also be used to share between licensed users on multiple Microsoft 365 subscriptions if your organization has more than one subscription.
The recommended state is Limit external sharing by domain > Allow only specific domains.
Remediation
To remediate using the UI:
- Navigate to the SharePoint admin center: https://admin.microsoft.com/sharepoint.
- Expand Policies, then click Sharing.
- Expand More external sharing settings and check Limit external sharing by domain.
- Select Add domains to add a list of approved domains.
- Click Save at the bottom of the page.
To remediate using PowerShell:
- Connect to SharePoint Online using Connect-SPOService.
- Run the following PowerShell command:

```powershell
Set-SPOTenant -SharingDomainRestrictionMode AllowList -SharingAllowedDomainList "domain1.com domain2.com"
```
Default Value
Limit external sharing by domain is unchecked
SharingDomainRestrictionMode: None
SharingDomainRestrictionMode: <Undefined>
Usage
Run the control in your terminal:

```sh
powerpipe control run microsoft365_compliance.control.cis_v600_7_2_6
```

Snapshot and share results via Turbot Pipes:

```sh
powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v600_7_2_6 --share
```

SQL
This control uses a named query:

```sql
select
  tenant_id as resource,
  case
    when jsonb_array_length(sharepoint_settings -> 'sharing_allowed_domain_list') > 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when jsonb_array_length(sharepoint_settings -> 'sharing_allowed_domain_list') > 0
      then title || ' sharepoint external sharing is managed through domain whitelist/blacklists.'
    else title || ' sharepoint external sharing is not managed through domain whitelist/blacklists.'
  end as reason,
  tenant_id as tenant_id
from
  microsoft365_organization;
```