turbot/steampipe-mod-microsoft365-compliance

Control: 7.2.3 Ensure external content sharing is restricted

Description

The external sharing settings govern sharing for the organization overall. Each site has its own sharing setting that can be set independently, but it can only be the same as, or more restrictive than, the organization-level setting.

The new and existing guests option requires people who have received invitations to sign in with their work or school account (if their organization uses Microsoft 365) or a Microsoft account, or to provide a code to verify their identity. Users can share with guests already in your organization's directory, and they can send invitations to people who will be added to the directory if they sign in.

The recommended state is New and existing guests or less permissive.

Remediation

To remediate using the UI:

  1. Navigate to SharePoint admin center https://admin.microsoft.com/sharepoint.
  2. Click Policies > Sharing.
  3. Locate the External sharing section.
  4. Under SharePoint, move the slider bar to New and existing guests or a less permissive level.
    • OneDrive will also be moved to the same level and can never be more permissive than SharePoint.

To remediate using PowerShell:

  1. Connect to SharePoint Online using Connect-SPOService -Url https://[tenant]-admin.sharepoint.com.
  2. Run the following cmdlet to establish the minimum recommended state:
Set-SPOTenant -SharingCapability ExternalUserSharingOnly

Note: Other acceptable values for this parameter that are more restrictive include: Disabled and ExistingExternalUserSharingOnly.
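The following script is an added example, not part of the steampipe mod or the CIS benchmark text. It performs the PowerShell remediation above as an audit-then-fix step: it reads the tenant-wide setting with Get-SPOTenant, compares it against the four SharingCapability levels in order of restrictiveness, and only calls Set-SPOTenant when the current level is more permissive than New and existing guests. The tenant name contoso and the function name Test-SharingCapability are assumptions for illustration; the module name and cmdlets are the real SharePoint Online Management Shell ones.

```powershell
# Added example (not from the steampipe mod): audit and remediate CIS 7.2.3.
# Assumes the Microsoft.Online.SharePoint.PowerShell module is installed and
# that the signed-in account is a SharePoint administrator.
Import-Module Microsoft.Online.SharePoint.PowerShell -ErrorAction Stop

$TenantName = 'contoso'   # assumption: replace with your own tenant prefix
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"

# SharingCapability values accepted by Set-SPOTenant, ordered from most to
# least restrictive. 'ExternalUserSharingOnly' is "New and existing guests".
$Levels = @(
    'Disabled',
    'ExistingExternalUserSharingOnly',
    'ExternalUserSharingOnly',
    'ExternalUserAndGuestSharing'
)
$Recommended = 'ExternalUserSharingOnly'

function Test-SharingCapability {
    # Hypothetical helper: returns $true when $Current is at or below
    # $Maximum in restrictiveness, and refuses to guess for unknown values.
    param(
        [Parameter(Mandatory)][string]$Current,
        [string]$Maximum = $Recommended
    )
    $currentIndex = [array]::IndexOf($Levels, $Current)
    $maximumIndex = [array]::IndexOf($Levels, $Maximum)
    if ($currentIndex -lt 0) {
        # An unrecognised value must not be treated as compliant.
        throw "Unknown SharingCapability value '$Current'; refusing to evaluate."
    }
    return $currentIndex -le $maximumIndex
}

$tenant = Get-SPOTenant
$current = [string]$tenant.SharingCapability
"SharePoint sharing capability: $current"
"OneDrive sharing capability:   $([string]$tenant.OneDriveSharingCapability)"

if (Test-SharingCapability -Current $current) {
    "Compliant: '$current' is at or below '$Recommended'."
} else {
    "Non-compliant: '$current' is more permissive than '$Recommended'. Remediating..."
    Set-SPOTenant -SharingCapability $Recommended

    # Re-read the tenant and confirm the change actually took effect rather
    # than trusting that the cmdlet returned without error.
    $after = [string](Get-SPOTenant).SharingCapability
    if ($after -ne $Recommended) {
        throw "Remediation failed: tenant still reports '$after'."
    }
    "Remediated: SharePoint sharing capability is now '$after'."
}
```

Because OneDrive can never be more permissive than SharePoint, lowering the SharePoint level also lowers OneDrive where needed; the script prints both values so the before-and-after state of each is visible in the session log.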

Default Value

Anyone (ExternalUserAndGuestSharing)

Usage

Run the control in your terminal:

powerpipe control run microsoft365_compliance.control.cis_v500_7_2_3

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v500_7_2_3 --share

SQL

This control uses a named query that reads the tenant-wide SharePoint setting from microsoft365_organization; the per-site sharing settings described above are not evaluated by it:

select
  tenant_id as resource,
  case
    when sharepoint_settings ->> 'sharing_capability' = 'externalUserAndGuestSharing' then 'alarm'
    else 'ok'
  end as status,
  case
    when sharepoint_settings ->> 'sharing_capability' = 'externalUserAndGuestSharing' then title || ' microsoft365 external content sharing unrestricted.'
    else title || ' external content sharing set to ' || (sharepoint_settings ->> 'sharing_capability') || '.'
  end as reason,
  tenant_id as tenant_id
from
  microsoft365_organization;

Tags