Oversight of Sharing Information in SharePoint sites using PowerShell with CSOM, REST and PnP PowerShell
Effective oversight of sharing links and sharing information is paramount to ensuring data security, compliance, and optimal collaboration experiences.
As organisations migrate to M365 environments, they inherit powerful collaboration tools that facilitate seamless sharing of documents and resources. However, without proper governance, these capabilities can lead to unintended consequences such as data breaches, compliance violations, and loss of intellectual property.
Sharing is a powerful feature for collaboration. However, depending on how items, files or folders are shared, either a sharing link is created or unique permissions are applied to these items.
For M365 Copilot implementations, ensuring there is no oversharing is a critical aspect of safeguarding sensitive information and maintaining regulatory compliance.
An extract from Announcing SharePoint advanced management innovations for the AI and Copilot era:
“With Copilot and AI, security has become a concern. Not because Copilot allows people to access anything more than they could previously; it just allows them to find information they have access to faster. A term used sometimes in SharePoint is “Security by obscurity”; hide stuff and hope people don’t find it. That doesn’t work as well anymore with Copilot. It surfaces data more broadly and quickly.”
Refer to Microsoft Copilot for Microsoft 365 - best practices with SharePoint.
However, manually tracking down these links across multiple sites and libraries can be a daunting task. There are a few options available, each with its own limitations.
Report on file and folder sharing in a SharePoint site: allows reporting on sharing per site only.
Data access governance reports for SharePoint sites: provide a very high-level view of the sharing links, without details on which folder or item the sharing link was created for. At the time of writing this blog post in April/May 2024, Data Access Governance reports show new sharing links in the past 28 days, which makes it very difficult to find content that was shared using an Everyone Except External Users or Anyone link more than a month ago.
Use sharing auditing in the audit log: results are restricted to the filter criteria used, which may not retrieve all sharing links.
A sharing link is created when “Copy Link” is clicked; otherwise, custom permissions are created.
Sharing links can be accessed from Manage Access.
There have been changes to sharing as per MC706173; for more information, refer to M365 Changelog: (Updated) Invite people you choose in the Share control in Microsoft 365 apps, though the full changes are not clear.
So reporting on sharing links alone might not be enough; also look into the unique permissions applied to each file, folder or item.
See the post Query unique permissions for more details.
This post focuses on retrieving sharing links using different options: PnP PowerShell, REST and CSOM.
Get all sharing links using PnP PowerShell
The cmdlets Get-PnPFileSharingLink and Get-PnPFolderSharingLink return all sharing links created at file/item and folder level respectively.
The cmdlets Get-PnPFileSharingLink and Get-PnPFolderSharingLink use the Microsoft Graph permissions endpoint under the hood.
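As an added example (not code from the original post), the following shows how permission objects of the kind the Graph permissions endpoint returns can be triaged by link scope to surface "Anyone" and organization-wide links. The helper name Get-SharingLinkRisk, the Item property, the risk ranking and the sample objects are assumptions made for illustration; the sample data is constructed so the script runs offline.

```powershell
# Hypothetical helper: rate one permission object by the reach of its sharing link.
# The ranking (anonymous > organization > users) is an assumption of this example.
function Get-SharingLinkRisk {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $Permission,
        [datetime] $Now = (Get-Date)
    )
    process {
        # Direct grants (unique permissions) carry no link facet; skip them here.
        if (-not $Permission.Link) { return }
        $expiry = $Permission.ExpirationDateTime
        $risk = switch ($Permission.Link.Scope) {
            'anonymous'    { 'High' }     # "Anyone" link
            'organization' { 'Medium' }   # link usable by everyone in the tenant
            'users'        { 'Low' }      # link limited to specific people
            default        { 'Review' }   # unknown scope: inspect manually
        }
        [pscustomobject]@{
            Item     = $Permission.Item   # attached by the caller; not part of the permission
            Scope    = $Permission.Link.Scope
            Type     = $Permission.Link.Type
            NoExpiry = -not $expiry
            Expired  = [bool]($expiry -and ([datetime]$expiry -lt $Now))
            Risk     = $risk
        }
    }
}

# Constructed sample objects shaped like Graph permission resources
# (link.scope, link.type, expirationDateTime). Live input would come from
# Get-PnPFileSharingLink / Get-PnPFolderSharingLink, with the item path added per call.
$sample = @(
    [pscustomobject]@{ Item = 'Shared Documents/Budget.xlsx'; ExpirationDateTime = $null
                       Link = [pscustomobject]@{ Scope = 'anonymous'; Type = 'edit' } }
    [pscustomobject]@{ Item = 'Shared Documents/Handbook.pdf'; ExpirationDateTime = [datetime]'2024-01-31'
                       Link = [pscustomobject]@{ Scope = 'organization'; Type = 'view' } }
    [pscustomobject]@{ Item = 'Shared Documents/Plan.docx'; ExpirationDateTime = $null
                       Link = [pscustomobject]@{ Scope = 'users'; Type = 'edit' } }
    [pscustomobject]@{ Item = 'Shared Documents/Notes.txt'; ExpirationDateTime = $null; Link = $null }
)

# Keep only links that reach beyond named people, evaluated at a fixed date.
$sample | Get-SharingLinkRisk -Now ([datetime]'2024-05-01') |
    Where-Object Risk -ne 'Low' | Format-Table -AutoSize
```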