Prevent Guests from Being Added to a Specific Microsoft 365 Group or Microsoft Teams team using PnP PowerShell
Introduction
By default, guest access for Microsoft 365 groups is enabled within the tenant. Guest access can be allowed or blocked either at the tenant level or for individual Microsoft 365 groups / Teams. For more information, check out Manage guest access in Microsoft 365 groups.
PowerShell Script to Prevent Guest Access
Below is a PowerShell script that lets you disable or enable guest access for specific Microsoft 365 groups. When guest access is disabled, the script prevents new guests from being added to the specified groups, but it does not remove guests that are already in the group or Team.
param (
    [Parameter(Mandatory = $true)]
    [string] $domain,
    [Parameter(Mandatory = $true)]
    [ValidateSet("true", "false")]
    [string] $allowToAddGuests
)
# SharePoint admin center URL for the tenant
$adminSiteURL = "https://$domain-Admin.SharePoint.com"
# Timestamped CSV report, written next to the script
$dateTime = "_{0:MM_dd_yy}_{0:HH_mm_ss}" -f (Get-Date)
$invocation = (Get-Variable MyInvocation).Value
$directorypath = Split-Path $invocation.MyCommand.Path
$fileName = "m365_disable_addguests" + $dateTime + ".csv"
$outputPath = Join-Path $directorypath $fileName
if (-not (Test-Path $outputPath)) {
    New-Item -ItemType File -Path $outputPath
}
Connect-PnPOnline -Url $adminSiteURL -Interactive -WarningAction SilentlyContinue
# amend as required to be the correct filter
$report = Get-PnPMicrosoft365Group -Filter "startswith(displayName, 'test')" | ForEach-Object {
    $group = $_
    $groupSettings = Get-PnPMicrosoft365GroupSettings -Identity $group.Id
    if (-not $groupSettings) {
        # No per-group settings yet: create them from the Group.Unified.Guest template
        $groupSettings = New-PnPMicrosoft365GroupSettings -Identity $group.Id -DisplayName "Group.Unified.Guest" -TemplateId "08d542b9-071f-4e16-94b0-74abb372e3d9" -Values @{"AllowToAddGuests" = $allowToAddGuests }
    }
    # Read the current value without calling a method on $null when the entry is missing
    $currentValue = ($groupSettings.Values | Where-Object { $_.Name -eq "AllowToAddGuests" }).Value
    if ("$currentValue" -ne $allowToAddGuests) {
        $groupSettings = Set-PnPMicrosoft365GroupSettings -Identity $groupSettings.ID -Group $group.Id -Values @{"AllowToAddGuests" = $allowToAddGuests }
    }
    # retrieving the details to ensure the settings are applied
    $groupSettings = Get-PnPMicrosoft365GroupSettings -Identity $group.Id
    # Leave the value as $null when it is absent so that ?? can report "Default"
    $allowToAddGuestsValue = ($groupSettings.Values | Where-Object { $_.Name -eq "AllowToAddGuests" }).Value
    [PSCustomObject]@{
        id                        = $group.Id
        Description               = $group.Description
        DisplayName               = $group.DisplayName
        m365GroupAllowToAddGuests = $allowToAddGuestsValue ?? "Default"
    }
}
$report | Select-Object * | Export-Csv $outputPath -NoTypeInformation -Append
The script accepts two mandatory parameters, $domain and $allowToAddGuests, which specify the SharePoint domain and whether to allow guest additions to the filtered Microsoft 365 Groups. Amend or remove the filter as per your requirements:
$report = Get-PnPMicrosoft365Group -Filter "startswith(displayName, 'test')" |
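Because the script leaves existing guests in place, a follow-up audit is useful. The function below is an added example, not part of the original script: it reuses the page's filter and cmdlets, assumes an existing Connect-PnPOnline session, a PnP PowerShell version that provides Get-PnPMicrosoft365GroupMember, that guest accounts carry "#EXT#" in their user principal name, and that the intended state is "false". The function name and the NeedsReview column are hypothetical.

```powershell
# Added example: list groups that are not locked down or still contain guests.
function Get-GuestLockdownAudit {
    param (
        # Same OData filter as the script above; 'test' is the page's sample prefix
        [string] $Filter = "startswith(displayName, 'test')"
    )
    Get-PnPMicrosoft365Group -Filter $Filter | ForEach-Object {
        $group = $_

        # Per-group override; $null means none exists and the tenant default applies
        $settings = Get-PnPMicrosoft365GroupSettings -Identity $group.Id
        $allow = ($settings.Values |
            Where-Object { $_.Name -eq "AllowToAddGuests" }).Value

        # Assumption: guest accounts are recognised by "#EXT#" in the UPN
        $guests = @(Get-PnPMicrosoft365GroupMember -Identity $group.Id |
            Where-Object { $_.UserPrincipalName -like "*#EXT#*" })

        [PSCustomObject]@{
            DisplayName      = $group.DisplayName
            AllowToAddGuests = $allow ?? "Default"
            GuestCount       = $guests.Count
            Guests           = ($guests.UserPrincipalName -join "; ")
            # Review when guests can still be added or existing guests remain
            NeedsReview      = ("$allow" -ne "false") -or ($guests.Count -gt 0)
        }
    }
}

# Show only the groups that need attention
Get-GuestLockdownAudit | Where-Object NeedsReview | Format-Table -AutoSize
```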
Conclusion
This PowerShell script lets you manage guest access for specific Microsoft 365 groups, ensuring that new guests cannot be added while retaining existing guests. This helps maintain control over guest access. Alternatively, see Use sensitivity labels to protect content in Microsoft Teams, Microsoft 365 groups, and SharePoint sites for controlling external user access.
References
Prevent guests from being added to a specific Microsoft 365 group or Microsoft Teams team