This Windows PowerShell script identifies site collections, subsites, folders or files which may have been inadvertently overshared with either the Everyone or Everyone Except External Users (EEEU) claim, or with any security group in which your content user account is a member.
The PowerShell script reports shared content by executing a search query. Search results are security-trimmed, so running this script as a domain- or cloud-based user account with no explicit access to any content yields findings that are inherently shared with Everyone or EEEU.
- A user account (domain or cloud) with no explicit access to any content (except read access to root site) in SharePoint Online and OneDrive for Business.
- Account must have read (or higher) access to the SharePoint root site and the OD4B root site.
- Windows PowerShell 5.1 or higher
- PnP.PowerShell module version 1.12.0 or higher
- The following content properties will be exported in the CSV file:
  - SiteUrl
  - WebUrl
  - FileName
  - FileExtension
  - Path
  - Created
  - LastModifiedTime
  - ViewableByExternalUsers
  - ContentClass
  - IsDocument (Added on 04/01/2024)
  - IsContainer (Added on 04/01/2024)
- The following site properties will be exported in the CSV file:
  - Url
  - WebsCount
  - Template
  - GroupId - only populated on M365 Group connected sites
  - Visibility - only populated on M365 Group connected sites
  - SensitivityLabel - only populated on sites with a Sensitivity Label applied
  - LastContentModifiedDate
  - OwnerEmail - the primary owner value, else the M365 Group owners for M365 Group connected sites
  - HasTeam - true/false if connected to a Microsoft Team
  - SharedWithEveryoneOrEEEUObjectCount - number of result rows for the site in the input CSV
- A helper function is included to export all rows matching a specific SiteUrl to a new file.
- To find overshared content, execute Find-SharedWithEveryoneOrEEEUContent.ps1 as a domain or cloud account with no access to content in SharePoint or OneDrive.
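The discovery step described above, as an added example that is not the repository's Find-SharedWithEveryoneOrEEEUContent.ps1: it signs in as the no-access account, runs a security-trimmed search so that every returned row is by construction visible to Everyone/EEEU (or to a group the account belongs to), pages through the results by DocId, and flushes rows to the CSV in batches so memory stays flat on large tenants. The tenant URL, output path, batch sizes, and the mapping of the search properties SPSiteUrl/SPWebUrl onto the SiteUrl/WebUrl columns are assumptions made for this example.

```powershell
# Added example, not the repository's script. Assumes PnP.PowerShell 1.12+ and a delegated
# (interactive) sign-in as the account that only has Read on the root site.
$TenantUrl  = "https://contoso.sharepoint.com"       # placeholder: your tenant root site
$OutputPath = "C:\Temp\SharedWithEveryoneOrEEEU.csv" # placeholder: output CSV
$PageSize   = 500    # rows per search request
$FlushEvery = 2000   # rows buffered before they are written to disk

# Newer PnP.PowerShell releases additionally require -ClientId <your app registration id>.
Connect-PnPOnline -Url $TenantUrl -Interactive

# Managed properties to retrieve. SPSiteUrl/SPWebUrl are the search property names and are
# written out under the SiteUrl/WebUrl column names (assumed mapping). DocId drives paging.
$Select = @("SPSiteUrl", "SPWebUrl", "Filename", "FileExtension", "Path", "Created",
            "LastModifiedTime", "ViewableByExternalUsers", "contentclass",
            "IsDocument", "IsContainer", "DocId")

function Write-Batch([System.Collections.Generic.List[object]]$Rows, [string]$Path) {
    # Append the buffered rows to the CSV and empty the buffer.
    if ($Rows.Count -gt 0) {
        $Rows | Export-Csv -Path $Path -NoTypeInformation -Append -Encoding UTF8
        $Rows.Clear()
    }
}

$buffer    = [System.Collections.Generic.List[object]]::new()
$lastDocId = 0
$exported  = 0
do {
    # Deep paging: request everything with a DocId above the last one seen, sorted ascending.
    # This avoids the StartRow ceiling that plain offset paging hits on large result sets.
    $result = Submit-PnPSearchQuery -Query "IndexDocId>$lastDocId" -MaxResults $PageSize `
                -SortList @{ "[DocId]" = "ascending" } -SelectProperties $Select
    $rows = @($result.ResultRows)
    foreach ($row in $rows) {
        $buffer.Add([pscustomobject]@{
            SiteUrl                 = $row["SPSiteUrl"]
            WebUrl                  = $row["SPWebUrl"]
            FileName                = $row["Filename"]
            FileExtension           = $row["FileExtension"]
            Path                    = $row["Path"]
            Created                 = $row["Created"]
            LastModifiedTime        = $row["LastModifiedTime"]
            ViewableByExternalUsers = $row["ViewableByExternalUsers"]
            ContentClass            = $row["contentclass"]
            IsDocument              = $row["IsDocument"]
            IsContainer             = $row["IsContainer"]
        })
        $lastDocId = [int64]$row["DocId"]
    }
    if ($buffer.Count -ge $FlushEvery) {
        $exported += $buffer.Count
        Write-Batch $buffer $OutputPath
    }
} while ($rows.Count -eq $PageSize)

# Final flush of whatever is left in the buffer.
$exported += $buffer.Count
Write-Batch $buffer $OutputPath
Write-Host "Exported $exported items visible to the no-access account to $OutputPath"
```

Because the report is only meaningful when the signed-in account has no explicit content access, the root site (which the account needs Read on) will show up in the output; filter those rows out during review rather than granting the account anything more.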
You can optionally collect additional site properties for sites identified as containing overshared content, which can be useful for remediation and reporting activities. To use this script, you must authenticate to SharePoint Online using either delegated or application (app-only) credentials, both of which require the PnP.PowerShell application to be consented to by a global administrator.
- Delegated
  - SharePoint Tenant Admin Role
  - Microsoft Graph > Delegated > Groups.Read.All
- Application
  - SharePoint > Application > Sites.FullControl.All
  - Microsoft Graph > Application > Groups.Read.All
- Delegated
  - Update line #222 & #223 with your environment-specific values.
  - Execute Find-SharedWithEveryoneOrEEEUContent.ps1. When prompted, enter credentials for the user account with no access to content.
  - Wait patiently; the script will take several hours to complete on large tenants. It will intermittently flush results to the provided output path to avoid excessive memory pressure.
- Update line #98 & #99 with your environment-specific values.
- Execute Get-SharedWithEveryoneOrEEEUContentSiteProperties.ps1. When prompted, enter credentials for the user account with no access to content.
- Wait patiently; the script may also take several hours to complete on large tenants.
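The site-property collection step, as an added example that is not the repository's Get-SharedWithEveryoneOrEEEUContentSiteProperties.ps1: it reads the discovery CSV, counts result rows per SiteUrl, enriches each site from the tenant admin API, reads visibility, team status and owners for M365 Group connected sites, writes the site report, and provides the per-site row export mentioned above. The admin URL and file paths are placeholders; the Get-PnPMicrosoft365Group properties Visibility, HasTeam and Owners (via -IncludeOwners) are assumed to be available as named here.

```powershell
# Added example, not the repository's script. Assumes PnP.PowerShell 1.12+ and an interactive
# sign-in holding the SharePoint admin role plus Microsoft Graph Groups.Read.All (delegated).
$AdminUrl   = "https://contoso-admin.sharepoint.com"       # placeholder: tenant admin site
$InputPath  = "C:\Temp\SharedWithEveryoneOrEEEU.csv"       # placeholder: discovery-run output
$OutputPath = "C:\Temp\SharedWithEveryoneOrEEEU-Sites.csv" # placeholder: site report

Connect-PnPOnline -Url $AdminUrl -Interactive

# One group per site; $group.Count is the SharedWithEveryoneOrEEEUObjectCount column.
$sites = Import-Csv -Path $InputPath | Group-Object -Property SiteUrl

$report = foreach ($group in $sites) {
    try {
        $site = Get-PnPTenantSite -Identity $group.Name
    } catch {
        Write-Warning "Could not read tenant properties for $($group.Name): $_"
        continue
    }
    $ownerEmail = $site.OwnerEmail
    $visibility = $null
    $hasTeam    = $null
    # M365 Group connected sites carry a non-empty GroupId; pull group details from Graph.
    if ($site.GroupId -ne [guid]::Empty) {
        $m365       = Get-PnPMicrosoft365Group -Identity $site.GroupId -IncludeOwners
        $visibility = $m365.Visibility
        $hasTeam    = $m365.HasTeam
        if (-not $ownerEmail) {
            $ownerEmail = ($m365.Owners | ForEach-Object { $_.Email }) -join ";"
        }
    }
    [pscustomobject]@{
        Url                                 = $site.Url
        WebsCount                           = $site.WebsCount
        Template                            = $site.Template
        GroupId                             = $site.GroupId
        Visibility                          = $visibility
        SensitivityLabel                    = $site.SensitivityLabel
        LastContentModifiedDate             = $site.LastContentModifiedDate
        OwnerEmail                          = $ownerEmail
        HasTeam                             = $hasTeam
        SharedWithEveryoneOrEEEUObjectCount = $group.Count
    }
}
$report | Sort-Object SharedWithEveryoneOrEEEUObjectCount -Descending |
    Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8

function Export-SiteRows {
    # Write every discovery row for one site to its own CSV, for hand-off to that site's owner.
    param([string]$SiteUrl, [string]$Destination)
    Import-Csv -Path $InputPath |
        Where-Object { $_.SiteUrl -eq $SiteUrl } |
        Export-Csv -Path $Destination -NoTypeInformation -Encoding UTF8
}

# Usage: Export-SiteRows -SiteUrl "https://contoso.sharepoint.com/sites/finance" -Destination "C:\Temp\finance.csv"
```

Sorting the report by object count puts the sites with the most exposed items first, which is usually the order in which owners should be contacted for remediation.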
I'm new to PnP PowerShell, and noticed when installing either through Enterprise App or as an App Registration, it assigns 'Sites.FullControl.All' as 'Application' and 'AllSites.FullControl' as 'Delegated'. So with that level of permissions, how is this script supposed to work if the account running this script is using an app registration with so many permissions? Since the Enterprise App is not configurable, I deleted it and created the App Registration and removed the application permission 'Sites.FullControl.All', but left the delegated permission 'AllSites.FullControl', and reran the script. However, this time it errored with "The current principal does not have permission to execute queries on behalf of other users.". So far, I either get a list of all files due to 'Sites.FullControl.All' or the script errors out when I remove those permissions. Any guidance? Thanks in advance. By the way, cool script.