CIS.M365.7.2.11 - Ensure the SharePoint default sharing link permission is set
Overview
7.2.11 (L1) Ensure the SharePoint default sharing link permission is set
This setting configures the permission that is selected by default for sharing links from a SharePoint site.
The recommended state is View.
Rationale
Setting the view permission as the default ensures that users must deliberately select the edit permission when sharing a link. This approach reduces the risk of unintentionally granting edit privileges to a resource that only requires read access, supporting the principle of least privilege.
Impact
Not applicable.
Remediation
- Navigate to SharePoint admin center
- Click to expand Policies > Sharing.
- Scroll to File and folder links.
- Ensure Choose the permission that's selected by default for sharing links is set to View.
PowerShell
- Connect to SharePoint Online using Connect-SPOService
- Run the following command:
Set-SPOTenant -DefaultLinkPermission View
Default Value: DefaultLinkPermission : Edit
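An audit-then-remediate wrapper around the two commands above, added here as an example; it is not code from the CIS benchmark or from the test's own source. The function name Confirm-SpoDefaultLinkPermission and the contoso admin URL are assumptions, and the session needs rights to manage SharePoint tenant settings.

```powershell
#Requires -Modules Microsoft.Online.SharePoint.PowerShell

# Hypothetical helper (not part of any module): reports the current default
# sharing link permission and, with -Remediate, sets it to View.
function Confirm-SpoDefaultLinkPermission {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # SharePoint admin center URL, e.g. https://contoso-admin.sharepoint.com (placeholder)
        [Parameter(Mandatory)]
        [string]$AdminUrl,

        # Change the tenant setting when it is not View
        [switch]$Remediate
    )

    Connect-SPOService -Url $AdminUrl

    # Read the tenant-wide value; the documented default is Edit
    $before = [string](Get-SPOTenant).DefaultLinkPermission
    $after  = $before

    if ($before -ne 'View' -and $Remediate) {
        # ShouldProcess makes -WhatIf and -Confirm work for the change
        if ($PSCmdlet.ShouldProcess('SharePoint Online tenant', 'Set DefaultLinkPermission to View')) {
            Set-SPOTenant -DefaultLinkPermission View
            # Re-read the setting instead of assuming the change was applied
            $after = [string](Get-SPOTenant).DefaultLinkPermission
        }
    }

    [pscustomobject]@{
        Control   = 'CIS.M365.7.2.11'
        Before    = $before
        Current   = $after
        Compliant = ($after -eq 'View')
    }
}

# Audit only:
#   Confirm-SpoDefaultLinkPermission -AdminUrl 'https://contoso-admin.sharepoint.com'
# Preview the change without applying it:
#   Confirm-SpoDefaultLinkPermission -AdminUrl 'https://contoso-admin.sharepoint.com' -Remediate -WhatIf
```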
Related Links
- Manage sharing settings for SharePoint and OneDrive in Microsoft 365
- CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 391
Test Metadata
| Field | Value |
|---|---|
| Test ID | CIS.M365.7.2.11 |
| Severity | Unknown |
| Suite | CIS |
| Category | SharePoint Online |
| PowerShell test | Test-MtCisSpoDefaultSharingLinkPermission |
| Tags | CIS, CIS E3, CIS E3 Level 1, CIS E5, CIS E5 Level 1, CIS M365 v6.0.1, CIS.M365.7.2.11, L1, OneDrive, SharePoint Online |
Source
- Pester test: tests/cis/Test-MtCisSpoDefaultSharingLinkPermission.Tests.ps1
- PowerShell source: powershell/public/cis/Test-MtCisSpoDefaultSharingLinkPermission.ps1