CIS.M365.7.2.5 - Ensure that SharePoint guest users cannot share items they don't own
Overview
7.2.5 (L2) Ensure that SharePoint guest users cannot share items they don't own
SharePoint gives users the ability to share files, folders, and site collections. Internal users can share with external collaborators, and a guest who has been granted edit rights can, unless re-sharing is blocked, share the same content onward to further external parties that the owner never chose.
Rationale
Sharing and collaboration are key; however, the owner of a file, folder, or site collection should retain control over which external users it is shared with. Blocking guest re-sharing prevents an external recipient from widening the audience on their own and causing unauthorized disclosure of information.
Impact
The impact of this change depends on current practices. If users rarely share with external parties, impact is likely to be minimal. If users regularly share with guests, expect some friction: guests who currently re-share content will no longer be able to, and will have to ask the content owner (or another internal user with sharing rights) to share on their behalf. The setting is tenant-wide and applies to OneDrive as well as SharePoint sites.
Remediation
- Navigate to SharePoint admin center
- Click to expand Policies > Sharing.
- Scroll to and expand More external sharing settings, then uncheck Allow guests to share items they don't own.
- Click Save.
PowerShell
- Connect to SharePoint Online using Connect-SPOService.
- Run the following command:
Set-SPOTenant -PreventExternalUsersFromResharing $True
Default Value: Checked (PreventExternalUsersFromResharing is False, i.e. guests may re-share)
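The following script is an added example, not code from the Maester project or the CIS benchmark. It shows the audit, remediate, verify cycle a practitioner would run rather than a blind Set-SPOTenant: it reads the current tenant value, changes it only if needed, and re-reads it to confirm the change landed. It assumes the Microsoft.Online.SharePoint.PowerShell module is installed, that the caller holds the SharePoint Administrator role, and it uses a placeholder admin-center URL that you must replace with your own tenant's -admin URL.

```powershell
# Added example (not from the Maester project or the CIS benchmark):
# audit, remediate and verify the tenant-wide "guests cannot re-share" setting.
# Assumes Microsoft.Online.SharePoint.PowerShell is installed and the caller is a
# SharePoint Administrator. $AdminUrl is a placeholder for your tenant's admin URL.
Import-Module Microsoft.Online.SharePoint.PowerShell

$AdminUrl = 'https://contoso-admin.sharepoint.com'   # assumption: replace with your tenant's -admin URL
Connect-SPOService -Url $AdminUrl

function Test-GuestResharingBlocked {
    # Returns $true when guests cannot re-share items they do not own, which is the
    # same state as the "Allow guests to share items they don't own" box being unchecked.
    $tenant = Get-SPOTenant
    return [bool]$tenant.PreventExternalUsersFromResharing
}

# 1. Audit: report and stop if the control is already in place.
if (Test-GuestResharingBlocked) {
    Write-Host 'PASS: PreventExternalUsersFromResharing is already True'
    Disconnect-SPOService
    return
}
Write-Warning 'FAIL: guests can currently re-share items they do not own'

# 2. Remediate: only this one property changes; other sharing settings are untouched.
Set-SPOTenant -PreventExternalUsersFromResharing $true

# 3. Verify: re-read the tenant rather than trusting that the cmdlet returned silently.
if (-not (Test-GuestResharingBlocked)) {
    Disconnect-SPOService
    throw 'Set-SPOTenant returned but the setting did not change; check role assignment and retry'
}
Write-Host 'Remediated: PreventExternalUsersFromResharing is now True'
Disconnect-SPOService
```

Re-reading Get-SPOTenant after the change is the point of the script: tenant property writes can fail silently when the connected account lacks the SharePoint Administrator role, and a ticket closed on the strength of a cmdlet that printed nothing is the usual way this control ends up still failing on the next audit.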
Related Links
- Manage sharing settings for SharePoint and OneDrive in Microsoft 365
- Overview of external sharing in SharePoint and OneDrive in Microsoft 365
- CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 376
Test Metadata
| Field | Value |
|---|---|
| Test ID | CIS.M365.7.2.5 |
| Severity | Unknown |
| Suite | CIS |
| Category | SharePoint Online |
| PowerShell test | Test-MtCisSpoGuestCannotShareUnownedItem |
| Tags | CIS, CIS E3, CIS E3 Level 2, CIS E5, CIS E5 Level 2, CIS M365 v6.0.1, CIS.M365.7.2.5, L2, OneDrive, SharePoint Online |
Source
- Pester test: tests/cis/Test-MtCisSpoGuestCannotShareUnownedItem.Tests.ps1
- PowerShell source: powershell/public/cis/Test-MtCisSpoGuestCannotShareUnownedItem.ps1