CIS.M365.7.2.7 - Ensure link sharing is restricted in SharePoint and OneDrive
Overview
7.2.7 (L1) Ensure link sharing is restricted in SharePoint and OneDrive
This setting sets the default link type that a user will see when sharing content in OneDrive or SharePoint. It does not restrict or exclude any other options. The recommended state is Specific people (only the people the user specifies) or Only people in your organization (more restrictive).
Rationale
By defaulting to specific people, the user will first need to consider whether or not the content being shared should be accessible by the entire organization versus select individuals. This aids in reinforcing the concept of least privilege.
Remediation
- Navigate to the SharePoint admin center.
- Click to expand Policies > Sharing.
- Scroll to File and folder links.
- Set Choose the type of link that's selected by default when users share files and folders in SharePoint and OneDrive to Specific people (only the people the user specifies) or Only people in your organization.
PowerShell
- Connect to SharePoint Online using Connect-SPOService.
- Run the following command:
  Set-SPOTenant -DefaultSharingLinkType Direct
- Or, to set a more restrictive state:
  Set-SPOTenant -DefaultSharingLinkType Internal
Default Value: Only people in your organization (Internal)
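To confirm the tenant's current state before or after remediation, the following added example (not the Maester test's own source) evaluates the DefaultSharingLinkType value against the two recommended settings. The function name Test-DefaultSharingLinkCompliance and the sample objects are assumptions made for illustration; any value other than Direct or Internal is reported as non-compliant.

```powershell
# Added example: evaluates a tenant object against CIS.M365.7.2.7.
# Test-DefaultSharingLinkCompliance is a hypothetical helper name.
function Test-DefaultSharingLinkCompliance {
    [CmdletBinding()]
    param(
        # Object exposing DefaultSharingLinkType, e.g. the output of Get-SPOTenant
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Tenant
    )
    process {
        # Values the control recommends: Direct (Specific people) or
        # Internal (Only people in your organization)
        $compliantValues = 'Direct', 'Internal'
        $current = [string]$Tenant.DefaultSharingLinkType
        $isCompliant = $current -in $compliantValues

        # Only suggest a change when the value is outside the recommended set
        $fix = $null
        if (-not $isCompliant) {
            $fix = 'Set-SPOTenant -DefaultSharingLinkType Direct'
        }

        [pscustomobject]@{
            Control                = 'CIS.M365.7.2.7'
            DefaultSharingLinkType = $current
            Compliant              = $isCompliant
            SuggestedFix           = $fix
        }
    }
}

# Constructed sample objects standing in for Get-SPOTenant output (offline demo)
$samples = @(
    [pscustomobject]@{ DefaultSharingLinkType = 'Direct' }
    [pscustomobject]@{ DefaultSharingLinkType = 'Internal' }
    [pscustomobject]@{ DefaultSharingLinkType = 'AnonymousAccess' }
    [pscustomobject]@{ DefaultSharingLinkType = 'None' }
)
$samples | Test-DefaultSharingLinkCompliance | Format-Table -AutoSize

# Against a live tenant, after Connect-SPOService:
# Get-SPOTenant | Test-DefaultSharingLinkCompliance
```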
Test Metadata
| Field | Value |
|---|---|
| Test ID | CIS.M365.7.2.7 |
| Severity | Unknown |
| Suite | CIS |
| Category | SharePoint Online |
| PowerShell test | Test-MtCisSpoDefaultSharingLink |
| Tags | CIS, CIS E3, CIS E3 Level 1, CIS E5, CIS E5 Level 1, CIS M365 v6.0.1, CIS.M365.7.2.7, L1, OneDrive, SharePoint Online |
Source
- Pester test: tests/cis/Test-MtCisSpoDefaultSharingLink.Tests.ps1
- PowerShell source: powershell/public/cis/Test-MtCisSpoDefaultSharingLink.ps1