CIS.M365.7.2.9 - Ensure guest access to a site or OneDrive will expire automatically
Overview
7.2.9 (L1) Ensure guest access to a site or OneDrive will expire automatically
This policy setting configures the expiration time for each guest who is invited to a SharePoint site or with whom users share individual files and folders.
The recommended state is 30 days or less.
Rationale
This setting ensures that guests who no longer need access to the site or link no longer have access after a set period of time. Allowing guest access for an indefinite amount of time could lead to loss of data confidentiality and oversight.
Note: Guest membership applies at the Microsoft 365 group level. Guests who have permission to view a SharePoint site or use a sharing link may also have access to a Microsoft Teams team or security group.
Impact
Site collection administrators will have to renew access to guests who still need access after 30 days. They will receive an e-mail notification once per week about guest access that is about to expire.
Note: The guest expiration policy only applies to guests who use sharing links or guests who have direct permissions to a SharePoint site after the guest policy is enabled. The guest policy does not apply to guest users that have pre-existing permissions or access through a sharing link before the guest expiration policy is applied.
Remediation
- Navigate to the SharePoint admin center.
- Click to expand Policies > Sharing.
- Scroll to and expand More external sharing settings.
- Set Guest access to a site or OneDrive will expire automatically after this many days to 30.
PowerShell
- Connect to SharePoint Online using `Connect-SPOService`.
- Run the following command:

```powershell
Set-SPOTenant -ExternalUserExpireInDays 30 -ExternalUserExpirationRequired $True
```

Default Value: `ExternalUserExpirationRequired` $false, `ExternalUserExpireInDays` 60 days
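The following is an added example, not the Maester project's own `Test-MtCisSpoGuestAccessExpiry` test, showing how the two settings above are evaluated together against this recommendation: a short expiry that is not enforced and an enforced expiry longer than 30 days both fail. The function name, the `-MaxDays` parameter and the sample tenant object are constructed for illustration; the property names match the `Set-SPOTenant` parameters and are also returned by `Get-SPOTenant`.

```powershell
# Added example (not Maester's Test-MtCisSpoGuestAccessExpiry): evaluate a
# tenant's guest-expiration settings against CIS 7.2.9.
function Test-GuestAccessExpiry {
    param(
        # Any object exposing ExternalUserExpirationRequired and
        # ExternalUserExpireInDays, e.g. the output of Get-SPOTenant.
        [Parameter(Mandatory)] $Tenant,
        # Hypothetical parameter: the benchmark's recommended maximum.
        [int] $MaxDays = 30
    )
    $required = [bool] $Tenant.ExternalUserExpirationRequired
    $days     = [int]  $Tenant.ExternalUserExpireInDays

    # Both conditions matter: expiration must be enforced AND within MaxDays.
    $pass = $required -and ($days -le $MaxDays)

    if ($pass) {
        $finding = "Guest access expires automatically after $days days."
    }
    elseif (-not $required) {
        $finding = "Guest access expiration is not enforced (ExternalUserExpirationRequired is False); ExpireInDays ($days) has no effect."
    }
    else {
        $finding = "Guest access expires after $days days; recommended is $MaxDays or less."
    }

    [pscustomobject]@{
        Passed             = $pass
        ExpirationRequired = $required
        ExpireInDays       = $days
        Finding            = $finding
    }
}

# Constructed sample reflecting the documented tenant default (fails the check).
$defaultTenant = [pscustomobject]@{
    ExternalUserExpirationRequired = $false
    ExternalUserExpireInDays       = 60
}
Test-GuestAccessExpiry -Tenant $defaultTenant

# Against a live tenant, after Connect-SPOService:
# Test-GuestAccessExpiry -Tenant (Get-SPOTenant)
```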
Related Links
- Manage sharing settings for SharePoint and OneDrive in Microsoft 365
- Managing SharePoint Online Security: A Team Effort
- CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 385
Test Metadata
| Field | Value |
|---|---|
| Test ID | CIS.M365.7.2.9 |
| Severity | Unknown |
| Suite | CIS |
| Category | SharePoint Online |
| PowerShell test | Test-MtCisSpoGuestAccessExpiry |
| Tags | CIS, CIS E3, CIS E3 Level 1, CIS E5, CIS E5 Level 1, CIS M365 v6.0.1, CIS.M365.7.2.9, L1, OneDrive, SharePoint Online |
Source
- Pester test: tests/cis/Test-MtCisSpoGuestAccessExpiry.Tests.ps1
- PowerShell source: powershell/public/cis/Test-MtCisSpoGuestAccessExpiry.ps1