This is part 2 of a 3-part series on OneDrive For Business Sharing Policies and their impacts to Mergers, Acquisitions & Divestitures.
In Part 1, we covered How To View OneDrive For Business Sharing Polices In PowerShell & The Admin Center. This post can be found here: https://madmike.net/how-to-view-one-drive-for-business-sharing-polices-in-powershell-the-admin-center/
In this part we will show how to change OneDrive For Business Sharing Policies in PowerShell at the user level. We will use the output from Part 1 as an input file in this blog post.
In Part 3, we will review why OneDrive For Business Sharing Policy analysis is important in Mergers, Acquisitions & Divestitures, and provide some practical advice. [Part 3 can be found here: https://madmike.net/how-to-handle-differences-in-onedrive-for-business-sharing-polices-in-mergers-acquisitions-divestitures/]
Conflicts In Policy
Many organizations limit users’ ability to share externally. Although a lot of organizations have the same policy for all users, others will control the policies for some users who they consider to be high risk or to meet a security standard for a client. In Part 3 we will go over the common scenarios and ways forward. Keep in mind that these policies may have been made under a contract for a subset of users, or for a subset of users who have access to sensitive data. These situations require special attention and will be covered in Part 3 of this series.
Policy Switches
A user can have one of four policies, depending upon your organization’s overall sharing configuration: external sharing turned off altogether, or one of the three external sharing options below. In the Admin Center, you can easily find these settings:
- On/Off – This either turns on, or off, the user’s ability to share outside the organization. See the special note at the end of this blog post on this setting.
  - The PowerShell switch setting is “Disabled” to turn it off for a user
- Allow sharing to authenticated guest users with invitations
  - This setting allows the end users to share with specific people and to invite other users who are not in the directory.
  - The PowerShell switch setting is “ExternalUserSharingOnly”
- Allow sharing with anonymous guest links and authenticated users
  - This setting allows the user to share with specific people and anonymous links. This is the least restrictive setting, but is open to misuse.
  - The PowerShell switch setting is “ExternalUserAndGuestSharing”
- Only allow sharing with existing guest users in the directory
  - This is a restrictive policy and requires the external user to be in the directory. Some companies have put in a procedure to get a user into a directory. This can provide a good balance to provide external collaboration, but in a controlled manner. It should be noted, there are some known workarounds to invite users, so you have to lock this down in other areas to avoid these workarounds.
  - The PowerShell switch setting is “ExistingExternalUserSharingOnly”
Conflicting Settings
If you try to set a user to a setting less restrictive than the company policy, you will get an error. If you have a subset of users who need a less restrictive setting, then you will need to increase the organization sharing setting and then restrict the users who should not have this less restrictive setting. This configuration can create confusion, the root of this blog series, so be sure to read part 3.
Admin Center Error:
Error: Update failed for OneDrive external sharing setting. It needs to be more restrictive. Please check sharing setting under Resources > Sites.
PowerShell Error:
Error: Set-SPOSite : You can’t set the sharing capability to the level you specified, because it is a less restrictive setting than either its parent site collection or your organization.
Change Users’ OneDrive For Business Sharing Policy in PowerShell
Below are two scripts, one to change a list of users, and another to change a single user. In the first article in this series (see link above) we:
- Looked at the Organization’s Sharing Policy
- Looked at how to view and change a single user’s policy in the admin center
- Provided a script on how to export a list of all users’ Sharing Policy
You will need the exported list of all users’ Sharing Policy from Part 1 in order to use the following script.
CAUTION: If you make a policy more restrictive, loosening the policy will not reactivate the previous sharing links! You should do this with care and user communications. Like always, practice on test users, or ideally in a test/demo tenant.
Note: Switch Behavior: It should be noted that in PowerShell you do not change the “-SiteDefinedSharingCapability” switch. If you change a user’s setting using the -SharingCapability switch, the “-SiteDefinedSharingCapability” will change to match the “-SharingCapability” setting.
How To Change Multiple Users’ OneDrive For Business Sharing Policy in PowerShell
How to use this script
- Take the output from the Part 1 blog post above
- Make a copy of the output
- Remove any users you do not want to change.
We will use the Set-SPOSite command to accomplish this.
- In order to do this, you will need to have installed the SharePoint Online Management Shell, just like we did in Part 1. This can be found here: https://docs.microsoft.com/en-us/powershell/sharepoint/sharepoint-online/connect-sharepoint-online?view=sharepoint-ps
- Open the SharePoint Online Management Shell
- Your SharePoint Online admin URL is your orgname-admin.sharepoint.com. For example, if my tenant name was madmike / madmike.onmicrosoft.com, then my SharePoint URL is https://madmike-admin.sharepoint.com.
- Save this script below as a .ps1 file and make the following changes for it to work on your environment
- I have commented out (the # character in PowerShell) a few sections. You can comment in / out the sections you need.
- $AdminURL needs to point to your admin URL
- $FileImport needs to point to the source file
- $SharingSetting needs to be the setting you wish to set the users to from your CSV file. See the settings above.
- $User2Change is the UPN of the user you would like to change
$AdminUrl = "https://madmiketest-admin.sharepoint.com"
$FileImport = "C:\Path\OneDriveSitesChange.csv"
$PathTest = Test-Path -Path $FileImport

#Use this setting if you want to turn off a user's external sharing capability for everyone in the CSV list
#$SharingSetting = 'Disabled'
#Use this setting if you want to allow external access to authenticated external users for everyone in the CSV list
#$SharingSetting = 'ExternalUserSharingOnly'
#Use this setting if you want to allow external sharing to authenticated external users and anonymous guest links for everyone in the CSV list
$SharingSetting = 'ExternalUserAndGuestSharing'
#Use this setting if you want to allow external sharing only to guest users already in your directory for everyone in the CSV list
#$SharingSetting = 'ExistingExternalUserSharingOnly'

#Test-Path returns a Boolean, so test it directly rather than comparing it to the string 'True'
if ($PathTest)
{
    Connect-SPOService -Url $AdminUrl
    $ODFBURL = Import-Csv -Path $FileImport
    foreach ($User in $ODFBURL)
    {
        #Strip stray whitespace from the Url column of the CSV
        $URL2Change = ($User.url).Trim()
        Get-SPOSite -Identity $URL2Change | Set-SPOSite -SharingCapability $SharingSetting
        #If you want to view all the URLs before changing, comment out the change line above and just leave this uncommented. You will then see the output in the console to allow you to check your work.
        Get-SPOSite -Identity $URL2Change | Select-Object Url,Owner,SharingCapability,SiteDefinedSharingCapability
    }
}
else
{
    Write-Error "The file path $FileImport is not valid - check spelling and file location and try again"
}
#Tested May 2 2020
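A more cautious variant of the bulk change, added here as an example (it is not the author's script): it checks the requested value against the organization setting first, which is the conflict described under Conflicting Settings, saves each site's current value, and labels every change as Tighten or Loosen so the CAUTION above can be acted on before anything is changed. The parameter names, the snapshot file and the -Apply switch are assumptions of this example, and the CSV is assumed to have the Url column used by the script above.

```powershell
# Added example, not the author's script. Assumes an existing Connect-SPOService
# session and a CSV with a "Url" column (as the bulk script on this page uses).
param(
    [string]$FileImport = 'C:\Path\OneDriveSitesChange.csv',
    [ValidateSet('Disabled','ExistingExternalUserSharingOnly','ExternalUserSharingOnly','ExternalUserAndGuestSharing')]
    [string]$SharingSetting = 'ExistingExternalUserSharingOnly',
    [string]$SnapshotPath = ".\SharingSnapshot-$(Get-Date -Format yyyyMMdd-HHmmss).csv",
    [switch]$Apply   # without -Apply the script only reports what it would do
)

# Restrictiveness order of the four values, most restrictive first.
$Rank = @{ Disabled = 0; ExistingExternalUserSharingOnly = 1
           ExternalUserSharingOnly = 2; ExternalUserAndGuestSharing = 3 }

# A user's OneDrive cannot be less restrictive than the organization, so take
# the tighter of the tenant-wide SharePoint and OneDrive sharing settings.
$Tenant = Get-SPOTenant
$Cap = @("$($Tenant.SharingCapability)", "$($Tenant.OneDriveSharingCapability)") |
    Sort-Object { $Rank[$_] } | Select-Object -First 1
if ($Rank[$SharingSetting] -gt $Rank[$Cap]) {
    throw "'$SharingSetting' is less restrictive than the organization setting '$Cap'; Set-SPOSite would reject it."
}

$Plan = foreach ($Row in Import-Csv -Path $FileImport) {
    $Site = Get-SPOSite -Identity $Row.Url.Trim()
    $Current = "$($Site.SharingCapability)"
    $Delta = $Rank[$SharingSetting] - $Rank[$Current]
    # Tighten rows are the ones whose existing links will not come back if loosened later.
    $Effect = if ($Delta -lt 0) { 'Tighten' } elseif ($Delta -gt 0) { 'Loosen' } else { 'NoChange' }
    [pscustomobject]@{ Url = $Site.Url; Owner = $Site.Owner; Before = $Current; After = $SharingSetting; Effect = $Effect }
}

# Keep the before-state so each site can be set back to its previous value.
$Plan | Export-Csv -Path $SnapshotPath -NoTypeInformation
$Plan | Format-Table Url, Before, After, Effect -AutoSize

if ($Apply) {
    foreach ($Item in ($Plan | Where-Object Effect -ne 'NoChange')) {
        Set-SPOSite -Identity $Item.Url -SharingCapability $Item.After
    }
}
```

Run it once without -Apply and send the Tighten rows to whoever handles user communications; the snapshot CSV's Before column is the value to restore per site if a change has to be backed out.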
How To Change A Single Users’ OneDrive For Business Sharing Policy in PowerShell
[or see the one liner below]
$AdminUrl = "https://madmiketest-admin.sharepoint.com"
#Placeholder UPN - replace with the UPN of the user you would like to change
$User2Change = "user@yourdomain.com"

#Use this setting if you want to turn off the user's external sharing capability
#$SharingSetting = 'Disabled'
#Use this setting if you want to allow external access to authenticated external users
$SharingSetting = 'ExternalUserSharingOnly'
#Use this setting if you want to allow external sharing to authenticated external users and anonymous guest links
#$SharingSetting = 'ExternalUserAndGuestSharing'
#Use this setting if you want to allow external sharing only to guest users already in your directory
#$SharingSetting = 'ExistingExternalUserSharingOnly'

Connect-SPOService -Url $AdminUrl
#Find the personal (OneDrive) site owned by the user and apply the setting to it
Get-SPOSite -IncludePersonalSite $true -Limit all -Filter "Url -like '-my.sharepoint.com/personal/'" | Where-Object {$_.Owner -eq $User2Change} | Set-SPOSite -SharingCapability $SharingSetting
#Tested May 2 2020
One Liner To Change A Single User
- Put in the user’s ODFB URL
- Put in one of the 4 SharingCapability Switches From Above
- Fire
Set-SPOSite -Identity [ODFB URL] -SharingCapability [Sharing Setting]
Special Notes On Users That Have External Sharing Disabled!
In writing this article I discovered something that I was not aware of. If you disable a user’s ability to Share outside the organization inside the Office 365 Admin Center, the option to manage a user’s settings will disappear! (Manage external sharing is just gone completely!)
If you want to enable external access again for a user, you have to do it in PowerShell using one of the scripts above…I don’t like this!
Stay tuned for Part 3, where we will review why OneDrive For Business Sharing Policy analysis is important in Mergers, Acquisitions & Divestitures, and provide some practical advice.