SharePoint
SharePoint Online is a collaboration service that allows you to store and share information through a web-based interface. Many organizations use SharePoint sites to build web portals for departments. To provide users with access to SharePoint Online, you need to understand how permissions are assigned. Additionally, you need to understand how external sharing is configured to help ensure that sensitive information isn't shared when it shouldn't be.
You can manage many SharePoint Online features by using the web-based SharePoint admin center. However, it doesn't provide full management access to SharePoint Online. For some advanced operations, you need to use SharePoint Online Management Shell. The SharePoint Online Management Shell is a Windows PowerShell module that you can install.
Installation
You install the SharePoint Online Management Shell from the PowerShell Gallery by running the following command:
Install-Module -Name Microsoft.Online.SharePoint.PowerShell
The SharePoint Online Management Shell doesn't update automatically. To update the module, run the following command:
Update-Module -Name Microsoft.Online.SharePoint.PowerShell
Connection
All of the cmdlet nouns in the SharePoint Online Management Shell begin with SPO. You can connect to SharePoint Online by using the Connect-SPOService cmdlet as in the following example:
Connect-SPOService -Url https://adatum-admin.sharepoint.com
When you connect to SharePoint Online, you need to provide the URL for your SharePoint Online instance. This URL is based on your Microsoft 365 tenant name. For example, if your Microsoft 365 tenant name is adatum.onmicrosoft.com, then the URL for administering SharePoint Online is adatum-admin.sharepoint.com. You can also find this URL when you sign in to SharePoint admin center.
To sign in by using Connect-SPOService, you need a user account with either SharePoint Admin or Global Administrator permissions for the Microsoft 365 tenant.
Users and Groups
To provide access to a SharePoint site, you can assign users and groups varying levels of site permissions. Some of the permissions available by default are:
- Full Control
- Design
- Edit
- Approve
- Contribute
- Read
You can create customized permission levels by using SharePoint admin center. There are no cmdlets in SharePoint Online Management Shell for creating or modifying customized permission levels.
SharePoint groups
To assign permissions in SharePoint Online by using PowerShell, you create SharePoint groups. SharePoint groups exist only in SharePoint Online and are specific to the site in which you create them. The following example depicts how to use the New-SPOSiteGroup cmdlet to create a SharePoint Online group and assign permissions for a site:
New-SPOSiteGroup -Group MarketingUsers -PermissionLevels Read -Site https://adatum.sharepoint.com/sites/Marketing
You can use the Get-SPOSiteGroup cmdlet to identify the SharePoint groups that have been created for a site and assigned permissions. The results also contain the group membership. You need to specify the site URL with the request as depicted in the following example:
Get-SPOSiteGroup -Site https://adatum.sharepoint.com/sites/Marketing
You can modify the permissions assigned to a SharePoint group by using the Set-SPOSiteGroup cmdlet. You need to specify the name of the group and the site URL in addition to the permissions to be modified. To add permissions, use the -PermissionLevelsToAdd parameter. To remove permissions, use the -PermissionLevelsToRemove parameter. The following example uses the -PermissionLevelsToAdd parameter:
Set-SPOSiteGroup -Site https://adatum.sharepoint.com/sites/Marketing -Group MarketingUsers -PermissionLevelsToAdd Contribute
Managing site users
To give permissions to Azure AD users, you must make them members of a SharePoint group. You can add members to a SharePoint group by using the Add-SPOUser cmdlet as depicted in the following example. You need to specify the site URL along with the group name:
Add-SPOUser -Site https://adatum.sharepoint.com/sites/Marketing -Group MarketingUsers -LoginName AbbieP@adatum.com
You can also add security groups from Azure AD as members of SharePoint groups by using the Add-SPOUser cmdlet.
The Remove-SPOUser cmdlet has similar syntax to the Add-SPOUser cmdlet but removes a user from the specified SharePoint group. If you don't specify a group, then the user is removed from all SharePoint groups in the site.
To review the users who are members of SharePoint groups, you can use the Get-SPOUser cmdlet. You need to specify the site URL from which to retrieve users, but the group is optional. If you don't specify the group, you'll receive a list of all users in the site and the SharePoint groups that they are members of.
There is also a Set-SPOUser cmdlet but its only purpose is to set whether a user is an administrator for the site. The following example depicts how to configure a user as a site administrator:
Set-SPOUser -Site https://adatum.sharepoint.com/sites/Marketing -LoginName AbbieP@adatum.com -IsSiteCollectionAdmin $true
SP Sites
In SharePoint Online, you can have multiple sites that contain different content. There's a default site designed for collaboration that's created automatically when you create your tenant. There are also sites created automatically for each Microsoft 365 group or Microsoft Team and OneDrive users. Additionally, you can create your own SharePoint sites and customize them.
Creating sites
You can use the New-SPOSite cmdlet to create new sites in SharePoint online. When you create a new site, the parameters in the following table are required.
| Parameter | Description |
|---|---|
| -Url | The URL for the site, which needs to be with your SharePoint Online namespace. For example, if the default URL for your SharePoint Online tenant is https://adatum.sharepoint.com, then the URL for the site could be https://adatum.sharepoint.com/sites/Marketing. |
| -Owner | The owner of the site that can manage it. |
| -StorageQuota | The maximum size of the site in megabytes (MB). This must be less than the quota available in the tenant. |
The following example creates a new site with AbbieP@adatum.com as the owner and a 256 MB storage quota:
New-SPOSite -Url https://adatum.sharepoint.com/sites/Marketing -Owner AbbieP@adatum.com -StorageQuota 256
Most of the time when you create a site, you'll want to base it on a template. A template defines components that are automatically included in a site. There are templates included in SharePoint Online by default and you can also make your own. To review the template in your SharePoint Online tenant, use the Get-SPOWebTemplate cmdlet. To use a template when creating a site with the New-SPOSite cmdlet, use the -Template parameter.
Modifying sites
You can use the Set-SPOSite cmdlet to modify existing sites. To define which site you want to modify, use the -Identity parameter and provide the URL for the site. The URL for a site is a unique identifier for the site, and you cannot modify it by using Set-SPOSite. The following table lists some parameters you can use with Set-SPOSite.
| Parameter | Description |
|---|---|
| -Title | Sets the title for the site. The title typically displays when users sign in to the site. For example, a title might be Marketing Portal. |
| -StorageQuotaWarningLevel | Sends a warning message to the site owner when the warning level is reached. This value should be less than the -StorageQuota. |
| -AllowEditing | Controls whether users are allowed to edit Office files in the browser, and copy and paste Office file content out of the browser window. |
| -LockState | Sets the lock state on a site. Valid values are: NoAccess, ReadOnly, and Unlock. |
The following example sets the title for a site:
Set-SPOSite -Identity https://adatum.sharepoint.com/sites/Marketing -Title "Marketing Portal"
Listing and reviewing sites
You can use the Get-SPOSite cmdlet to review the sites created in your SharePoint Online tenant and their configurations. To list all sites in your tenant, don't include any parameters. To list the specific site's properties, you use the -Identity parameter and specify the site's URL. The following example depicts how to list a specific site's properties:
Get-SPOSite -Identity https://adatum.sharepoint.com/sites/Marketing | Format-List
Removing sites
You use Remove-SPOSite to remove a site. The following example depicts how to use this cmdlet to remove a site:
Remove-SPOSite -Identity https://adatum.sharepoint.com/sites/Marketing
When you remove a site, it's placed in the SharePoint Recycle Bin. You can use the Restore-SPODeletedSite cmdlet to restore a site from the SharePoint Recycle Bin. To purge a deleted site from the SharePoint Recycle Bin, you can use the Remove-SPODeletedSite cmdlet.
SharePoint Online terminology
The SharePoint admin center uses the site and sub-site terminology to describe how to nest content. When you create a sub-site, it inherits some of the settings from the site, such as the owner.
If you're familiar with the on-premises version of SharePoint, it uses the terminology site collections and sites instead. When reviewing documentation for SharePoint Online cmdlets, you might notice that it often uses the on-premises site collections terminology. There are no cmdlets for managing sites within site collections (or sub-sites).
External Users
SharePoint Online content can be shared with external users. Because Microsoft OneDrive storage is part of SharePoint Online, there are similar settings for both. When you configure settings for external sharing, the OneDrive settings must be the same or more restrictive than the SharePoint Online settings. The commonly used external sharing settings for SharePoint Online are listed in the following table.
| Permission level | Description |
|---|---|
| Anyone | Allows users to share files and folders by using links that let anyone who has the link access the files or folders without authenticating. This setting also allows users to share sites with new and existing guests who authenticate. If you select this setting, you can restrict the Anyone links so that they expire within a specific number of days, or so that they provide only View permission. |
| New and existing guests | Requires people who have received invitations to sign in with their work or school account (if their organization uses Microsoft 365). Alternatively, they can use a Microsoft account, or provide a code to verify their identity. Users can share with guests already in your organization's directory, and they can send invitations to people who will be added to the directory if they sign in. |
| Existing guests | Allows sharing only with guests who are already in the directory. These guests might exist in your directory because they previously accepted sharing invitations or because they were added manually, such as through Azure business-to-business (B2B) collaboration. |
| Only people in your organization | Doesn't allow external sharing. |
Managing sharing
To configure these permissions for a site, you use the Set-SPOSite cmdlet with the -SharingCapability parameter. Valid values for the -SharingCapability parameter are:
- ExternalUserAndGuestSharing
- ExternalUserSharingOnly
- ExistingExternalUserSharingOnly
- Disabled
The following example disables external sharing for a site:
Set-SPOSite -https://adatum.sharepoint.com/sites/Marketing -SharingCapability Disabled
When you allow sharing with external users, you can restrict sharing based on the user domain by using the -SharingDomainRestrictionMode parameter. The following table describes the valid values.
| Value | Description |
|---|---|
| None | Doesn't restrict sharing by domain (default). |
| AllowList | Allows sharing only with external users that have an account on domains specified by using the -SharingAllowedDomainList parameter. |
| BlockList | Allows Sharing with external users in all domains except in domains specified by using the -SharingBlockedDomainList parameter. |
Managing sharing links
When a user shares content from a SharePoint site, a sharing link is sent to the recipient. This link is unique and includes information, such as permissions, to edit the file and who can use it.
You can use the -DefaultLinkSharingType parameter to specify the default value for the users who can use the sharing link. Users that are sharing can still select the option that they prefer. The following table lists the valid values.
| Value | Description |
|---|---|
| None | Uses the value set at the tenant level. |
| AnonymousAccess | Sets the default sharing link for this site to an Anonymous Access or Anyone link. |
| Internal | Sets the default sharing link for this site to the organization link or company shareable link. |
| Direct | Sets the default sharing link for this site to the Specific people link. |
You can use the -DefaultLinkPermission parameter to specify the default value for what users can do to the content via the sharing link. Users that are sharing can still select the option that they prefer. The following table lists the valid values.
| Value | Description |
|---|---|
| None | Uses the value set at the tenant level. |
| View | Set the default value to View permissions. |
| Edit | Sets the default value to Edit permissions. |
You can configure an expiration time for external sharing links. After a link expires, it can no longer be used to access the linked content. The expiration time can be set independently for anonymous and external users. The following table lists parameters that you can use to configure link expiration for a site.
| Parameter | Description |
|---|---|
| -OverrideTenantAnonymousLinkExpirationPolicy | To set an expiration time for anonymous links at the site level, set this value to $true. When set to $false, anonymous link expiration settings from the tenant level are used. |
| -AnonymousLinkExpirationInDays | This sets the number of days that an anonymous link is valid. |
| -OverrideTenantExternalUserExpirationPolicy | To set an expiration time for external user links at the site level, set this value to $true. When set to $false, external user link expiration settings from the tenant level are used. |
| -ExternalUserExpirationInDays | This sets the number of days that an external user link is valid. |
You can configure some sharing settings at the tenant level by using the Set-SPOTenant cmdlet.
Takeaways
- SharePoint Online is used to create sites for user collaboration and file storage in addition to being used as storage for other Microsoft 365 services. You can use the web-based SharePoint admin center to manage many SharePoint Online features. However, for certain advanced operations, you will need the SharePoint Online Management Shell, a Windows PowerShell module.
- To provide access to a SharePoint site, you can assign users and groups varying levels of site permissions. To assign permissions in SharePoint Online by using PowerShell, you create SharePoint groups. To give permissions to Azure AD users, you must make them members of a SharePoint group.
- In SharePoint Online, you can have multiple sites that contain different content. There's a default site designed for collaboration that's created automatically when you create your tenant. There are also sites created automatically for each Microsoft 365 group or Microsoft Team and OneDrive users. Additionally, you can create your own SharePoint sites and customize them.
- Microsoft OneDrive storage is part of SharePoint Online, because of which there are similar settings for both. When you configure settings for external sharing, the OneDrive settings must be the same or more restrictive than the SharePoint Online settings.