As clarified in previous post, Azure AD Access Reviews capability although promising qua concept, is in it's current implementation yet unfit to assess the external access per site. But luckily we have PowerShell, which enables us per site, determine the collection of guest authorizations and ask site owner to review + re-confirm the authorizations. Crucial is to provide insight and awareness; who all has access authorization to my business site, and as site / business owner I still are ok with each indivdual guest authorization? For those not / no longer; explicit revoke, for good secure housekeeping in your external shared site.
PowerShell script to assess the external authorization per site in the tenant:
<# .SYNOPSIS Access Review of guest users into the SharePoint tenant #> #Connection to SharePoint Online $SPOAdminSiteUrl="https://<tenant>-admin.sharepoint.com/" try { Connect-SPOService -Url $SPOAdminSiteUrl -ErrorAction Stop } catch { exit } $externalUsersInfoDictionary= @{} $externalSharedSites = Get-SPOSite | Where-Object {$_.SharingCapability -eq "ExistingExternalUserSharingOnly"} foreach ($site in $externalSharedSites) { $externalUsersInfoCollection= @() $position = 0 $page = 0 $pageSize = 50 while ($position -eq $page * $pageSize) { foreach ($externalUser in Get-SPOExternalUser -Position ($page * $pageSize) -PageSize $pageSize -SiteUrl $site.Url | Select DisplayName,Email,WhenCreated) { if (!$externalUsersInfoDictionary.ContainsKey($externalUser.Email)) { $externalUsersInfoDictionary[$externalUser.Email] = @() } $externalUsersInfoDictionary[$externalUser.Email]+=$site.Url $externalUsersInfo = new-object psobject $externalUsersInfo | add-member noteproperty -name "Site Url" -value $site.Url $externalUsersInfo | add-member noteproperty -name "Email" -value $externalUser.Email $externalUsersInfo | add-member noteproperty -name "DisplayName" -value $externalUser.DisplayName $externalUsersInfo | add-member noteproperty -name "WhenCreated" -value $externalUser.WhenCreated $externalUsersInfo | add-member noteproperty -name "Preserve Access?" -value "Yes" $externalUsersInfoCollection+=$externalUsersInfo $position++ } $page++ } if ($externalUsersInfoCollection.Count -ne 0) { $exportFile = "External Access Review (" + $site.Url.SubString($site.Url.LastIndexOf("/")+ 1) + ")- " + $(get-date -f yyyy-MM-dd) + ".csv" $externalUsersInfoCollection | Export-Csv $exportFile -NoTypeInformation } } # Export matrix overview: per user, in which of the external sites granted access $externalUsersInfoCollection= @() $externalUsersInfoDictionary.Keys | ForEach-Object { $externalUsersInfo = new-object psobject $externalUsersInfo | add-member noteproperty -name "User Email" -value $_ foreach ($site in $externalSharedSites) { if ($externalUsersInfoDictionary[$_].Contains($site.Url)) { $externalUsersInfo | add-member noteproperty -name $site.Url -value "X" } else { $externalUsersInfo | add-member noteproperty -name $site.Url -value "" } } $externalUsersInfoCollection+=$externalUsersInfo } $exportFile = "External Access Review user X site - " + $(get-date -f yyyy-MM-dd) + ".csv" $externalUsersInfoCollection | Export-Csv $exportFile -NoTypeInformation Disconnect-SPOService
No comments:
Post a Comment