New PowerShell Controls Available to Control Default Sharing Links for SharePoint Sites

Builds on Existing Control Over Site Sharing Capability

The container management settings of sensitivity labels can control the sharing capability of SharePoint Online sites. If you create a label and configure it to apply a sharing capability of “Only people in your organization,” any site which receives the label automatically enforces that sharing capability. Site owners cannot change the sharing capability of a site without changing the label assigned to the site. Although tenant administrators can’t stop site owners changing a label, this is an auditable action which organizations can track to revert if necessary. While it would be nice to be able to lock labels assigned to sites, enforcing consistent sharing capabilities is a good example of how container management through sensitivity labels make it easier to apply organizational standards across sites in an Office 365 tenant.

Controlling Default Sharing Links

SharePoint Online creates sharing links when users share content from a site (Figure 1). The sharing link identifies what the person receiving the link can do with the content (read or edit). It also identifies who can use the link (anyone, specific people, tenant accounts).

SharePoint Online generates a sharing link for a document
Figure 1: SharePoint Online generates a sharing link for a document

SharePoint administrators can configure settings for the default sharing link for a site through PowerShell by running the Set-SPOSite cmdlet from the SharePoint Online management module. The relevant parameters are:

  • DefaultSharingLinkType: Defines the default sharing link type for the site. For example, if this is “Internal,” the default sharing link type is set to anyone in the organization. The default is None, meaning respect the organization setting (defined with Set-SPOTenant).
  • DefaultLinkPermission: Set to View or Edit to define what the link recipient can do. The default is None, meaning respect the organization setting.
  • DefaultLinkToExistingAccess: The default is False. If set to True, the default sharing link type is set to People with existing access.

Defining a default sharing link type does not mean that site users are limited to the default type. Although SharePoint Online generates links based on the defaults, users can update sharing links to use other values, providing they remain within the constraints of the site’s external sharing capability.

Updating Sensitivity Labels with Default Sharing Links

Microsoft has released the public preview capability to control the default sharing link type for sites through sensitivity labels. The advantage of this method over configuring settings using Set-SPOSite is that any site assigned a label inherits the settings automatically. You don’t have to configure each site individually.

For now, configuration is by updating the advanced settings for a label with PowerShell. Given past practice, it’s likely to see an updated GUI for label creation and updates sometime after the feature reaches general availability.

To update label settings, you first need to connect to the compliance endpoint with PowerShell. Do this by running the Connect-IPPSession cmdlet from the Exchange Online management module. You can then use the Set-Label cmdlet to update settings of sensitivity labels. The setting names for Set-Label do not correspond exactly with the values used by Set-SPOSite. Here are the values:

  • DefaultSharingScope (DefaultSharingLinkType) is SpecificPeople, Organization, or Anyone.
  • DefaultShareLinkPermission (DefaultLinkPermission) is Edit or View.
  • DefaultLinkToExistingAccess is True or False (default False).

You can update link settings separately or together. For example, these commands set the default sharing scope and permission in two steps:

Set-Label -Identity 'Guest Access' -AdvancedSettings @{DefaultSharingScope = "SpecificPeople"}
Set-Label -Identity 'Guest Access' -AdvancedSettings @{DefaultShareLinkPermission = "Edit"}

Or set the two values in one command:

Set-Label -Identity 'Non-Business Use' -AdvancedSettings @{DefaultShareLinkPermission = "Edit"; DefaultSharingScope = "Anyone"}

To check the settings for the label and confirm the configuration, run the Get-Label cmdlet:

Get-Label "Non-Business Use" | Select -ExpandProperty Settings
[contenttype, Site, UnifiedGroup]
[tooltip, Apply this label to a team, group, or site intended to support a non-business use such as a sports club or approved employee society.]
[displayname, Non-business use]
[defaultsharingscope, Anyone]
[defaultsharelinkpermission, Edit]

To set the default sharing link for the site so that it overrides any existing setting and uses people with existing access instead, run:

Set-Label -Identity 'Confidential Access' -AdvancedSettings @{DefaultLinkToExistingAccess  = "True"}

Like any other changes made to sensitivity labels, it can take up to 24 hours before SharePoint Online respects updates to the default sharing link settings.

Keep up with the changing world of the Microsoft 365 ecosystem by subscribing to the Office 365 for IT Pros eBook. Monthly updates mean that our subscribers learn about new development as they happen.

One Reply to “New PowerShell Controls Available to Control Default Sharing Links for SharePoint Sites”

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.