Microsoft Adds New Layer of Access Control for SharePoint Online Sites

Stop Non-Group Members Accessing Restricted Sites

For years, I have been under the impression that SharePoint Online controlled access to sites connected to Microsoft 365 groups through group membership. Then MC671823 arrived on 29 August 2023 on the topic of Restricted Access Control for SharePoint and OneDrive sites. According to Microsoft 365 roadmap item 163991, the deployment date is December 2023, but MC671823 says that the feature is already rolling out through both the SharePoint Online admin center and PowerShell. Confusion reigns.

Microsoft says that the feature allows administrators to “restrict site access to specified users using Microsoft 365 group or AAD security groups. Users not added in the specified group(s) will not be able to access the site even if they were previously granted site access.” The idea is “to reduce the risk of oversharing or permission sprawl within their organizations.” Both are good aspects to restrict, especially for organizations considering the implementation of Microsoft 365 Copilot, where the danger exists that Copilot might use sensitive information in its responses.

I think the basic thinking behind restricted sites is that site administrators can add extra users to a site and so expose confidential information to those people. By restricting access to known groups, you reduce that risk. Of course, there’s nothing to stop an administrator of a site connected to a Microsoft 365 group from adding someone to the group membership (by definition, they’re a group owner), but then everyone else in the group can see that a new member is present and could ask some awkward questions.

Configuring Restricted Sites

The first thing to do is to configure the tenant to support restricted sites. Download the latest version of the Microsoft.Online.SharePoint.PowerShell module from the PowerShell Gallery (or use our script to update your Office 365 modules). I used version 16.0.24009.12000. Connect to SharePoint Online with Connect-SPOService and run:

Set-SPOTenant -EnableRestrictedAccessControl $True

If you don’t take this step, you won’t be able to configure restricted access for individual sites using either the SharePoint Online admin center or PowerShell. As with any tenant-level setting in SharePoint Online, allow a couple of hours for the change to take effect before you update individual sites. For instance, to update a site with PowerShell, run the Set-SPOSite cmdlet:

Set-SPOSite -Identity "https://office365itpros.sharepoint.com/sites/ProjectHiddenSecret" -RestrictedAccessControl $True

Restricted access control has been enabled on the site https://office365itpros.sharepoint.com/sites/ProjectHiddenSecret. The site access is restricted to members of the group b248090e-2bca-4d14-8aa6-3969a157a2a6.

Get-SPOSite -Identity "https://office365itpros.sharepoint.com/sites/ProjectHiddenSecret"  | Format-List Restrictedaccess*

RestrictedAccessControl       : True
RestrictedAccessControlGroups : {b248090e-2bca-4d14-8aa6-3969a157a2a6}

The GUID (b248090e-2bca-4d14-8aa6-3969a157a2a6) returned by the Get-SPOSite cmdlet is the group identifier pointing to the group SharePoint Online uses to control restricted access. Because this is a site connected to a Microsoft 365 group, the GUID resolves to that group:

Get-MgGroup -GroupId b248090e-2bca-4d14-8aa6-3969a157a2a6

DisplayName           Id                                   MailNickname        Description                      GroupTypes
-----------           --                                   ------------        -----------                      ----------
Project Hidden Secret b248090e-2bca-4d14-8aa6-3969a157a2a6 ProjectHiddenSecret A project full of hidden secrets {Uni...

Alternatively, edit the site settings to enable restricted site access (Figure 1).

Figure 1: Setting a SharePoint Online site to have restricted access

Restricted Sites Not Connected to Microsoft 365 Groups

An extra step is needed for sites that aren’t connected to Microsoft 365 groups. In this case, you must pass the identifiers of one or more (up to 10) Entra ID security groups, comma-separated, to use for access control. Dynamic security groups are supported. Here’s an example:

Set-SPOSite -Identity "https://office365itpros.sharepoint.com/sites/TestSite001" -RestrictedAccessControl $True -RestrictedAccessControlGroups d347eec5-62f1-4436-af41-e53fa18090be

Restricted access control has been enabled on the site https://office365itpros.sharepoint.com/sites/TestSite001. The site access is restricted to members of the group d347eec5-62f1-4436-af41-e53fa18090be.
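The two Set-SPOSite calls above are the whole procedure, but in practice the group identifiers come from somewhere, and a mistyped GUID or a Microsoft 365 group passed where a security group is expected only surfaces as an error from Set-SPOSite. The script below is an added example, not code from the original post: it resolves security group display names to identifiers through the Graph SDK, enforces the one-to-ten group limit the post describes, refuses to run against a group-connected site (whose control group is the Microsoft 365 group itself), applies the restriction, and reads the site back to confirm it took. It assumes Connect-SPOService and Connect-MgGraph (Group.Read.All) have already run, that the tenant has EnableRestrictedAccessControl set to $True, and that -RestrictedAccessControlGroups accepts the comma-separated string the post shows. The site URL and group names are placeholders.

```powershell
# Added example (not from the original post): validate and apply restricted access
# control to a site that is not connected to a Microsoft 365 group.
# Assumes Connect-SPOService and Connect-MgGraph (Group.Read.All) have run.
# Site URL and group names below are placeholders.
$SiteUrl    = "https://office365itpros.sharepoint.com/sites/TestSite001"
$GroupNames = @("Project Finance Reviewers", "Project Finance Auditors")

# Resolve each display name to exactly one security group. Microsoft 365 groups
# (GroupTypes contains "Unified") are rejected: group-connected sites use their
# own group, and that is not what this path is for.
$GroupIds = [System.Collections.Generic.List[string]]::new()
ForEach ($Name in $GroupNames) {
    $Filter = "displayName eq '{0}' and securityEnabled eq true" -f $Name.Replace("'", "''")
    [array]$Found = Get-MgGroup -Filter $Filter -Property Id, DisplayName, GroupTypes
    If ($Found.Count -ne 1) {
        Throw ("Expected exactly one security group named '{0}', found {1}" -f $Name, $Found.Count)
    }
    If ($Found[0].GroupTypes -contains "Unified") {
        Throw ("'{0}' is a Microsoft 365 group, not a security group" -f $Name)
    }
    $GroupIds.Add($Found[0].Id)
}

# The post says a site takes between one and ten groups.
If ($GroupIds.Count -lt 1 -or $GroupIds.Count -gt 10) {
    Throw ("Restricted access control needs 1 to 10 groups; got {0}" -f $GroupIds.Count)
}

# A group-connected site is restricted to its Microsoft 365 group automatically;
# do not overwrite that with security groups.
$Site = Get-SPOSite -Identity $SiteUrl
If ($Site.GroupId -ne [guid]::Empty) {
    Throw ("{0} is connected to Microsoft 365 group {1}; use -RestrictedAccessControl alone" -f $SiteUrl, $Site.GroupId)
}

# Apply the restriction (comma-separated identifiers, as shown in the post).
Set-SPOSite -Identity $SiteUrl -RestrictedAccessControl $True -RestrictedAccessControlGroups ($GroupIds -join ",")

# Read the setting back and confirm every requested group was recorded.
$Site    = Get-SPOSite -Identity $SiteUrl
$Applied = @($Site.RestrictedAccessControlGroups | ForEach-Object { [string]$_ })
$Missing = @($GroupIds | Where-Object { $Applied -notcontains $_ })
If ($Site.RestrictedAccessControl -ne $True -or $Missing.Count -gt 0) {
    Throw ("Verification failed for {0}: RestrictedAccessControl={1}, missing groups: {2}" -f `
        $SiteUrl, $Site.RestrictedAccessControl, ($Missing -join ","))
}
Write-Host ("Restricted access enforced on {0} for groups: {1}" -f $SiteUrl, ($Applied -join ", "))
```

The read-back at the end matters because Set-SPOSite reports success for the site as a whole; checking RestrictedAccessControlGroups after the fact is the only way to be sure the list you intended is the list that was stored.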

Finding Restricted Sites

To find sites with restricted access, you must scan each site and then resolve the group identifiers using code like this (Get-SPOSite -Limit All returns a trimmed-down object, so each site is fetched again to read its restricted access properties; Get-MgGroup needs a Connect-MgGraph session with Group.Read.All):

[array]$Sites = Get-SPOSite -Limit All
ForEach ($Site in $Sites) {
    # Fetch the full site object; the -Limit All listing omits these properties
    $SiteDetails = Get-SPOSite -Identity $Site.Url
    If ($SiteDetails.RestrictedAccessControl -eq $True) {
       [array]$Groups = $SiteDetails.RestrictedAccessControlGroups
       ForEach ($G in $Groups) {
         # Resolve the control group identifier to a display name
         $Group = Get-MgGroup -GroupId $G
         Write-Host ("Site {0} restricted to group {1}" -f $SiteDetails.Title, $Group.DisplayName)
       }
    }
}
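A listing is a start, but the check an administrator actually wants is whether each restriction still points at a live group: a site whose control group has since been deleted, or whose group list is empty, is misconfigured rather than protected. The script below is an added example, not code from the original post. It builds on the loop above to produce a report object per restricted site, caches Graph lookups so repeated groups cost one call, records whether the site is group-connected, flags sites whose group identifiers no longer resolve in Entra ID, and writes the result to CSV. It assumes Connect-SPOService and Connect-MgGraph (Group.Read.All) have run; the output path is a placeholder.

```powershell
# Added example (not from the original post): audit restricted sites and flag
# ones whose control groups no longer exist in Entra ID.
# Assumes Connect-SPOService and Connect-MgGraph (Group.Read.All) have run.
$ReportPath = "C:\Temp\RestrictedSites.csv"   # placeholder
$Report     = [System.Collections.Generic.List[object]]::new()
$GroupCache = @{}   # group id -> Get-MgGroup result (or $null if it no longer exists)

# The -Limit All listing is trimmed, so fetch each site individually. Skip redirect stubs.
[array]$Sites = Get-SPOSite -Limit All | Where-Object { $_.Template -notlike "REDIRECTSITE*" }
ForEach ($Site in $Sites) {
    $Details = Get-SPOSite -Identity $Site.Url
    If ($Details.RestrictedAccessControl -ne $True) { Continue }

    [array]$GroupIds = @($Details.RestrictedAccessControlGroups | ForEach-Object { [string]$_ })
    $Names = [System.Collections.Generic.List[string]]::new()
    $Dead  = [System.Collections.Generic.List[string]]::new()
    ForEach ($Id in $GroupIds) {
        If (-not $GroupCache.ContainsKey($Id)) {
            # Get-MgGroup throws for a deleted group; store $null so the site is flagged
            $GroupCache[$Id] = Get-MgGroup -GroupId $Id -ErrorAction SilentlyContinue
        }
        If ($GroupCache[$Id]) { $Names.Add($GroupCache[$Id].DisplayName) } Else { $Dead.Add($Id) }
    }

    $Status = "OK"
    If ($GroupIds.Count -eq 0) { $Status = "No control group recorded" } ElseIf ($Dead.Count -gt 0) { $Status = "Control group missing from Entra ID" }

    $Report.Add([PSCustomObject]@{
        Site            = $Details.Title
        Url             = $Details.Url
        GroupConnected  = ($Details.GroupId -ne [guid]::Empty)
        ControlGroups   = ($Names -join "; ")
        MissingGroupIds = ($Dead -join "; ")
        Status          = $Status
    })
}

$Report | Sort-Object Status, Site | Format-Table Site, GroupConnected, ControlGroups, Status -AutoSize
$Report | Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8
$NeedsAttention = @($Report | Where-Object { $_.Status -ne "OK" }).Count
Write-Host ("{0} restricted sites found, {1} need attention" -f $Report.Count, $NeedsAttention)
```

Run this on a schedule and diff the CSV against the previous run: a site that drops off the list has had its restriction removed, and a site whose status changes from OK has lost the group that was doing the restricting.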

Licensing Restricted Sites

Making a SharePoint Online site subject to restricted access requires the Syntex-SharePoint Advanced Management license. At least, that’s what we learn from Microsoft’s documentation, which says that “some features” require the license without offering any further guidance. My assumption is that any user accessing a restricted site needs the license.

Another Layer of Protection

Restricted sites add another security layer to protect confidential information stored in SharePoint Online. If you pay for the advanced management license, you can also assign the block download policy to sites to stop site members from downloading files. Add sensitivity labels to block access unless people have the right to open files, and you have a solid set of protections against unauthorized access to information.


Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.

4 Replies to “Microsoft Adds New Layer of Access Control for SharePoint Online Sites”

  1. I was wondering what the use case is, because if you’re in the M365 group, only you have access and no one else, but then I read: Both are good aspects to restrict, especially for organizations considering the implementation of Microsoft 365 Copilot, where the danger exists that Copilot might use sensitive information in its responses.

    So… I know that we know little about Copilot, but I was expecting that it would at least respect the security trimming for the answers…

    1. Copilot absolutely supports trimming. The simple rule of thumb is that if you can’t find something with Microsoft Search, Copilot cannot use it. The danger exists where people do not adequately protect sensitive sites that contain information which Copilot is then able to use in its responses. Oversharing is a big danger in that respect.

  2. I could not get this to work with a regular security group. For context, a customer requested that internal sharing be disabled. The only way I found, outside of information barriers, is this solution, which is a bit more straightforward and a tad easier to manage.

    The only issue I found when attempting to set the security group on the site was it would give me an error if it wasn’t a Microsoft 365 Group. As soon as I pointed the -AddRestrictedAccessControlGroup to a M365 Group, it worked.

    error: Set-SPOSite : Could not set RestrictedAccessControlGroups on the site.

    1. The article does mention that the GUID used in the restriction is the SPO site of the Microsoft 365 group… security groups don’t have SPO sites.
