Applying SharePoint sharing policy settings to all of your Teams

sharepoint_logo

If you find the ‘anyone’ setting greyed out and not matching the policy, this is how to apply SharePoint sharing policy settings, set in the SharePoint Admin Center, to all your Team sites.

So, you may have decided that you need to allow users to share files with external users using anonymouse sharing links, especially if you have users coming from DropBox or Box who are used to this functionality.

So, you change the setting in the SharePoint Admin Center to allow anonymous links, but dragging the slider to ‘Anyone’.

After changing this setting, if you try and share a file from Teams (via Open in SharePoint), you will find that the option is still greyed out:

But this is enabled via policy, even if you create a new Team, it doesn’t have the setting specified in the policy. So what’s the solution? You could select each site, then Sharing, and click on the strangely worded link ‘Reset to organization level settings’ (although you never changed it aware from the organization level settings). This is tedious if you have a lot of sites.

The fact is that there is no way to actually apply the policy to all sites, the policy only specifies what permissions are available. So you still have to apply this setting to every site, which luckily we can do with PowerShell.

First, connect to SharePoint online (I use the following connection script, just change the $sharepointadmin variable):

write-host "Connecting to SharePoint (SPOService)..." -ForegroundColor Yellow

if ($module = Get-Module -Name Microsoft.Online.SharePoint.PowerShell -ListAvailable | Select Name,Version) {
    #write-host "installed"
    } else {
        write-host "SharePoint module Not installed, install with Install-Module -Name Microsoft.Online.SharePoint.PowerShell" -ForegroundColor Red
        exit
        }

$sharepointadmin = "https://yourtenant-admin.sharepoint.com"

try { 
    $var = Get-SPOGeoStorageQuota # Just using this as it is quick
} 
catch {
    Write-Host "Not connected, authenticate in other window"; Connect-SPOService -Url $sharepointadmin
}

Now get all your Teams and check the settings:

get-sposite -LIMIT ALL | Where-Object {$_.Template -eq "GROUP#0"}| ft Url,template,SharingCapability
# Or just get the ones that don't match the policy you want set
get-sposite -LIMIT ALL | Where-Object {$_.Template -eq "GROUP#0" -AND $_.SharingCapability -ne "ExternalUserAndGuestSharing"} |ft Url,template,SharingCapability

Set the sharing capability (not this is quite slow so don’t include every site):

get-sposite -LIMIT ALL | Where-Object {$_.Template -eq "GROUP#0" -AND $_.SharingCapability -ne "ExternalUserAndGuestSharing"}| set-SPOSite -SharingCapability ExternalUserAndGuestSharing 

And check the result using the previous command.

Note that the values for SharingCapability are somewhat counterintuitive, refer to https://docs.microsoft.com/en-us/powershell/module/sharepoint-online/set-sposite?view=sharepoint-ps#examples

The possible values are as follows, and correspond to the slider values in the first image:

  • ExternalUserAndGuestSharing – allow sharing with all external users, and by using anonymous access links.
  • ExternalUserSharingOnly – allow external users who accept sharing invitations and sign in as authenticated users
  • ExistingExternalUserSharingOnly – Allow sharing only with the external users that already exist in your organization’s directory
  • Disabled – don’t allow sharing outside your organization

Unfortunately, you’ll still have to do this for every new Team, but at least it’s easier now!

Posted in Office 365, SharePoint, Teams

Related Posts

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: