7.2.3 Ensure external content sharing is restricted

Information

The external sharing settings govern sharing for the organization overall. Each site has its own sharing setting that can be set independently, though it must be at the same or more restrictive setting as the organization.

The new and existing guests option requires people who have received invitations to sign in with their work or school account (if their organization uses Microsoft 365) or a Microsoft account, or to provide a code to verify their identity. Users can share with guests already in your organization's directory, and they can send invitations to people who will be added to the directory if they sign in.

The recommended state is New and existing guests or less permissive.

Rationale:

Forcing guest authentication on the organization's tenant enables the implementation of controls and oversight over external file sharing. When a guest is registered with the organization, they now have an identity which can be accounted for. This identity can also have other restrictions applied to it through group membership and conditional access rules.

Impact:

When using B2B integration, Entra ID external collaboration settings, such as guest invite settings and collaboration restrictions apply.

Solution

To remediate using the UI:

Navigate to SharePoint admin center https://admin.microsoft.com/sharepoint

Click to expand Policies > Sharing.

Locate the External sharing section.

Under SharePoint, move the slider bar to New and existing guests or a less permissive level.

OneDrive will also be moved to the same level and can never be more permissive than SharePoint.

To remediate using PowerShell:

Connect to SharePoint Online service using Connect-SPOService.

Run the following cmdlet to establish the minimum recommended state:

Set-SPOTenant -SharingCapability ExternalUserSharingOnly

Note: Other acceptable values for this parameter that are more restrictive include: Disabled and ExistingExternalUserSharingOnly.

Default Value:

Anyone (ExternalUserAndGuestSharing)

See Also

https://workbench.cisecurity.org/benchmarks/15279

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2

Plugin: microsoft_azure

Control ID: 4bf67f11130cad05525528f08079097d3ca932122c496af433eff8766ddafdd4