Information
This setting governs the global permissiveness of OneDrive content sharing in the organization.
OneDrive content sharing can be restricted independently of SharePoint, but it can never be more permissive than the level established for SharePoint.
The recommended state is Only people in your organization.
Rationale:
OneDrive, designed for end-user cloud storage, inherently provides less oversight and control than SharePoint, which often involves additional content overseers or site administrators. This autonomy can lead to risks such as inadvertent sharing of privileged information by end users. Restricting external OneDrive sharing requires users to move content to SharePoint folders, which carry those tighter controls, before it can be shared externally.
Impact:
Users will be required to take additional steps to share OneDrive content or use other official channels.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
To remediate using the UI:
Navigate to the SharePoint admin center: https://admin.microsoft.com/sharepoint
Click to expand Policies > Sharing.
Locate the External sharing section.
Under OneDrive, set the slider bar to Only people in your organization.
To remediate using PowerShell:
Connect to the SharePoint Online service using Connect-SPOService.
Run the following cmdlet:
Set-SPOTenant -OneDriveSharingCapability Disabled
Alternative remediation method using PowerShell:
Connect to SharePoint Online.
Run one of the following:
# Replace [tenant] with your tenant name (the prefix of your *.sharepoint.com URLs)
Set-SPOSite -Identity https://[tenant]-my.sharepoint.com/ -SharingCapability Disabled
# Or look up the OneDrive (My Site host) site collection by its URL pattern instead of supplying the tenant name.
$OneDriveSite = Get-SPOSite -Filter { Url -like '*-my.sharepoint.com/' }
Set-SPOSite -Identity $OneDriveSite -SharingCapability Disabled
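Because this check is not performed automatically, the following added PowerShell helper (example code, not part of the benchmark or of Nessus) audits the tenant-level OneDrive sharing setting against the recommended value and optionally applies the Set-SPOTenant remediation from above. It goes slightly beyond the text by also reporting the effective OneDrive level, since OneDrive can never be more permissive than the SharePoint setting. It assumes the SharePoint Online Management Shell module is installed (Connect-SPOService, Get-SPOTenant, Set-SPOTenant); the tenant name "contoso" is a placeholder, and the permissiveness ranking of the four sharing values is an assumption that mirrors the admin-center slider order.

```powershell
# Added audit/remediation helper; not part of the original benchmark text.
# Requires the SharePoint Online Management Shell module (Connect-SPOService, Get-SPOTenant, Set-SPOTenant).

# Assumed ranking of sharing levels from least to most permissive (slider order in the admin center).
$script:SharingRank = @{
    'Disabled'                        = 0
    'ExistingExternalUserSharingOnly' = 1
    'ExternalUserSharingOnly'         = 2
    'ExternalUserAndGuestSharing'     = 3
}

function Test-OneDriveSharingPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$TenantName,      # e.g. 'contoso' (placeholder)
        [string]$ExpectedLevel = 'Disabled',            # "Only people in your organization"
        [switch]$Remediate                              # report only unless set
    )

    # Connect to the tenant admin site (prompts for credentials interactively).
    Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"
    $tenant = Get-SPOTenant

    $spoLevel = [string]$tenant.SharingCapability
    $odLevel  = [string]$tenant.OneDriveSharingCapability

    # OneDrive is capped by the SharePoint level, so the effective value is the lower of the two.
    $effective = $odLevel
    if ($script:SharingRank[$odLevel] -gt $script:SharingRank[$spoLevel]) { $effective = $spoLevel }

    $result = [pscustomobject]@{
        SharePointSharing = $spoLevel
        OneDriveSharing   = $odLevel
        EffectiveOneDrive = $effective
        Expected          = $ExpectedLevel
        Compliant         = ($odLevel -eq $ExpectedLevel)
    }

    if (-not $result.Compliant -and $Remediate) {
        # Same remediation as the benchmark's primary PowerShell method.
        Set-SPOTenant -OneDriveSharingCapability $ExpectedLevel
        $result.OneDriveSharing = [string](Get-SPOTenant).OneDriveSharingCapability
        $result.Compliant       = ($result.OneDriveSharing -eq $ExpectedLevel)
    }

    return $result
}

# Usage, report only:
# Test-OneDriveSharingPolicy -TenantName 'contoso' | Format-List
# Usage, report and fix:
# Test-OneDriveSharingPolicy -TenantName 'contoso' -Remediate | Format-List
```

Run it without -Remediate first to record the current SharePoint and OneDrive values as audit evidence; the Compliant field is what the benchmark check corresponds to, while EffectiveOneDrive shows what users actually get once the SharePoint cap is applied.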
Default Value:
Anyone (ExternalUserAndGuestSharing)