SharePoint Site Auditing with PowerShell
One of the challenges that comes with a corporate rollout of SharePoint is the need to establish a set of in-house standards. SharePoint is a very flexible and open-ended tool, so developing a standards document is especially important. Without corporate-level SharePoint standards, individual teams and site owners tend to set their own direction, and the overall SharePoint environment can become difficult to manage and more costly to support, administer, and develop solutions for.
Well-written standards should be specific and read like a requirements document. So now you have a good set of SharePoint standards. Now what?
Look for a systems administration solution. Your first choice in implementing a standard would be to configure your SharePoint environment to enforce it directly. For example, you may have a standard against external sharing on OneDrive sites. Instead of asking your organization’s users not to share externally, your Office 365 tenant administrator can configure OneDrive to disable external sharing. Another example would be limiting the use of SharePoint Designer by disabling its use in the site collection administration screen.
Create a PowerShell Site Audit Script. Many standards are technical in nature but don’t have an option for a setup or configuration solution. This is where our PowerShell site audit script comes into play. An example standard in this category would be the setup of SharePoint security groups. SharePoint groups have a setting that allows a group’s membership to be edited by the group members.
There may be some edge cases such as community sites where this may be appropriate, but in general I would want this set back to ‘Group Owner’ so the site owner is responsible for setting membership.
So that is the standard our audit script will enforce: it finds any SharePoint groups with this property set to ‘group members’. My script logs the groups that are out of compliance with this standard.
First, install SharePoint PnP PowerShell: https://github.com/SharePoint/PnP-PowerShell
Next, let’s look at my script:
```powershell
$cred = Get-Credential;
# Connect to the tenant admin URL
Connect-PnPOnline -Url https://yourtenant-admin.sharepoint.com -Credentials ($cred);
$sites = Get-PnPTenantSite -Detailed -Force;
Write-Output "There are $($sites.count) site collections present";
foreach ($site in $sites) {
    Write-Output "URL : $($site.Url)";
    # Get SharePoint Groups for that site collection
    Connect-PnPOnline -Url $site.Url -Credentials $cred;
    $groups = Get-PnPGroup -Includes AllowMembersEditMembership;
    foreach ($group in $groups) {
        # Flag groups whose members are allowed to edit membership
        if ($group.AllowMembersEditMembership -eq $true) {
            Write-Output "Group with Edit Membership found $($group.Title)";
        }
    }
    Write-Output "-----------------------------------------"
}
Disconnect-PnPOnline;
```
Since SharePoint security groups actually live at the site collection level, we don’t need to iterate through each SharePoint site / subsite. We can just loop through at the site collection level.
After your script is developed, you could deploy it to a Windows server and set a task to run it on a weekly basis, or, depending on your needs, your SharePoint administrator could run it ad hoc.
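For a scheduled run, console output is easy to lose, and a site the account cannot read would otherwise stop the loop or pass silently. The variant below is an added example, not the script from this post: it uses the same PnP cmdlets, records each non-compliant group and each failed site as a CSV row, and exits non-zero when anything was found. The parameter names, default report path and `Finding` text are assumptions made for the illustration.

```powershell
# Added example: scheduled-run variant of the group membership audit.
# Parameter names and the default report path are assumptions, not from the post.
param(
    [string]$AdminUrl = 'https://yourtenant-admin.sharepoint.com',
    [pscredential]$Credential = (Get-Credential),
    [string]$ReportPath = ".\group-audit-$(Get-Date -Format yyyyMMdd).csv"
)

Connect-PnPOnline -Url $AdminUrl -Credentials $Credential
$sites = Get-PnPTenantSite -Detailed -Force

$findings = foreach ($site in $sites) {
    try {
        # Groups live at the site collection level: one connection per collection.
        Connect-PnPOnline -Url $site.Url -Credentials $Credential -ErrorAction Stop
        $groups = Get-PnPGroup -Includes AllowMembersEditMembership -ErrorAction Stop
        foreach ($group in $groups) {
            if ($group.AllowMembersEditMembership) {
                [pscustomobject]@{
                    SiteUrl = $site.Url
                    Group   = $group.Title
                    Finding = 'Members can edit membership'
                }
            }
        }
    }
    catch {
        # Record sites that could not be checked so they are not read as compliant.
        [pscustomobject]@{
            SiteUrl = $site.Url
            Group   = ''
            Finding = "Audit failed: $($_.Exception.Message)"
        }
    }
}

Disconnect-PnPOnline

# @() keeps .Count valid when there are zero or one findings.
$findings = @($findings)
Write-Output "Checked $(@($sites).Count) site collections, $($findings.Count) findings"

if ($findings.Count -gt 0) {
    $findings | Export-Csv -Path $ReportPath -NoTypeInformation
    # Non-zero exit code lets Task Scheduler or a wrapper flag the run.
    exit 1
}
```

When run unattended, pass `-Credential` from wherever your organization stores service account secrets, because the `Get-Credential` default prompts interactively.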
Conclusion. While we typically think of PowerShell as a tool for automating day-to-day administration tasks, in this post I’ve shown how it can be used to help enforce your SharePoint standards. The audit script helps you to proactively identify sites that don’t meet your organization’s SharePoint standards.
You could also add other tests to the audit script that are not official standards but may indicate a potential issue. This could include a large number of lists, apps added to the site, the type of site template being used, or the theme colors used.