Restrict SharePoint site access with Microsoft 365 groups and Entra security groups
Some features in this article require Microsoft Syntex - SharePoint Advanced Management
You can restrict access to SharePoint sites and content to users in a specific group by using a site access restriction policy. Users not in the specified group can't access the site or its content, even if they had prior permissions or a shared link. This policy can be used with Microsoft 365 group-connected, Teams-connected, and non-group connected sites.
Site access restriction policies are applied when a user attempts to open a site or access a file. Users with direct permissions to the file can still view files in search results. However, they can't access the files if they're not part of the specified group.
Restricting site access via group membership can minimize the risk of oversharing content. For insights into data sharing, see Data access governance reports.
Prerequisites
The site access restriction policy requires Microsoft Syntex - SharePoint Advanced Management.
Enable site-level access restriction for your organization
You must enable site-level access restriction for your organization before you can configure it for individual sites.
To enable site-level access restriction for your organization in SharePoint admin center:
Expand Policies and select Access control.
Select Site-level access restriction.
Select Allow access restriction and then select Save.
To enable site-level access restriction for your organization using PowerShell, run the following command:
Set-SPOTenant -EnableRestrictedAccessControl $true
It might take up to one hour for command to take effect
Note
For Microsoft 365 Multi-Geo users, run this command separately for each desired geo-location.
Restrict access to group-connected sites (Microsoft 365 Groups and Teams)
Site access restriction policy for group-connected sites restricts SharePoint site access to members of the Microsoft 365 group or team associated with the site.
To manage site access restriction for a group-connected site in SharePoint admin center
- In SharePoint admin center, expand Sites and select Active sites.
- Select the site you want to manage and the site details panel appears.
- In the Settings tab, select Edit in the Restricted site access section.
- Select the Restrict access to this site box and select Save.
To enable site access restriction for a group-connected site, run the following command:
Set-SPOSite -Identity <siteurl> -RestrictedAccessControl $true
To view site access restriction for a group-connected site, run the following command:
Get-SPOSite -Identity <siteurl> | Select RestrictedAccessControl
To disable site access restriction for a group-connected site, run the following command:
Set-SPOSite -Identity <siteurl> -RestrictedAccessControl $false
Restrict site access to non-group connected sites
You can restrict access to non-group connected sites by specifying Entra security groups or Microsoft 365 groups that contain the people who should be allowed access to the site. You can configure up to 10 Entra security groups or Microsoft 365 groups. Once the policy is applied, users in the specified group who have site access permissions are granted access to the site and its content. You can use dynamic security groups if you want to base group membership on user properties.
To manage site access to a non-group connected site:
- In SharePoint admin center, expand Sites and select Active sites.
- Select the site you want to manage and the site details panel appears.
- In Settings tab, select Edit in the Restricted site access section.
- Select the Restrict SharePoint site access to only users in specified groups check box.
- Add or remove your security groups or Microsoft 365 groups and select Save.
In order for site access restriction to be applied to the site, you must add at least one group to the site access restriction policy.
To manage site access restriction for non-group connected sites using PowerShell, use the following commands:
Action | PowerShell command |
---|---|
Enable site access restriction | Set-SPOSite -Identity <siteurl> -RestrictedAccessControl $true |
Add group | Set-SPOSite -Identity <siteurl> -AddRestrictedAccessControlGroups <comma separated group GUIDS> |
Edit group | Set-SPOSite -Identity <siteurl> -RestrictedAccessControlGroups <comma separated group GUIDS> |
View group | Get-SPOSite -Identity <siteurl> Select RestrictedAccessControl, RestrictedAccessControlGroups |
Remove group | Set-SPOSite -Identity <siteurl> -RemoveRestrictedAccessControlGroups <comma separated group GUIDS> |
Reset site access restriction | Set-SPOSite -Identity <siteurl> -ClearRestrictedAccessControl |
Shared and private channel sites
Shared and private channel sites are separate from the Microsoft 365 group-connected site that standard channels use. Because shared and private channel sites aren't connected to the Microsoft 365 group, site access restriction policies applied to the team don't affect them. You must enable site access restriction for each shared or private channel site separately as non-group connected sites.
For shared channel sites, only internal users in the resource tenant are subject to site access restriction. External channel participants are excluded from site access restriction policy and only evaluated per the site's existing site permissions.
Important
Adding people to the security group or Microsoft 365 group won't give users access to the channel in Teams. It is recommended to add or remove the same users of the teams channel in Teams and the security group or Microsoft 365 group so users have access to both Teams and SharePoint.
Auditing
Audit events are available in the Purview compliance portal to help you monitor site access restriction activities. Audit events are logged for the following activities:
- Applying site access restriction for site
- Removing site access restriction for site
- Changing site access restriction groups for site
Related articles
Feedback
https://aka.ms/ContentUserFeedback.
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see:Submit and view feedback for