Restrict site access to members of a Microsoft 365 group
This feature is in preview and will require a Microsoft Syntex Advanced Management license when the feature becomes generally available (GA).
Note
This feature is currently in private preview. If you would like to participate in the preview, contact your Microsoft account manager.
With restricted access control (preview), you can manage the access of a SharePoint site and its content. As a SharePoint administrator, you can grant access to users of the Microsoft 365 group associated with a SharePoint site. Users who are not added to the group membership won’t have access even if they previously had site access permissions to a file. Restricted access control policy also applies to Microsoft 365 group memberships associated with Microsoft Teams.
Restricting access to sites based on group membership lets you reduce the risk of oversharing within your organization and provides an additional layer of security to safeguard site content. By enabling restricted site access, you apply a policy that stops sharing content with people who aren't members of the Microsoft 365 group. Use and consult data access governance reports to see how data is currently being shared.
For example, the research department has a Microsoft 365 group that contains all of their department members. They don’t want anyone outside of the department to have access to the research department site or its contents. As their SharePoint admin, you can restrict site access to only members of the Microsoft 365 group by enabling restricted access control in PowerShell.
PowerShell is required to enable restricted access control.
Enable restricted access control for your organization
To enable restricted access control in SharePoint, run the following command:
Set-SPOTenant -EnableRestrictedAccessControl $true
Then, wait for approximately 1 hour before managing restricted access control for a site.
Note
If you have Microsoft 365 Multi-Geo, you must run this command for each geo-location you want to use restricted access control.
Enable restricted access control for your SharePoint site
You can enable restricted access control on a group-connected or Teams-connected site by running the following command:
Set-SPOSite -Identity <siteurl> -RestrictedAccessControl $true
For example:
Set-SPOSite -Identity https://contoso.sharepoint.com/sites/ResearchTeamSite -RestrictedAccessControl $true
View restricted access control for site
To view the restricted access control configuration for a site, run the following command:
Get-SPOSite -Identity <siteurl> | Select RestrictedAccessControl
Remove restricted access control for site
To remove restricted access control from a site, run the following command:
Set-SPOSite -Identity <siteurl> -RestrictedAccessControl $false
For example:
Set-SPOSite -Identity https://contoso.sharepoint.com/sites/ResearchTeamSite -RestrictedAccessControl $false
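The per-site commands above can be combined into an enable-and-verify pass over a list of sites. This is an added example, not part of the original page; it assumes the SharePoint Online Management Shell module is installed, that the tenant-level setting was enabled at least an hour earlier, and that `https://contoso-admin.sharepoint.com` is a placeholder admin URL. The helper name `Get-RacState` and the site list are hypothetical.

```powershell
# Added example: enable restricted access control (RAC) on a list of sites and
# confirm the setting took effect. Admin URL and site list are placeholders.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# Constructed list of group-connected sites that must be restricted.
$mustBeRestricted = @(
    'https://contoso.sharepoint.com/sites/ResearchTeamSite'
)

# Hypothetical helper: read the RAC flag for each site, recording lookup errors
# instead of stopping, so one bad URL does not hide the state of the others.
function Get-RacState {
    param([Parameter(Mandatory)][string[]]$SiteUrl)
    foreach ($url in $SiteUrl) {
        try {
            $site = Get-SPOSite -Identity $url -ErrorAction Stop
            [pscustomobject]@{
                Url                     = $url
                RestrictedAccessControl = [bool]$site.RestrictedAccessControl
                Error                   = $null
            }
        }
        catch {
            [pscustomobject]@{
                Url                     = $url
                RestrictedAccessControl = $null
                Error                   = $_.Exception.Message
            }
        }
    }
}

# 1. Enable RAC only where it is not already on.
$before = Get-RacState -SiteUrl $mustBeRestricted
foreach ($s in $before | Where-Object { $null -eq $_.Error -and -not $_.RestrictedAccessControl }) {
    Set-SPOSite -Identity $s.Url -RestrictedAccessControl $true
}

# 2. Re-read the setting and flag any site that is still unrestricted or unreadable.
$after = Get-RacState -SiteUrl $mustBeRestricted
$after | Format-Table -AutoSize
$notRestricted = @($after | Where-Object { $_.RestrictedAccessControl -ne $true })
if ($notRestricted.Count -gt 0) {
    Write-Warning "$($notRestricted.Count) site(s) are not restricted: $($notRestricted.Url -join ', ')"
}
```

Running the script again later without changes works as a drift check: any site reported in the warning has had the setting removed or could not be queried.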