Restrict site access to members of a Microsoft 365 group

This feature is in preview and will require a Microsoft Syntex Advanced Management license when the feature becomes generally available (GA).

Note

This feature is currently in private preview. If you would like to participate in the preview, contact your Microsoft account manager.

With restricted access control (preview), you can manage the access of a SharePoint site and its content. As a SharePoint administrator, you can grant access to users of the Microsoft 365 group associated with a SharePoint site. Users who are not added to the group membership won’t have access even if they previously had site access permissions to a file. Restricted access control policy also applies to Microsoft 365 group memberships associated with Microsoft Teams.

Restricting access to sites based on group membership lets you reduce the risk of oversharing within your organization and provides an additional layer of security to safeguard site content. By enabling restricted site access, you apply a policy that stops sharing content with people who aren't a member of the Microsoft 365 group. Use and consult data access governance reports to see how data is currently being shared.

For example, the research department has a Microsoft 365 group that contains all of their department members. They don’t want anyone outside of the department to have access to the research department site or its contents. As their SharePoint admin, you can restrict site access to only members of the Microsoft 365 group by enabling restricted access control in PowerShell.

PowerShell is required to enable restricted access control.

Enable restricted access control for your organization

To enable restricted access control in SharePoint, run the following command:

Set-SPOTenant -EnableRestrictedAccessControl $true

Then, wait for approximately 1 hour before managing restricted access control for that site.

Note

If you have Microsoft 365 Multi-Geo, you must run this command for each geo-location you want to use restricted access control.

Enable restricted access control for your SharePoint site

You can enable restricted access control on a group-connected or Teams-connected site by running the following command:

Set-SPOSite -Identity <siteurl> -RestrictedAccessControl $true

For example:

Set-SPOSite -Identity https://contoso.sharepoint.com/sites/ResearchTeamSite -RestrictedAccessControl $true

View restricted access control for site

To view the restricted access control configuration for a site, run the following command:

Get-SPOSite -Identity <siteurl> | Select RestrictedAccessControl
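The following script is an added example, not part of the original article: it enables restricted access control on a list of sites and reads the setting back to confirm it. It assumes `Connect-SPOService` has already been run, that the tenant-level command above was run more than an hour earlier, and that a site with no Microsoft 365 group reports an empty `GroupId`; the second site URL is a constructed placeholder.

```powershell
# Added example: enable restricted access control on several sites and verify it.
# Assumes an existing Connect-SPOService session and that
# Set-SPOTenant -EnableRestrictedAccessControl $true was run over an hour ago.

# Constructed sample list; replace with your own group-connected site URLs.
$siteUrls = @(
    'https://contoso.sharepoint.com/sites/ResearchTeamSite',
    'https://contoso.sharepoint.com/sites/ResearchArchive'
)
$emptyGuid = [Guid]::Empty

$results = foreach ($url in $siteUrls) {
    $status = 'Unknown'
    try {
        $site = Get-SPOSite -Identity $url -ErrorAction Stop

        # Assumption: GroupId is the empty GUID when the site has no Microsoft 365 group.
        if ($null -eq $site.GroupId -or $site.GroupId -eq $emptyGuid) {
            $status = 'Skipped: not group-connected'
        }
        else {
            Set-SPOSite -Identity $url -RestrictedAccessControl $true -ErrorAction Stop

            # Read the setting back rather than trusting that the call succeeded.
            $check = Get-SPOSite -Identity $url -ErrorAction Stop
            $status = if ($check.RestrictedAccessControl) { 'Enabled' } else { 'Not enabled: recheck later' }
        }
    }
    catch {
        # Record the failure and continue with the remaining sites.
        $status = "Error: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Site = $url; Status = $status }
}

$results | Format-Table -AutoSize
```

Keep the resulting table as a record of which sites are covered by the policy and which were skipped or failed.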

Remove restricted access control for site

To remove restricted access control from a site, run the following command:

Set-SPOSite -Identity <siteurl> -RestrictedAccessControl $false

For example:

Set-SPOSite -Identity https://contoso.sharepoint.com/sites/ResearchTeamSite -RestrictedAccessControl $false
