Edit

Share via

Start-SPODataAccessGovernanceInsight

Module:
Microsoft.Online.SharePoint.PowerShell Module

This cmdlet generates Data Access Governance (DAG) reports meant to provide insights into potential oversharing of sensitive data in SharePoint and/or OneDrive for Business. SharePoint Advanced Management (SAM) license is required to run these reports.

Syntax

EEEUParameterSet 

Start-SPODataAccessGovernanceInsight
    -ReportEntity <ReportEntityEnum>
    -Workload <WorkloadEnum>
    -ReportType <ReportTypeEnum>
    -Name <String>
    [-Template <System.Collections.Generic.List`1[Microsoft.Online.SharePoint.TenantAdministration.TemplateEnum]>]
    [-Privacy <PrivacyEnum>]
    [-SiteSensitivityLabelGUID <System.Collections.Generic.List`1[System.Guid]>]
    [<CommonParameters>]

SharingLinkParameterSet 

Start-SPODataAccessGovernanceInsight
    -ReportEntity <ReportEntityEnum>
    -Workload <WorkloadEnum>
    -ReportType <ReportTypeEnum>
    [<CommonParameters>]

LabelParameterSet 

Start-SPODataAccessGovernanceInsight
    -ReportEntity <ReportEntityEnum>
    -Workload <WorkloadEnum>
    -ReportType <ReportTypeEnum>
    -FileSensitivityLabelGUID <Guid>
    [-FileSensitivityLabelName <String>]
    [<CommonParameters>]

SitePermissionsParameterSet 

Start-SPODataAccessGovernanceInsight
    -ReportEntity <ReportEntityEnum>
    -Workload <WorkloadEnum>
    -ReportType <ReportTypeEnum>
    -Name <String>
    -CountOfUsersMoreThan <Int32>
    [-Template <System.Collections.Generic.List`1[Microsoft.Online.SharePoint.TenantAdministration.TemplateEnum]>]
    [-Privacy <PrivacyEnum>]
    [-SiteSensitivityLabelGUID <System.Collections.Generic.List`1[System.Guid]>]
    [<CommonParameters>]

UserPermissionsParameterSet 

Start-SPODataAccessGovernanceInsight
    -ReportEntity <ReportEntityEnum>
    -Workload <WorkloadEnum>
    -ReportType <ReportTypeEnum>
    -Name <String>
    -UserIDList <System.Collections.Generic.List`1[System.Guid]>
    [<CommonParameters>]

Description

This cmdlet is used to generate DAG reports which deal with potential oversharing of sensitive data. These reports are present in Sharepoint admin center. Reports are currently available for the following scenarios:

  • Sharing links created in last 28 days (Anyone, People-in-your-org, Specific people shared externally).
  • Content shared with Everyone except external users (EEEU) in last 28 days.
  • List of sites having labelled files, as of report generation time.
  • List of sites having 'too-many-users', as of report generation time, to setup an oversharing baseline.
  • List of sites with direct or indirect permissions to given users. (Private Preview)

Examples

Example 1

Start-SPODataAccessGovernanceInsight -ReportEntity PermissionedUsers -Workload SharePoint -ReportType Snapshot -Name "OversharingBaselineReport" -CountOfUsersMoreThan 0

The above cmdlet generates a list of SharePoint sites which can be accessed by more than 1000 users, as of report generation day.

Parameters

-CountOfUsersMoreThan

Specifies the threshold of oversharing as defined by the number of users that can access the site. The number of users that can access the site are determined by expanding all users, groups across all permissions (at site level and at the level of any item with unqiue permissions), deduplicate and arrive at a unique number. Minimum value is 0.

Parameter properties

Type:System.Int32
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

SitePermissionsParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-FileSensitivityLabelGUID

Specifies the GUID for the sensitivity label for the file.

Parameter properties

Type:System.Guid
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

LabelParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-FileSensitivityLabelName

Specifies the name of the sensitivity label for the file.

Parameter properties

Type:System.String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

LabelParameterSet
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Name

Specifies the name to be given to the generated report.

Parameter properties

Type:System.String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

EEEUParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False
SitePermissionsParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False
UserPermissionsParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Privacy

Specifies the privacy setting of the Microsoft 365 group. Relevant in case of filtering the report for group connected sites.

Parameter properties

Type:Microsoft.Online.SharePoint.TenantAdministration.PrivacyEnum
Default value:None
Accepted values:All, Private, Public
Supports wildcards:False
DontShow:False

Parameter sets

EEEUParameterSet
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False
SitePermissionsParameterSet
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ReportEntity

Specifies the entity that could cause oversharing and hence tracked by these reports.

Parameter properties

Type:Microsoft.Online.SharePoint.TenantAdministration.ReportEntityEnum
Default value:None
Accepted values:SharingLinks_Anyone, SharingLinks_PeopleInYourOrg, SharingLinks_Guests, SensitivityLabelForFiles, EveryoneExceptExternalUsersAtSite, EveryoneExceptExternalUsersForItems, PermissionedUsers, PermissionsReport
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ReportType

Specifies the time period of data based on which DAG report is generated. A 'Snapshot' report will have the latest data as of the report generation time. A 'RecentActivity' report will be based on data in the last 28 days.

Parameter properties

Type:Microsoft.Online.SharePoint.TenantAdministration.ReportTypeEnum
Default value:None
Accepted values:Snapshot, RecentActivity
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-SiteSensitivityLabelGUID

Specifies the GUID of the sensitivity label applied to the site.

Parameter properties

Type:

System.Collections.Generic.List`1[System.Guid]

Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

EEEUParameterSet
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False
SitePermissionsParameterSet
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Template

Specifies the template of the site. Relevant in case a report should be generated for that particular template.

Parameter properties

Type:

System.Collections.Generic.List`1[Microsoft.Online.SharePoint.TenantAdministration.TemplateEnum]

Default value:None
Accepted values:AllSites, ClassicSites, CommunicationSites, TeamSites, OtherSites
Supports wildcards:False
DontShow:False

Parameter sets

EEEUParameterSet
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False
SitePermissionsParameterSet
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-UserIDList

Specifies the Entra object IDs of the users for whom permissions report should be generated. Can be fetched using the Get-MgUser command from Microsoft Graph PowerShell.

Parameter properties

Type:

System.Collections.Generic.List`1[System.Guid]

Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

UserPermissionsParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Workload

Specifies whether the report is for SharePoint sites or OneDrive accounts.

Parameter properties

Type:Microsoft.Online.SharePoint.TenantAdministration.WorkloadEnum
Default value:None
Accepted values:SharePoint, OneDriveForBusiness
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

Inputs

None

Outputs

System.Object