SharePoint Standards

Low Impact

| Standard Name | Description | Recommended By | PowerShell Equivalent | APIName |
| --- | --- | --- | --- | --- |
| Set deleted user retention time in OneDrive | When a OneDrive user is deleted, the personal SharePoint site is retained for the selected amount of time so that data can be retrieved from it. | | `Update-MgBetaAdminSharepointSetting` | DeletedUserRentention |
| Enable SharePoint and OneDrive integration with Azure AD B2B | Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled | "CIS 3.0" | `Set-SPOTenant -EnableAzureADB2BIntegration $true` | SPAzureB2B |
| Disable Legacy Workflows | Disables the creation of new SharePoint 2010 and 2013 classic workflows and removes the 'Return to classic SharePoint' link on modern SharePoint list and library pages. | | `Set-SPOTenant -DisableWorkflow2010 $true -DisableWorkflow2013 $true -DisableBackToClassic $true` | SPDisableLegacyWorkflows |
| Disallow downloading infected files from SharePoint | Ensure Office 365 SharePoint infected files are disallowed for download | "CIS 3.0" | `Set-SPOTenant -DisallowInfectedFileDownload $true` | SPDisallowInfectedFiles |
| Set Default Timezone for Tenant | Sets the default timezone for the tenant. This will be used for all new users and sites. | | `Update-MgBetaAdminSharepointSetting` | TenantDefaultTimezone |

Medium Impact

| Standard Name | Description | Recommended By | PowerShell Equivalent | APIName |
| --- | --- | --- | --- | --- |
| Set Add Shortcuts To OneDrive button state | If disabled, the button Add shortcut to OneDrive will be removed and users in the tenant will no longer be able to add new shortcuts to their OneDrive. Existing shortcuts will remain functional. | | `Set-SPOTenant -DisableAddShortcutsToOneDrive $true or $false` | DisableAddShortcutsToOneDrive |
| Disable legacy basic authentication for SharePoint | Disables the ability for users and applications to access SharePoint via legacy basic authentication. This will likely not have any user impact, but will block systems/applications depending on basic auth or the SharePointOnlineCredentials class. | "CIS" | `Set-SPOTenant -LegacyAuthProtocolsEnabled $false` | DisableSharePointLegacyAuth |
| Default sharing to Direct users | Ensure default link sharing is set to Direct in SharePoint and OneDrive | "CIS 3.0" | `Set-SPOTenant -DefaultSharingLinkType Direct` | SPDirectSharing |
| Require reauthentication with verification code | Ensure reauthentication with verification code is restricted | "CIS 3.0" | `Set-SPOTenant -EmailAttestationRequired $true -EmailAttestationReAuthDays 15` | SPEmailAttestation |
| Set guest access to expire automatically | Ensure guest access to a site or OneDrive will expire automatically | "CIS 3.0" | `Set-SPOTenant -ExternalUserExpireInDays 30 -ExternalUserExpirationRequired $True` | SPExternalUserExpiration |
| Set SharePoint sync button state | If disabled, users in the tenant will no longer be able to use the Sync button to sync SharePoint content on all sites. However, existing synced content will remain functional on the user's computer. | | `Set-SPOTenant -HideSyncButtonOnTeamSite $true or $false` | SPSyncButtonState |
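
The Low and Medium Impact standards that map to `Set-SPOTenant` can be audited for drift by comparing the matching `Get-SPOTenant` properties with the values shown in the PowerShell Equivalent column. The script below is an added example, not CIPP's own code; the helper name `Test-SpoBaseline` and the sample tenant object are constructed for illustration, and the day counts (15 and 30) are simply the values used in the commands above.

```powershell
# Added example (not CIPP code). Expected values come from the
# "PowerShell Equivalent" column of the Low and Medium Impact standards.
$Baseline = [ordered]@{
    EnableAzureADB2BIntegration    = $true
    DisallowInfectedFileDownload   = $true
    LegacyAuthProtocolsEnabled     = $false
    DefaultSharingLinkType         = 'Direct'
    EmailAttestationRequired       = $true
    EmailAttestationReAuthDays     = 15
    ExternalUserExpirationRequired = $true
    ExternalUserExpireInDays       = 30
}

function Test-SpoBaseline {   # hypothetical helper name
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Tenant,
        [System.Collections.IDictionary] $Expected = $Baseline
    )
    process {
        foreach ($name in $Expected.Keys) {
            $prop = $Tenant.PSObject.Properties[$name]
            # Compare as strings so enum, bool and int values all match
            if (-not $prop) { $status = 'Missing' }
            elseif ("$($prop.Value)" -eq "$($Expected[$name])") { $status = 'Compliant' }
            else { $status = 'Drift' }
            [pscustomobject]@{
                Setting  = $name
                Expected = $Expected[$name]
                Actual   = if ($prop) { $prop.Value } else { $null }
                Status   = $status
            }
        }
    }
}

# Constructed sample standing in for Get-SPOTenant output, so this runs offline
$sample = [pscustomobject]@{
    EnableAzureADB2BIntegration    = $true
    DisallowInfectedFileDownload   = $false
    LegacyAuthProtocolsEnabled     = $true
    DefaultSharingLinkType         = 'AnonymousAccess'
    EmailAttestationRequired       = $true
    EmailAttestationReAuthDays     = 30
    ExternalUserExpirationRequired = $true
    ExternalUserExpireInDays       = 30
}
$sample | Test-SpoBaseline | Format-Table -AutoSize
```

Against a live tenant, connect with `Connect-SPOService` and pipe `Get-SPOTenant` into the function instead of the sample object.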

High Impact

| Standard Name | Description | Recommended By | PowerShell Equivalent | APIName |
| --- | --- | --- | --- | --- |
| Do not allow Mac devices to sync using OneDrive | Disables the ability for Mac devices to sync with OneDrive. | | `Update-MgAdminSharepointSetting` | disableMacSync |
| Disable Resharing by External Users | Disables the ability for external users to share files they don't own. Sharing links can only be made for People with existing access. This is a tenant-wide setting and overrules any settings set on the site level. | "CIS" | `Update-MgBetaAdminSharepointSetting` | DisableReshare |
| Disable site creation by standard users | Prevents standard users from creating SharePoint sites; this also disables the ability to fully create teams. | | `Update-MgAdminSharepointSetting` | DisableUserSiteCreate |
| Exclude File Extensions from Syncing | Sets the file extensions that are excluded from syncing with OneDrive. These files will be blocked from upload. '*.' is automatically added to the extension and can be omitted. | | `Update-MgAdminSharepointSetting` | ExcludedfileExt |
| Set Sharing Level for OneDrive and SharePoint | Sets the default sharing level for OneDrive and SharePoint. This is a tenant-wide setting and overrules any settings set on the site level. | "CIS" | `Update-MgBetaAdminSharepointSetting` | sharingCapability |
| Restrict sharing to a specific domain | Restricts sharing to only users with the specified domain. This is useful for organizations that only want to share with their own domain. | | `Update-MgAdminSharepointSetting` | sharingDomainRestriction |
| Only allow users to sync OneDrive from AAD joined devices | The unmanaged Sync standard has been temporarily disabled and does nothing. | | `Update-MgAdminSharepointSetting` | unmanagedSync |
