Empowering Secure Collaboration: Configuring Microsoft Loop Sharing SharePoint Tenant and Site Settings with PowerShell
Guest users can be invited to collaborate within Microsoft Loop in the tenant. Refer to How to work with guest users using Microsoft Loop for how sharing within Loop works.
This post focuses on using PowerShell to control the Microsoft Loop sharing settings to help secure data, especially with Copilot for M365, which can expose data not previously accessible by other means.
Tenant Level Microsoft Loop Sharing Settings
Refer to the post Empowering Secure Collaboration: Configuring SharePoint Sharing Tenant and Site Settings with PowerShell to prevent oversharing, which covers some of the SharePoint-level external sharing settings that also apply to Microsoft Loop.
The SharePoint settings that apply to Loop are: SharingCapability, ShowAllUsersClaim, ShowEveryoneClaim, ShowEveryoneExceptExternalUsersClaim, RequireAnonymousLinksExpireInDays, DefaultSharingLinkType, PreventExternalUsersFromResharing, ShowPeoplePickerSuggestionsForGuestUsers, FileAnonymousLinkType, FolderAnonymousLinkType, DefaultLinkPermission, RequireAcceptingAccountMatchInvitedAccount, SharingAllowedDomainList, SharingBlockedDomainList, SharingDomainRestrictionMode, ExternalUserExpirationRequired, ExternalUserExpireInDays, EnableAzureADB2BIntegration.
For more info, refer to these two posts:
- Change the organization-level external sharing setting
- SharePoint and OneDrive integration with Microsoft Entra B2B
Loop components can be used across different M365 services: Teams, Outlook, Whiteboard and Word Online.
Depending on where Loop content was originally created, it is stored in a different location. Refer to Loop Storage for more info.
- Created in the Loop app ➡️️ SharePoint Embedded
- Created outside the Loop app in places that have dedicated shared storage (e.g. Teams channels) ➡️️ SharePoint
- Created outside the Loop app in all other places that don’t have tightly associated collaborative storage (e.g. Teams chat, Outlook email, Word for the web, Whiteboard) ➡️️ OneDrive
IsLoopEnabled
Enables Loop experiences in M365 Apps supporting Loop.
IsCollabMeetingNotesFluidEnabled
Enables or disables the integration in communication apps (Outlook, Teams) for viewing and creating Loop files in Outlook.
View Manage Loop components in OneDrive and SharePoint for more details.
To disable Loop everywhere
Set-SPOTenant -IsLoopEnabled $false `
-IsCollabMeetingNotesFluidEnabled $false
OneDriveLoopDefaultSharingLinkScope
Gets or sets default share link scope for Microsoft Loop on OneDrive sites.
The valid values are:
- Anyone
- Organization
- SpecificPeople
- Uninitialized
OneDriveLoopDefaultSharingLinkRole
Gets or sets the default sharing link role for Microsoft Loop within OneDrive sites.
Only the values View or Edit can be set for the time being.
CoreLoopDefaultSharingLinkScope
Gets or sets the default sharing link scope for Microsoft Loop and Whiteboard files on SharePoint sites.
The valid values are:
- Anyone
- Organization
- SpecificPeople
- Uninitialized
CoreLoopDefaultSharingLinkRole
Gets or sets the default sharing link role for Microsoft Loop and Whiteboard files on SharePoint sites.
Only the values View or Edit can be set for the time being.
AllowAnonymousMeetingParticipantsToAccessWhiteboards
When a whiteboard is shared in a Teams meeting, Whiteboard creates a sharing link. This link is accessible by anyone within the organization. Whiteboards are shared using company-shareable links, regardless of the default setting.
There’s more capability for temporary collaboration by external and shared device accounts during a Teams meeting. Users can temporarily view and collaborate on whiteboards that are shared in a meeting, in a similar way to PowerPoint Live sharing. In this case, Whiteboard provides temporary viewing and collaboration on the whiteboard during the Teams meeting only. A share link isn’t created and Whiteboard doesn’t grant access to the file.
If external sharing is enabled for OneDrive for Business, no further action is required.
If external sharing is restricted for OneDrive for Business, you can keep it restricted and enable this setting so that external and shared device accounts work. For more information, see Manage sharing for Microsoft Whiteboard.
This setting applies only to whiteboards and replaces the previously shared settings: OneDriveLoopSharingCapability and CoreLoopSharingCapability. Those settings are no longer applicable and can be disregarded.
OneDriveLoopSharingCapability and CoreLoopSharingCapability
A warning is thrown when setting OneDriveLoopSharingCapability or CoreLoopSharingCapability. Use AllowAnonymousMeetingParticipantsToAccessWhiteboards instead, as OneDriveLoopSharingCapability and CoreLoopSharingCapability are redundant.
Set-PnPTenant: Loop sharing capability settings are disabled. Please use AllowAnonymousMeetingParticipantsToAccessWhiteboards instead.
The valid values are:
- Disabled
- ExternalUserSharingOnly
- ExternalUserAndGuestSharing
- ExistingExternalUserSharingOnly
Sample script to amend tenant level sharing settings for Microsoft Loop configuration
SPO PowerShell
To get Microsoft Loop settings
Get-SPOTenant | select-object -Property IsLoopEnabled `
,OneDriveLoopDefaultSharingLinkScope `
,OneDriveLoopSharingCapability `
,OneDriveLoopDefaultSharingLinkRole `
,CoreLoopSharingCapability `
,CoreLoopDefaultSharingLinkScope `
,CoreLoopDefaultSharingLinkRole `
,IsCollabMeetingNotesFluidEnabled `
,AllowAnonymousMeetingParticipantsToAccessWhiteboards
To set the Microsoft Loop settings
connect-SPOService -Url https://contoso-admin.sharepoint.com
## Microsoft Loop specific settings
Set-SPOTenant -IsLoopEnabled $true `
-OneDriveLoopDefaultSharingLinkScope Organization `
-OneDriveLoopDefaultSharingLinkRole Edit `
-CoreLoopDefaultSharingLinkScope Organization `
-CoreLoopDefaultSharingLinkRole Edit `
-IsCollabMeetingNotesFluidEnabled $false `
-AllowAnonymousMeetingParticipantsToAccessWhiteboards On
PnP PowerShell
To get Microsoft Loop settings
#currently unable to retrieve below properties using PnP PowerShell, I have created PR https://github.com/pnp/powershell/pull/3948 to enable retrieval of these values
Get-PnPTenant | select-object -Property IsLoopEnabled `
,OneDriveLoopDefaultSharingLinkScope `
,OneDriveLoopSharingCapability `
,OneDriveLoopDefaultSharingLinkRole `
,CoreLoopSharingCapability `
,CoreLoopDefaultSharingLinkScope `
,CoreLoopDefaultSharingLinkRole `
,IsCollabMeetingNotesFluidEnabled `
,AllowAnonymousMeetingParticipantsToAccessWhiteboards
To set the Microsoft Loop settings
connect-PnPOnline -Url https://contoso-admin.sharepoint.com -interactive
## Microsoft Loop specific settings
Set-PnPTenant -IsLoopEnabled $true `
-OneDriveLoopDefaultSharingLinkScope Organization `
-OneDriveLoopDefaultSharingLinkRole Edit `
-CoreLoopDefaultSharingLinkScope Organization `
-CoreLoopDefaultSharingLinkRole Edit `
-IsCollabMeetingNotesFluidEnabled $false `
-AllowAnonymousMeetingParticipantsToAccessWhiteboards On
Microsoft Loop site level sharing settings
Sharing settings for Microsoft Loop can be set at the site level to provide more granular control.
LoopDefaultSharingLinkScope
Gets or sets the default share link scope for Microsoft Loop on a SharePoint or OneDrive site.
The valid values are:
- Anyone
- Organization
- SpecificPeople
- Uninitialized
LoopDefaultSharingLinkRole
Gets or sets the default sharing link role for Microsoft Loop within OneDrive sites.
Only the values View or Edit can be set for the time being.
PowerShell script to update Microsoft Loop site sharing settings
Connect-SPOService -Url https://contoso-admin.sharepoint.com
Set-SPOSite -Identity https://contoso.sharepoint.com/sites/SharingTest `
-LoopDefaultSharingLinkScope Organization `
-LoopDefaultSharingLinkRole Edit
Get-SPOSite -Identity https://contoso.sharepoint.com/sites/SharingTest | select-object -Property `
LoopDefaultSharingLinkScope `
,LoopDefaultSharingLinkRole
PnP PowerShell
connect-pnponline -url https://contoso.sharepoint.com/sites/SharingTest -interactive
Set-PnPSite -Identity https://contoso.sharepoint.com/sites/SharingTest `
-LoopDefaultSharingLinkScope Organization `
-LoopDefaultSharingLinkRole Edit
Get-PnPSite -Identity https://contoso.sharepoint.com/sites/SharingTest | select-object -Property `
LoopDefaultSharingLinkScope `
,LoopDefaultSharingLinkRole
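An added example, not part of the original post: a read-only check that compares the tenant-level and site-level Loop sharing settings described above against a baseline and reports drift. The baseline values, the function name Test-LoopSharingBaseline and the sample objects are assumptions constructed for illustration; in a live session, pass the output of Get-SPOTenant or Get-SPOSite -Identity instead of the samples.

```powershell
# Baseline of acceptable values per setting (assumed policy, adjust to your own).
$TenantBaseline = @{
    OneDriveLoopDefaultSharingLinkScope = @('SpecificPeople', 'Organization')
    OneDriveLoopDefaultSharingLinkRole  = @('View')
    CoreLoopDefaultSharingLinkScope     = @('SpecificPeople', 'Organization')
    CoreLoopDefaultSharingLinkRole      = @('View')
}
$SiteBaseline = @{
    LoopDefaultSharingLinkScope = @('SpecificPeople')
    LoopDefaultSharingLinkRole  = @('View')
}

function Test-LoopSharingBaseline {
    param(
        [Parameter(Mandatory)] $Settings,             # object from Get-SPOTenant / Get-SPOSite
        [Parameter(Mandatory)] [hashtable] $Baseline, # setting name -> allowed values
        [string] $Source = 'tenant'
    )
    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $prop = $Settings.PSObject.Properties[$name]
        if ($null -eq $prop) {
            # Property not returned at all (e.g. a module version that cannot read it)
            $status = 'Missing'; $actual = $null
        } else {
            $actual = [string]$prop.Value             # enum values become their names
            $status = if ($Baseline[$name] -contains $actual) { 'OK' } else { 'Drift' }
        }
        [pscustomobject]@{
            Source = $Source; Setting = $name; Actual = $actual
            Allowed = $Baseline[$name] -join '|'; Status = $status
        }
    }
}

# Constructed sample input standing in for live cmdlet output.
$sampleTenant = [pscustomobject]@{
    OneDriveLoopDefaultSharingLinkScope = 'Anyone'
    OneDriveLoopDefaultSharingLinkRole  = 'Edit'
    CoreLoopDefaultSharingLinkScope     = 'Organization'
    CoreLoopDefaultSharingLinkRole      = 'View'
}
$sampleSite = [pscustomobject]@{ LoopDefaultSharingLinkScope = 'Organization' } # role absent

$report = @(Test-LoopSharingBaseline -Settings $sampleTenant -Baseline $TenantBaseline) +
          @(Test-LoopSharingBaseline -Settings $sampleSite -Baseline $SiteBaseline -Source 'sites/SharingTest')
$report | Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

A value of Uninitialized is reported as Drift because it is not in the allowed list, which makes unset defaults visible rather than silently accepted.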
Other settings to consider
- Sensitivity Labels: How to protect sensitive information in SharePoint Online using Purview Sensitivity Labels
- Retention Policies
- Data Loss Prevention
View Empowering Secure Collaboration: Configuring SharePoint Sharing Tenant and Site Settings with PowerShell to prevent oversharing for more info.
Conclusion
Effective management of sharing settings is crucial for maintaining data security across M365 apps including Microsoft Loop. PowerShell offers unparalleled flexibility and control in configuring these settings, ensuring that collaboration remains both seamless and secure.
References
Microsoft Copilot for Microsoft 365 - best practices with SharePoint
Manage sharing for Microsoft Whiteboard
How to work with guest users using Microsoft Loop
Change the organization-level external sharing setting
SharePoint and OneDrive integration with Microsoft Entra B2B