Within SharePoint Online you can completely lock down a site collection so that no one can access it. The lock is set via PowerShell using the SharePoint Online Management Shell. Here are instructions on how to get started connecting to SharePoint Online via PowerShell. This lock can also be set on a user’s OneDrive for Business site collection.
Along with the ability to lock a site collection, you can also set a tenant-level redirect URL for any locked sites that are accessed. When a user tries to access a locked site, they are redirected to the URL that you provided at the tenant level. This is helpful for providing instructions or further information to let users know that the site they were trying to access has been locked. If no redirect URL is set, they will receive a 403 error.
NOTE: As of writing this post you are not able to set a lock state of a site provisioned with an Office 365 Group even though the PS cmdlets say it should be possible. I will demo the actions later in this post but I have contacted Microsoft on this error and they state it is currently as designed and the error received is incorrect.
The PowerShell cmdlets that are used to set this up are:
Steps to lock or unlock a site collection
1 – Connect to SharePoint Online
Connect-SPOService
2 – Locking – Set the -LockState of the site collection to “NoAccess” while replacing the domain and sitecollection info to lock the site
- This can also be a OneDrive for Business site collection (e.g. https://domain-my.sharepoint.com/personal/usersite)
Set-SPOSite -Identity https://domain.sharepoint.com/sites/sitecollection -LockState "NoAccess"
2(a) – Unlocking – Set the -LockState of the site collection to “Unlock” while replacing the domain and sitecollection info to unlock the site
Set-SPOSite -Identity https://domain.sharepoint.com/sites/sitecollection -LockState "Unlock"
3 – Navigate to the URL to confirm and use PowerShell to confirm locked state
Get-SPOSite -Identity https://domain.sharepoint.com/sites/sitecollection | select Title,URL,LockState
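Steps 1 to 3 above combined into one script, as an added example that is not from the original post: it sets the lock, reads LockState back to confirm it, and records the error instead of stopping when a site (such as an Office 365 Group site) refuses the change. The function name Set-SiteLockVerified is hypothetical, and the admin URL and target URLs are placeholders to replace with your own.

```powershell
# Added example (not from the original post). Placeholder URLs: replace "domain"
# and the site paths with your own. Requires the SharePoint Online Management Shell.
function Set-SiteLockVerified {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$Url,
        [Parameter(Mandatory)][ValidateSet('NoAccess', 'Unlock')][string]$LockState
    )
    process {
        $result = [pscustomobject]@{
            Url = $Url; Requested = $LockState; Actual = $null; Ok = $false; Error = $null
        }
        try {
            if ($PSCmdlet.ShouldProcess($Url, "Set LockState to $LockState")) {
                # -ErrorAction Stop turns the server-side error into a catchable exception
                Set-SPOSite -Identity $Url -LockState $LockState -ErrorAction Stop
            }
            # Read the state back instead of trusting the absence of an error
            $result.Actual = (Get-SPOSite -Identity $Url -ErrorAction Stop).LockState
            $result.Ok = ("$($result.Actual)" -eq $LockState)
        }
        catch {
            # Office 365 Group sites end up here with the ServerException shown later in this post
            $result.Error = $_.Exception.Message
        }
        $result
    }
}

# Assumed admin URL pattern for the tenant; prompts for credentials
Connect-SPOService -Url 'https://domain-admin.sharepoint.com'

$targets = @(
    'https://domain.sharepoint.com/sites/sitecollection',
    'https://domain-my.sharepoint.com/personal/usersite'
)
$report = $targets | Set-SiteLockVerified -LockState 'NoAccess'
$report | Format-Table Url, Requested, Actual, Ok, Error -AutoSize -Wrap

# Anything that did not end up in the requested state needs manual follow-up
$report | Where-Object { -not $_.Ok } |
    ForEach-Object { Write-Warning "Not in requested state: $($_.Url)" }
```

Run the pipeline with -WhatIf first to see which sites would be changed without changing them.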
Steps to set a tenant redirect URL
1 – Connect to SharePoint Online
Connect-SPOService
2 – Set the NoAccessRedirectURL of the tenant to a URL while replacing the domain and sitecollection info
Set-SPOTenant -NoAccessRedirectUrl "https://domain.sharepoint.com/Pages/Locked-Site.aspx"
3 – Navigate to the URL to confirm the redirect. This may take a few minutes
To remove the NoAccessRedirectURL you can pass in an empty string
Set-SPOTenant -NoAccessRedirectUrl ""
Trying to lock an Office 365 Group site
Here is the error you receive when trying to lock a group site:
Set-SPOSite : https://domain.sharepoint.com/sites/drewtesto365group is a OneDrive for Business site collection. The only valid parameters for this type of site collection are ‘-Identity’, ‘-StorageQuota’, ‘-StorageWarningLevel’, ‘-LockState’ and ‘-SharingCapability’.
At line:1 char:1
+ Set-SPOSite -Identity https://domain.sharepoint.com/sites/dre …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Set-SPOSite], ServerException
+ FullyQualifiedErrorId : Microsoft.SharePoint.Client.ServerException,Microsoft.Online.SharePoint.PowerShell.SetSite
The error declares it as a OneDrive for Business site collection and says that -LockState is a valid parameter yet still doesn’t work. I opened a support ticket with Microsoft and this was their resolution:
“It is by design Issue. We can lock a site collection however we cannot lock a unified group site.”
If this is something that you need I would recommend adding it to UserVoice. If you need to “lock” an Office 365 Group site the best way as it exists when I am writing this is to remove permissions within the group.
Getting status of all locked site collections in a tenant
Get-SPOSite | Where-Object {$_.LockState -eq "NoAccess"}
At this point Get-SPOSite will not return any OneDrive for Business or Group sites. There is a new parameter called “-IncludePersonalSite” which at some point should return OneDrive sites via this cmdlet. If you run this now you get the error:
WARNING: SharePoint Online does not support these new features yet.
Get-SPOSite -IncludePersonalSite $true | Where-Object {$_.LockState -eq "NoAccess"}