2 changes: 2 additions & 0 deletions prowler/CHANGELOG.md
Expand Up @@ -18,6 +18,8 @@ All notable changes to the **Prowler SDK** are documented in this file.
- Update AWS Shield service metadata to new format [(#9427)](https://github.com/prowler-cloud/prowler/pull/9427)
- Update AWS Secrets Manager service metadata to new format [(#9408)](https://github.com/prowler-cloud/prowler/pull/9408)
- Improve SageMaker service tag retrieval with parallel execution [(#9609)](https://github.com/prowler-cloud/prowler/pull/9609)
- Update M365 SharePoint service metadata to new format [(#9684)](https://github.com/prowler-cloud/prowler/pull/9684)


---
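Review bot: the changelog entry only says the SharePoint metadata was updated to the new format, but the same commits also change severities (sharepoint_guest_sharing_restricted medium to high, sharepoint_modern_authentication_required and sharepoint_onedrive_sync_restricted_unmanaged_devices critical to high) and drop the "e3" category from one check; users who filter findings by severity or category will want those called out here, e.g. "- Update M365 SharePoint service metadata to new format and adjust check severities/categories".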

@@ -1,29 +1,42 @@
{
"Provider": "m365",
"CheckID": "sharepoint_external_sharing_managed",
"CheckTitle": "Ensure SharePoint external sharing is managed through domain whitelists/blacklists.",
"CheckTitle": "SharePoint external sharing is restricted using a non-empty domain allowlist or blocklist",
"CheckType": [],
"ServiceName": "sharepoint",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "Sharepoint Settings",
"Description": "Control the sharing of documents to external domains by either blocking specific domains or only allowing sharing with named trusted domains.",
"Risk": "If domain-based sharing restrictions are not enforced, users may share documents with untrusted external entities, increasing the risk of data exfiltration or unauthorized access.",
"RelatedUrl": "https://learn.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off",
"ResourceType": "",
"Description": "**SharePoint external sharing** uses **domain-based restrictions** via `AllowList` or `BlockList`. The evaluation inspects `sharingDomainRestrictionMode` and whether the corresponding domain list is populated, flagging when domain controls are missing or the selected list is empty.",
"Risk": "Without enforced domain limits, users may share with personal or rogue domains, enabling data exfiltration and unauthorized persistence.\n- Confidentiality: leaks of files and sites\n- Integrity: unvetted collaborators can alter content\n- Availability: takeovers can disrupt shared sites",
"RelatedUrl": "",
"AdditionalURLs": [
"https://sharepoint.stackexchange.com/questions/291169/sharepoint-admin-why-cant-i-add-new-allowed-domains-to-more-external-sharing",
"https://learn.microsoft.com/en-us/sharepoint/restricted-domains-sharing",
"https://www.mrsharepoint.com/external-sharing-in-sharepoint-online/",
"https://admin.microsoft.com/sharepoint.",
"https://www.sharepointdiary.com/2019/07/sharepoint-online-limit-external-sharing-by-domain.html",
"https://learn.microsoft.com/en-us/powershell/module/sharepoint-online/set-spotenant?view=sharepoint-ps",
"https://learn.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off",
"https://sharepointmaven.com/how-to-limit-external-sharing-by-domain-in-sharepoint-online/",
"https://blog.admindroid.com/restrict-domain-sharing-in-sharepoint-online-and-onedrive/"
],
"Remediation": {
"Code": {
"CLI": "Set-SPOTenant -SharingDomainRestrictionMode AllowList -SharingAllowedDomainList 'domain1.com domain2.com'",
"CLI": "Set-SPOTenant -SharingDomainRestrictionMode AllowList -SharingAllowedDomainList 'contoso.com'",
"NativeIaC": "",
"Other": "1. Navigate to SharePoint admin center https://admin.microsoft.com/sharepoint. 2. Expand Policies then click Sharing. 3. Expand More external sharing settings and check 'Limit external sharing by domain'. 4. Select 'Add domains' to configure a list of approved domains. 5. Click Save.",
"Other": "1. In the SharePoint admin center, go to Policies > Sharing\n2. Expand More external sharing settings and check Limit external sharing by domain\n3. Click Add domains, select Allow only specific domains (or Block specific domains)\n4. Enter at least one domain (e.g., contoso.com) and click Save\n5. On the Sharing page, click Save to apply",
"Terraform": ""
},
"Recommendation": {
"Text": "Enforce domain-based restrictions for SharePoint external sharing to control document sharing with trusted domains.",
"Url": "https://learn.microsoft.com/en-us/powershell/module/sharepoint-online/set-spotenant?view=sharepoint-ps"
"Text": "Apply **least privilege** by enforcing domain-based sharing with a curated `AllowList` of trusted partners; use `BlockList` only to complement gaps.\n- Review and attest lists regularly\n- Use **defense in depth**: prefer authenticated, scoped links over public links and align with B2B governance and oversight.",
"Url": "https://hub.prowler.com/check/sharepoint_external_sharing_managed"
}
},
"Categories": [
"internet-exposed",
"identity-access",
"e3"
],
"DependsOn": [],
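Review bot: the AdditionalURLs entry "https://admin.microsoft.com/sharepoint." carries a trailing period that becomes part of the link and breaks it; drop the dot. While there, consider listing the official Microsoft docs (restricted-domains-sharing, turn-external-sharing-on-or-off, set-spotenant) ahead of the Stack Exchange question and third-party blogs, since RelatedUrl is now empty and the first entry is what most consumers will surface. The CLI remediation only covers the AllowList case; since the title and description accept a blocklist as compliant, a second form such as "Set-SPOTenant -SharingDomainRestrictionMode BlockList -SharingBlockedDomainList 'example.com'" would match the check's logic.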
@@ -1,29 +1,36 @@
{
"Provider": "m365",
"CheckID": "sharepoint_external_sharing_restricted",
"CheckTitle": "Ensure external content sharing is restricted.",
"CheckTitle": "SharePoint organization external sharing is set to Existing guests only, New and existing guests, or Disabled",
"CheckType": [],
"ServiceName": "sharepoint",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "Sharepoint Settings",
"Description": "Ensure that external sharing settings in SharePoint are restricted to 'New and existing guests' or a less permissive level to enforce authentication and control over shared content.",
"Risk": "If external sharing is not restricted, unauthorized users may gain access to sensitive information, increasing the risk of data breaches and compliance violations.",
"RelatedUrl": "https://learn.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off",
"ResourceType": "",
"Description": "**SharePoint Online** org-wide external sharing is evaluated to ensure it excludes anonymous 'Anyone' links and is restricted to **authenticated guests** via `ExternalUserSharingOnly`, `ExistingExternalUserSharingOnly`, or fully `Disabled`.",
"Risk": "Anonymous or overly permissive sharing enables uncontrolled link access, eroding **confidentiality** and accountability. With edit links, **integrity** can be altered by unknown parties. Forwarded links and caching complicate revocation, increasing **data exfiltration** and long-lived exposure.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://learn.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off",
"https://learn.microsoft.com/en-us/powershell/module/sharepoint-online/set-spotenant?view=sharepoint-ps",
"https://admin.microsoft.com/sharepoint."
],
"Remediation": {
"Code": {
"CLI": "Set-SPOTenant -SharingCapability ExternalUserSharingOnly",
"NativeIaC": "",
"Other": "1. Navigate to SharePoint admin center https://admin.microsoft.com/sharepoint. 2. Click to expand Policies > Sharing. 3. Locate the External sharing section. 4. Under SharePoint, move the slider bar to 'New and existing guests' or a less permissive level.",
"Other": "1. Go to the Microsoft 365 admin center > Admin centers > SharePoint\n2. Navigate to Policies > Sharing\n3. Under External sharing for SharePoint, select New and existing guests (or a more restrictive option: Existing guests only or Only people in your organization)\n4. Click Save",
"Terraform": ""
},
"Recommendation": {
"Text": "Restrict external sharing in SharePoint to 'New and existing guests' or a more restrictive setting to enhance security.",
"Url": "https://learn.microsoft.com/en-us/powershell/module/sharepoint-online/set-spotenant?view=sharepoint-ps"
"Text": "Set org-level sharing to `ExternalUserSharingOnly` or stricter (`ExistingExternalUserSharingOnly`/`Disabled`). Apply **least privilege** with default links scoped to `SpecificPeople`, enforce Microsoft Entra B2B guest authentication, limit domains, require link expiration, block guest resharing, and monitor via audit logs.",
"Url": "https://hub.prowler.com/check/sharepoint_external_sharing_restricted"
}
},
"Categories": [
"internet-exposed",
"identity-access",
"e3"
],
"DependsOn": [],
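Review bot: same trailing-period problem in AdditionalURLs ("https://admin.microsoft.com/sharepoint."), which yields a dead link; remove the dot. In the Recommendation text, the backticked `SpecificPeople` reads as a Set-SPOTenant value, but "Specific people" is the admin-center label; the -DefaultSharingLinkType value for that option is Direct, so either cite the PowerShell value or drop the code formatting so it is not mistaken for a parameter.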
@@ -1,29 +1,35 @@
{
"Provider": "m365",
"CheckID": "sharepoint_guest_sharing_restricted",
"CheckTitle": "Ensure that SharePoint guest users cannot share items they don't own.",
"CheckTitle": "SharePoint guest users cannot share items they do not own",
"CheckType": [],
"ServiceName": "sharepoint",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "Sharepoint Settings",
"Description": "Ensure that guest users in SharePoint cannot share items they do not own, preventing unauthorized disclosure of shared content.",
"Risk": "If guest users are allowed to share items they don't own, there is a higher risk of unauthorized data exposure, as external users could share content beyond intended recipients.",
"RelatedUrl": "https://learn.microsoft.com/en-us/sharepoint/external-sharing-overview",
"Severity": "high",
"ResourceType": "",
"Description": "**SharePoint** tenant sharing settings evaluate whether **guest resharing** is disabled (`resharingEnabled=false`).\n\nFocus is the org-level option that blocks guests from sharing items they don't own.",
"Risk": "Allowing **guest resharing** threatens confidentiality and integrity:\n- External users can extend access beyond oversight\n- Edit permissions enable unauthorized changes or deletion\n- Link sprawl reduces accountability and control\n\nSensitive data can spread across sites, hindering revocation and response.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://learn.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off",
"https://admin.microsoft.com/sharepoint.",
"https://learn.microsoft.com/en-us/sharepoint/external-sharing-overview"
],
"Remediation": {
"Code": {
"CLI": "Set-SPOTenant -PreventExternalUsersFromResharing $True",
"CLI": "Set-SPOTenant -PreventExternalUsersFromResharing $true",
"NativeIaC": "",
"Other": "1. Navigate to SharePoint admin center https://admin.microsoft.com/sharepoint. 2. Click to expand Policies then select Sharing. 3. Expand More external sharing settings and uncheck 'Allow guests to share items they don't own'. 4. Click Save.",
"Other": "1. Go to the SharePoint admin center: https://admin.microsoft.com/sharepoint\n2. Navigate to Policies > Sharing\n3. Expand More external sharing settings and uncheck \"Allow guests to share items they don't own\"\n4. Click Save",
"Terraform": ""
},
"Recommendation": {
"Text": "Restrict guest users from sharing items they don't own to enhance security and prevent unauthorized access.",
"Url": "https://learn.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off"
"Text": "Disable **guest resharing** and apply **least privilege** so only owners or designated roles can share.\n\nLimit external sharing scope, require authenticated `Specific people` links with expirations, review guest access regularly, and monitor sharing activity to enforce **defense in depth**.",
"Url": "https://hub.prowler.com/check/sharepoint_guest_sharing_restricted"
}
},
"Categories": [
"identity-access",
"e3"
],
"DependsOn": [],
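Review bot: the severity bump from medium to high is not mentioned in the changelog hunk and there is no rationale in the Risk text for why guest resharing now rates the same as anonymous sharing being enabled; either justify it in the description or keep medium. The AdditionalURLs entry "https://admin.microsoft.com/sharepoint." again has a trailing period that breaks the link. The $True to $true change in the CLI line is fine but purely cosmetic.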
@@ -1,30 +1,35 @@
{
"Provider": "m365",
"CheckID": "sharepoint_modern_authentication_required",
"CheckTitle": "Ensure modern authentication for SharePoint applications is required.",
"CheckTitle": "Microsoft 365 SharePoint requires modern authentication for applications",
"CheckType": [],
"ServiceName": "sharepoint",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "critical",
"ResourceType": "Sharepoint Settings",
"Description": "Ensure that modern authentication is required for SharePoint applications in Microsoft 365, preventing the use of legacy authentication protocols and blocking access to apps that don't use modern authentication.",
"Risk": "If modern authentication is not enforced, SharePoint applications may rely on basic authentication, which lacks strong security measures like MFA and increases the risk of credential theft.",
"RelatedUrl": "https://learn.microsoft.com/en-us/graph/api/resources/sharepoint?view=graph-rest-1.0",
"Severity": "high",
"ResourceType": "",
"Description": "SharePoint Online tenant settings require **modern authentication** for applications and block access for apps using legacy protocols.\n\nThe assessment determines whether legacy authentication is disabled so only OAuth-based sign-ins with advanced controls are allowed.",
"Risk": "Without modern authentication, SharePoint is exposed to:\n- Password spraying and credential stuffing (no MFA)\n- Session/token capture and replay from basic auth\n- Unauthorized access leading to data exfiltration and tampering\n\nThis undermines data **confidentiality** and **integrity**, enabling lateral movement.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://learn.microsoft.com/en-us/graph/api/resources/sharepoint?view=graph-rest-1.0",
"https://admin.microsoft.com/sharepoint.",
"https://learn.microsoft.com/en-us/powershell/module/sharepoint-online/set-spotenant?view=sharepoint-ps"
],
"Remediation": {
"Code": {
"CLI": "Set-SPOTenant -LegacyAuthProtocolsEnabled $false",
"NativeIaC": "",
"Other": "1. Navigate to SharePoint admin center https://admin.microsoft.com/sharepoint. 2. Click to expand Policies select Access control. 3. Select Apps that don't use modern authentication. 4. Select the radio button for Block access. 5. Click Save.",
"Other": "1. Open the SharePoint admin center (admin.microsoft.com/sharepoint)\n2. Go to Policies > Access control > Apps that don't use modern authentication\n3. Select Block access and click Save",
"Terraform": ""
},
"Recommendation": {
"Text": "Block access for SharePoint applications that don't use modern authentication to ensure secure authentication mechanisms.",
"Url": "https://learn.microsoft.com/en-us/powershell/module/sharepoint-online/set-spotenant?view=sharepoint-ps"
"Text": "Enforce **modern authentication** tenant-wide and disable legacy protocols. Require **MFA** and apply **conditional access** to all SharePoint apps. Migrate or block legacy clients, adhere to **least privilege** for app permissions, and monitor sign-ins to eradicate legacy auth usage.",
"Url": "https://hub.prowler.com/check/sharepoint_modern_authentication_required"
}
},
"Categories": [
"e3"
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
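Review bot: the Categories change replaces "e3" with "identity-access" instead of adding to it, while every other check in this PR keeps "e3" alongside its other categories; if the check still applies to E3 tenants this looks like an accidental drop, so it should probably read ["identity-access", "e3"]. Severity also moves from critical to high without a note in the changelog. And once more the AdditionalURLs entry "https://admin.microsoft.com/sharepoint." has a trailing period that needs removing.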
@@ -1,29 +1,35 @@
{
"Provider": "m365",
"CheckID": "sharepoint_onedrive_sync_restricted_unmanaged_devices",
"CheckTitle": "Ensure OneDrive sync is restricted for unmanaged devices.",
"CheckTitle": "Microsoft 365 SharePoint blocks OneDrive sync from unmanaged devices",
"CheckType": [],
"ServiceName": "sharepoint",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "critical",
"ResourceType": "Sharepoint Settings",
"Description": "Microsoft OneDrive allows users to sign in their cloud tenant account and begin syncing select folders or the entire contents of OneDrive to a local computer. By default, this includes any computer with OneDrive already installed, whether it is Entra Joined, Entra Hybrid Joined or Active Directory Domain joined. The recommended state for this setting is Allow syncing only on computers joined to specific domains Enabled: Specify the AD domain GUID(s).",
"Risk": "Unmanaged devices can pose a security risk by allowing users to sync sensitive data to unauthorized devices, potentially leading to data leakage or unauthorized access.",
"RelatedUrl": "https://learn.microsoft.com/en-us/graph/api/resources/sharepoint?view=graph-rest-1.0",
"Severity": "high",
"ResourceType": "",
"Description": "SharePoint tenant settings for **OneDrive sync** enforce that only **managed, domain-joined devices** can sync. The evaluation looks for a configured list of approved `domain GUIDs` that limits syncing to specific Active Directory domains.",
"Risk": "Without this restriction, users can sync SharePoint/OneDrive files to **unmanaged devices**, undermining:\n- **Confidentiality**: data copied to personal or lost endpoints, outside DLP.\n- **Integrity**: malicious edits synced back to sites.\n- **Availability**: mass deletion or ransomware can propagate via sync clients.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://learn.microsoft.com/en-us/graph/api/resources/sharepoint?view=graph-rest-1.0",
"https://learn.microsoft.com/en-us/sharepoint/allow-syncing-only-on-specific-domains",
"https://admin.microsoft.com/sharepoint"
],
"Remediation": {
"Code": {
"CLI": "Set-SPOTenantSyncClientRestriction -Enable -DomainGuids '<domain_guid_1>; <domain_guid_2>; ...'",
"CLI": "Set-SPOTenantSyncClientRestriction -Enable -DomainGuids '<DOMAIN_GUID>'",
"NativeIaC": "",
"Other": "1. Navigate to SharePoint admin center https://admin.microsoft.com/sharepoint 2. Click Settings then select OneDrive - Sync. 3. Check the Allow syncing only on computers joined to specific domains. 4. Use the Get-ADDomain PowerShell command on the on-premises server to obtain the GUID for each on-premises domain. 5. Click Save.",
"Other": "1. Go to the SharePoint admin center: https://admin.microsoft.com/sharepoint\n2. Select Settings > Sync\n3. Check \"Allow syncing only on computers joined to specific domains\"\n4. Enter at least one AD domain GUID (separate multiple GUIDs with semicolons)\n5. Click Save",
"Terraform": ""
},
"Recommendation": {
"Text": "Restrict OneDrive sync to managed devices to prevent unauthorized access to sensitive data.",
"Url": "https://learn.microsoft.com/en-us/sharepoint/allow-syncing-only-on-specific-domains"
"Text": "Allow OneDrive sync only from **managed, domain-joined devices** by maintaining an approved `domain GUIDs` list. For Entra-joined devices, require **device compliance** via **Conditional Access**. Apply **least privilege**, use **DLP/sensitivity labels**, and periodically review exceptions.",
"Url": "https://hub.prowler.com/check/sharepoint_onedrive_sync_restricted_unmanaged_devices"
}
},
"Categories": [
"trust-boundaries",
"e3"
],
"DependsOn": [],
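Review bot: the new CheckTitle "blocks OneDrive sync from unmanaged devices" overstates what the check evaluates, which per the Description is only a populated AD domain GUID list via Set-SPOTenantSyncClientRestriction; that setting does not cover Entra-joined devices, as the Recommendation itself concedes by pointing to Conditional Access for them. A title like "restricts OneDrive sync to computers joined to specific AD domains" would match the logic. The severity drop from critical to high is also unmentioned in the changelog.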