In enterprise environments using SharePoint Online, it’s common to encounter situations where users request access to specific sites through the automatic access request system. While this functionality is useful in many scenarios, some organizations may prefer to disable this option across all tenant sites for security or internal policy reasons.
In this article, I will demonstrate how to disable access requests on all sites in a SharePoint Online tenant using modern PnP PowerShell.
Prerequisites
Before getting started, make sure you have:
- PowerShell 7.4 or higher installed
- PnP.PowerShell module installed (latest version)
- Global administrator or SharePoint administrator permissions on the tenant
- Access to the SharePoint Online admin console
Installing the PnP PowerShell Module
If you don’t already have the module installed, run the following command:
Install-Module -Name PnP.PowerShell -Force
Complete Script
Step 1: Run the App Registration Setup Script
https://github.com/arferraz/spo-powershell-scripts/blob/main/setup-spo-app-registration.ps1
.\setup-spo-app-registration.ps1 -ApplicationName "SPO-AccessRequest-Manager" -TenantName "seutenant" -CertificatePassword "SuaSenhaSegura123!" -OutputPath "C:\Certificados"
Parameters for setup-spo-app-registration.ps1:
| Parameter | Type | Required | Description |
|---|---|---|---|
| AppName | String | Yes | Name for the Entra ID application registration |
| TenantId | String | Yes | Your Azure tenant ID (GUID format) |
| CertificatePassword | SecureString | No | Password for the certificate (will prompt if not provided) |
| CertificateValidityYears | Integer | No | Certificate validity period (default: 2 years) |
| OutputPath | String | No | Path to save certificate and configuration files (default: current directory) |
What this script does:
- Creates Entra ID App Registration with appropriate permissions
- Generates self-signed certificate for authentication
- Configures API permissions for SharePoint and Microsoft Graph
- Exports certificate files (.cer and .pfx)
- Saves configuration details for the next script
Step 2: Grant Admin Consent
After running the setup script:
- Navigate to Azure Portal > Entra ID > App registrations
- Find your newly created application
- Go to API permissions
- Click “Grant admin consent for [Your Organization]”
- Confirm the consent
Step 3: Run the Access Request Disable Script
https://github.com/arferraz/spo-powershell-scripts/blob/main/updated-disable-access-requests.ps1
.\updated-disable-access-requests.ps1 -TenantUrl "https://yourtenant.sharepoint.com" -AppId "your-app-id" -CertificatePath "path\to\certificate.pfx" -CertificatePassword $securePassword
Parameters for updated-disable-access-requests.ps1:
| Parameter | Type | Required | Description |
|---|---|---|---|
| TenantUrl | String | Yes | SharePoint Online tenant URL |
| AppId | String | Yes | Application (Client) ID from step 1 |
| CertificatePath | String | Yes | Path to the .pfx certificate file |
| CertificatePassword | SecureString | Yes | Password for the certificate |
| LogPath | String | No | Path for log files (default: .\logs) |
| Whatif | Switch | No | Preview changes without applying them |
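The per-site work that Step 3 automates, as an added example rather than the code of the linked script: it prompts for the .pfx password instead of taking it on the command line, connects app-only with the certificate, and disables access requests on every site with Set-PnPRequestAccessEmails. The $TenantName parameter, the -Preview switch and the derived admin URL are assumptions of this example.

```powershell
# Added example; not the code of updated-disable-access-requests.ps1.
# Parameter names, -Preview and the derived admin URL are assumptions.
param(
    [Parameter(Mandatory)] [string] $TenantUrl,       # https://yourtenant.sharepoint.com
    [Parameter(Mandatory)] [string] $TenantName,      # yourtenant.onmicrosoft.com
    [Parameter(Mandatory)] [string] $AppId,           # Application (Client) ID
    [Parameter(Mandatory)] [string] $CertificatePath, # path to the .pfx
    [switch] $Preview                                 # report only, change nothing
)
$ErrorActionPreference = 'Stop'

# Prompt for the .pfx password so it never lands in shell history or a process listing.
$certPassword = Read-Host -Prompt 'Certificate password' -AsSecureString

# Certificate (app-only) authentication settings shared by every connection.
$auth = @{
    ClientId            = $AppId
    Tenant              = $TenantName
    CertificatePath     = $CertificatePath
    CertificatePassword = $certPassword
}

# Enumerate sites through the tenant admin site (standard -admin host assumed).
$adminUrl = $TenantUrl -replace '\.sharepoint\.com.*$', '-admin.sharepoint.com'
$admin    = Connect-PnPOnline -Url $adminUrl @auth -ReturnConnection

$results = foreach ($site in Get-PnPTenantSite -Connection $admin) {
    $status = 'Disabled'
    try {
        # The access request setting lives on each site, so connect to it directly.
        $conn = Connect-PnPOnline -Url $site.Url @auth -ReturnConnection
        if ($Preview) {
            $status = 'WouldDisable'
        } else {
            Set-PnPRequestAccessEmails -Disabled -Connection $conn
        }
    } catch {
        # Record the failure and continue with the remaining sites.
        $status = "Failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Url = $site.Url; Status = $status }
}

# Summary by outcome, then the sites that need a manual look.
$results | Group-Object { ($_.Status -split ':')[0] } | Select-Object Name, Count
$results | Where-Object Status -like 'Failed*' | Format-Table -AutoSize
```

Running it once with -Preview gives the list of sites that would be changed before anything is written.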
Detailed Parameter Explanations
Certificate Management
- Certificate Type: Self-signed X.509 certificate
- Key Length: 2048-bit RSA
- Validity: Configurable (default 2 years)
- Storage: Both .cer (public) and .pfx (private) formats
API Permissions Required
The app registration requires these Microsoft Graph permissions:
- Sites.FullControl.All (Application)
- Sites.Read.All (Application)
- Directory.Read.All (Application)
SharePoint Permissions
- Full Control on SharePoint Online tenant
- Sites.FullControl.All for comprehensive site management
Important Considerations
Security
- Always run scripts in a test environment first
- Make sure you have adequate backups
- Consider notifying users about this change
Performance
- The script may take some time depending on the number of sites
- Consider running outside business hours
- For very large tenants, consider processing in batches
Troubleshooting
Error: “Access Denied”
- Verify you have administrative permissions
- Confirm you’re using the correct credentials
- Try running PowerShell as administrator
Error: “Site not found”
- Check if the site URL is correct
- Verify the site hasn’t been deleted
- Try accessing the site manually
Error: “Module not found”
- Install the PnP.PowerShell module
- Update to the latest version
- Check PowerShell execution policy
Conclusion
Disabling access requests across all sites in a SharePoint Online tenant is a task that can be efficiently automated with modern PnP PowerShell. This script provides a solid foundation that can be adapted to your organization’s specific needs.
Always remember to test in a development environment before applying to production and consider the impact on end users.







