From 009bde23a923ec366dfc0410189f54061b989282 Mon Sep 17 00:00:00 2001
From: Vasco Azevedo
Date: Wed, 20 May 2026 11:41:25 +0100
Subject: [PATCH] Add WhoCanShareAllowListInTenantByPrincipalIdentity support

Introduce new parameter to Set-Tenant cmdlet for specifying principal identities allowed to share content at the tenant level. Update cmdlet logic to handle assignment and clearing of this list. Add corresponding property to SPOTenant model with documentation.
---
 src/Commands/Admin/SetTenant.cs | 28 ++++++++++++++++++++++++++++
 src/Commands/Model/SPOTenant.cs | 5 +++++
 2 files changed, 33 insertions(+)

diff --git a/src/Commands/Admin/SetTenant.cs b/src/Commands/Admin/SetTenant.cs
index dfc49e56f..23389425e 100644
--- a/src/Commands/Admin/SetTenant.cs
+++ b/src/Commands/Admin/SetTenant.cs
@@ -532,6 +532,17 @@ public class SetTenant : PnPSharePointOnlineAdminCmdlet
 [Parameter(Mandatory = false)]
 public string WhoCanShareAllowListInTenant { set; get; }
+ ///
+ /// Principal identities allowed to share content at the tenant level.
+ ///
+ ///
+ ///
+ /// Set-Tenant -WhoCanShareAllowListInTenantByPrincipalIdentity @("c:0-.f|rolemanager|spo-grid-all-users/****")
+ ///
+ ///
+ [Parameter(Mandatory = false)]
+ public string[] WhoCanShareAllowListInTenantByPrincipalIdentity { set; get; }
+
 [Parameter(Mandatory = false)]
 public bool? LegacyBrowserAuthProtocolsEnabled { set; get; }
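Review bot: The doc comment on `WhoCanShareAllowListInTenantByPrincipalIdentity` covers only the case where identities are supplied, while the ExecuteCmdlet hunk in this patch treats an empty array, or one holding only null/empty strings, as a request to clear the tenant-wide list. For a setting that governs who may share content, that clearing behaviour should be stated where the operator reads it; I would add a remarks line such as `/// Passing an empty array, or only null/empty strings, clears the allow list.` The comment also does not say how this parameter relates to the existing `WhoCanShareAllowListInTenant` string parameter directly above it, which deserves one sentence if the two can be set together.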
@@ -1880,6 +1891,23 @@ protected override void ExecuteCmdlet()
 }
 modified = true;
 }
+
+
+ if (WhoCanShareAllowListInTenantByPrincipalIdentity != null)
+ {
+ var hasValidValue = WhoCanShareAllowListInTenantByPrincipalIdentity.Any(x => !string.IsNullOrEmpty(x));
+
+ if (hasValidValue)
+ {
+ Tenant.WhoCanShareAllowListInTenantByPrincipalIdentity = WhoCanShareAllowListInTenantByPrincipalIdentity;
+ }
+ else
+ {
+ Tenant.WhoCanShareAllowListInTenantByPrincipalIdentity = Array.Empty();
+ }
+ modified = true;
+ }
+
 if (DelayContentSecurityPolicyEnforcement.HasValue)
 {
 Tenant.DelayContentSecurityPolicyEnforcement = DelayContentSecurityPolicyEnforcement.Value;
diff --git a/src/Commands/Model/SPOTenant.cs b/src/Commands/Model/SPOTenant.cs
index 60c0dafb2..bfd664480 100644
--- a/src/Commands/Model/SPOTenant.cs
+++ b/src/Commands/Model/SPOTenant.cs
@@ -290,6 +290,11 @@ public class SPOTenant
 public string WhoCanShareAllowListInTenant { private set; get; }
+ ///
+ /// Gets: a list of PrincipalNames Example output: List of PrincipalNames. e.g. ["c:0-.f|rolemanager|contoso-all-users/35533f7d-4536-4c82-9dbc-352f9424578b"]
+ ///
+ public IList WhoCanShareAllowListInTenantByPrincipalIdentity { private set; get; }
+
 public bool? ExtendPermissionsToUnprotectedFiles { private set; get; }
 public bool? LegacyBrowserAuthProtocolsEnabled { private set; get; }
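Review bot: The `hasValidValue` test only asks whether any element is non-empty, so an array that mixes one real identity with null or empty strings passes and is written to `Tenant.WhoCanShareAllowListInTenantByPrincipalIdentity` unfiltered, blank entries included. Whitespace-only strings also count as valid because the test is `IsNullOrEmpty`. Filtering once covers both branches: `var principals = WhoCanShareAllowListInTenantByPrincipalIdentity.Where(x => !string.IsNullOrWhiteSpace(x)).ToArray();` followed by `Tenant.WhoCanShareAllowListInTenantByPrincipalIdentity = principals;`, which still yields an empty array for the clearing case. Because the all-blank case silently resets a tenant-level sharing control, a verbose or warning message on that path would help an operator notice a variable that expanded to nothing. ExecuteCmdlet starts and ends outside this hunk.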
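Review bot: `WhoCanShareAllowListInTenantByPrincipalIdentity` is declared with a `private set`, yet the diffstat gives SPOTenant.cs five added lines and all five are in this hunk, so nothing in this commit assigns it. Unless SPOTenant fills its properties by some mechanism not visible here, the property stays null and the value written by Set-Tenant cannot be read back to confirm the allow list. The code that populates the neighbouring `WhoCanShareAllowListInTenant` from the tenant object, which lies outside this hunk, should get a matching assignment with the same handling for a property the service does not return. The summary text could also be reduced to one sentence, for example `/// Principal identities allowed to share content at the tenant level.`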