Align WhoCanShareAllowListInTenant with existing ByPrincipalIdentity pattern SET-PnPTenant

[vascoazevedo08]

Aligning Set-PnPTenant -WhoCanShareAllowListInTenant with existing ByPrincipalIdentity pattern

While investigating Set-PnPTenant -WhoCanShareAllowListInTenant, I noticed that the only reliable way to configure the allow list is by using the CSOM ACL XML format.

However, there is already an existing and consistent pattern in SharePoint Online tenant settings:

WhoCanShareAllowListInTenantByPrincipalIdentity

---

Proposal

Instead of relying on the legacy CSOM claim-based property (WhoCanShareAllowListInTenant), it might be more consistent to use the existing ByPrincipalIdentity pattern:

• GuestSharingGroupAllowListInTenantByPrincipalIdentity ✔ already exists
• WhoCanShareAllowListInTenantByPrincipalIdentity ✔ also exists and works

---

Why this matters

• Current WhoCanShareAllowListInTenant requires undocumented CSOM ACL XML input
• Other tenant settings already follow the ByPrincipalIdentity model
• This would improve consistency across SharePoint Online tenant configuration APIs

---

Additional observation

The CSOM model already exposes a consistent pattern:

• GuestSharingGroupAllowListInTenantByPrincipalIdentity ✔ already implemented in PnP / CSOM
• WhoCanShareAllowListInTenant still relies on CSOM ACL XML
• other tenant policies already support principal identity-based configuration

This suggests that the principal identity model is already the preferred abstraction in SharePoint Online, and WhoCanShareAllowListInTenant is the remaining legacy outlier.