How to determine resources to which all external users have access

የሚተገበረው ለ፦ Office 365

Summary


This article describes how to understand the extent of the "Everyone" permission that's used in your organization.

More Information


Prerequisites

Assumption

  • Your Office 365 organization is Contoso. Your organization uses contoso.sharepoint.com for SharePoint sites and groups, and contoso-my.sharepoint.com for OneDrive storage.
  • You are an administrator for the organization with the identity of admin@contoso.com.

Process

  1. Configure your tenant to grant the Everyone claim to external users if they're not set already. To do this, run the following cmdlet: 
    Set-SPOtenant -ShowEveryoneClaim $true
  2. Browse to contoso-admin.sharepoint.com, and then sign in by using your admin@contoso.com credentials.
  3. Locate the Site Collections tab in the Admin Center. 
  4. Create a new site collection by using the URL contoso.sharepoint.com/sites/externalusertest.
  5. Browse to the site contoso.sharepoint.com/sites/externalusertest
  6. Click Share, type the contoso_externaluser@outlook.com address, and then click Send to send an invitation to the account.
  7. Sign in to the consumer account contoso_externaluser@outlook.com on a separate computer or by using an in-private browser session.
  8. Click the link in the email invitation, and then sign in by using the contoso_externaluser@outlook.com account. The external user now has access to this site. 
  9. Open the SharePoint Search Query Tool
  10. In the Connection section, type the following: 
    • SharePoint Site URL: https://contoso.sharepoint.com/sites/externalusertest
    • Authentication: Authenticate by using a specific user account
    • Authentication Method: SharePoint Online
  11. Click Sign In
  12. When you are prompted, type the credentials for the consumer account contoso_externaluser@outlook.com. 

    In Query Text, type path:https://contoso.sharepoint.com.

    This constructs a query as follows:

    https://contoso.sharepoint.com/sites/externalusertest/_api/search/query?querytext='path:https://contoso.sharepoint.com'
  13. Click Run to execute the query. 
  14. View the Primary Results tab. This lists the content to which external users have access under the root site of your tenancy. Ignore the results from the site to which they were invited (https://contoso.sharepoint.com/sites/externalusertest). 
  15. Repeat the query by using the following Query Text to review access to OneDrive content:

    path:https://contoso-my.sharepoint.com

The results will include access to some system ASPX pages that have no content. Those pages can be ignored.

Then, you can investigate any results individually to determine whether they are permissioned correctly.

Reference


For more information about how to govern access of external users in Office 365, refer to the following Microsoft Help article: 

4089534 How to govern access of external users in Office 365