Summary
This article describes how to understand the extent of the "Everyone" permission that's used in your organization.
More Information
Prerequisites
- Download the SharePoint Search Query Tool from https://github.com/SharePoint/PnP-Tools/tree/master/Solutions/SharePoint.Search.QueryTool.
  Note: The queries in the following "Process" section can also be run in a browser.
- Create a consumer account at Outlook.com. This account is external to your organization. This example assumes that the account is contoso_externaluser@outlook.com.
Assumption
- Your Microsoft 365 organization is Contoso. Your organization uses contoso.sharepoint.com for SharePoint sites and groups, and contoso-my.sharepoint.com for OneDrive storage.
- You are an administrator for the organization with the identity of admin@contoso.com.
Process
- Configure your tenant to grant the Everyone claim to external users if it isn't granted already. To do this, run the following cmdlet:
    Set-SPOTenant -ShowEveryoneClaim $true
- Browse to contoso-admin.sharepoint.com, and then sign in by using your admin@contoso.com credentials.
- Locate the Site Collections tab in the Admin Center.
- Create a new site collection by using the URL contoso.sharepoint.com/sites/externalusertest.
- Browse to the site contoso.sharepoint.com/sites/externalusertest.
- Click Share, type the contoso_externaluser@outlook.com address, and then click Send to send an invitation to the account.
- Sign in to the consumer account contoso_externaluser@outlook.com on a separate computer or by using an in-private browser session.
- Click the link in the email invitation, and then sign in by using the contoso_externaluser@outlook.com account. The external user now has access to this site.
- Open the SharePoint Search Query Tool.
- In the Connection section, type the following:
    SharePoint Site URL: https://contoso.sharepoint.com/sites/externalusertest
    Authentication: Authenticate by using a specific user account
    Authentication Method: SharePoint Online
- Click Sign In.
- When you are prompted, type the credentials for the consumer account contoso_externaluser@outlook.com.
- In Query Text, type path:https://contoso.sharepoint.com.
  This constructs a query as follows:
    https://contoso.sharepoint.com/sites/externalusertest/_api/search/query?querytext='path:https://contoso.sharepoint.com'
- Click Run to execute the query.
- View the Primary Results tab. This lists the content to which external users have access under the root site of your tenancy. Ignore the results from the site to which they were invited (https://contoso.sharepoint.com/sites/externalusertest).
- Repeat the query by using the following Query Text to review access to OneDrive content:
    path:https://contoso-my.sharepoint.com
  The results will include access to some system ASPX pages that have no content. Those pages can be ignored.
  Then, you can investigate any results individually to determine whether they are permissioned correctly.
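The triage in the last steps can be scripted. The following is an added example, not part of the original article: it builds the two query URLs and filters a saved search response, dropping the invited site and marking ASPX pages for a later look. The function names are hypothetical, the JSON is a constructed sample, and its shape assumes a response requested with odata=verbose.

```powershell
# Added example. $sampleJson is constructed; its layout assumes the search REST
# response as returned with "Accept: application/json;odata=verbose".
$InvitedSite = 'https://contoso.sharepoint.com/sites/externalusertest'
$sampleJson = @'
{"d":{"query":{"PrimaryQueryResult":{"RelevantResults":{"Table":{"Rows":{"results":[
 {"Cells":{"results":[{"Key":"Title","Value":"Welcome"},{"Key":"Path","Value":"https://contoso.sharepoint.com/sites/externalusertest/SitePages/Home.aspx"}]}},
 {"Cells":{"results":[{"Key":"Title","Value":"Payroll"},{"Key":"Path","Value":"https://contoso.sharepoint.com/sites/hr/Shared Documents/payroll.xlsx"}]}},
 {"Cells":{"results":[{"Key":"Title","Value":"Plan"},{"Key":"Path","Value":"https://contoso.sharepoint.com/sites/externalusertest2/plan.docx"}]}},
 {"Cells":{"results":[{"Key":"Title","Value":"Start"},{"Key":"Path","Value":"https://contoso.sharepoint.com/_layouts/15/start.aspx"}]}}
]}}}}}}}
'@

# Hypothetical helper: builds the query URL shown in the Process section.
function New-SearchQueryUrl {
    param([string]$SiteUrl, [string]$Scope)
    "{0}/_api/search/query?querytext='{1}'" -f $SiteUrl.TrimEnd('/'), [uri]::EscapeDataString("path:$Scope")
}

# Hypothetical helper: returns every result outside the invited site.
function Get-ExternalExposure {
    param([string]$Json, [string]$InvitedSite)
    $invited = $InvitedSite.TrimEnd('/') + '/'
    $rows = ($Json | ConvertFrom-Json).d.query.PrimaryQueryResult.RelevantResults.Table.Rows.results
    foreach ($row in $rows) {
        # Flatten the Key/Value cell list into a lookup table.
        $cell = @{}
        foreach ($c in $row.Cells.results) { $cell[$c.Key] = $c.Value }
        $path = [string]$cell['Path']
        # Skip the invited site. The trailing slash keeps a sibling such as
        # /sites/externalusertest2 from being mistaken for it.
        if (($path.TrimEnd('/') + '/').StartsWith($invited, [StringComparison]::OrdinalIgnoreCase)) { continue }
        # Assumption: ASPX hits are only deprioritized, not discarded, because
        # the file extension alone does not prove a page is an empty system page.
        $isAspx = $path -match '\.aspx(\?.*)?$'
        [pscustomobject]@{
            Triage = if ($isAspx) { 'CheckLast-AspxPage' } else { 'Review' }
            Title  = $cell['Title']
            Path   = $path
        }
    }
}

New-SearchQueryUrl -SiteUrl $InvitedSite -Scope 'https://contoso.sharepoint.com'
New-SearchQueryUrl -SiteUrl $InvitedSite -Scope 'https://contoso-my.sharepoint.com'
Get-ExternalExposure -Json $sampleJson -InvitedSite $InvitedSite |
    Sort-Object Triage -Descending | Format-Table -AutoSize
```

Run it against a response saved while signed in as the external test account; every row tagged Review is content that account can reach outside the site it was invited to.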
Reference
For more info about how to govern access of external users in Microsoft 365, refer to the following Microsoft Help article:
4089534 How to govern access of external users in Microsoft 365