This article describes how to understand the extent of the "Everyone" permission that's used in your organization.
- Download the SharePoint Search Query Tool from https://github.com/SharePoint/PnP-Tools/tree/master/Solutions/SharePoint.Search.QueryTool.
Note: The queries in the following "Process" section can also be run in a browser.
- Create a consumer account at Outlook.com. This account is external to your organization. This example assumes that the account is email@example.com.
- Your Office 365 organization is Contoso. Your organization uses contoso.sharepoint.com for SharePoint sites and groups, and contoso-my.sharepoint.com for OneDrive storage.
- You are an administrator for the organization with the identity of firstname.lastname@example.org.
- Configure your tenant to grant the Everyone claim to external users if it's not set already. To do this, run the following cmdlet:

      Set-SPOTenant -ShowEveryoneClaim $true
- Browse to contoso-admin.sharepoint.com, and then sign in by using your firstname.lastname@example.org administrator credentials.
- Locate the Site Collections tab in the Admin Center.
- Create a new site collection by using the URL contoso.sharepoint.com/sites/externalusertest.
- Browse to the site contoso.sharepoint.com/sites/externalusertest.
- Click Share, type the email@example.com address, and then click Send to send an invitation to the account.
- Sign in to the consumer account email@example.com on a separate computer or by using an in-private browser session.
- Click the link in the email invitation, and then sign in by using the email@example.com account. The external user now has access to this site.
- Open the SharePoint Search Query Tool.
- In the Connection section, type the following:
  - SharePoint Site URL: https://contoso.sharepoint.com/sites/externalusertest
  - Authentication: Authenticate by using a specific user account
  - Authentication Method: SharePoint Online
- Click Sign In.
- When you are prompted, type the credentials for the consumer account email@example.com.
- In Query Text, type path:https://contoso.sharepoint.com.
This constructs a query as follows:
- Click Run to execute the query.
- View the Primary Results tab. This lists the content to which external users have access under the root site of your tenancy. Ignore the results from the site to which they were invited (https://contoso.sharepoint.com/sites/externalusertest).
- Repeat the query by using the following Query Text to review access to OneDrive content:
The results will include access to some system ASPX pages that have no content. Those pages can be ignored.
Then, you can investigate any results individually to determine whether they are permissioned correctly.
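The triage in the last steps can be scripted. This is an added example, not part of the original article or of the Query Tool. It assumes the results were saved as JSON in the shape the SharePoint Search REST API returns with `Accept: application/json;odata=nometadata`, uses a constructed sample response inline, and uses a hypothetical pattern (`$SystemPagePattern`) for the contentless system ASPX pages.

```powershell
# Constructed sample: trimmed Search REST response (odata=nometadata shape).
$json = @'
{"PrimaryQueryResult":{"RelevantResults":{"Table":{"Rows":[
 {"Cells":[{"Key":"Title","Value":"Home"},
           {"Key":"Path","Value":"https://contoso.sharepoint.com/sites/externalusertest/SitePages/Home.aspx"}]},
 {"Cells":[{"Key":"Title","Value":"Payroll"},
           {"Key":"Path","Value":"https://contoso.sharepoint.com/sites/hr/Shared Documents/Payroll.xlsx"}]},
 {"Cells":[{"Key":"Title","Value":"Documents"},
           {"Key":"Path","Value":"https://contoso.sharepoint.com/sites/hr/Shared Documents/Forms/AllItems.aspx"}]},
 {"Cells":[{"Key":"Title","Value":"Plan"},
           {"Key":"Path","Value":"https://contoso.sharepoint.com/sites/externalusertest2/Shared Documents/Plan.docx"}]}
]}}}}
'@

$InvitedSite = 'https://contoso.sharepoint.com/sites/externalusertest'
# Assumption: URLs treated as contentless system pages; tune for your tenant.
$SystemPagePattern = '/_layouts/|/Forms/[^/]+\.aspx$'

function Get-ExposedContent {
    param([string]$ResponseJson, [string]$InvitedSite, [string]$SystemPagePattern)

    $rows = (ConvertFrom-Json -InputObject $ResponseJson).PrimaryQueryResult.RelevantResults.Table.Rows
    # Trailing slash so /sites/externalusertest2 is NOT mistaken for the invited site.
    $prefix = $InvitedSite.TrimEnd('/') + '/'

    foreach ($row in $rows) {
        # Flatten the Key/Value cell list into one object per result.
        $r = [ordered]@{}
        foreach ($cell in $row.Cells) { $r[$cell.Key] = $cell.Value }
        $path = [string]$r['Path']

        if (-not $path) { continue }
        # Expected access: the site the external user was invited to.
        if ($path -eq $InvitedSite -or
            $path.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) { continue }
        # System pages with no content can be ignored.
        if ($path -match $SystemPagePattern) { continue }

        # Derive the owning site so findings can be reviewed per site.
        $site = [regex]::Match($path, '^https://[^/]+(/(sites|teams|personal)/[^/]+)?').Value
        [pscustomobject]@{ Site = $site; Title = $r['Title']; Path = $path }
    }
}

Get-ExposedContent -ResponseJson $json -InvitedSite $InvitedSite -SystemPagePattern $SystemPagePattern |
    Sort-Object Site, Path | Format-Table -AutoSize
```

Each row that remains is content an external user can reach without having been invited to its site, and is a candidate for a permissions review.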