On March 1, 2018, we are updating the behavior and governance of access by external users in Office 365.
After this date, an external user will see only the content that’s shared with that user or with groups to which the user belongs. External users will no longer see content that’s shared with Everyone, All Authenticated Users, or All Forms Users. By default, content that’s granted permissions to these groups will be visible only to your organization's users.
An administrator can change the default behavior to enable external users to see content that's shared with Everyone, All Authenticated Users, or All Forms Users.
In on-premises Active Directory domains, the Everyone special group represents all identities in the Active Directory domain, including the domain's guest account, which is disabled by default. By default, the Everyone group effectively includes all user accounts that are added by delegated administrators to the domain.
Before the upcoming change in functionality, Office 365 shared the behavior of on-premises Active Directory domains: every user in a tenant's Azure Active Directory (Azure AD), including external users, was effectively considered "Everyone" by adding a claim representing "Everyone" to the user's security context. The Everyone claim enables a user to access any content shared with the Everyone group.
Similarly, the All Authenticated Users and All Forms Users claims were added automatically to each user’s security context, including external users who have accounts in the tenant's Azure AD. These claims enable users to access any content shared with the All Authenticated Users or All Forms Users groups.
Office 365 is built to enable users to share and collaborate seamlessly with users inside and outside their organizations. When a user in your organization adds an external user to an Office 365 group or shares content with an external user and requires authentication ("sign-in") for access, an account is automatically created in Azure AD to represent the external guest user. There is no need for a delegated administrator to create the account for the external user.
Updates to the default access for external users
To better support user-driven sharing, we are updating the behavior and governance of access by external users in Office 365.
After March 1, 2018, external users will no longer be granted the Everyone, All Authenticated Users or All Forms Users claims by default. Therefore, external users will be granted access only to content shared with the group to which the external user belongs, and content shared directly with the external user. They will not have access to content shared with these three special groups.
New choice to govern the access given to external users
If your organization wants external users to access content shared with Everyone, you may configure your tenant to grant the Everyone claim to external users.
To configure your tenant to grant the Everyone claim to external users, use the following Windows PowerShell cmdlet:
Set-SPOTenant -ShowEveryoneClaim $true
After you run the cmdlet, external users will be granted the Everyone claim and will have access to content shared with the Everyone group.
If your organization wants users to have access to content shared with All Authenticated Users or All Forms Users, you may configure your tenant to grant these two claims to external users.
To configure your tenant to grant the All Authenticated Users and All Forms Users claims to external users, use the following Windows PowerShell cmdlet:
Set-SPOTenant -ShowAllUsersClaim $true
After you run the cmdlet, external users will be granted the All Authenticated Users and All Forms Users claims and will have access to content shared with these two groups.
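The two cmdlets above each flip one tenant-wide setting, and once enabled, every external guest account in the tenant receives the claim. The following PowerShell is an added example, not part of the original article: it records the current values with Get-SPOTenant before any change, applies only the changes the organization has explicitly decided on, and then re-reads the tenant settings so the resulting exposure is visible. It assumes the SharePoint Online Management Shell is installed and that the admin site URL for the Contoso tenant is https://contoso-admin.sharepoint.com (an assumption; replace with your tenant's admin URL).

```powershell
# Added example (not from the original article). Assumes the SharePoint Online
# Management Shell and the admin URL https://contoso-admin.sharepoint.com (assumption).
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Capture the state before changing anything so the change is reviewable later.
$before = Get-SPOTenant | Select-Object ShowEveryoneClaim, ShowAllUsersClaim
Write-Host "Before:"; $before | Format-List | Out-String | Write-Host

# Decision points. Leave both at $false unless the organization has confirmed that
# content shared with the corresponding special group is meant to be visible to guests.
$grantEveryoneClaimToExternal  = $false   # controls Set-SPOTenant -ShowEveryoneClaim
$grantAllUsersClaimsToExternal = $false   # controls Set-SPOTenant -ShowAllUsersClaim

if ($grantEveryoneClaimToExternal) {
    Set-SPOTenant -ShowEveryoneClaim $true
}
if ($grantAllUsersClaimsToExternal) {
    Set-SPOTenant -ShowAllUsersClaim $true
}

# Re-read the settings and call out every claim that external users now receive.
$after = Get-SPOTenant | Select-Object ShowEveryoneClaim, ShowAllUsersClaim
Write-Host "After:"; $after | Format-List | Out-String | Write-Host

foreach ($setting in 'ShowEveryoneClaim', 'ShowAllUsersClaim') {
    if ($after.$setting) {
        Write-Warning "$setting is enabled: external users receive this claim and can reach content shared with the matching special group(s)."
    }
}
```

Running the script with both decision variables left at $false changes nothing and simply reports the tenant's current posture, which is the useful first step when deciding whether to re-enable either claim after the March 1, 2018 change.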
Use Azure AD groups and dynamic membership instead of default claims
Although we continue to support sharing with the Everyone, Everyone Except External Users, All Authenticated Users, and All Forms Users groups, we encourage customers to implement role-based access management by using customer-defined groups in Azure AD, including Office 365 groups. Office 365 groups define the membership and access to content across Office 365 services and experiences. Many Office 365 services already support Azure AD dynamic groups, whose membership is defined as a set of rules based on Azure AD properties and business logic. Dynamic groups are the best way to make sure that the correct users have access to the correct content. They let you define a group one time based on rules, so that you do not have to add or remove members as your organization changes.
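As an added illustration of the rule-based membership described above (this is example code, not the article's own), the following PowerShell creates an Azure AD dynamic security group whose rule admits only tenant members in a given department and therefore never admits guest accounts, which are the accounts created automatically for external users. It assumes the AzureAD PowerShell module (Connect-AzureAD, New-AzureADMSGroup, Get-AzureADMSGroup) and that a department value of "Finance" is populated on user objects; the group name and mail nickname are hypothetical.

```powershell
# Added example (not from the original article). Assumes the AzureAD module and
# that user.department is populated; group name and nickname are hypothetical.
Connect-AzureAD

# Membership rule: tenant members only (userType "Member"), scoped to one department.
# Guest accounts created through external sharing have userType "Guest", so the rule
# excludes them regardless of any other attribute they carry.
$rule = '(user.userType -eq "Member") -and (user.department -eq "Finance")'

$group = New-AzureADMSGroup -DisplayName "Finance Staff (dynamic)" `
    -Description "Dynamic membership: Finance department members only, no guests" `
    -MailEnabled $false `
    -MailNickname "finance-staff-dynamic" `
    -SecurityEnabled $true `
    -GroupTypes "DynamicMembership" `
    -MembershipRule $rule `
    -MembershipRuleProcessingState "On"

# Verify that the rule stored on the group is exactly the one intended before
# sharing any content with it.
Get-AzureADMSGroup -Id $group.Id |
    Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState
```

Content is then shared with this group instead of with Everyone or All Authenticated Users; when a user leaves the department, or a guest account is added to the tenant, the rule keeps the membership correct without anyone editing the group.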
Identifying resources permissioned to all external users in the tenancy
- Download the SharePoint Search Query Tool from https://github.com/SharePoint/PnP-Tools/tree/master/Solutions/SharePoint.Search.QueryTool.
Note: The queries in the following Process section can also be run in browsers.
- Create a consumer account at Outlook.com. This account is external to your organization. This example assumes the account is firstname.lastname@example.org.
- Your Office 365 organization is Contoso. Your organization uses contoso.sharepoint.com for SharePoint sites and groups, and contoso-my.sharepoint.com for OneDrive storage.
- You are an administrator for the organization, with the identity of email@example.com.
- Configure your tenant to grant the Everyone claim to external users following the Microsoft article KB 4089174 How to determine resources to which all external users have access.