Handling "Everyone Except External Users" During ODFB Migration

Introduction 

 
Hi guys, let's go through the most important aspects of handling the "Everyone except external users" group. Every internal user of the tenant is placed in this group automatically, it gets access by default, and it cannot be deleted, so anything shared with it is readable by the whole organisation. That is a security and compliance issue for most of our business clients, especially when OneDrive for Business (ODFB) content is being migrated.
 
Following are different ways to handle this:
 
Option 1 - New option to govern access for external users
 
Use the following guidelines to grant access to external users for the selected groups.
 
NEW OPTION TO GOVERN ACCESS FOR EXTERNAL USERS

Group claim: Everyone
Procedure: Configure your tenant to grant the Everyone claim to external users by running the Set-SPOTenant -ShowEveryoneClaim $true Windows PowerShell cmdlet.
Result: External users who are granted the Everyone claim have access to content that is shared with the Everyone group.

Group claim: All Authenticated Users and All Forms Users
Procedure: Configure your tenant to grant the All Authenticated Users and All Forms Users claims to external users by running the Set-SPOTenant -ShowAllUsersClaim $true Windows PowerShell cmdlet.
Result: External users who are granted the All Authenticated Users and All Forms Users claims have access to content that is shared with the All Authenticated Users and All Forms Users groups.
 
PowerShell cmdlets to make the change:
  Set-SPOTenant -ShowEveryoneClaim $false   [restrict: hides the Everyone claim, as required here]
  Set-SPOTenant -ShowEveryoneClaim $true    [the default: the Everyone claim is available for sharing]
 
 
Option 2
 
Go to Site Settings >> Site Permissions >> check each of the three default groups (Visitors, Members, Owners) and any custom groups for "Everyone except external users" >> remove this account from the group >> save.
 
This process applies to every SharePoint site collection, so doing it by hand does not scale beyond a handful of sites. The same idea can be applied tenant-wide from the admin center where feasible; the scripted options below do it in bulk.
 
Option 3
 
These are tenant-level settings, so they apply to every OneDrive site and every SharePoint site in the tenant. Note that they only hide the claims in the People Picker so that users can no longer share with them; permissions that were already granted to these groups stay in place and have to be removed per site (Options 2 and 4). Verify the result with Get-SPOTenant afterwards.
  # SharePoint Online Admin Center URL
  $AdminURL = "https://<Tenant>-admin.sharepoint.com"

  # Connect to SharePoint Online (Microsoft.Online.SharePoint.PowerShell module);
  # omit -Credential to get an interactive, MFA-capable sign-in prompt
  Connect-SPOService -Url $AdminURL -Credential (Get-Credential)

  # Hide the "Everyone except external users" and "Everyone" claims from the People Picker
  Set-SPOTenant -ShowEveryoneExceptExternalUsersClaim $false
  Set-SPOTenant -ShowEveryoneClaim $false
Try the above script first. If hiding the claims is not sufficient because content has already been shared with them, Option 4 removes the accounts from each site's groups.
 
Option 4
 
Remove the "Everyone except external users" and "Everyone" accounts from the SharePoint groups of a hub site collection and all of its associated sites.
 
The same loop body can be pointed at OneDrive site collections instead of a hub's associated sites. The script below uses the PnP.PowerShell module (Connect-PnPOnline -Interactive replaces the deprecated -UseWebLogin; recent module versions also need -ClientId <app id>).
  cls
  # Tenant admin URL and the hub site to process (Get-PnPHubSite expects the hub's URL or site ID)
  $tenantAdmin     = "https://<TenantName>-admin.sharepoint.com/"
  $hubSiteIdentity = "https://<TenantName>.sharepoint.com/sites/<HubSiteName>"
  Connect-PnPOnline -Url $tenantAdmin -Interactive
  $hub       = Get-PnPHubSite -Identity $hubSiteIdentity
  $hubSiteId = $hub.SiteId

  # Modern team sites (GROUP#0) and communication sites (SITEPAGEPUBLISHING#0);
  # keep only those whose HubSiteId property points at our hub
  $modernSites  = (Get-PnPTenantSite -Template 'GROUP#0') + (Get-PnPTenantSite -Template 'SITEPAGEPUBLISHING#0')
  $sitesFromHub = New-Object System.Collections.ArrayList
  Write-Host ("Searching {0} sites:" -f $hub.Title) -BackgroundColor Gray
  foreach ($modernSite in $modernSites) {
    if ($modernSite.HubSiteId -eq $hubSiteId) {
      Write-Host ("* {0} - {1}" -f $modernSite.Title, $modernSite.Url)
      $sitesFromHub.Add($modernSite) | Out-Null
    }
  }
  Write-Host ""
  Write-Host "Removing users:" -BackgroundColor Gray
  foreach ($siteHub in $sitesFromHub) {
    Write-Host ("* {0} - {1} ... " -f $siteHub.Title, $siteHub.Url)
    Connect-PnPOnline -Url $siteHub.Url -Interactive
    try {
      $group = Get-PnPGroup -AssociatedMemberGroup
      #Get-PnPGroupPermissions -Identity $group
      # The built-in claims have no user@tenant.com login name (they are "c:0(.s|true" for Everyone
      # and "c:0-.f|rolemanager|spo-grid-all-users/<tenant id>" for Everyone except external users),
      # so match them by display name and remove them by the login name SharePoint reports
      $targets = Get-PnPGroupMember -Group $group |
        Where-Object { $_.Title -in @('Everyone except external users', 'Everyone') }
      foreach ($target in $targets) {
        Remove-PnPGroupMember -LoginName $target.LoginName -Group $group
      }
      # Further accounts can be removed the same way by adding them to the filter above
      Write-Host ("User(s) removed from group: {0}" -f $group.Title) -BackgroundColor Magenta
      #Get-PnPGroupMember -Group $group
      #Get-PnPGroupPermissions -Identity $group
    } catch {
      Write-Host $_.ToString() -BackgroundColor Red
    }
  }
  Write-Host "All Done"
  Write-Host "Press any key to Close..."
  $Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown") | Out-Null
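The per-OneDrive-site variant that the hub script above only hints at, as an added example that is not part of the original article and not Microsoft's or the PnP project's own code. It audits every OneDrive for Business site for the "Everyone" and "Everyone except external users" claims, both as members of the site's SharePoint groups and as direct role assignments on the root web (a claim can be granted there without any group, which a groups-only check misses), and removes them only when -Remove is given. The tenant name, the Entra app client ID and the -Remove switch are assumed parameters; the claim login-name patterns are the documented SharePoint Online formats.

```powershell
# Added example (not from the original article): audit all OneDrive sites for the broad
# "Everyone" / "Everyone except external users" claims and optionally strip them.
# Requires the PnP.PowerShell module. $TenantName, $ClientId and -Remove are assumptions.
param(
    [Parameter(Mandatory)] [string] $TenantName,   # e.g. contoso
    [Parameter(Mandatory)] [string] $ClientId,     # Entra app registration used by PnP.PowerShell
    [switch] $Remove                               # report only unless this switch is set
)

# Login-name shapes of the built-in claims in SharePoint Online:
#   Everyone                        -> c:0(.s|true
#   Everyone except external users  -> c:0-.f|rolemanager|spo-grid-all-users/<tenant id>
$claimPatterns = @('^c:0\(\.s\|true$', '^c:0-\.f\|rolemanager\|spo-grid-all-users/')

function Test-BroadClaim {
    param([string] $LoginName)
    foreach ($pattern in $claimPatterns) {
        if ($LoginName -match $pattern) { return $true }
    }
    return $false
}

Connect-PnPOnline -Url "https://$TenantName-admin.sharepoint.com" -Interactive -ClientId $ClientId

# Personal (OneDrive) sites live under the -my host and are only listed with -IncludeOneDriveSites
$oneDrives = Get-PnPTenantSite -IncludeOneDriveSites -Filter "Url -like '-my.sharepoint.com/personal/'"

$findings = foreach ($site in $oneDrives) {
    Connect-PnPOnline -Url $site.Url -Interactive -ClientId $ClientId

    # 1. Membership of every SharePoint group on the site (Owners, Members, Visitors, custom)
    foreach ($group in Get-PnPGroup) {
        foreach ($member in Get-PnPGroupMember -Group $group) {
            if (-not (Test-BroadClaim $member.LoginName)) { continue }
            [pscustomobject]@{
                Site = $site.Url; Where = "Group: $($group.Title)"
                Principal = $member.Title; LoginName = $member.LoginName
            }
            if ($Remove) { Remove-PnPGroupMember -LoginName $member.LoginName -Group $group }
        }
    }

    # 2. Direct role assignments on the root web; collect first, delete afterwards so the
    #    loaded collection is not modified while it is being enumerated
    $web = Get-PnPWeb -Includes RoleAssignments
    $broadAssignments = foreach ($ra in $web.RoleAssignments) {
        $principal = Get-PnPProperty -ClientObject $ra -Property Member
        if (Test-BroadClaim $principal.LoginName) { $ra }
    }
    foreach ($ra in $broadAssignments) {
        [pscustomobject]@{
            Site = $site.Url; Where = 'Direct role assignment'
            Principal = $ra.Member.Title; LoginName = $ra.Member.LoginName
        }
        if ($Remove) { $ra.DeleteObject(); Invoke-PnPQuery }
    }
}

$findings | Format-Table -AutoSize
if (-not $Remove) { Write-Host "Report only. Re-run with -Remove to strip these claims." }
```

Run it once without -Remove to get the report, confirm the hits are unintended, then re-run with -Remove. The account running it must be a site collection administrator on each OneDrive (Set-PnPTenantSite -Identity <url> -Owners <admin upn> adds one), and hiding the claims afterwards with Set-SPOTenant (Option 3) keeps users from re-adding them through the People Picker.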
Option 5 - Everyone except external users
 
All users added to your organization automatically become members of "Everyone except external users". Please note that you cannot change the default permissions granted to "Everyone except external users" on Microsoft 365 group-connected team sites. If a group-connected team site is set to "Public", "Everyone except external users" has a default permission level of "Edit". When a group-connected team site is set to "Private", "Everyone except external users" can't be granted any permission to the site. Although the "Site permissions" tab will let you make such modifications, a background job blocks them from taking effect. To change the privacy setting for a group-connected team site, select the Settings icon, and then select Site information. For the full reference, see Microsoft's documentation on this group.
 
More References
  • https://sharegate.com/blog/sharepoint-security-groups
  • https://blog.stealthbits.com/open-access-in-sharepoint-what-it-is-and-how-to-find-it/
Conclusion
 
Thus, we can use whichever of the above options suits your business needs or requirements. Keep in mind that hiding the claims (Option 3) and removing the grants that already exist (Options 2 and 4) complement each other rather than replace each other.
 
Happy ODFB management! Sharing is caring!!