Forum Discussion
External guests in O365 groups have access to people directory and other sites w/o invitation
If you do some investigation, I'm guessing you'll find a lot of these sites that your guests can get to have been shared with 'Everyone' when they should have been shared with 'Everyone except External Users'.
We disabled the 'Everyone' claim in the people picker and then iterated through the entire tenant to remove all occurrences of it where it was not required by the system. You can do this via PowerShell with the Set-SPOTenant cmdlet - specifically the ShowEveryoneClaim parameter:
ShowEveryoneClaim (Optional, System.Boolean): Enables the administrator to hide the Everyone claim in the People Picker, but it doesn't prevent resolving of the Everyone claim when fully typed. When users share an item with Everyone, it is accessible to all authenticated users in the tenant's Azure Active Directory, including any active external users who have previously accepted invitations. The valid values are True and False; the default value is True.
Full info here: https://technet.microsoft.com/en-us/library/fp161390.aspx
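The two steps described above (hide the claim, then sweep the tenant for existing grants), as an added PowerShell example that is not part of the original post. It assumes the SharePoint Online Management Shell module and a SharePoint admin account; the admin URL, the exclusion list of system groups and the dry-run default are placeholders to adapt.

```powershell
# Added example, not from the original thread. Assumes the SharePoint Online
# Management Shell (Microsoft.Online.SharePoint.PowerShell) and an account with
# SharePoint admin rights. Tenant URL and $ExcludedGroups are placeholders.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder tenant

# Login name of the 'Everyone' claim (all authenticated users, guests included).
$EveryoneClaim = "c:0(.s|true"
# Groups where the claim is required by the system and must be kept:
# hypothetical, empty list; fill it in after reviewing your own tenant.
$ExcludedGroups = @()
# Report only until you have reviewed the CSV; flip to $false to actually remove.
$DryRun = $true

# Step 1: hide the claim in the People Picker. This stops new grants through the
# picker (unless fully typed) but does nothing about grants that already exist.
Set-SPOTenant -ShowEveryoneClaim $false

# Step 2: enumerate every site collection's SharePoint groups and record where the
# claim is a member. Get-SPOSite -Limit All does not return OneDrive sites; add
# -IncludePersonalSite $true with a -Filter if those need covering too.
$findings = foreach ($site in Get-SPOSite -Limit All) {
    try {
        foreach ($group in Get-SPOSiteGroup -Site $site.Url) {
            if (($group.Users -contains $EveryoneClaim) -and
                ($group.Title -notin $ExcludedGroups)) {
                [pscustomobject]@{ Site = $site.Url; Group = $group.Title }
            }
        }
    } catch {
        Write-Warning "Could not enumerate groups on $($site.Url): $_"
    }
}
$findings | Export-Csv -Path .\everyone-claim-findings.csv -NoTypeInformation

# Step 3: remove the claim from each group found (after the CSV has been reviewed).
foreach ($f in $findings) {
    if ($DryRun) {
        Write-Host "Would remove '$EveryoneClaim' from group '$($f.Group)' on $($f.Site)"
    } else {
        Remove-SPOUser -Site $f.Site -LoginName $EveryoneClaim -Group $f.Group
    }
}
```

Two caveats worth knowing before relying on this sweep: it only inspects membership of SharePoint groups, so an 'Everyone' grant made directly on a list, folder or item with unique permissions is not found by these cmdlets and needs a CSOM or PnP walk of the permission tree; and it does not check permissions granted through the 'Everyone except external users' claim, which is the one the thread recommends as the replacement.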
- TobiasAT, Sep 11, 2017, Iron Contributor
We disabled the 'Everyone' claim in the people picker and then iterated through the entire tenant to remove all occurrences of it where it was not required by the system.
Hello David, does this also limit the people search results? Or do we have another option to hide people results for guests?
- David Rosenthal, Sep 11, 2017, Microsoft
Look at this parameter available in the same cmdlet, but look closely and think about the impact of setting this to True as then sharing will get more difficult for your internal users as well:
SearchResolveExactEmailOrUPN (Optional, System.Boolean): Removes the search capability from People Picker. The valid values are:
True - Removes search functionality from People Picker. Users will be required to enter a full email address or UPN for a person in People Picker to resolve. For more information about how to remove search functionality, see Manage Query Rules, Add and edit user profile properties, or Plan to disable people discovery in OneDrive for Business and SharePoint Online. Note: Recently resolved names will still appear in the list.
False - Restores default search functionality.
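The setting David points to, as an added PowerShell example that is not part of the original reply. It assumes an existing Connect-SPOService session with SharePoint admin rights, and reads the tenant settings back before and after the change so the impact David warns about can be rolled back quickly if it turns out to be too high for internal users.

```powershell
# Added example, not from the original thread. Assumes a Connect-SPOService
# session already established by a SharePoint admin.
$settings = 'ShowEveryoneClaim', 'SearchResolveExactEmailOrUPN'

# Record the current state before changing anything.
$before = Get-SPOTenant | Select-Object $settings
Write-Host "Before:"; $before | Format-List

# Disable free-text people search in the People Picker. After this every user,
# internal ones included, must type a full e-mail address or UPN to resolve a
# person; names resolved recently still show up in the picker.
Set-SPOTenant -SearchResolveExactEmailOrUPN $true

# Read the setting back. The admin API reflects it immediately, but the People
# Picker in the browser can lag behind, so verify there as well before deciding.
$after = Get-SPOTenant | Select-Object $settings
Write-Host "After:"; $after | Format-List

# Roll back if the usability cost for internal users is unacceptable.
# Set-SPOTenant -SearchResolveExactEmailOrUPN $false
```

Note that this parameter only affects the People Picker used when sharing; it has no effect on the people results returned by regular SharePoint search, which is the concern raised in the next reply.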
- HaraldRau, Sep 18, 2017, Iron Contributor
Thanks, David, for your reply! I understand this setting will remove the search option from the People Picker such that users can't search for people anymore.
However, the original concern was more regarding the native SharePoint search - it returns sites, documents, and people as search results. And the people results list shows the full contact details and other properties of the individuals, such that an external guest can perform some intensive research on our internal staff. Is there a way to change this behaviour? Can that people information be restricted to "everyone except external"?
Thanks for your great help!