Forum Discussion
Blocking users from SPO
We've got a situation where we need to block a subset of users from accessing our SPO tenant while still keeping their access to the rest of the O365 suite active. We can't remove them from AD at the moment, so that's not a solution. Any other ideas?
16 Replies
Jen, we have a similar requirement. How did you end up blocking the users from SPO?
- The license is an obvious route but be careful because I think they will lose access to their ODfB, not sure if that will kick off the deletion process. In our tenancy, all new users are added to at least one AD group that gives them access to all core SharePoint facilities so that is also a good way to apply control without having to mess with licenses. Of course, that really needs some setup before you can make full use of it. Create the AD Security Group, add all licensed users to it (a script), add the group to all appropriate SharePoint objects (Site Collections, sites, etc. depending on how you have security set up).
As has already been mentioned, removing their license will not prevent them from accessing a SharePoint Online site to which they have been given permission. Office 365 stopped checking licenses when accessing SharePoint sites about two years ago. The only way to block users is either to Block their login (which will block their access to all Office 365 services) or remove their permissions in SharePoint. Removing the license will NOT work.
I was hoping that wouldn't be the solution since they've been given permission to a variety of material on the internet, both through the standard sharepoint permission group and individually. What a nightmare.
- Removing their license will be easiest if you want to block them from all SPO sites, this will also block their ODfB. If you just want to block a few SPO site collections would be to add them to an Azure AD group, create a custom Permission Level (with no perms) in the SPO site collection and assign the new group to that level.
Can you not just change their licenses to be the Office client only?
You can do it through PowerShell if there's too many for the UI.
https://technet.microsoft.com/en-us/library/dn771769.aspx for more details on the PowerShell option.
Paul.
Unfortunately, removing their license will not keep them from accessing SahrePoint online if someone adds them to a site. it used to work that way, but MS took out the license check about two years ago. I am not aware of any way to lock users out of SharePoint and still allow them access to other Office 365 features other than finding and removing all permissions in SharePoint that would give them access.
Thanks Paul, that was going to be my next suggestion. A lot depends on how people have been given access to the Intranet. If it's a larger group such as Domain Users, then you could create a new group that doesn't include these users and swing the Intranet permissions over.
Kind of a sledge hammer/nut scenario.
I suppose you could block sign-in on the user, but I think that would stop the office client working.
We've tried removing their SharePoint license but that didn't seem to remove access to the intranet. Not sure if there's something we were missing.
- Have you tried the PowerShell approach: https://support.microsoft.com/en-us/kb/3026385?
