SharePoint Visitor Permissions Group - Teams Phones License
What you’re observing is by design.
The “Everyone except external users” (EEEU) claim includes all internal Entra ID identities, not just human users. This means it will also include service accounts, admin accounts, room/resource mailboxes, and other non‑person identities. As a result, using EEEU can lead to unexpected side effects, including licensing evaluations (for example Teams Phone), even for accounts that should never be licensed.
Because of this, EEEU is generally not recommended for controlled or governed scenarios:
- You cannot manage or filter its membership
- It includes non‑human identities
- It increases the risk of oversharing and licensing noise
- Microsoft is progressively discouraging its usage in modern SharePoint and OneDrive scenarios
https://learn.microsoft.com/sharepoint/data-access-governance-everyone-except-external-user-report?wt.mc_id=MVP_386670
I recommend disabling/hiding this claim at the tenant level:

```powershell
Set-SPOTenant -ShowEveryoneExceptExternalUsersClaim $false
```

Then, replace it with a Dynamic Security Group (for example, All Employees) using a rule such as:

```
(user.accountEnabled -eq true) -and (user.userType -eq "Member") -and -not (user.userPrincipalName -startsWith "svc.") -and -not (user.userPrincipalName -contains "-adm@")
```

This query is based on the following assumptions:
- Service accounts following a naming convention (svc.*@contoso.com)
- Admin accounts with suffix (-email address removed for privacy reasons)
- Guest accounts contain #EXT# in the UPN (this is Microsoft OOB behavior) and have userType = Guest
- Only enabled accounts should be included
If you have additional user attributes available in your tenant (for example, department, company name, or custom attributes), you can further refine this rule to better match your use case.
I hope this helps.
Best regards
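
A local dry run of the membership rule from the reply above, evaluated against constructed sample accounts; this is an added example, not part of the original reply. The function name `Test-AllEmployeesRule` and every UPN are hypothetical, and the sketch assumes the rule's string comparisons ignore case.

```powershell
# Added example: evaluate the "All Employees" rule offline before creating the group.
# Every account below is constructed sample data, not a real identity.
$accounts = @(
    [pscustomobject]@{ Upn = 'alice@contoso.com';      AccountEnabled = $true;  UserType = 'Member' }
    [pscustomobject]@{ Upn = 'SVC.backup@contoso.com'; AccountEnabled = $true;  UserType = 'Member' }
    [pscustomobject]@{ Upn = 'bob-adm@contoso.com';    AccountEnabled = $true;  UserType = 'Member' }
    [pscustomobject]@{ Upn = 'carol@contoso.com';      AccountEnabled = $false; UserType = 'Member' }
    [pscustomobject]@{ Upn = 'dave_fabrikam.com#EXT#@contoso.onmicrosoft.com'; AccountEnabled = $true; UserType = 'Guest' }
    # Non-human account that follows neither naming convention (constructed edge case).
    [pscustomobject]@{ Upn = 'scanner01@contoso.com';  AccountEnabled = $true;  UserType = 'Member' }
)

function Test-AllEmployeesRule {
    param([Parameter(Mandatory)] $Account)

    # One check per clause of the rule; each failed clause is recorded as a reason.
    $reasons = @()
    if (-not $Account.AccountEnabled) { $reasons += 'account disabled' }
    if ($Account.UserType -ne 'Member') { $reasons += "userType=$($Account.UserType)" }
    if ($Account.Upn.StartsWith('svc.', [StringComparison]::OrdinalIgnoreCase)) {
        $reasons += 'UPN starts with svc.'
    }
    if ($Account.Upn.IndexOf('-adm@', [StringComparison]::OrdinalIgnoreCase) -ge 0) {
        $reasons += 'UPN contains -adm@'
    }

    [pscustomobject]@{
        Upn             = $Account.Upn
        Included        = ($reasons.Count -eq 0)
        ExcludedBecause = ($reasons -join ', ')
    }
}

# Review the result: any non-human identity with Included = True needs another
# rule clause (for example on department or a custom attribute).
$accounts | ForEach-Object { Test-AllEmployeesRule -Account $_ } | Format-Table -AutoSize
```

The `scanner01` row is the case to watch for: an enabled Member account outside the naming conventions passes every clause, so the rule is only as good as the conventions it relies on.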