Forum Discussion

Chris_Clark1968
Iron Contributor
Feb 03, 2026

SharePoint Visitor Permissions Group - Teams Phones License

Hi,

The Visitor permissions group used in SharePoint, 'Everyone except external users', looks like it includes all accounts from Azure, including non-personal accounts such as Service Accounts, Meeting Rooms and CAPs.

All the accounts included seem to be requiring Teams Phones MS licenses, which many of the accounts mentioned will not require.

Has anyone come across this, and how did you manage it?
We are looking at creating a new group which excludes the above mentioned accounts.

Is this the best and only solution?

1 Reply

    lsittler
    Brass Contributor

    Hi Chris_Clark1968

    What you’re observing is by design.

    The “Everyone except external users” (EEEU) claim includes all internal Entra ID identities, not just human users. This means it will also include service accounts, admin accounts, room/resource mailboxes, and other non‑person identities. As a result, using EEEU can lead to unexpected side effects, including licensing evaluations (for example Teams Phone), even for accounts that should never be licensed.

    Because of this, EEEU is generally not recommended for controlled or governed scenarios:

    • You cannot manage or filter its membership
    • It includes non‑human identities
    • It increases the risk of oversharing and licensing noise
    • Microsoft is progressively discouraging its usage in modern SharePoint and OneDrive scenarios

    https://learn.microsoft.com/sharepoint/data-access-governance-everyone-except-external-user-report?wt.mc_id=MVP_386670

    I can recommend the approach of disabling/hiding this claim at the Tenant level:

    Set-SPOTenant -ShowEveryoneExceptExternalUsersClaim $false

    Then, replace it with a Dynamic Security Group (for example, All Employees) using a rule such as:

    (user.accountEnabled -eq true) -and (user.userType -eq "Member") -and -not (user.userPrincipalName -startsWith "svc.") -and -not (user.userPrincipalName -contains "-adm@")

    This query is based on the following assumptions:

    • Service accounts follow a naming convention (svc.*@contoso.com)
    • Admin accounts have the suffix (-email address removed for privacy reasons)
    • Guest accounts contain #EXT# in the UPN (this is Microsoft OOB behavior) and have userType = Guest
    • Only enabled accounts should be included


    If you have additional user attributes available in your tenant (for example, department, company name, or custom attributes), you can further refine this rule to better match your use case.

    I hope this helps.

    Best regards
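To preview which accounts the dynamic rule in the reply would admit before creating the group, here is a small Python check added for this thread (not part of the reply and not Microsoft tooling) that mirrors the rule's four conditions over constructed sample accounts. It assumes Entra's string operators compare case-insensitively, and the sample objects (contoso.com UPNs, a "room." resource account) are constructed for illustration; note that an enabled resource account outside the naming conventions is still included by this rule.

```python
"""Preview membership of the 'All Employees' dynamic rule against sample accounts."""
from dataclasses import dataclass


@dataclass(frozen=True)
class EntraUser:
    """Subset of Entra ID user attributes the rule evaluates (constructed model)."""
    user_principal_name: str
    user_type: str          # "Member" or "Guest"
    account_enabled: bool
    description: str        # constructed label, not an Entra attribute


def matches_all_employees_rule(u: EntraUser) -> bool:
    """Mirror of the rule: enabled Members whose UPN neither starts with
    'svc.' nor contains '-adm@'. Case-insensitive comparison is an assumption."""
    upn = u.user_principal_name.lower()
    return (
        u.account_enabled
        and u.user_type == "Member"
        and not upn.startswith("svc.")
        and "-adm@" not in upn
    )


# Constructed sample directory covering each assumption listed in the reply,
# plus one enabled resource account that the naming convention does not catch.
SAMPLE_DIRECTORY = [
    EntraUser("alice@contoso.com", "Member", True, "regular employee"),
    EntraUser("svc.backup@contoso.com", "Member", True, "service account (svc. prefix)"),
    EntraUser("bob-adm@contoso.com", "Member", True, "admin account (-adm suffix)"),
    EntraUser("carol_fabrikam.com#EXT#@contoso.onmicrosoft.com", "Guest", True, "guest"),
    EntraUser("dave@contoso.com", "Member", False, "leaver, account disabled"),
    EntraUser("room.boardroom@contoso.com", "Member", True, "Teams Rooms resource account"),
]


def preview_membership(users):
    """Return {UPN: included?} so the rule's effect can be reviewed before rollout."""
    return {u.user_principal_name: matches_all_employees_rule(u) for u in users}


if __name__ == "__main__":
    for user in SAMPLE_DIRECTORY:
        verdict = "INCLUDED" if matches_all_employees_rule(user) else "excluded"
        print(f"{verdict:8} {user.user_principal_name:50} {user.description}")
```

The room account line in the output is the one to review: if resource accounts must be kept out of the group, add a further condition (a prefix convention or an attribute such as department) as the reply suggests.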