Forum Discussion
External guests in O365 groups have access to people directory and other sites w/o invitation
We have guest access to Office 365 Groups enabled at tenant level, so group owners can invite people outside the organization to their Office 365 group. The external guest can access the SharePoint site of the group to which he was invited, as expected. However, we had actually assumed that these external guests won't get access to sites to which they were NOT invited.
But it turned out that with some simple steps external guests get access to the following information that was never intended to be shared with these guests:
- Browse access to the entire people directory of that tenant (via search)
- Visitor access to other internal SharePoint sites that were never intended to be shared with these external guests. Some of those sites even provide edit rights on the sites homepage to these guests.
Follow these simple steps as external guest to get this unwanted level of access:
- Open the SharePoint Site of the Group to which you have been invited as external guest
- A click on "home" in the left-hand navigation (sometimes it's called "start") brings you to the site's homepage
- Start a search with the search field in the upper left corner
- At the search result page change the scope filter to "all sites" and "all result types"
- The result page will show lots of websites, documents, and people. For each type you can click on "show all" which will expose even more sites and people
- Actually the entire corporate people directory can be searched through and contact details of individuals can be accessed
This behaviour is not specific to one of our site collections or our tenant; it can be reproduced with other tenants and site collections. I happened to be invited as a guest to a group by Microsoft, and saw the same behaviour there. I have access to the full people directory of Microsoft's production tenant and a number of internal sites that were never meant to be shared with me.
Any ideas out there how to security-trim the external user experience to the required level? I.e. provide access exclusively to the site and people to which the group owner had invited?
4 Replies
- David Rosenthal
Microsoft
If you do some investigation, I'm guessing you'll find a lot of these sites that your guests can get to have been shared with 'Everyone' when they should have been shared with 'Everyone except External Users'.
We disabled the 'Everyone' claim in the people picker and then iterated through the entire tenant to remove all occurrences of it where it was not required by the system. You can do this via PowerShell with the Set-SPOTenant cmdlet - specifically the ShowEveryoneClaim parameter:
ShowEveryoneClaim
Optional
System.Boolean
Enables the administrator to hide the Everyone claim in the People Picker, but it doesn’t prevent resolving of Everyone claim when fully typed. When users share an item with Everyone, it is accessible to all authenticated users in the tenant’s Azure Active Directory, including any active external users who have previously accepted invitations.
The valid values are:
True - The Everyone claim group is displayed in People Picker.
False - The Everyone claim group is hidden in People Picker.
Note:
Some SharePoint system resources such as templates and pages are required to be shared to Everyone, and this type of sharing does not expose any user data or metadata.
The default value is True.
Full info here: https://technet.microsoft.com/en-us/library/fp161390.aspx
- TobiasAT (Iron Contributor)
> We disabled the 'Everyone' claim in the people picker and then iterated through the entire tenant to remove all occurrences of it where it was not required by the system.
Hello David, does this also limit the people search results? Or do we have another option to hide people results for guests?
- David Rosenthal
Microsoft
Look at this parameter available in the same cmdlet, but look closely and think about the impact of setting this to True as then sharing will get more difficult for your internal users as well:
SearchResolveExactEmailOrUPN
Optional
System.Boolean
Removes the search capability from People Picker.
The valid values are:
True - Removes search functionality from People Picker. Users will be required to enter a full email address or UPN for a person in People Picker to resolve.
For more information about how to remove search functionality, see Manage Query Rules, Add and edit user profile properties, or Plan to disable people discovery in OneDrive for Business and SharePoint Online
Note:
Recently resolved names will still appear in the list.
False - Restores default search functionality.
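A defender-side script that ties the two replies together (an added example, not David's or Microsoft's own code): it hides the 'Everyone' claim as described in the first reply, then audits every site's SharePoint groups for grants to that claim, since hiding the claim does not undo existing sharing. It assumes the SharePoint Online Management Shell module, a placeholder admin URL, and that the 'Everyone' claim resolves to the login name `c:0(.s|true`.

```powershell
# Added example: hide the 'Everyone' claim and audit existing grants to it.
# Assumes the SharePoint Online Management Shell module is installed.
param(
    [string]$AdminUrl = "https://contoso-admin.sharepoint.com",  # placeholder tenant
    [switch]$Remove   # report only unless explicitly asked to remove the grants
)

Connect-SPOService -Url $AdminUrl

# Step 1 (first reply): hide 'Everyone' in the People Picker so new grants are
# unlikely. Note from the parameter docs: a fully typed 'Everyone' still resolves,
# and existing grants stay in place, hence the audit below.
Set-SPOTenant -ShowEveryoneClaim $false

# Optional, per the second reply. Also affects internal users' sharing experience.
# Set-SPOTenant -SearchResolveExactEmailOrUPN $true

# Login name of the 'Everyone' claim in SharePoint Online (assumption, verify in
# your tenant by resolving 'Everyone' once and inspecting the user's LoginName).
$everyoneClaim = 'c:0(.s|true'

# Step 2: walk every site and every SharePoint group on it; flag (and optionally
# remove) membership of the 'Everyone' claim. Only site-group membership is checked;
# lists or items with broken inheritance need a separate review.
$findings = foreach ($site in Get-SPOSite -Limit All) {
    foreach ($group in Get-SPOSiteGroup -Site $site.Url) {
        if ($group.Users -contains $everyoneClaim) {
            [pscustomobject]@{
                SiteUrl = $site.Url
                Group   = $group.Title
                Roles   = ($group.Roles -join ', ')
            }
            if ($Remove) {
                Remove-SPOUser -Site $site.Url -LoginName $everyoneClaim -Group $group.Title
            }
        }
    }
}

# Review the report first; rerun with -Remove once the 'Everyone' grants are confirmed
# to be over-sharing rather than intended.
$findings | Format-Table -AutoSize
```

Run it once without -Remove and review the report, since some grants may be intentional; sites shared with 'Everyone except external users' are not flagged because that is a different claim.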