Everyone except external users disappears form Group Visitors

MVP

Hi,

 For the group site when we add "Everyone except external users" to the "Site visitors" to grant people R/O access, it disappears in a while from the Site visitors and people lost access. Adding "Everyone except external users" as domain group in parallel with Site visitors/members/owners groups works.

 

Is that default behaviour or something is wrong in our configuration?

33 Replies

Hi @Abhimanyu Singh , thank you for the link, will add my question to that place as well. I tried to find something similar in Discussions but missed the blog.

 

Sounds like a bug. Maybe report it to MS Support?

Kevin, as far as workaround works plus there is no such effect on isolated sites - we will survive. Opening of the support ticket is usually quite time consuming for us. I mean not opening itself, but all following communications and tests.  That's for critical cases. 

Slightly related to this, I have issue with the "Everyone except external users" on Public groups! I want to make an exception and give them Read permissions. As a result, "Everyone except external users" is stored in the underlying Visitors (Read) group. After a couple of days, "Everyone except external users" is back in the Members group and have back their Edit permissions. 
This is not a single event - this is the case for all our Public O365 Groups where we want to give them only Read permissions. Anyone has the same issues on their tenant? Ours is located in W-Europe.

Interesting, didn't see such. Based on discussion here https://techcommunity.microsoft.com/t5/Microsoft-SharePoint-Blog/Modernize-your-SharePoint-team-site... 'everyone' shall not work with Members/Visitors for public/private groups by design. Instead we have unpredictable behaviour of 'everyone' being added to one of these groups.

@Pieter Op De BeéckWe have the same problem (in a Dutch company, so also W-Europe tenant). I thought it must have been a single event changing the group permissions of dozens of our SharePoint sites from read to contribute for the "Everyone except external users" group. But in the audit logs I cannot find anything that happened there, and indeed it can be the case that it happens automatically after some time.

Earlier I found out the Privacy setting of the Group in Teams (in the Edit Team menu) configured after the group permission in the SharePoint site was set effects the private/public setting of the SharePoint site so it can be the cause of our problems. In that case there is no possibility to have SharePoint site where everyone can read, the project team can contribute, and where only the project team can chat in Teams without others reading/editing in Teams as well. Then you have to make private groups, because in the end O365 syncs the different privacy settings on different spots.

@Pieter Op De Beéck 

 

I have the exact same issue where I change the permission from edit to read for "Everyone Except External Users" on  a "Public" goup site. Sometime after 1 minute or a 1 day it goes back to Edit. At the begining I thought it was related to SP groups I was adding to the site permissions but I noticed it was occurng also on sites where I was just switching permission from edit to read for "Everyone Except External Users".

For me this is a huge security issue. One of my customer found out the issue and do not trust permissions in SharePoint anymore. Issue observed in US and Canada tenants.

I've submitted a case to Microsoft today...

Just a precision, this post is for Private group, not Public group.

@Sergei Baklan 

 

When site is Private, and you want to give access to the site to "Everyone except external users" read only, we cannot.  I too had a same issue and had opened a ticket with Microsoft.  They said that it is by design and you cannot use "Everyone except external users" in the Visitors group.  A background process is run by Microsoft, that removes this from the Visitors group.  You may search your Audit logs in the Security and Compliance center and will get hold of this information.  I was able to find this in the Audit logs and hence was sure that it was not done by anyone in my team but Microsoft did it.

 

For time being the solution, I see is to create your own Security group (or may be a Dynamic group) and add users into that security group.  Later, use the security group to add it into your SharePoint Visitors group.

Hi @ainnani ,

 

Yes, it was discussed in the comments to this blog https://techcommunity.microsoft.com/t5/Microsoft-SharePoint-Blog/Modernize-your-SharePoint-team-site... and support article was published https://support.microsoft.com/en-us/help/4492201/everyone-except-external-users-group-is-removed

 

We add 'everyopne' as domain group in Sharepoint, not as part of any Groups group.

@Pieter Op De Beéck 

I finally got a confirmation by Microsoft support of this issue where changing permission of "Everyone except external users" from "Edit" to "Read" is change back to "Edit" after a period of time on Public O365 group site. 

 

Hello Martin,

Hope you doing well.

 

We are following up with you for the issue related to the Modern Sharepoint site and we have reproduced the issue on multiple tenants and found that it is a known issue. We have also discussed your case with my supervisior, also escalated your case to the escalations team and will update you once i will recieve a reply from them.

 

Thank you for choosing Microsoft online services.

@Pieter Op De Beéck , did you find the issue or get information from Microsoft?

 

On my side I had the worst experience with the escalation team ever... First line of support tells me they can replicate the issue. Then another level of support tell me they can't replicate the issue. Then the escalation team say that this is a known behavior and it is how public group site should work!! So I start to feel they are making fun of me because in my last discussion they tell me they can't reproduce the issue BUT it is a know behavior and it is how it should work...... So how come they can't reproduce the behavior?? So the end of the story is 

1) The UI gives you the ability to change permissions for Everyone Except External Users from Edit To Read in public group site

2) If the permissions are set back to edit, well this is how it should work but they can't do it on their side!!

 

Also, there is a thread on PowerShell PnP where someone creating a public site and setting EEEU from edit to read change back after a couple of minutes after....  https://techcommunity.microsoft.com/t5/SharePoint/Pnp-provisoning-issue-with-permissions-for-Everyon...

 

What a mess...

@nenonix , Escalation team is saying that setting read permissions on "Everyone Except External Users" may (or will ??) revert to Edit caused by a background job on public group site and is a normal behavior..... Ticket closed!!!

 

It's a none sense to me. I asked them to document this behavior because it is not documented. They said they will... I'm eager to read user comments when they will document this !!

 

So why providing the option to change permissions on public group site if everyone will always have  edit access anyway? Go find out....

@Martin Coupal I think you should join the discussion on GitHub or add feedback on the document in question. The docs are opensource now, so anyone can contribute. (I work on the freelance team that helps to resolve issues on GitHub and I saw this discussion while trying to figure out a change that mentioned this, but did not explain it very well). You can open a new issue on the content page that should be changed - perhaps this one: https://docs.microsoft.com/en-us/sharepoint/understanding-permission-levels (scroll to the bottom and add your feedback to "this page" to open an issue on GitHub) is where to request that this be documented. 

@nenonix , thanks for the link. I've just post a feedback on the page.

@Pieter Op De Beéck Hi Pieter, i have the exact same issue! After creating a new site the  "Everyone except external users" group is member of the Members group instead of the Visitors Group. Also West-Europe (The Netherlands). So far i haven't found a solution.