Guest sees page for 2 seconds then access denied to Group SP site

So you may have seen my posts over the months as I try to use GROUPS to support external users (my customers). It has now been over a week on my latest support ticket with no response or even attempt at diagnosing the issues our tenant is facing. HUNDREDS of my external users are unable to access content (and yes they are all set correctly in AzureAD). All the permissions have been checked with PS.

Why am I mad? Well this morning, I get an email from my support "ambassador" recommending I read a THIRD PARTY website on SharePoint permissions. It may be a good article but is that the best support can do? And anyway, it is the (expletive deleted) auto-provisioned site for a GROUP, I had nothing to do with how it is set up and the users permissioned. I just add someone to a GROUP and it all should work, well it did until about two weeks ago.

So I have tried the support route and it is not working so can someone tell me what these errors in the browser console log indicate?

blah, blah ...
18. Ignored setting non-registered setting 'searchux.strings.RefinerPane.ariaRemoveRefinerLabel'. 12.sp-pages-search_a6bd02ab633026ef31aa.js (1,8979)
19. 2 HTTP400: BAD REQUEST - The request could not be processed by the server due to invalid syntax. (XHR)GET - https://iasahome.sharepoint.com/sites/cita-p003/_api/SP.Directory.DirectorySession/Group('13cb6371-f...
20. HTTP403: FORBIDDEN - The server understood the request, but is refusing to fulfill it. (XHR)GET - https://iasahome.sharepoint.com/_vti_bin/DelveApi.ashx/authtoken/loki?d=1521330891068
21. HTML1300: Navigation occurred. AccessDenied.aspx (1,1)
22. HTTP400: BAD REQUEST - The request could not be processed by the server due to invalid syntax. (XHR)GET - https://iasahome.sharepoint.com/sites/cita-p003/_api/SP.Directory.DirectorySession/Group('13cb6371-f...
23. HTML1506: Unexpected token.

NB: I see the article that mentions this but after a quick review it doesn't tell me how to fix the situation https://techcommunity.microsoft.com/t5/SharePoint-Support-Blog/Unexpected-Access-Denied-Invitations-...
21 Replies
Can you share more details about the page your users are accessing? Apparently you have some custom development there... can you confirm this?

Hi David,

Thanks for reading my blog.  Unfortunately, mine was targeted to a group of support requests that we've been working in SharePoint support.  Based on the errors, what seems to be happening is that there are some delve queries that your external users do not have access to.

Unfortunately, I can't speak to anything further than that; what is interesting is that I have another customer with something that looks similar.  However, they aren't getting an access denied, but rather are being prompted to sign in. 

I'd be interested to know if you've got anything on these group sites that leverages Delve.

Hi Toby, thanks for responding. Nothing using Delve other than what is built into a standard site provisioned by GROUP creation, whatever that may be. Search/Delve is running on the site (I have about 20 such GROUPS) and I confirmed that Search and Delve are active and working on the tenant. I cannot stress enough that this is just a site set up by creating a Group using the Office 365 Outlook interface. Nothing else has been done. Create Group, add guest members, access using the link in the email sent, they see the site for two seconds and then some script or part on the page is failing and redirecting to accessdenied.aspx. I have added two support engineers to the group already (admin@infostorage.onmicrosoft.com and melvincraft@outlook.com) to demonstrate - totally reproducible. Can add you as well if you send me an account to use - @Pernille-Eskebo.com or @outlook.com to dslight@iasaoffice.org ....
No no no, no custom dev, it is just the site created for an Office 365 Group. Site URL is https://iasahome.sharepoint.com/sites/cita-p003/ and I can add you as an external guest if you want ...
Is there a simple way to turn off Delve? Looking through SP admin, it looks like I would have to turn off search?
Thanks for responding. Nothing leveraging Delve, although I guess it is active on the tenant.
Latest update for those interested: we have confirmed this behaviour on new Group sites. Interestingly, the site is accessible to the GUEST when it is empty, but as soon as the first item is added to the document library the issue occurs and AccessDenied.aspx appears again. The Support engineers don't seem to be very familiar with Groups so it would really help if someone could lend them a hand 🙂 [Ticket #:7689974] [Ticket #:7608078]
Bump - hope you get this sorted out.
Nope, ticket still open [Ticket #:7689974]. Seems several customers have the issue - completely reproducible.

Any update on this issue? We're just starting to test out external sharing for some of our content and while external users can sign in successfully and see content, they are constantly plagued with pop-ups asking for credentials and this appears to be the culprit:

HTTP401: DENIED - The requested resource requires user authentication. (XHR)GET - https://xxxxx.sharepoint.com/_vti_bin/DelveApi.ashx/authtoken/loki?d=XXXXXXXXXXXX

Isn't there a way to prevent external users from registering or attempting to contact Delve? I know it's not exactly the same issue as what you've described above, but maybe partially related. Thanks.

A quick update here: @TonyRedmond and I have been experiencing this issue. We know it is a problem in the guest access to sites that should be fixed, but there is no news about when this will happen.

Can you access the SharePoint library from Teams?
[Ticket #:7689974] has only been open 6 weeks so you have a while to wait yet.

Just ran into this problem this morning. The guest has access to other groups, but the one they have just been added to is throwing up the Access Denied page for the account. Putting in a ticket now as this group needs to be ready for Monday, but your time frame has got me worried...

I'm seeing what I think is the same issue for a guest user - when initially added to the Group, checking their effective SharePoint permissions, it all looks fine - then a couple of minutes later, their effective permissions include a long list of 'Deny' entries.

This issue was fixed according to my ticket [Ticket #:7689974] and confirmed by testing 5/29 

Hi David - do you know if they did something specific to your tenant in order to fix it, or was it a wider rolled-out fix / update - and also would it still affect Groups created before 5/29?
I was told it was a full roll-out to every tenant - nothing special done to mine. Groups created before that date just started working. I would open a ticket and quote my ticket number for reference. HTH

I may have missed it, but what is your ticket number?  I have had multiple tickets open over the past 6 months regarding this issue.  I give external access.  When I check permissions for that user, they have their permissions; however, below is a very long list of Deny permissions which is preventing anyone external from accessing our SharePoint site.  I've received multiple solutions from Microsoft.  I even heard that Microsoft removed the ability for guests to collaborate due to security reasons.  If I have a ticket I can reference, that may possibly help them resolve this for me.

 

Thanks,

Jeff