May 02 2019
10:19 PM
- last edited on
Feb 01 2023
11:52 AM
by
TechCommunityAP
May 02 2019
10:19 PM
- last edited on
Feb 01 2023
11:52 AM
by
TechCommunityAP
Hi,
We have recently started to use Office365 and especially with external sharing we took a cautious approach.
However, there was now a need to invite some guests to work on a project. In Sharepoint Admin Center we have the External Sharing option set to Existing guests (only users already in your organization's directory). We also have domain restrictions set so only persons belonging to certain domains can be invited.
Turned out that the when the guests log on to our tenant based on the invitation email they receive they are able to
a) browse existing groups in our tenant (that they are not a member of) and
b) list the individuals belonging to these groups
This is severe. Please, where have we gone wrong? Appreciate any advice.
The groups that guest can view are mostly security groups but I also found some Office365 group in the list.
Thanks,
Tony
May 02 2019 10:36 PM
SolutionIf it's that big of a problem, don't invite guests, as we don't have any means to completely prevent them from seeing other objects in the directory. We have options to hide groups from the GAL, hide the membership of O365 groups, use dynamic groups that don't show a membership list and some other things to consider, but there isn't a 100% solid solution to this. So if you have reasons to hide groups and their membership from guests, perhaps you should reconsider inviting them in the first place.
May 05 2019 06:08 AM
@Vasil Michev OK, so this feature is "by design" in other words. I thought reason was some setting we had. Thanks for your confirmation.
br, Tony
May 02 2019 10:36 PM
SolutionIf it's that big of a problem, don't invite guests, as we don't have any means to completely prevent them from seeing other objects in the directory. We have options to hide groups from the GAL, hide the membership of O365 groups, use dynamic groups that don't show a membership list and some other things to consider, but there isn't a 100% solid solution to this. So if you have reasons to hide groups and their membership from guests, perhaps you should reconsider inviting them in the first place.