SOLVED

Guest users can browse groups and its members


Hi,

We have recently started to use Office365 and especially with external sharing we took a cautious approach.

However, there was now a need to invite some guests to work on a project. In SharePoint Admin Center we have the External Sharing option set to Existing guests (only users already in your organization's directory). We also have domain restrictions set so only persons belonging to certain domains can be invited.

Turned out that when the guests log on to our tenant based on the invitation email they receive, they are able to

a) browse existing groups in our tenant (that they are not a member of) and

b) list the individuals belonging to these groups

This is severe. Please, where have we gone wrong? Appreciate any advice.

The groups that guest can view are mostly security groups but I also found some Office365 group in the list.

Thanks,

Tony

2 Replies
Solution

If it's that big of a problem, don't invite guests, as we don't have any means to completely prevent them from seeing other objects in the directory. We have options to hide groups from the GAL, hide the membership of O365 groups, use dynamic groups that don't show a membership list and some other things to consider, but there isn't a 100% solid solution to this. So if you have reasons to hide groups and their membership from guests, perhaps you should reconsider inviting them in the first place.
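
An audit for two of the options the reply above lists (hiding groups from the GAL and hiding O365 group membership), as an added example that is not part of the original thread. The function name `Get-GroupExposure` and the sample groups are assumptions made for illustration; the property names are those returned by the Exchange Online `Get-UnifiedGroup` cmdlet, so this covers Office 365 groups only, not security groups.

```powershell
# Added example: classify Office 365 groups by what a non-member can still see.
# Input objects need the same property names that Get-UnifiedGroup returns.
function Get-GroupExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Group
    )
    process {
        $findings = @()
        if (-not $Group.HiddenFromAddressListsEnabled) {
            $findings += 'listed in the GAL'
        }
        if (-not $Group.HiddenGroupMembershipEnabled) {
            $findings += 'membership visible to non-members'
        }
        [pscustomobject]@{
            DisplayName       = $Group.DisplayName
            Exposed           = $findings.Count -gt 0
            Findings          = $findings -join '; '
            # GAL visibility can be changed on an existing group. Hidden membership
            # can only be chosen at creation time (New-UnifiedGroup), so an exposed
            # membership list means recreating the group.
            CanHideFromGalNow = -not $Group.HiddenFromAddressListsEnabled
        }
    }
}

# Constructed sample data standing in for Get-UnifiedGroup output.
$sample = @(
    [pscustomobject]@{ DisplayName = 'Project Alpha'; HiddenFromAddressListsEnabled = $false; HiddenGroupMembershipEnabled = $false }
    [pscustomobject]@{ DisplayName = 'HR Internal';   HiddenFromAddressListsEnabled = $true;  HiddenGroupMembershipEnabled = $false }
    [pscustomobject]@{ DisplayName = 'Board';         HiddenFromAddressListsEnabled = $true;  HiddenGroupMembershipEnabled = $true }
)
$sample | Get-GroupExposure | Format-Table -AutoSize

# Against a tenant (after Connect-ExchangeOnline), report first, then preview the change:
#   Get-UnifiedGroup -ResultSize Unlimited | Get-GroupExposure | Where-Object Exposed
#   Get-UnifiedGroup -ResultSize Unlimited |
#       Where-Object { -not $_.HiddenFromAddressListsEnabled } |
#       ForEach-Object {
#           Set-UnifiedGroup -Identity $_.Identity -HiddenFromAddressListsEnabled $true -WhatIf
#       }
```

Remove `-WhatIf` only after reviewing the preview; as the reply says, these settings reduce what guests see but are not a complete barrier.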

@Vasil Michev OK, so this feature is "by design" in other words. I thought the reason was some setting we had. Thanks for your confirmation.

br, Tony