"Everyone except external users" has read permission on many personal OD sites

%3CLINGO-SUB%20id%3D%22lingo-sub-1532885%22%20slang%3D%22en-US%22%3E%22Everyone%20except%20external%20users%22%20has%20read%20permission%20on%20many%20personal%20OD%20sites%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1532885%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20noticed%20that%20the%20group%26nbsp%3B%22Everyone%20except%20external%20users%22%20has%20read%20permission%20on%20many%20personal%20OD%20sites.%26nbsp%3BThe%20permission%20appears%20to%20be%20on%20the%20site%20level%20(not%20a%20specific%20file%20or%20folder).%3C%2FP%3E%3CP%20data-unlink%3D%22true%22%3EHowever%2C%20when%20I%20try%20to%20browse%20to%20those%20sites%20(%3CA%20href%3D%22https%3A%2F%2Forg-my.sharepoint.com%2Fpersonal%2Fname_org_com%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Forg-my.sharepoint.com%2Fpersonal%2Fname_org_com%3C%2FA%3E%26nbsp%3B)%26nbsp%3B%3CSPAN%3EI%20don't%20have%20access%20to%20them.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%20data-unlink%3D%22true%22%3E%3CSPAN%3EI%20reached%20out%20to%20some%20of%20these%20people%20and%20they%20did%20not%20grant%20this%20permission%20intentionally.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%20data-unlink%3D%22true%22%3E%26nbsp%3B%3C%2FP%3E%3CP%20data-unlink%3D%22true%22%3ECan%20anyone%20explain%20this%20behavior%3F%3C%2FP%3E%3CP%20data-unlink%3D%22true%22%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1532885%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOneDrive%20for%20Business%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1532936%22%20slang%3D%22en-US%22%3ERe%3A%20%22Everyone%20except%20external%20users%22%20has%20read%20permission%20on%20many%20personal%20OD%20sites%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1532936%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F573037%22%20target%3D%22_blank%22%3E%40roniy%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhere%20are%20you%20seeing%20this%20group%3F%26nbsp%3B%20Has%20it%20been%20added%20to%20the%20visitors%20group%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAs%20a%20wider%20answer%2C%20do%20you%20know%20what%20your%20default%20Sharing%20settings%20are%3F%26nbsp%3B%20I%20suspect%20that%20these%20may%20be%20the%20culprit.%26nbsp%3B%20I've%20seen%20this%20a%20few%20times%20where%20the%20default%20sharing%20settings%20are%20configured%20to%20the%20entire%20organisation.%26nbsp%3B%20Quite%20often%20the%20defaults%20are%20accepted%20and%20that'll%20result%20in%20the%20%22Everyone%20but%20external%22%20group%20being%20added%20to%20an%20item%20%2F%20site.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Sharing_Settings.jpg%22%20style%3D%22width%3A%20984px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F206351i709E8F84865B5442%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Sharing_Settings.jpg%22%20alt%3D%22Sharing_Settings.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1533161%22%20slang%3D%22en-US%22%3ERe%3A%20%22Everyone%20except%20external%20users%22%20has%20read%20permission%20on%20many%20personal%20OD%20sites%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1533161%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F11625%22%20target%3D%22_blank%22%3E%40Steven%20Andrews%3C%2FA%3E!%3C%2FP%3E%3CP%3EIt's%20not%20in%20the%20visitors%20group.%3C%2FP%3E%3CP%3ESo%20you're%20saying%20it%20must%20be%20a%20result%20of%20sharing%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20still%20wonder%20why%20I%20(an%20internal%20user)%20don't%20have%20access%20while%20the%20group%20is%20there%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22roniy_0-1595253396083.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F206368iCFD49F4802080A38%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22roniy_0-1595253396083.png%22%20alt%3D%22roniy_0-1595253396083.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1533307%22%20slang%3D%22en-US%22%3ERe%3A%20%22Everyone%20except%20external%20users%22%20has%20read%20permission%20on%20many%20personal%20OD%20sites%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1533307%22%20slang%3D%22en-US%22%3E%3CP%3EThat's%20probably%20a%20remnant%20from%20back%20in%20the%20day%20where%20we%20had%20the%20%22shared%20with%20everyone%22%20folder.%20You%20can%20still%20provision%20that%20via%20the%26nbsp%3B%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3EProvisionSharedWithEveryoneFolder%20%3C%2FFONT%3Eswitch%2C%20but%20it's%20no%20longer%20enabled%20by%20default%20afaik.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1533331%22%20slang%3D%22en-US%22%3ERe%3A%20%22Everyone%20except%20external%20users%22%20has%20read%20permission%20on%20many%20personal%20OD%20sites%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1533331%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%26nbsp%3BThat's%20a%20very%20good%20tip.%26nbsp%3B%20I'd%20forgotten%20about%20this.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F573037%22%20target%3D%22_blank%22%3E%40roniy%3C%2FA%3E%26nbsp%3B%20More%20information%20on%20this%20one%20here%2C%20this%20was%20a%20change%20back%20in%202015%20I%20think.%26nbsp%3B%20I%20wasn't%20able%20to%20find%20the%20Technet%20article%20but%20this%20should%20help%20out.%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.markwilson.co.uk%2Fblog%2F2015%2F10%2Frestore-the-shared-with-everyone-folder-in-onedrive-for-business.htm%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.markwilson.co.uk%2Fblog%2F2015%2F10%2Frestore-the-shared-with-everyone-folder-in-onedrive-for-business.htm%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1533451%22%20slang%3D%22en-US%22%3ERe%3A%20%22Everyone%20except%20external%20users%22%20has%20read%20permission%20on%20many%20personal%20OD%20sites%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1533451%22%20slang%3D%22en-US%22%3E%3CP%3EThank%20you%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20this%20permission%20is%20still%20there%20but%20doesn't%20grant%20actual%20access%3F%26nbsp%3B%3C%2FP%3E%3CP%3EI%20there%20an%20easy%20way%20to%20clean%20it%20from%20all%20personal%20sites%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

Hi,

 

We noticed that the group "Everyone except external users" has read permission on many personal OD sites. The permission appears to be on the site level (not a specific file or folder).

However, when I try to browse to those sites (https://org-my.sharepoint.com/personal/name_org_com ) I don't have access to them. 

I reached out to some of these people and they did not grant this permission intentionally. 

 

Can anyone explain this behavior?

 

5 Replies
Highlighted

@roniy 

Where are you seeing this group?  Has it been added to the visitors group?

 

As a wider answer, do you know what your default Sharing settings are?  I suspect that these may be the culprit.  I've seen this a few times where the default sharing settings are configured to the entire organisation.  Quite often the defaults are accepted and that'll result in the "Everyone but external" group being added to an item / site.

 

Sharing_Settings.jpg

Highlighted

Thanks @Steven Andrews!

It's not in the visitors group.

So you're saying it must be a result of sharing?

 

I still wonder why I (an internal user) don't have access while the group is there:

 

roniy_0-1595253396083.png

 

Highlighted

That's probably a remnant from back in the day where we had the "shared with everyone" folder. You can still provision that via the ProvisionSharedWithEveryoneFolder switch, but it's no longer enabled by default afaik.

Highlighted

@Vasil Michev That's a very good tip.  I'd forgotten about this.  

 

@roniy  More information on this one here, this was a change back in 2015 I think.  I wasn't able to find the Technet article but this should help out.

https://www.markwilson.co.uk/blog/2015/10/restore-the-shared-with-everyone-folder-in-onedrive-for-bu...

 

Highlighted

Thank you @Vasil Michev!

 

So this permission is still there but doesn't grant actual access? 

I there an easy way to clean it from all personal sites?