Best approach to prevent external users from accessing SharePoint Online


We have a classic team site collection, which contains 70 sub-sites (where each sub-site has unique permissions), and some sub-sites have been shared with external users (mainly by adding the external user to the site member group or visitor group). Now we need to remove 3 external users and prevent them from accessing SharePoint. But we are not sure which sub-sites have been shared with these users, so what is the best way to globally remove the external users and prevent them from accessing Office 365 and specifically the SharePoint sites that have been shared with them?

Thanks

8 Replies

Hi @john john - you can go to your Office 365 admin center, click on Users in the left nav, then Guest Users. You can remove them all from there regardless of what SPO site has been shared.

 


@Kelly_Edinger wrote:

Hi @john john - you can go to your Office 365 admin center, click on Users in the left nav, then Guest Users. You can remove them all from there regardless of what SPO site has been shared.


@Kelly_Edinger thanks for your reply. I saw this option, but I am not sure if we can disable the user account instead of removing it?

Second question: now let's say I remove the user account from the Office 365 admin center >> Guest users.. then I think the user account will still exist inside the SharePoint groups which have been shared with the user? If this is the case, then let's say in the future we re-share a new/existing site with the deleted user account, then will the user get access to the old sites which have been shared with her/him, as in the end the external user email will be the same?

oh wow @john john, I just tested this. Added a personal email to a SPO site, then removed it from the admin center.  2 things are now scary - I'm no longer listed in the admin center as a guest, and the site itself shows 2 members (neither of which are my personal email) - if I was doing a quick check, I would think my personal account is gone. But if I go into Advanced Permissions on the site, my personal account is still there, and I can still log in with my personal account. 

 

So, it's clear I don't have any good answers for you but I do thank you for raising this issue. I thought this was pretty cut and dry.

 

Would love to hear from an MVP or a Product Manager on this issue.

Are you familiar with the All People page/All Users List for a site collection? You can get to it by appending this to your site collection URL: /_layouts/15/people.aspx?MembershipGroupId=0

 

You can delete users from the entire site collection from this page.

 


@Kelly_Edinger wrote:

oh wow @john john, I just tested this. Added a personal email to a SPO site, then removed it from the admin center.  2 things are now scary - I'm no longer listed in the admin center as a guest, and the site itself shows 2 members (neither of which are my personal email) - if I was doing a quick check, I would think my personal account is gone. But if I go into Advanced Permissions on the site, my personal account is still there, and I can still log in with my personal account. 

 

So, it's clear I don't have any good answers for you but I do thank you for raising this issue. I thought this was pretty cut and dry.

 

Would love to hear from an MVP or a Product Manager on this issue.


@Kelly_Edinger now I did a test on a classic SharePoint team site, where I shared a site with my Hotmail account >> I got an invitation link >> clicked on the link >> I accessed the site as guest >> my Hotmail account was added to the Office 365 guest accounts list.

Then using the Office 365 global admin >> I deleted my Hotmail account from the list of Guest accounts >> but I can still access the site using my Hotmail account. But I was sure that Office 365 will not allow any internal or external user to access a site if his/her user is disabled or deleted, so I logged out from SharePoint using my Hotmail account >> tried to log in again using my Hotmail, where I got access denied, although my Hotmail account is still listed inside the SharePoint members group (I think this account will be orphaned).. so maybe the issue we are facing is a timing issue, but sooner or later you will not be allowed to access SharePoint or Office 365 using a deleted guest account.. but I am not sure, if I did not log out from SharePoint, for how long I can access a site using a deleted guest account.. I am sure it will not be more than 30 minutes.. but cannot verify this.

 


@Kevin McKeown wrote:

Are you familiar with the All People page/All Users List for a site collection? You can get to it by appending this to your site collection URL: /_layouts/15/people.aspx?MembershipGroupId=0

 

You can delete users from the entire site collection from this page.


@Kevin McKeown Yes, I know about this list, but you mean we can remove a guest account from this list instead of removing the Guest from Office 365 admin >> Guest accounts? If this is the case, then the issue will be that I will need to check this list on all the site collections... unlike removing the Guest from Office 365 admin >> Guest accounts, which should remove the Guest account globally.. is my point valid?

Based on results of your own testing described above, it sounds like you would need to remove the user in both places regardless of where you delete them first, SharePoint and Office 365 Admin. 

 

And yes, since these All People pages are specific to a site collection, you would need to check it on all site collections. 
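
An added example, not part of the original thread or any poster's own code: a SharePoint Online Management Shell script that reports which site collections still list the three guests in their user list, so the per-site-collection check described above does not have to be done page by page. The admin URL and guest addresses are placeholders, and the matching assumes guest login names carry either the plain e-mail address or the `name_domain#ext#` form.

```powershell
# Added example: report only; the removal line at the end is commented out.
# Requires the Microsoft.Online.SharePoint.PowerShell module and a SharePoint
# admin account. URL and addresses below are placeholders (assumptions).
$adminUrl = 'https://contoso-admin.sharepoint.com'
$guests   = @('guest1@example.com', 'guest2@example.com', 'guest3@example.com')

Connect-SPOService -Url $adminUrl

# Build one case-insensitive pattern that matches each guest both as a plain
# e-mail address and as the "name_domain#ext#" form used in guest login names.
$patterns = foreach ($g in $guests) {
    [regex]::Escape($g)
    [regex]::Escape(($g -replace '@', '_') + '#ext#')
}
$matcher = '(' + ($patterns -join '|') + ')'

# The user list is per site collection, so one pass per site collection also
# covers its sub-sites, including those with unique permissions.
$hits = foreach ($site in Get-SPOSite -Limit All) {
    try {
        Get-SPOUser -Site $site.Url -Limit All -ErrorAction Stop |
            Where-Object { $_.LoginName -match $matcher } |
            ForEach-Object {
                [pscustomobject]@{
                    Site      = $site.Url
                    LoginName = $_.LoginName
                    Groups    = ($_.Groups -join '; ')
                }
            }
    } catch {
        # Typically access denied: the admin is not a site collection admin here.
        Write-Warning "Could not read users of $($site.Url): $_"
    }
}

$hits | Sort-Object Site | Format-Table -AutoSize

# After reviewing the report, remove each entry from its site collection:
# $hits | ForEach-Object { Remove-SPOUser -Site $_.Site -LoginName $_.LoginName }
```

Site collections that produce a warning were not checked and still need a manual look at their All People page.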

 


@Kevin McKeown wrote:

Based on results of your own testing described above, it sounds like you would need to remove the user in both places regardless of where you delete them first, SharePoint and Office 365 Admin. 

 


@Kevin McKeown the test I did showed that the removed user can still access the site, but when I log out >> re-login I got Access Denied. But I am sure that if we remove the Guest account from the Office 365 Guest account list, then the guest account will not be able to access the site after a specific period of time (1/2 hour for example).. I did not find any official documentation talking about this, and all the official docs mentioned that if we want to prevent a Guest account from accessing SP Online and Office 365 then we can remove the Guest account from Office 365 admin center >> Guest accounts list... and no one mentioned that we need to remove it from the user list under each site collection.