Aug 25 2016 08:35 AM
We've got a situation where we need to block a subset of users from accessing our SPO tenant while still keeping their access to the rest of the O365 suite active. We can't remove them from AD at the moment, so that's not a solution. Any other ideas?
Aug 25 2016 09:08 AM - edited Aug 25 2016 09:09 AM
Can you not just change their licenses to be the Office client only?
You can do it through PowerShell if there's too many for the UI.
https://technet.microsoft.com/en-us/library/dn771769.aspx for more details on the PowerShell option.
Paul.
Aug 25 2016 09:14 AM
We've tried removing their SharePoint license but that didn't seem to remove access to the intranet. Not sure if there's something we were missing.
Aug 25 2016 09:23 AM
Aug 25 2016 09:24 AM
Unfortunately, removing their license will not keep them from accessing SahrePoint online if someone adds them to a site. it used to work that way, but MS took out the license check about two years ago. I am not aware of any way to lock users out of SharePoint and still allow them access to other Office 365 features other than finding and removing all permissions in SharePoint that would give them access.
Aug 25 2016 09:27 AM
Thanks Paul, that was going to be my next suggestion. A lot depends on how people have been given access to the Intranet. If it's a larger group such as Domain Users, then you could create a new group that doesn't include these users and swing the Intranet permissions over.
Kind of a sledge hammer/nut scenario.
I suppose you could block sign-in on the user, but I think that would stop the office client working.
Aug 25 2016 09:30 AM
Aug 25 2016 09:40 AM
Unfortunately, removing their SharePoint permissions is the only way to block them without blocking login to ALL Office 365 features. In an on-premises environment you could create a user Policy setting at the Web App level to deny them access, but that's not an option in a tenated environment like Office 365.
Aug 25 2016 09:43 AM
It might be worth taking a look at something like Metalogix ControlPoint to manage the permissions changes instead then. It would be able to scan the tenant and remove permissions for nominated users.
Not a cheap option though.
Aug 25 2016 10:35 AM
Aug 25 2016 10:11 PM
Aug 26 2016 06:15 AM
Aug 26 2016 07:23 AM
As has already been mentioned, removing their license will not prevent them from accessing a SharePoint Online site to which they have been given permission. Office 365 stopped checking licenses when accessing SharePoint sites about two years ago. The only way to block users is either to Block their login (which will block their access to all Office 365 services) or remove their permissions in SharePoint. Removing the license will NOT work.
Aug 26 2016 08:57 AM
I was hoping that wouldn't be the solution since they've been given permission to a variety of material on the internet, both through the standard sharepoint permission group and individually. What a nightmare.
Aug 26 2016 09:27 AM
Create a powershell script to check the permission level from each site collection from SPO and remove the permissions
https://support.microsoft.com/en-us/kb/3026385 it has to work.
Jan 26 2017 07:06 AM
Jen, we have a similar requirement. How did you end up blocking the users from SPO?
Apr 25 2017 10:22 AM
I've heard recently that you can open a support call and get Microsoft to re-enable license checking in SharePoint. If that gets turned back on then you can just remove their SharePoint Online license to block them from access. But you ahve to specifically request that functionality on your tenant.