Can we deny a user from accessing all sharepoint online sites, while keeping his account active

%3CLINGO-SUB%20id%3D%22lingo-sub-1388911%22%20slang%3D%22en-US%22%3ECan%20we%20deny%20a%20user%20from%20accessing%20all%20sharepoint%20online%20sites%2C%20while%20keeping%20his%20account%20active%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1388911%22%20slang%3D%22en-US%22%3E%3CP%3EI%20got%20a%20requirement%20from%20one%20of%20our%20customers%20is%20that%20they%20want%20to%20prevent%20an%20internal%26nbsp%3B%20user%20from%20accessing%20all%20the%20SharePoint%20online%20site%20collections%20inside%20their%20office%20365%20tenant%2C%20while%20keep%20the%20user%20account%20active%3F%20so%20i%20am%20not%20sure%20if%20SharePoint%20online%20support%20such%20an%20operation..%20of%20course%20we%20have%20many%20sites%20which%20were%20granted%20permission%20through%20the%20%22Everyone%20except%20external%22%20%2C%20so%20this%20user%20is%20granted%20access%20to%20some%20site%20indirectly%20through%20this%20group..%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1388911%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAdmin%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EPermissions%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESharePoint%20Online%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1389058%22%20slang%3D%22en-US%22%3ERe%3A%20Can%20we%20deny%20a%20user%20from%20accessing%20all%20sharepoint%20online%20sites%2C%20while%20keeping%20his%20account%20active%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1389058%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F233354%22%20target%3D%22_blank%22%3E%40john%20john%3C%2FA%3E%26nbsp%3B%20you%20might%20remove%20the%20%22%3CSPAN%3EEveryone%20except%20external%22%20and%20create%20a%20security%20group%20to%20manage%20permission%20(I.e%20Sec_Sharepoint_Allowed_users).%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAdd%20all%20the%20users%20except%20the%20specific%20user%20you%20want%20to%20restrict%20access.%20This%20way%20you%20can%20keep%20a%20track%20of%20all%20the%20users%20who%20have%20access%20to%20sharepoint.%20Further%2C%20if%20you%20got%20additional%20request%2C%20you%20can%20just%20remove%20the%20user%20from%20the%20security%20Group%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1389163%22%20slang%3D%22en-US%22%3ERe%3A%20Can%20we%20deny%20a%20user%20from%20accessing%20all%20sharepoint%20online%20sites%2C%20while%20keeping%20his%20account%20active%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1389163%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F331259%22%20target%3D%22_blank%22%3E%40Prasannaraju%3C%2FA%3Ethis%20will%20work%20on%20paper%20but%20since%20we%20have%20lot%20of%20sites%20and%20sub-sites%20and%20each%20of%20them%20have%20the%20%22Everyone%20Except%20external%20users%22%20%2C%2C%20so%20i%20was%20looking%20for%20a%20simpler%20approach%20to%20prevent%20a%20user%20from%20accessing%20the%20sites%20even%20if%20the%20user%20has%20permission.%26nbsp%3B%20So%20there%20is%20no%20such%20an%20approach%20either%20using%20office%20365%20or%20share%20point%20online%20UI%20or%20powers-hell%3F%20or%20can%20we%20remove%20the%20user%20SharePoint%20online%20license%20(i%20do%20not%20have%20much%20knowledge%20on%20licensing%20but%20i%20am%20thinking%20loudly%26nbsp%3B%20)%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1390746%22%20slang%3D%22en-US%22%3ERe%3A%20Can%20we%20deny%20a%20user%20from%20accessing%20all%20sharepoint%20online%20sites%2C%20while%20keeping%20his%20account%20active%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1390746%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F233354%22%20target%3D%22_blank%22%3E%40john%20john%3C%2FA%3E%26nbsp%3B%3CSPAN%3ERemoving%20their%20license%20will%20be%20easiest%20if%20you%20want%20to%20block%20them%20from%20all%20SPO%20sites%2C%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EPlease%20note%20this%20will%20also%20block%20their%20ODfB.%20I%20would%20recommend%20to%20test%20this%20scenario%26nbsp%3Bwith%20test%20user%20first%20and%20then%20apply%20to%20actual%20user.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EOther%20option%20if%20you%20dont%20want%20to%20play%20with%20License%2C%3C%2FSPAN%3E%3C%2FP%3E%3CP%3ECreate%20a%20powershell%20script%20to%20check%20the%20permission%20level%20from%20each%20site%20collection%20from%20SPO%26nbsp%3Band%20remove%20the%20permissions%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fkb%2F3026385%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fkb%2F3026385%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Valued Contributor

I got a requirement from one of our customers is that they want to prevent an internal  user from accessing all the SharePoint online site collections inside their office 365 tenant, while keep the user account active? so i am not sure if SharePoint online support such an operation.. of course we have many sites which were granted permission through the "Everyone except external" , so this user is granted access to some site indirectly through this group..

3 Replies
Highlighted

@john john  you might remove the "Everyone except external" and create a security group to manage permission (I.e Sec_Sharepoint_Allowed_users).

 

Add all the users except the specific user you want to restrict access. This way you can keep a track of all the users who have access to sharepoint. Further, if you got additional request, you can just remove the user from the security Group :)

 

 

Highlighted

@Prasannarajuthis will work on paper but since we have lot of sites and sub-sites and each of them have the "Everyone Except external users" ,, so i was looking for a simpler approach to prevent a user from accessing the sites even if the user has permission.  So there is no such an approach either using office 365 or share point online UI or powers-hell? or can we remove the user SharePoint online license (i do not have much knowledge on licensing but i am thinking loudly  )

Highlighted

@john john Removing their license will be easiest if you want to block them from all SPO sites,

Please note this will also block their ODfB. I would recommend to test this scenario with test user first and then apply to actual user.

 

Other option if you dont want to play with License,

Create a powershell script to check the permission level from each site collection from SPO and remove the permissions

https://support.microsoft.com/en-us/kb/3026385