External User Security: How to stop users seeing other external users

%3CLINGO-SUB%20id%3D%22lingo-sub-719501%22%20slang%3D%22en-US%22%3EExternal%20User%20Security%3A%20How%20to%20stop%20users%20seeing%20other%20external%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-719501%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Good%20People%2C%3C%2FP%3E%3CP%3EI%20am%20building%20a%20Sharepoint%20365%20site%20to%20replicate%20the%20structure%20of%20our%20existing%20Sharepoint%20Foundation%20site.%3C%2FP%3E%3CP%3E%3CSTRONG%3EBackground%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EWe%20upload%20documentation%20to%20Sharepoint%20for%20our%20clients%20to%20collect.%3C%2FP%3E%3CP%3EEach%20client%20has%20their%20own%20subsite%20and%20they%20use%20this%20to%20upload%20documentation%20for%20us%20to%20process%20and%20download%20information%20provided%20from%20us.%26nbsp%3B%20It%20is%20a%20daily%20occurrence.%3C%2FP%3E%3CP%3EThere%20is%20also%20a%20top%20level%20site%20'ClientHub'%20where%20clients%20can%20download%20standard%20form%2C%20read%20notices%20from%20us%2C%20keep%20up%20to%20date%20with%20news.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3EEach%20user%20has%20'read'%20only%20access%20to%20ClientHub.%26nbsp%3B%20They%20cannot%20see%20who%20else%20has%20access%20to%20this%20site.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESimple%20structure%20below%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EClient%20Hub%20-%20read%20only%20to%20all%20users%20(Clients%20can%20access%20standard%20docs%20and%20notices)%3C%2FP%3E%3CP%3E-%20ClientA%20-%20ClientA%20users%20can%20upload%20and%20download%20into%20their%20own%20private%20subsite%3C%2FP%3E%3CP%3E-%20ClientB%20-%26nbsp%3BClientB%20users%20can%20upload%20and%20download%20into%20their%20own%20private%20subsite%3C%2FP%3E%3CP%3E-%20ClientC%20-%26nbsp%3BClientC%20users%20can%20upload%20and%20download%20into%20their%20own%20private%20subsite%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EProblem%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EI%20want%20to%20replicate%20this%20secure%20setup%20and%20at%20the%20moment%20I%20can%20only%20do%20this%20if%20my%20users%20only%20have%20access%20to%20their%20own%20sub-site.%26nbsp%3B%20If%20I%20add%20users%20as%20'read'%20only%20to%20the%20main%20ClientHub%20site%20each%20user%20can%20view%20all%20users%20and%20bulk%20email%20to%20all%20users%20by%20using%20the%20'share'%20option.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20obviously%20do%20not%20want%20our%20users%20to%20know%20the%20email%20addresses%20of%20other%20clients%20and%2For%20email%20everyone%20in%20the%20whole%20directory!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHowever%2C%20we%20do%20want%20all%20users%20to%20have%20access%20to%20standard%20documents%20and%20news%20announcements%20as%20this%20is%20essential%20to%20our%20business.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20tried%20adding%20users%20to%20their%20own%20private%20groups%20and%20adding%20the%20group%20to%20ClientHub%20with%20Read%20only%20access%2C%20but%20the%20directory%20still%20lists%20all%20individual%20users%20for%20all%20to%20see.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECan%20anyone%20recommend%20a%20workaround%3F%26nbsp%3B%20Surely%2C%20other%20businesses%20do%20not%20want%20users%20seeing%20everyone%20else%20who%20has%20access%20to%20a%20site%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20not%20a%20developer%20-%20just%20a%20lowly%20administrator%20trying%20to%20setup%20up%20Sharepoint%20365%20to%20do%20exactly%20what%20Sharepoint%20Foundation%20was%20capable%20of.%26nbsp%3B%20Much%20appreciated%20to%20any%20advice%20you%20can%20give.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERegards%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-719501%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EPermissions%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESharePoint%20Online%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-719606%22%20slang%3D%22en-US%22%3ERe%3A%20External%20User%20Security%3A%20How%20to%20stop%20users%20seeing%20other%20external%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-719606%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F366176%22%20target%3D%22_blank%22%3E%40Spidermonkey168%3C%2FA%3E%26nbsp%3B%20-%20is%20there%20a%20business%20case%20for%20your%20customers%20to%20share%20from%20your%20site%3F%20if%20they%20just%20need%20to%20download%2C%20maybe%20try%20turning%20off%20the%20ability%20for%20non-owners%20to%20share%20items%20they%20don't%20own.%20This%20is%20in%20the%20admin%20center.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-719621%22%20slang%3D%22en-US%22%3ERe%3A%20External%20User%20Security%3A%20How%20to%20stop%20users%20seeing%20other%20external%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-719621%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F19689%22%20target%3D%22_blank%22%3E%40Kelly%20E%3C%2FA%3E%26nbsp%3B%20Hi%2C%20thank%20you%20for%20your%20reply.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EExternal%20users%20are%20not%20permitted%20to%20share.%26nbsp%3B%20Only%20Admin%20users%20within%20a%20security%20group%20at%20AD%20have%20permission%20to%20share.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20attached%20a%20screenshot%20of%20the%20current%20settings.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20problem%20I%20have%20is%20if%20users%20are%20added%20to%20the%20top%20site%20so%20they%20can%20rightly%20access%20standard%20documentation%2C%20policies%20etc%20they%20can%20view%20all%20users%20of%20that%20site%20by%20clicking%20on%20the%20'Share'%20icon%20at%20the%20top%20of%20the%20screen.%26nbsp%3B%20%26nbsp%3BAn%20option%20is%20to%20email%20'everyone'!!%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHow%20can%20I%20provide%20access%20to%20standard%20documents%20for%20all%20clients%20without%20them%20seeing%20who%20else%20has%20access%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-719917%22%20slang%3D%22en-US%22%3ERe%3A%20External%20User%20Security%3A%20How%20to%20stop%20users%20seeing%20other%20external%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-719917%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F366176%22%20target%3D%22_blank%22%3E%40Spidermonkey168%3C%2FA%3E%26nbsp%3B-%20oh%20ok%2C%20I%20don't%20see%20that%20option%20on%20any%20of%20my%20sites.%20I%20know%20it's%20not%20ideal%2C%20but%20could%20you%20use%20CSS%20to%20hide%20the%20share%20button%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-719933%22%20slang%3D%22en-US%22%3ERe%3A%20External%20User%20Security%3A%20How%20to%20stop%20users%20seeing%20other%20external%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-719933%22%20slang%3D%22en-US%22%3E%3CP%3EI%20haven't%20tried%20it%20for%20this%20scenario%2C%20but%20you%20could%20look%20into%20using%20the%20Restricted%20Read%2C%20View-only%2C%20or%20a%20custom%20permission%20level%20instead%20of%20the%20default%20Read%20permission%20level%20that%20is%20assigned%20to%20the%20Visitors%20group.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPermission%20levels%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsharepoint%2Funderstanding-permission-levels%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsharepoint%2Funderstanding-permission-levels%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYou%20might%20take%20a%20look%20into%20the%20%22Browse%20User%20Information%22%20permission%20setting.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-721610%22%20slang%3D%22en-US%22%3ERe%3A%20External%20User%20Security%3A%20How%20to%20stop%20users%20seeing%20other%20external%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-721610%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F62361%22%20target%3D%22_blank%22%3E%40Kevin%20McKeown%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you%20for%20this%2C%20and%20like%20you%20I%20thought%20this%20would%20sort%20out%20my%20problem.%20But%20the%20permission%20level%20allocated%20to%20the%20users%20already%20has%20this%20option%20removed.%26nbsp%3B%20Still%20they%20can%20view%20all%20users%20of%20the%20root%20directory%20despite%20whether%20in%20their%20own%20group%20or%20not.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20further%20options%20gratefully%20received%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-721613%22%20slang%3D%22en-US%22%3ERe%3A%20External%20User%20Security%3A%20How%20to%20stop%20users%20seeing%20other%20external%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-721613%22%20slang%3D%22en-US%22%3E%3CP%3EHI%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F19689%22%20target%3D%22_blank%22%3E%40Kelly%20E%3C%2FA%3E%26nbsp%3B%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20certainly%20is%20an%20idea.%26nbsp%3B%20Do%20I%20need%20a%20developer%20to%20modify%20in%20CSS%3F%26nbsp%3B%20I%20would%20need%20just%20the%20root%20site%20changed%20to%20remove%20the%20share%20button.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-721863%22%20slang%3D%22en-US%22%3ERe%3A%20External%20User%20Security%3A%20How%20to%20stop%20users%20seeing%20other%20external%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-721863%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F366176%22%20target%3D%22_blank%22%3E%40Spidermonkey168%3C%2FA%3E%26nbsp%3B-%20yes%2C%20that's%20likely%20needed.%20it's%20not%20like%20the%20old%20days%20when%20we%20could%20just%20add%20a%20web%20part%20and%20add%20our%20CSS%20and%20be%20done.%20Check%20out%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftahoeninjas.blog%2F2018%2F10%2F29%2Fupdate-inject-custom-css-on-sharepoint-modern-pages-using-spfx-application-extensions%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Ftahoeninjas.blog%2F2018%2F10%2F29%2Fupdate-inject-custom-css-on-sharepoint-modern-pages-using-spfx-application-extensions%2F%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-721867%22%20slang%3D%22en-US%22%3ERe%3A%20External%20User%20Security%3A%20How%20to%20stop%20users%20seeing%20other%20external%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-721867%22%20slang%3D%22en-US%22%3Eanother%20option%20-%20I've%20noticed%20that%20when%20I%20create%20a%20new%20TEAM%2C%20the%20SharePoint%20site%20that%20supports%20it%20doesn't%20have%20the%20share%20button%20on%20the%20home%20page.%20you%20could%20maybe%20try%20recreating%20as%20a%20TEAM%20and%20then%20inviting%20them%20to%20the%20SharePoint%20library%20that%20lives%20behind%20it.%20Could%20be%20faster%20than%20a%20devleoper%20depending%20on%20how%20much%20data%20you'd%20need%20to%20move.%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

Hi Good People,

I am building a Sharepoint 365 site to replicate the structure of our existing Sharepoint Foundation site.

Background

We upload documentation to Sharepoint for our clients to collect.

Each client has their own subsite and they use this to upload documentation for us to process and download information provided from us.  It is a daily occurrence.

There is also a top level site 'ClientHub' where clients can download standard form, read notices from us, keep up to date with news.  

Each user has 'read' only access to ClientHub.  They cannot see who else has access to this site.

 

Simple structure below:

 

Client Hub - read only to all users (Clients can access standard docs and notices)

- ClientA - ClientA users can upload and download into their own private subsite

- ClientB - ClientB users can upload and download into their own private subsite

- ClientC - ClientC users can upload and download into their own private subsite

 

Problem

I want to replicate this secure setup and at the moment I can only do this if my users only have access to their own sub-site.  If I add users as 'read' only to the main ClientHub site each user can view all users and bulk email to all users by using the 'share' option.

 

We obviously do not want our users to know the email addresses of other clients and/or email everyone in the whole directory!

 

However, we do want all users to have access to standard documents and news announcements as this is essential to our business.

 

I have tried adding users to their own private groups and adding the group to ClientHub with Read only access, but the directory still lists all individual users for all to see.

 

Can anyone recommend a workaround?  Surely, other businesses do not want users seeing everyone else who has access to a site?

 

I am not a developer - just a lowly administrator trying to setup up Sharepoint 365 to do exactly what Sharepoint Foundation was capable of.  Much appreciated to any advice you can give.

 

Regards

8 Replies
Highlighted

Hi @Spidermonkey168  - is there a business case for your customers to share from your site? if they just need to download, maybe try turning off the ability for non-owners to share items they don't own. This is in the admin center.

Highlighted

@Kelly E  Hi, thank you for your reply.

 

External users are not permitted to share.  Only Admin users within a security group at AD have permission to share.  

 

I have attached a screenshot of the current settings.

 

The problem I have is if users are added to the top site so they can rightly access standard documentation, policies etc they can view all users of that site by clicking on the 'Share' icon at the top of the screen.   An option is to email 'everyone'!!  

 

How can I provide access to standard documents for all clients without them seeing who else has access?

 

 

Highlighted

@Spidermonkey168 - oh ok, I don't see that option on any of my sites. I know it's not ideal, but could you use CSS to hide the share button?

Highlighted

I haven't tried it for this scenario, but you could look into using the Restricted Read, View-only, or a custom permission level instead of the default Read permission level that is assigned to the Visitors group.

 

Permission levels: https://docs.microsoft.com/en-us/sharepoint/understanding-permission-levels

 

You might take a look into the "Browse User Information" permission setting.

Highlighted

Hi @Kevin McKeown 

 

Thank you for this, and like you I thought this would sort out my problem. But the permission level allocated to the users already has this option removed.  Still they can view all users of the root directory despite whether in their own group or not.

 

Any further options gratefully received :)

Highlighted

HI@Kelly E ,

 

This certainly is an idea.  Do I need a developer to modify in CSS?  I would need just the root site changed to remove the share button.

Highlighted

@Spidermonkey168 - yes, that's likely needed. it's not like the old days when we could just add a web part and add our CSS and be done. Check out https://tahoeninjas.blog/2018/10/29/update-inject-custom-css-on-sharepoint-modern-pages-using-spfx-a...

Highlighted
another option - I've noticed that when I create a new TEAM, the SharePoint site that supports it doesn't have the share button on the home page. you could maybe try recreating as a TEAM and then inviting them to the SharePoint library that lives behind it. Could be faster than a devleoper depending on how much data you'd need to move.