New ways to govern access of external users - how does it work?

%3CLINGO-SUB%20id%3D%22lingo-sub-169898%22%20slang%3D%22en-US%22%3ENew%20ways%20to%20govern%20access%20of%20external%20users%20-%20how%20does%20it%20work%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-169898%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20is%20in%20relation%20to%20%3CSPAN%3EMC129777.%3C%2FSPAN%3E%26nbsp%3BSorry%20for%20the%20long%20post%2C%20I%20can%20get%20a%20little%20long-winded%20sometimes%20%3A(%3C%2Fimg%3E%20From%20the%20documentation%20provided%2C%20%3CSPAN%3EI'm%20confused%20as%20to%20what%20exactly%20this%20%22new%20way%20to%20govern%20access%22%20is%20doing%2C%20so%20if%20anyone%20has%20a%20technical%20handle%20on%20it%20I'd%20love%20to%20hear%20it!%3C%2FSPAN%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESome%20reasons%20for%20my%20confusion%20-%20the%20documentation%20states%3A%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22ng-scope%20x-hidden-focus%22%3E%3CEM%3EAfter%20March%2023%2C%202018%2C%20external%20users%20will%20no%20longer%20be%20granted%20the%26nbsp%3B%3CSTRONG%3EEveryone%3C%2FSTRONG%3E%2C%26nbsp%3B%3CSTRONG%3EAll%20Authenticated%20Users%3C%2FSTRONG%3E%26nbsp%3Bor%26nbsp%3B%3CSTRONG%3EAll%20Forms%20Users%26nbsp%3B%3C%2FSTRONG%3Eclaims%20by%20default.%20Therefore%2C%20external%20users%20will%20be%20granted%20access%20only%20to%20content%20shared%20with%20the%20group%20to%20which%20the%20external%20user%20belongs%2C%20and%20content%20shared%20directly%20with%20the%20external%20user.%20They%20will%20not%20have%20access%20to%20content%20shared%20with%20these%20three%20special%20groups.%3C%2FEM%3E%3C%2FP%3E%0A%3CH3%20class%3D%22ng-scope%20x-hidden-focus%22%20id%3D%22toc-hId-1425255714%22%20id%3D%22toc-hId-1596048377%22%3E%3CEM%3ENew%20choice%20to%20govern%20the%20access%20given%20to%20external%20users%3C%2FEM%3E%3C%2FH3%3E%0A%3CP%20class%3D%22ng-scope%22%3E%3CEM%3EIf%20your%20organization%20wants%20external%20users%20to%20access%20content%20shared%20with%26nbsp%3B%3CSTRONG%3EEveryone%3C%2FSTRONG%3E%2C%20you%20may%20configure%20your%20tenant%20to%20grant%20the%20Everyone%20claim%20to%20external%20users.%3C%2FEM%3E%3C%2FP%3E%0A%3CP%20class%3D%22ng-scope%22%3E%3CEM%3ETo%20configure%20your%20tenant%20to%20grant%20the%26nbsp%3B%3CSTRONG%3EEveryone%3C%2FSTRONG%3E%26nbsp%3Bclaim%20to%20external%20users%2C%20use%20the%20following%20Windows%20PowerShell%20cmdlet%3A%3C%2FEM%3E%3C%2FP%3E%0A%3CPRE%20class%3D%22ng-scope%22%3E%3CEM%3ESet-SPOTenant%20-ShowEveryoneClaim%20%24true%3C%2FEM%3E%3C%2FPRE%3E%0A%3CP%20class%3D%22ng-scope%22%3E%3CEM%3EAfter%20you%20run%20the%20cmdlet%2C%20external%20users%20will%20be%20granted%20the%20Everyone%20claim%20and%20will%20have%20access%20to%20content%20shared%20with%20the%20Everyone%20group.%3C%2FEM%3E%3C%2FP%3E%0A%3CP%20class%3D%22ng-scope%22%3E%3CEM%3EIf%20your%20organization%20wants%20users%20to%20have%20access%20to%20content%20shared%20with%26nbsp%3B%3CSTRONG%3EAll%20Authenticated%20Users%3C%2FSTRONG%3E%26nbsp%3Bor%26nbsp%3B%3CSTRONG%3EAll%20%3C%2FSTRONG%3E%3CSTRONG%3EForms%20Users%3C%2FSTRONG%3E%2C%20you%20may%20configure%20your%20tenant%20to%20grant%20these%20two%20claims%20to%20external%20users.%3C%2FEM%3E%3C%2FP%3E%0A%3CP%20class%3D%22ng-scope%22%3E%3CEM%3ETo%20configure%20your%20tenant%20to%20grant%20the%26nbsp%3B%3CSTRONG%3EAll%20Authenticated%20Users%3C%2FSTRONG%3E%26nbsp%3Band%26nbsp%3B%3CSTRONG%3EAll%20Forms%20Users%3C%2FSTRONG%3E%26nbsp%3Bclaims%20to%20external%20users%2C%20use%20the%20following%20Windows%20PowerShell%20cmdlet%3A%3C%2FEM%3E%3C%2FP%3E%0A%3CPRE%20class%3D%22ng-scope%22%3E%3CEM%3ESet-SPOTenant%20-ShowAllUsersClaim%20%24true%3C%2FEM%3E%3C%2FPRE%3E%0A%3CP%20class%3D%22ng-scope%20x-hidden-focus%22%3E%3CEM%3EAfter%20you%20run%20the%20cmdlet%2C%20external%20users%20will%20be%20granted%20the%20All%20Authenticated%20Users%20and%20All%20Forms%20Users%20claims%20and%20will%20have%20access%20to%20content%20shared%20with%20these%20two%20groups.%3C%2FEM%3E%3C%2FP%3E%0A%3CP%20class%3D%22ng-scope%20x-hidden-focus%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22ng-scope%20x-hidden-focus%22%3EWhen%20looking%20at%20the%20support%20documentation%20for%20the%20PowerShell%20cmdlet%20-ShowAllUsersClaim%20it%20says%20the%20cmdlet%3A%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22ng-scope%20x-hidden-focus%22%3E%3CEM%3EEnables%20the%20administrator%20to%20hide%20the%20All%20Users%20claim%20groups%20in%20People%20Picker.%3C%2FEM%3E%3C%2FP%3E%0A%3CP%20class%3D%22ng-scope%20x-hidden-focus%22%3E%3CEM%3E%26nbsp%3B%3C%2FEM%3E%3C%2FP%3E%0A%3CP%20class%3D%22ng-scope%20x-hidden-focus%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22ng-scope%20x-hidden-focus%22%3EPart%20of%20my%20confusion%20is%20it%20seems%20this%20PowerShell%20cmdlet%20only%20hides%2Fshows%20the%20Everyone%20or%20All%20Users%20security%20claim%20as%20an%20available%20option%20when%20sharing%20resources.%20The%20way%20the%20documentation%20for%20this%20change%20is%20worded%2C%20it%20sounds%20like%20existing%20external%20users%20who%20were%20accessing%20a%20resource%20using%20the%20%22everyone%22%20claim%20as%20opposed%20to%20being%20directly%20shared%20to%20the%20item%20will%20no%20longer%20be%20able%20to%20access%20that%20resource%20(for%20example%2C%20a%20team%20site%20landing%20page).%20It%20doesn't%20seem%20like%20showing%20or%20hiding%20the%20Everyone%20security%20claim%20as%20a%20sharing%20option%20should%20make%20any%20difference%20to%20this.%20Is%20it%20changing%20what%20this%20PowerShell%20cmdlet%20does%3F%20And%20if%20so%2C%20does%20this%20change%20the%20value%20from%26nbsp%3B%3CEM%3Etrue%3C%2FEM%3Eto%26nbsp%3B%3CEM%3Efalse%3C%2FEM%3Ein%20tenants%20where%20it%20is%20set%20to%26nbsp%3B%3CEM%3Etrue%3C%2FEM%3E%2C%20requiring%20us%20to%20go%20back%20and%20set%20it%20to%26nbsp%3B%3CEM%3Etrue%26nbsp%3B%3C%2FEM%3Eafter%20March%2023rd%3F%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22ng-scope%20x-hidden-focus%22%3EAnother%20part%20of%20my%20confusion%20comes%20from%20me%20quickly%20reading%20the%20message%20when%20it%20first%20came%20out%20and%20believing%20the%20change%20had%20to%20do%20with%20the%20new%20changes%20to%20guest%2Fexternal%20user%20sharing.%20It%20makes%20sense%20that%20external%20users%20who%20are%20not%20being%20added%20as%20a%20guest%20user%20to%20our%20tenant%20and%20using%20the%20new%20%22verification%20code%22%20authentication%20would%20see%20not%20items%20shared%20with%20%22everyone%22.%20But%20after%20a%20closer%20reading%20of%20this%20message%20and%20the%20documentation%2C%20it%20is%20clear%20this%20is%20not%20what%20is%20meant.%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22ng-scope%20x-hidden-focus%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22ng-scope%20x-hidden-focus%22%3EIf%20I%20can%20get%20any%20clarification%20on%20what%20is%20actually%20going%20on%20behind%20the%20scenes%2C%20that%20would%20help!%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22ng-scope%20x-hidden-focus%22%3E-%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-169898%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAdmin%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESharePoint%20Online%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-170085%22%20slang%3D%22en-US%22%3ERe%3A%20New%20ways%20to%20govern%20access%20of%20external%20users%20-%20how%20does%20it%20work%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-170085%22%20slang%3D%22en-US%22%3E%3CP%3EHave%20a%20look%20at%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FOffice-365%2FEveryone-external-Share-permission-in-SharePoint-Online-per-note%2Fm-p%2F165305%22%20target%3D%22_blank%22%3Ehttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FOffice-365%2FEveryone-external-Share-permission-in-SharePoint-Online-per-note%2Fm-p%2F165305%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F181%22%20target%3D%22_blank%22%3E%40Stephen%20Rice%3C%2FA%3E%2C%20can%20you%20please%20shed%20some%20light%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-169967%22%20slang%3D%22en-US%22%3ERe%3A%20New%20ways%20to%20govern%20access%20of%20external%20users%20-%20how%20does%20it%20work%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-169967%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20Salvatore%2C%20I%20did%20see%20that%20other%20conversation%20on%20this%20but%20it%20doesn't%20quite%20clear%20it%20up%20for%20me.%26nbsp%3BMaybe%20a%20better%20question%20(and%20much%20more%20direct%2Fshorter%20question)%20would%20be%2C%20does%20this%20change%20what%26nbsp%3Bthe%20-ShowAllUsersClaim%20and%20-ShowEveryoneClaim%20cmdlets%20do%20and%20change%20their%20defaults%20from%20%24true%20to%20%24false%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-169954%22%20slang%3D%22en-US%22%3ERe%3A%20New%20ways%20to%20govern%20access%20of%20external%20users%20-%20how%20does%20it%20work%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-169954%22%20slang%3D%22en-US%22%3E%3CP%3EVery%20shortly%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EExternal%20users%20will%20not%20be%20any%20more%20members%20of%20the%20Everyone%20(etc.)%20group(s).%3C%2FLI%3E%0A%3CLI%3EThe%20Everyone%20(etc.)%20group(s)%20will%20continue%20to%20be%20visible%20and%20will%20contain%20all%20and%20only%20internal%20users.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3ESee%20also%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FOffice-365%2FWill-anonymous-external-sharing-be-disabled-New-ways-to-govern%2Fm-p%2F164890%23M11087%22%20target%3D%22_blank%22%3Ehttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FOffice-365%2FWill-anonymous-external-sharing-be-disabled-New-ways-to-govern%2Fm-p%2F164890%23M11087%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHope%20it%20helps...%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
New Contributor

This is in relation to MC129777. Sorry for the long post, I can get a little long-winded sometimes :( From the documentation provided, I'm confused as to what exactly this "new way to govern access" is doing, so if anyone has a technical handle on it I'd love to hear it! 

Some reasons for my confusion - the documentation states: 

After March 23, 2018, external users will no longer be granted the EveryoneAll Authenticated Users or All Forms Users claims by default. Therefore, external users will be granted access only to content shared with the group to which the external user belongs, and content shared directly with the external user. They will not have access to content shared with these three special groups.

New choice to govern the access given to external users

If your organization wants external users to access content shared with Everyone, you may configure your tenant to grant the Everyone claim to external users.

To configure your tenant to grant the Everyone claim to external users, use the following Windows PowerShell cmdlet:

Set-SPOTenant -ShowEveryoneClaim $true

After you run the cmdlet, external users will be granted the Everyone claim and will have access to content shared with the Everyone group.

If your organization wants users to have access to content shared with All Authenticated Users or All Forms Users, you may configure your tenant to grant these two claims to external users.

To configure your tenant to grant the All Authenticated Users and All Forms Users claims to external users, use the following Windows PowerShell cmdlet:

Set-SPOTenant -ShowAllUsersClaim $true

After you run the cmdlet, external users will be granted the All Authenticated Users and All Forms Users claims and will have access to content shared with these two groups.

 

When looking at the support documentation for the PowerShell cmdlet -ShowAllUsersClaim it says the cmdlet: 

Enables the administrator to hide the All Users claim groups in People Picker.

 

 

Part of my confusion is it seems this PowerShell cmdlet only hides/shows the Everyone or All Users security claim as an available option when sharing resources. The way the documentation for this change is worded, it sounds like existing external users who were accessing a resource using the "everyone" claim as opposed to being directly shared to the item will no longer be able to access that resource (for example, a team site landing page). It doesn't seem like showing or hiding the Everyone security claim as a sharing option should make any difference to this. Is it changing what this PowerShell cmdlet does? And if so, does this change the value from true to false in tenants where it is set to true, requiring us to go back and set it to true after March 23rd? 

Another part of my confusion comes from me quickly reading the message when it first came out and believing the change had to do with the new changes to guest/external user sharing. It makes sense that external users who are not being added as a guest user to our tenant and using the new "verification code" authentication would see not items shared with "everyone". But after a closer reading of this message and the documentation, it is clear this is not what is meant. 

 

If I can get any clarification on what is actually going on behind the scenes, that would help! 

-

3 Replies

Very shortly:

  • External users will not be any more members of the Everyone (etc.) group(s).
  • The Everyone (etc.) group(s) will continue to be visible and will contain all and only internal users.

See also https://techcommunity.microsoft.com/t5/Office-365/Will-anonymous-external-sharing-be-disabled-New-wa...

 

Hope it helps...

 

Thanks Salvatore, I did see that other conversation on this but it doesn't quite clear it up for me. Maybe a better question (and much more direct/shorter question) would be, does this change what the -ShowAllUsersClaim and -ShowEveryoneClaim cmdlets do and change their defaults from $true to $false?