Pnp provisoning issue with permissions for Everyone except external users

Copper Contributor

Basically, I've setup a Pnp powershell script that is triggered by a site design (site design/script -> flow -> azure queue -> azure function ...) to provision a newly created public Team site in my organization.

 

This Pnp script adjust, among others, the permission settings for "Everyone except external user" from the standard one (being in the Members group with edit permission) to the Visitor group with read permission.

 

Here is the part of the provisioning script that set the permission :

Add-PnPUserToGroup -LoginName $everyone_except_external_user_login -Identity 4
Remove-PnPUserFromGroup -LoginName $everyone_except_external_user_login -Identity 5

 

While the permission is effectively applied and visible in the newly provisioned site, it is somehow reset after a few minutes to the original setting.

 

What am I missing here ? Any hints ?

 

 

 

5 Replies

@Auren10 , I have the exact same issue without using PnP (Just using the UI). After setting permissions for EEEU from edit to read, it will change back to edit after a while.

 

I've check the audit log and sometimes the change is done by the Microsoft\ServiceAccount or the site owner (knowing the site owner did not change the permission on the site).

 

This does not occurs in team site not connected to O365 group. I'm sure there is a job issue related to Azure O365 groups doing some changes in SharePoint. I'm struggling with Microsoft to find what is the issue... For now looks to be tenants related (because Microsoft say they can't replicate the issue) but I have customers in Canada and US where the issue occurs... I look forward to see if you will get more details on this.

@Auren10 this is what I've been told by the escalation team regarding permissions reverting back from read to edit for "Everyone Except External Users" on public group site (which does not makes any sense to me):

 

Hello Martin,

I just had a discussion with Escalation Team and got to know that this is a known behavior globally. This has been confirmed that this is how a Public Group Site collection should work. In order to get this resolved we can follow either of the following step.

 

  1. Remove the Members Group from Public Group Site collection

OR

  1. Rename the Members Group and then change the permission.

OR

  1. If we explicitly wants all users not to have EDIT permission then we can create new SPO Site Collection and make required changes.

Your patience is highly appreciated

@Martin Coupalthanks for the reply !

 

I finally get to a similar solution but on a private team site:

  1. Create a new group with the desired permissions (Read" permission in my case)
  2. Add "Everyone Except External Users" on this group

For info:

Adding "Everyone Except External Users" in the "Visitors" group on a private site has a similar behavior as on public site. After some time "Everyone Except External Users" is removed from the "Visitors" group ...

@Martin Coupal   thanks for the reply !

 

I finally get to a similar solution but on a private team site:

  1. Create a new group with the desired permissions (Read" permission in my case)
  2. Add "Everyone Except External Users" on this group

For info:

Adding "Everyone Except External Users" in the "Visitors" group on a private site has a similar behavior as on public site. After some time "Everyone Except External Users" is removed from the "Visitors" group ...

@Auren10 , For private group site, this is a "By Design" behavior. Personnaly I think this is causing confusion as site owner are allowed to add EEEU and set the permission but a background process "play" with permission. IMO, this is not good.

https://support.microsoft.com/en-us/help/4492201/everyone-except-external-users-group-is-removed

 

But for public group site I never saw this was a "By design" behavior (And It would not make sense if it was). I'm still in discussion with Microsoft on this. I'm waiting for an answer. Apparently it's not happening on all tenants but surely other people are having the issue (on my side I have the problems with my customers tenants in Canada and my tenant in the US).