Visitors gaining access even though they aren't approved?

Copper Contributor

We have found an issue where users in our environment have access to our Team Sharepoint site even though we have not specifically granted access to them. 


We have been asking other users that we know that are part of the same environment, but have never been granted access to our team or site to see if they can indeed access our site, and some have access, some do not.  We have noticed, regardless if they can access our site or not, that when using the Check Permissions feature in Site Permissions all of them state they have access through the Visitors group, even though they are not listed within visitors group.


We have cross-referenced all settings with other sites we have that DO require you to request access, everything appears to be configured correctly. This is very strange and we can not find what may be causing it. Hoping someone here has experienced this same thing and can point us in the right direction.


EDIT: We found the group for "Everyone except outside users" in our Visitors group. We are unsure how it was added, we suspect higher level admins were messing around and may have accidentally blanket added it without us knowing.

3 Replies

@ww-mn It's alarming that unauthorized users can access your SharePoint team site without explicit approval, potentially jeopardizing security. The anomaly of users appearing in the Visitors group without being listed is concerning.


Start by reviewing Site Permissions, ensuring only authorized users are in the Visitors group and checking for unusual permissions. Examine Permission inheritance to see if it unintentionally grants access to the Visitors group. Analyze user accounts for unusual access tokens or shared credentials granting unauthorized access.


Conduct a security scan of the SharePoint environment, looking for vulnerabilities. Check access request history for any recent unauthorized grants. Implement user activity monitoring to identify suspicious access attempts. Configure stricter access controls, requiring explicit access requests even for visitors.


Educate users on proper access practices and the importance of reporting unauthorized access. Use SharePoint tools like Access Audit to monitor and investigate user behavior.


If challenges persist, consult SharePoint security experts or Microsoft support for in-depth analysis and guidance. By taking these steps, you can effectively address unauthorized access and enhance the security of your SharePoint team site.

After a few scrubs of the visitors group we found "Everyone except external users" listed. We missed it the first couple checks through the list so we were quite confused as to what was happening.

We aren't sure how it ended up in there because none of us in our departments managers added it. Our org requires our top level content and knowledge managers to be part of our owners groups even if they aren't part of our department, so our only guess is they were messing around with something and added it without us knowing, possibly without them even realizing it. Regardless, we found it, removed it, and all is well again.

@ww-mn It's good you were eventually able to identify the root cause of the unauthorized access to your SharePoint site - the "Everyone except external users" group being erroneously added to the Visitors group. Even if done accidentally by a top-level content manager, it likely happened through tinkering with permissions without understanding the broader implications.


While you've addressed the immediate issue by removing that group from Visitors, a few additional steps could help prevent such accidents in the future.


Lock down permission settings so only Site Owners can modify access groups. This prevents unintended changes. Implement an approval workflow for permission changes so multiple owners validate additions. Extra guardrails. Expand on the audit capabilities to track permission and access changes by user. Improves accountability.


Better educate content managers on your access approval processes and how groups relate to inheritance. Reduces guesswork. It's an understandable oversight given the complexity of SharePoint permissions.


But doubling down on change controls, auditing, and security training makes unwanted modifications less likely moving forward. Keep making incremental improvements to tighten up administration and prevent confusion over who should have access.