By default, SharePoint grants everyone except external users access to all your SharePoint sites across your org.
There are exceptions to this – if a private channel is created in Teams, all users won’t have access to this SharePoint site.
Permissions and Copilot
If you want to prevent users from accessing information from certain SharePoint sites, you may want to find out which of your sites currently have the “Everyone Except External Users” permission set.
You could use the GUI within the SharePoint admin center to check each site individually, but that may take a considerable amount of time if you have a large number of SharePoint sites.
Instead, you can use PowerShell to produce a report in CSV format of every site that has the “Everyone Except External Users” permission set, so you can then decide if you want to remove it or not.
The Code
First, ensure you’ve installed the SharePoint Online PowerShell module and that you’ve logged in as a global administrator.
Next, you’re going to need to add your user account as a site admin to each site you want to check.
You can do this in PowerShell to add your user account to all SharePoint sites at the same time. Update user@teamsdemoau.com with your user account to add it as a site administrator.
$sites = Get-SPOSite -Limit All
foreach ($site in $sites)
{
    Set-SPOUser -Site $site.Url -IsSiteCollectionAdmin $true -LoginName user@teamsdemoau.com
}
Next, we need to locate the user object GUID of the “Everyone Except External Users” user. The GUID of this user is a little different, but easy to find.
First, locate a SharePoint site that definitely has the “Everyone Except External Users” user assigned to it as a Site Member. You can use the SharePoint Administrator portal to locate this:
The site I’m going to use is called Remote Living.
In PowerShell, run the following (be sure to update the URL with the site you’re using):
$site = Get-SPOSite -Identity https://m365x53191864.sharepoint.com/sites/remoteliving
Get-SPOSiteGroup -Site $site
PowerShell will return a bunch of details, including a GUID similar to the user I’ve highlighted in yellow below:
Make a note of this GUID; we’re going to need it in the next step.
Performing The Search
Once you have located your unique “Everyone Except External Users” user object GUID, you can use it to run the following code, which generates a CSV file listing all SharePoint sites that currently have the “Everyone Except External Users” permission set.
Update the FlaggedUser variable with your own user object GUID
Update SPURLBase with your own SharePoint URL
The CSV file named SPSites.CSV will be stored on your machine in c:\temp
# Get all SPO sites
$sites = Get-SPOSite -Limit All
$count = $sites.Count
$FlaggedUser = "spo-grid-all-users/b6d57dc2-3a13-4763-b860-f9e98a50a937"
$SPURLBase = "https://m365x53191864.sharepoint.com/sites/"
$i = 0
# Ensure the output file is cleared before appending to it
if (Test-Path "c:\temp\SPSites.csv") {
    Remove-Item "c:\temp\SPSites.csv"
}
foreach ($site in $sites) {
    # Display progress
    $progressParams = @{
        Activity = "Processing SharePoint sites"
        Status = "Checking site $($i + 1) of $count"
        PercentComplete = ($i / $count) * 100
    }
    Write-Progress @progressParams
    # Search for the flagged user within the site groups
    $SPSiteSearch = Get-SPOSiteGroup -Site $site.Url | Where-Object { $_.Users -contains $FlaggedUser } | Select-Object Title
    # Filter the name by removing 'Members' and spaces
    $FilteredName = $SPSiteSearch.Title -replace "Members", ""
    $FilteredName = $FilteredName -replace "\s", ""
    # Construct the full SharePoint URL from the base URL defined above
    $FullSPURL = $SPURLBase, $FilteredName -join ''
    # Check if the constructed URL matches any site and export to CSV
    # (reuses $sites instead of querying every site again on each pass)
    try {
        $sites | Where-Object { $_.Url -eq $FullSPURL } | Select-Object Url | Export-Csv -Path c:\temp\SPSites.csv -Append -NoTypeInformation -ErrorAction Stop
    } catch {
        Write-Error "Error exporting to CSV for site: $FullSPURL"
    }
    $i++
}
# Close the progress bar once done
Write-Progress @progressParams -Completed
The Results
Once the script has finished, check your c:\temp folder for the SPSites.CSV file:
Removing the Everyone Except External Users Permission
Now that you know which sites have the “Everyone Except External Users” permission, you can either manually remove the permission from the SharePoint Admin Center for each site, or use PowerShell to remove it:
Again, be sure to replace the spo-grid-all-users GUID with your own from above, and update the site name with the site you want to remove it from.
$remove = ("c:0-.f|rolemanager|spo-grid-all-users/b6d57dc2-3a13-4763-b860-f9e98a50a937")
Remove-SPOUser -Site https://m365x53191864.sharepoint.com/sites/ceoconnection -LoginName $remove -verbose
And that’s it! Once the Everyone permission is removed, users who are not part of the site team won’t have access to the site, meaning Copilot won’t utilise data there for that user.
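To apply the single-site removal above to every site listed in SPSites.csv, the following added example (not part of the original post) re-checks each site, supports a dry run, and writes a per-site result log. The names `$DryRun`, `$RevokeAdmin`, `$LogPath` and the log file name are assumptions, the GUID is a placeholder for your own, and `Connect-SPOService` is expected to have been run already.

```powershell
# Added example, not the original author's script.
# Assumes the audit wrote c:\temp\SPSites.csv with a Url column.
$FlaggedUser = "spo-grid-all-users/<your-guid>"    # placeholder: the GUID you noted earlier
$Claim       = "c:0-.f|rolemanager|$FlaggedUser"   # login name format used with Remove-SPOUser above
$AdminUpn    = "user@teamsdemoau.com"              # account that was made site admin earlier
$DryRun      = $true                               # review the log first, then set to $false
$RevokeAdmin = $false                              # $true also drops the temporary site admin grant
$LogPath     = "c:\temp\SPSites-Removal.csv"       # assumed log location

# De-duplicate the audit output so each site is processed once
$urls = Import-Csv "c:\temp\SPSites.csv" |
    Select-Object -ExpandProperty Url | Sort-Object -Unique

$log = foreach ($url in $urls) {
    $entry = [pscustomobject]@{ Url = $url; Groups = ''; Result = '' }
    try {
        # Re-check: the site may have changed since the audit ran
        $hits = @(Get-SPOSiteGroup -Site $url -ErrorAction Stop |
            Where-Object { $_.Users -contains $FlaggedUser })
        $entry.Groups = ($hits.Title -join '; ')

        if ($hits.Count -eq 0) {
            $entry.Result = 'Skipped: claim no longer present'
        } elseif ($DryRun) {
            $entry.Result = 'DryRun: would remove'
        } else {
            Remove-SPOUser -Site $url -LoginName $Claim -ErrorAction Stop
            $entry.Result = 'Removed'
        }
        # Optionally undo the site admin grant made for the audit
        if ($RevokeAdmin -and -not $DryRun) {
            Set-SPOUser -Site $url -LoginName $AdminUpn -IsSiteCollectionAdmin $false -ErrorAction Stop | Out-Null
        }
    } catch {
        $entry.Result = "Error: $($_.Exception.Message)"
    }
    $entry
}

# Keep a record of what was changed, then summarise by outcome
$log | Export-Csv -Path $LogPath -NoTypeInformation
$log | Group-Object Result | Select-Object Count, Name
```

`$RevokeAdmin` only covers the sites in the CSV; the earlier loop granted site admin on every site, so the remaining sites need the same `Set-SPOUser ... -IsSiteCollectionAdmin $false` call, skipping any where the account is meant to stay an admin.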
I’m in the “Performing the Search” section and the script is running against 2800+ sites, yet it hasn’t produced any results which surprises me. It will take another 5 hours to finish, but I’m scared it won’t bring back anything. I’m not a scripting guy, but I see that the “$SPURLBase” value is defined, but I can’t see where it is used. Could that be the problem?
Be sure to check that your $SPURLBase is correct. It should be something similar to your companyname.sharepoint.com/sites
Also ensure you’ve used the correct $FlaggedUser