By default, SharePoint grants everyone expect external users to all your SharePoint sites across your org.
There are exceptions to this – if a private channel is created in Teams, all users won’t have access to this SharePoint site.
Permissions and Copilot
If you want to prevent users from accessing information from certain SharePoint sites, you may want to find out which of your sites currently have the “Everyone Except External Users” permission set.
You could use the GUI within the SharePoint admin center to check each site individually, but that may take a considerable amount of time if you have a large number of SharePoint sites.
Instead, you can use PowerShell to produce a report in CSV format of every site that has the “Everyone Except External Users” permission set, so you can then decide if you want to remove it or not.
The Code
First, ensure you’ve installed the SharePoint Online PowerShell module, and you’ve logged in via a global administrator.
First, you’re going to need to add your user account as a site admin to each site you want to check.
You can do this in PowerShell to add your user account to all SharePoint sites at the same time. Update user@teamsdemoau.com with your user account to add it as a site administrator.
$sites = Get-SPOSite -Limit All
foreach ($site in $sites)
{
set-spouser -Site $site.url -IsSiteCollectionAdmin $true -LoginName user@teamsdemoau.com
}
Next, we need to locate the user object GUID of the “Everyone Except External Users” user. The GUID of this user is a little different, but easy to find.
First, Locate a SharePoint Site that definitely has the “Everyone Except External Users” user assigned to it as a Site Member. You can use the SharePoint Administrator portal to locate this:
The site i’m going to use is called Remote Living
In PowerShell, run the following (be sure to update the URL with the site you’re using):
$site = Get-SPOSite -Identity https://m365x53191864.sharepoint.com/sites/remoteliving
Get-SPOSiteGroup -Site $site
PowerShell will return a bunch of details, including a GUID similar to the user I’ve highlighted in yellow below:
Make a note of this GUID, we’re going to need it in the next step.
Performing The Search
Once you have located your unique “Everyone Except External Users” user object GUID, you can then use it to run the following code to generate a CSV file that contains a list of all SharePoint sites that currently have the “Everyone Except External Users” permission set
Update the FlaggedUser variable with your own user object GUID
Update SPURLBase with your own SharePoint URL
The CSV file named SPSites.CSV will be stored on your machine in c:\temp
# Get all SPO sites
$sites = Get-SPOSite -Limit All
$count = $sites.Count
$FlaggedUser = "spo-grid-all-users/b6d57dc2-3a13-4763-b860-f9e98a50a937"
$SPURLBase = "https://m365x53191864.sharepoint.com/sites/"
$i = 0
# Ensure the output file is cleared before appending to it
if (Test-Path "c:\temp\SPSites.csv") {
Remove-Item "c:\temp\SPSites.csv"
}
foreach ($site in $sites) {
# Display progress
$progressParams = @{
Activity = "Processing SharePoint sites"
Status = "Checking site $($i + 1) of $count"
PercentComplete = ($i / $count) * 100
}
Write-Progress @progressParams
# Search for the flagged user within the site groups
$SPSiteSearch = Get-SPOSiteGroup -Site $site.Url | Where-Object { $_.Users -contains $FlaggedUser } | Select-Object Title
# Filter the name by removing 'Members' and spaces
$FilteredName = $SPSiteSearch.Title -replace "Members", ""
$FilteredName = $FilteredName -replace "\s", ""
# Construct the full SharePoint URL
$FullSPURL = $SPURL, $FilteredName -join ''
# Check if the constructed URL matches any site and export to CSV
try {
Get-SPOSite -Limit All | Where-Object { $_.Url -contains $FullSPURL } | Select-Object Url | Export-Csv -Path c:\temp\SPSites.csv -Append -NoTypeInformation
} catch {
Write-Error "Error exporting to CSV for site: $FullSPURL"
}
$i++
}
# Close the progress bar once done
Write-Progress @progressParams -Completed
The Results
Once the script has finished, check your c:\temp folder for the SPSites.CSV file:
Removing the Everyone Except External Users Permission
Now that you know which sites have the “Everyone Except External Users” permission, you can either manually remove the permission from the SharePoint Admin Center for each site, or use PowerShell to remove it:
Again, be sure to replace the spo-grid-all-users GUID with your own from above, and update the site name with the site you want to remove it from.
$remove = ("c:0-.f|rolemanager|spo-grid-all-users/b6d57dc2-3a13-4763-b860-f9e98a50a937")
Remove-SPOUser -Site https://m365x53191864.sharepoint.com/sites/ceoconnection -LoginName $remove -verbose
And that’s it! Once the Everyone permission is removed, users who are not part of the site team won’t have access to the site, meaning Copilot won’t utilise data there for that user.