New ways to govern access of external users are coming to Office 365

Summary

On March 23, 2018, Microsoft is updating the behavior and governance of access by external users in Office 365.

After this date, an external user will see only the content that’s shared with that user or with groups to which the user belongs. External users will no longer see content that’s shared with Everyone, All Authenticated Users, or All Forms Users. By default, content that’s granted permissions to these groups will be visible only to your organization's users.

The administrator can change the default behavior to enable external users to see content that's shared with Everyone, All Authenticated Users, or All Forms Users.

After March 23, 2018, external users will no longer be granted the Everyone, All Authenticated Users, or All Forms Users claims by default. Therefore, external users will be granted access only to content shared with the groups to which the external user belongs and content shared directly with the external user. They will not have access to content shared with these three special groups.

More Information

In on-premises Active Directory domains, the Everyone special group represents all identities in the Active Directory domain, including the domain's guest account, which is disabled by default. By default, the Everyone group effectively includes all user accounts that are added to the domain by delegated administrators.

Before the upcoming change in functionality, Office 365 shared the behavior of on-premises Active Directory domains: every user in a tenant's Azure Active Directory (Azure AD), including external users, was effectively considered "Everyone" by adding a claim representing "Everyone" to the user's security context. The Everyone claim enables a user to access any content shared with the Everyone group.

Similarly, the All Authenticated Users and All Forms Users claims were added automatically to each user’s security context, including external users who have accounts in the tenant's Azure AD. These claims enable users to access any content shared with the All Authenticated Users or All Forms Users groups.

Office 365 is built to enable users to share and collaborate seamlessly with users inside and outside their organizations. When a user in your organization adds an external user to an Office 365 group or shares content with an external user and requires authentication ("sign-in") for access, an account is automatically created in Azure AD to represent the external guest user. There is no need for a delegated administrator to create the account for the external user.

Solution 

A new option lets you govern the access that is granted to external users.

If your organization wants external users to access content shared with Everyone, you may configure your tenant to grant the Everyone claim to external users.

To configure your tenant to grant the Everyone claim to external users, use the following Windows PowerShell cmdlet:

Set-SPOTenant -ShowEveryoneClaim $true

After you run the cmdlet, external users will be granted the Everyone claim and will have access to content shared with the Everyone group.

If your organization wants users to have access to content shared with All Authenticated Users or All Forms Users, you may configure your tenant to grant these two claims to external users.

To configure your tenant to grant the All Authenticated Users and All Forms Users claims to external users, use the following Windows PowerShell cmdlet:

Set-SPOTenant -ShowAllUsersClaim $true

After you run the cmdlet, external users will be granted the All Authenticated Users and All Forms Users claims and will have access to content shared with these two groups.
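Before enabling either setting, it helps to see the tenant's current values and which guest accounts would receive the claims. The following audit script is an added example, not part of the original article; it assumes the SharePoint Online Management Shell module is installed, and the admin URL below is a placeholder for your own tenant.

```powershell
# Added audit example (not from the original article). Assumes the SharePoint
# Online Management Shell module is installed; $AdminUrl is a placeholder.
param(
    [string]$AdminUrl = "https://contoso-admin.sharepoint.com",  # placeholder
    [switch]$Remediate   # when set, restore the post-March-23-2018 defaults
)

Connect-SPOService -Url $AdminUrl

# Read the two tenant properties that control whether external users
# receive the Everyone / All Authenticated Users / All Forms Users claims.
$tenant = Get-SPOTenant
$settings = [ordered]@{
    ShowEveryoneClaim = $tenant.ShowEveryoneClaim
    ShowAllUsersClaim = $tenant.ShowAllUsersClaim
}

foreach ($name in $settings.Keys) {
    $state = if ($settings[$name]) {
        "ENABLED (external users receive this claim)"
    } else {
        "disabled (default after 2018-03-23)"
    }
    Write-Output ("{0,-20} : {1}" -f $name, $state)
}

# If either claim is granted to external users, list the guest accounts
# that would gain access, so the setting can be reviewed against real usage.
if ($settings.ShowEveryoneClaim -or $settings.ShowAllUsersClaim) {
    Write-Output "`nExternal users who would receive the enabled claim(s):"
    Get-SPOExternalUser -PageSize 50 -Position 0 |
        Select-Object DisplayName, Email |
        Format-Table -AutoSize
}

# Optional remediation: return both settings to the secure default.
if ($Remediate) {
    Set-SPOTenant -ShowEveryoneClaim $false -ShowAllUsersClaim $false
    Write-Output "Defaults restored: external users no longer receive the special-group claims."
}
```

Run it without `-Remediate` first to review the report; only the remediation branch changes tenant settings.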

Use Azure AD groups and dynamic membership instead of default claims

Although we continue to support sharing with the Everyone, Everyone Except External Users, All Authenticated Users, and All Forms Users groups, we encourage customers to implement role-based access management by using customer-defined groups in Azure AD, including Office 365 groups. Office 365 groups define the membership and access to content across Office 365 services and experiences. Many Office 365 services already support Azure AD dynamic groups, whose membership is defined by a set of rules based on Azure AD properties and business logic. Dynamic groups are the best way to make sure that the correct users have access to the correct content. They let you define a group one time, based on rules, so that you do not have to add or remove members as your organization changes.

For more information, please refer to the following articles. 

 
