I’m working through a scenario to provide a limited number of external users access into an O365 SharePoint site (2013 version) and seem to have found a security hole I cannot yet figure out. My scenario is as such:
1. I’ve created an “External Users” security group.
2. I’ve populated this group with users who have an @live.com email address for access.
3. I’ve assigned this security group to have contribute rights to a sub-site of the main site collection.
The above scenario all works well, the user can access the site, contribute content, schedule alerts, etc. The problem is this is also giving those users “visitor” access to the parent and sibling sites as well, even though the sub-site has unique permissions. Yet, my Group Permission Settings seem correct – users have contribute rights only to the sub-site.
Browsing through other security options and documentation, I cannot find a way to successfully restrict access to only the sub-site (I tested this with an individual library and it was the same scenario – users could contribute to the library, but they could also still see all the other content across the site collection).
Has anyone had success in segmenting out external access to only a specific area / site of a site collection, without the ability to view any other content?
Here’s my final follow-up based on what else I’ve learned about this scenario:
When an external user gets added to the site, they do indeed get synched within the “All Users (membership)” group.
If this security group is used in a SharePoint group, it will include the external users. THIS IS THE CASE EVEN IF EXTERNAL SHARING IS DISABLED FOR A GIVEN SITE COLLECTION. This is where the logic to me seems illogical – I would think that if I have external sharing disabled, but add the “All Users (membership)” group to a site collection Visitors group, that external users would NOT have access, but based on my testing they do.
What I did:
– I created an “All Users – Staff” security group which will have to be maintained in Exchange to provide our internal staff visitor access at root levels of site collections.
– I’m creating parallel security groups for any sites requiring external access (i.e. Team Site Members External) and applying them to the sites directly.
– I’m ceasing to use the “All Users (membership)” group altogether to help mitigate the risk of unwanted access by external users.
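One way to verify that the cleanup above actually took hold is to audit every site collection for SharePoint groups that still carry the “All Users (membership)” claim or an external account. This is an added example, not the poster’s script; it assumes the PnP.PowerShell module, a SharePoint admin account, `<tenant>` as a placeholder for the tenant name, and that the “All Users (membership)” claim’s login name begins with `c:0-.f|rolemanager|spo-grid-all-users`.

```powershell
# Added example (not the poster's code). Requires the PnP.PowerShell module and
# a SharePoint admin account. <tenant> is a placeholder for your tenant name.
# Walks every site collection and reports SharePoint groups that still contain
# the "All Users (membership)" claim or an external (#ext#) account, which is
# exactly the path that granted external users visitor access in this thread.

Import-Module PnP.PowerShell

$tenant   = "<tenant>"   # placeholder
$adminUrl = "https://$tenant-admin.sharepoint.com"

# Assumption: the "All Users (membership)" claim uses this login-name prefix.
$allUsersClaimPrefix = "c:0-.f|rolemanager|spo-grid-all-users"

Connect-PnPOnline -Url $adminUrl -Interactive
$sites = Get-PnPTenantSite

$findings = foreach ($site in $sites) {
    # Re-connect per site collection; the interactive token is reused.
    Connect-PnPOnline -Url $site.Url -Interactive

    foreach ($group in Get-PnPGroup) {
        foreach ($member in (Get-PnPGroupMember -Group $group)) {
            $isAllUsers = $member.LoginName -like "$allUsersClaimPrefix*"
            $isExternal = $member.LoginName -like "*#ext#*"
            if (-not ($isAllUsers -or $isExternal)) { continue }

            $reason = if ($isAllUsers) { "All Users (membership) claim" } else { "External account" }
            [pscustomobject]@{
                SiteUrl   = $site.Url
                Group     = $group.Title
                Member    = $member.Title
                LoginName = $member.LoginName
                Reason    = $reason
            }
        }
    }
}

# Any row here is a group that still lets external users in at that site.
$findings | Sort-Object SiteUrl, Group | Format-Table -AutoSize
```

Run it once before and once after removing the “All Users (membership)” group from the Visitors groups; the rows flagged with the claim reason should disappear, while rows for intentionally added external members remain.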
I think I figured this out – I had ‘Membership – All Users’ as part of my Visitors Group on the site collection. Once I took this group out, the permissions for the external user are applied correctly.
Though I don’t have any confirmation, based on this it’s my assumption that if any external user gets added to a site collection they automatically get added to the “Membership – All Users” group out of Active Directory. This is a pretty big deal as I use this AD group to populate the ‘Viewers’ group on other site collections, including our intranet. After testing, sure enough the external user is granted access to our intranet and these other SCs by default as becoming a member of this group.
I have a ticket in to MS Support to try to get a better understanding – has anyone else encountered this and if so, how did you address it?