I’m working through a scenario to provide a limited number of external users access into an Office 365 SharePoint site (2013 version) and seem to have found a security hole I cannot yet figure out. My scenario is as follows:
1. I’ve created an “External Users” security group.
2. I’ve populated this group with users who have an @live.com email address for access.
3. I’ve assigned this security group to have contribute rights to a sub-site of the main site collection.
The above scenario all works well, the user can access the site, contribute content, schedule alerts, etc. The problem is this is also giving those users “visitor” access to the parent and sibling sites as well, even though the sub-site has unique permissions. Yet, my Group Permission Settings seem correct – users have contribute rights only to the sub-site.
Browsing through other security options and documentation, I cannot find a way to successfully restrict access to only the sub-site (I tested this with an individual library and it was the same scenario – users could contribute to the library, but they could also still see all the other content across the site collection).
Has anyone had success in segmenting out external access to only a specific area / site of a site collection, without the ability to view any other content?
I think I figured this out – I had ‘Membership – All Users’ as part of my Visitors Group on the site collection. Once I took this group out, the permissions for the external user are applied correctly.
Though I don’t have any confirmation, based on this it’s my assumption that if any external user gets added to a site collection they automatically get added to the “Membership – All Users” group out of Active Directory. This is a pretty big deal as I use this AD group to populate the ‘Viewers’ group on other site collections, including our intranet. After testing, sure enough the external user is granted access to our intranet and these other SCs by default as a result of becoming a member of this group.
I have a ticket open with MS Support to try to get a better understanding – has anyone else encountered this and if so, how did you address it?
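One way to catch this kind of exposure across a tenant before an external user stumbles into it is to enumerate every site collection’s groups and flag members that are tenant-wide claims (the “All Users” / “Everyone” style entries) rather than individual people, especially when they sit in a Visitors group. The script below is an added example, not code from the original post or from Microsoft; it assumes the SharePoint Online Management Shell module is installed, that `$AdminUrl` is replaced with your own tenant admin URL (placeholder), and that the `$BroadClaimPatterns` list, which is a constructed starting set, is extended with whatever claim names your tenant actually shows.

```powershell
# Added example: audit SharePoint Online site groups for broad "all users" claims.
# Assumes the SharePoint Online Management Shell module (Connect-SPOService,
# Get-SPOSite, Get-SPOSiteGroup, Get-SPOUser) and a tenant admin account.
$AdminUrl = "https://TENANT-admin.sharepoint.com"   # placeholder: replace TENANT
Connect-SPOService -Url $AdminUrl

# Fragments of login names / display names that identify tenant-wide claims
# instead of individual users. Constructed starting set; extend for your tenant.
$BroadClaimPatterns = @(
    'spo-grid-all-users',   # login-name fragment of the "all users" claim
    'c:0(.s|true',          # login name of the "Everyone" claim
    'All Users'             # display-name fragment, e.g. "All Users (membership)"
)

function Test-BroadClaim {
    param([string]$LoginName, [string]$DisplayName)
    foreach ($pattern in $BroadClaimPatterns) {
        if ($LoginName -like "*$pattern*" -or $DisplayName -like "*$pattern*") {
            return $true
        }
    }
    return $false
}

$findings = foreach ($site in Get-SPOSite -Limit All) {
    foreach ($group in Get-SPOSiteGroup -Site $site.Url) {
        # Resolve each group member so both login name and display name are available.
        foreach ($member in Get-SPOUser -Site $site.Url -Group $group.Title) {
            if (Test-BroadClaim -LoginName $member.LoginName -DisplayName $member.DisplayName) {
                [pscustomobject]@{
                    Site   = $site.Url
                    Group  = $group.Title
                    Roles  = ($group.Roles -join ', ')
                    Member = $member.DisplayName
                    Claim  = $member.LoginName
                }
            }
        }
    }
}

# Groups named "*Visitors*" with a broad claim are the exact shape of the problem
# described above: read access to the whole site collection for every account
# that the claim happens to include, external users among them.
$findings | Sort-Object Site, Group | Format-Table -AutoSize
```

Run it with a tenant admin account; the table it prints lists every site collection group that contains one of the broad claims together with the roles that group carries, so the “Membership – All Users” entry in a Visitors group (the cause found above) shows up on every site collection at once instead of being discovered one site at a time.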