Register for Semperis' Hybrid Identity Protection (HIP) Conference - June 30 - July 1 Register for Semperis' Hybrid Identity Protection (HIP) Conference - June 30 - July 1
Office|Office 365|SharePoint|SharePoint Online

Understanding External Access to Documents in an Office 365 Tenant (Part 2)

Office 365 with Teams

Understanding Office 365 Sharing

In part 1 of this series, we explore how document sharing occurs within Office 365 and how to use two cmdlets in the SharePoint Online PowerShell module to understand with whom outside the tenant we share documents.

As noted, the Get-SPOUser and Get-SPOExternalUser cmdlets have some problems when processing group-enabled SharePoint sites. These sites use Office 365 Groups to manage membership, and the results returned by the cmdlets do not necessarily reflect the view of Office 365 Groups.

Given the popularity of Teams and Groups, it is likely that most sites now running inside Office 365 tenants use Groups for their membership. We can absolutely use the SharePoint cmdlets to process sites that are not group-enabled, but we need another solution to deal with the sites owned by Office 365 Groups.

Examining Group Guests

The solution is to examine the membership of Office 365 Groups with guest members. Fortunately, Groups gives use a filterable property (GroupExternalMemberCount) that makes it easy to extract the set of groups with guest members. A similar property (GroupMemberCount) holds the total number of members in a group. Groups updates the two properties automatically as membership changes occur, including changes made through Teams.

Once we know what groups to examine, we can loop through each group to extract details of guest members. Here’s some code to do the trick.

$Groups = (Get-UnifiedGroup -Filter {GroupExternalMemberCount -gt 0} | Select Alias, DisplayName, SharePointSiteURL, GroupExternalMemberCount)
If ($Groups.Count -gt 0) {
   Write-Host "Processing" $Groups.Count "groups with guest members"
   $Report = @()
   $NumExt = 0
   $LargestGroup = $Null
   $LargestGroupNum = 0
   ForEach ($G in $Groups) {
      Write-Host "Processing" $G.DisplayName
      $Users = Get-UnifiedGroupLinks -Identity $G.Alias -LinkType Members
      ForEach ($U in $Users) {
         If ($U.Name -Match "#EXT#" -and $U.Name -NotLike "*teams.ms*") {
            $NumExt++
            $CheckName = $U.Name + "@yourtenant.onmicrosoft.com"
            $User = (Get-AzureADUser -ObjectId $CheckName).DisplayName 
            $ReportLine = [PSCustomObject][Ordered]@{
               Email           = $U.Name
               User            = $User
               Group           = $G.DisplayName
               Site            = $G.SharePointSiteURL }
            $Report += $ReportLine }         
            } 
    If ($G.GroupExternalMemberCount -gt $LargestGroupNum) {
       $LargestGroupNum = $G.GroupExternalMemberCount
       $LargestGroup = $G.DisplayName}
    }
Write-Host $NumExt "guest user memberships found in" $Groups.Count "groups"
Write-Host "Largest external group is" $LargestGroup "with" $LargestGroupNum "guests"

Guest Statistics

At the end of the script, we have a couple of lines to report statistics. As you can see in Figure 1, 37 groups have guest users in their membership when we scan these groups, we find 224 instances of guest membership. The group with most guests has 63.

Office 365 Groups with Guests
Figure 1: Reporting guests in Office 365 Groups (image credit: Tony Redmond)

Analyzing Guests

The script creates an ordered array of guests found in group membership. It is easy to sort the array and look at the data in whatever way you like. For example, you could sort by user to be able to see what groups each user belongs to.

$Report | Sort User | Format-Table User, Group, Site -AutoSize

User                    Group                    Site
---                     -----                    ----
Ailbhe Smith (Hotmail)  Office 365 Tenant Health https://tenant.sharepoint.com/sites/office365Health
Ian Byrne               Dynamic Passion          https://tenant.sharepoint.com/sites/DynamicPass
Ian Byrne               Exchange Trades          https://tenant.sharepoint.com/sites/exchangetrades

Of course, not all guest users will access documents as many will collaborate via email (for Office 365 Groups) or channel and private conversations (Teams). It’s possible that no one ever puts anything in the document library in the site collection. But if they do, those documents are accessible to guest users, who enjoy exactly the same rights over the documents as do users who belong to the tenant

The Next Step

We now have methods to extract details about who can share documents in old-style and new-style SharePoint sites. This is good information for tenant administrators to have because you never know when someone might ask who can access documents. It’s knowledge of sharing that might happen if a guest user accesses a document library.

However, SharePoint and OneDrive for Business also support sharing for individual documents and folders. To understand when this kind of sharing occurs, we must look elsewhere. That’s the subject of the third part of this series.

Follow Tony on Twitter @12Knocksinna.

Want to know more about how to manage Office 365? Find what you need to know in “Office 365 for IT Pros”, the most comprehensive eBook covering all aspects of Office 365. Available in PDF and EPUB formats (suitable for iBooks) or for Amazon Kindle.

Related Topics:

BECOME A PETRI MEMBER:

Don't have a login but want to join the conversation? Sign up for a Petri Account

Register
Comments (0)

Leave a Reply

Tony Redmond has written thousands of articles about Microsoft technology since 1996. He covers Office 365 and associated technologies for Petri.com and is also the lead author for the Office 365 for IT Pros eBook, updated monthly to keep pace with change in the cloud.

Register for the Hybrid Identity Protection (HIP) Europe Conference!

Hybrid Identity Protection (HIP) Europe 2021 - Virtual Conference

Mobile workforces, cloud applications, and digitalization are changing every aspect of the modern enterprise. And with radical transformation come new business risks. Hybrid Identity Protection (HIP) is the premier educational forum for identity-centric practitioners. At the inaugural HIP Europe, join your local IAM experts and Microsoft MVPs to learn all the latest from the Hybrid Identity world.