I will be saving my personal gotchas on Microsoft 365 External Access and Guest Access in SharePoint and Teams

We configure external/guest access in AAD, m365 Admin Center, Teams Admin Center, SharePoint Admin Center, specific Group, Team or SharePoint site.

We can configure external guest access directly, or can configure sensitivity labels and policies in Purview (Compliance Admin Center). Configuring sensitivity labels for sites/groups we configure external guest access settings. Configuring sensitivity labels policies we apply labels.

External access via “All Users” group

Be careful with “All users” group created as part of the process.
Microsoft: “The dedicated All Users group includes all users in the directory, including guests and external users.” And indeed, “All Users” group by default include external users.

So here is the scenario: we have a site where external sharing is enabled, and someone is sharing a specific file1 or folder1 with some external users. The other site/group member is sharing another file2/folder2 with “All Users” assuming All Users means all this group member. This gives external users access to file2/folder2.

Remediation

Option 0: remove “All Users” group

Option 1: exclude External users or Guest users from “All Users” group:

(user.userPrincipalName -notContains "#EXT#@")
or 
(user.userType -ne "Guest")

(explained here).

Option 2: schedule a job that removes “All Users” from all sites UIL. Optionally inform site owners not to use “All Users” but use “Everyone except external users”.