There is a known problem with Microsoft Delve.
We know SharePoint site permissions are not easy. You can break permissions inheritance at any level – subsite, library, list, folder, list item or specific document. Anybody with full permissions can do that. The worst thing is there
is was (*1) no one place where site owner could get full permissions report to the site. We must have used third-party tools or PowerShell to have all permissions in one document.
So no wonder SharePoint sites were heavily over-exposed. Especially when a site owner tired with complexity of SharePoint permissions system decided to share resource with “Everyone”. That is the real issue.
Now, what happens when sites are migrated to Microsoft 365 SharePoint Online with Microsoft Delve enabled by default? Delve works as it should work – it suggests to you documents it believes related to you (based on Microsoft Graph insights) and you already have access to.
What happens is people start seeing documents they never new they have access to. Where these documents from? Of course from sites shared with Everyone.
So strictly says, it is not Delve’s problem. It’s more human problem than technological.
Delve just does it’s job, and does perfectly.
How do we solve the issue?
- Disable Delve?
- Disable search (stop sites crawling and remove results)?
- Restrict access to Microsoft Graph ?
e.g. Microsoft KBA on how to disable MS Graph for a specific User
Those methods are half-measure. 1-2-3 methods are just hiding the problem – not solving it. Agree it helps stop the deterioration, bud does not fix the issue.
How do we solve the root cause of the issue?
- Of course, we need remove incorrectly provided permissions. How?
- Only site owner (data owner) knows which content should be shared with whom with which access rights. So we need to ask sites owners to review their permissions. How?
- First, we need a list of over-exposed sites. How? There are two methods
(more details – check this article)
- Then we need a list of sites and their owners. How?
- Finally, we need to let every site owner know that his site is Open to everybody and ask to fix it. How?
- Governance tip on finding overshared content in O365/SharePoint by Mikael Svenson
- Report on file and folder sharing in a SharePoint site by Microsoft
- How to determine resources to which all external users have access by Microsoft
- How to get list of sites shared with Everyone
- How to Get full SPO Site Permissions report