Removing a user from the Everyone Except External Users group in SharePoint Online

A common question in SharePoint Online is: How can we block access for a specific user to all sites? In SharePoint Server (On-Premises), this was relatively simple—we could apply a “Deny” policy at the web application level. However, SharePoint Online doesn’t expose web application settings, so there’s no direct way to say, “Block this user from accessing SharePoint.”

In SharePoint Online, access is granted—not explicitly denied. To prevent a user from accessing SharePoint content, you must ensure they are not granted access in the first place. This becomes tricky due to the built-in group “Everyone except external users”, which automatically includes all internal users. If a site or resource is shared with this group, the user in question will also gain access—there’s no way to exclude them from this group.

Despite this limitation, there is a workaround. While you can’t remove a user from the “Everyone except external users” group, there are strategies to restrict their access effectively. Consider the following options (we’ll dive deep into each one, discussing pros and cons):

  • Stop Using “Everyone except external users” for Permissions
  • Assign Permissions Using Custom Groups
  • Block Access via Conditional Access
  • Make the user “External”
  • Validate the user does not access SharePoint

Stop Using “Everyone except external users” for Permissions

To hide the “Everyone Except External Users” claim in the People Picker, use:

Set-SPOTenant -ShowEveryoneExceptExternalUsersClaim $false

Although this option looks simple, it requires some extra work, because:

  • you’d need to deal with existing shares with “Everyone Except External Users”
  • you’d need to deal with “public” groups, teams, sites
  • you’d need to provide an alternative for scenarios where sharing with everyone is a requirement
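
One way to approach the first item in the list above, as an added example that is not part of the original post: record the tenant setting, hide the claim, then list the sites where the claim is already present so existing shares can be reviewed. It assumes the SharePoint Online Management Shell module and a SharePoint admin account; the admin URL and the output file name are placeholders.

```powershell
# Added example, not the original author's script.
# Assumption: Microsoft.Online.SharePoint.PowerShell is installed.
# Placeholder: replace "contoso" with your tenant name.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# 1. Record the current People Picker setting before changing it.
(Get-SPOTenant).ShowEveryoneExceptExternalUsersClaim

# 2. Hide the claim so it can no longer be picked for new shares.
Set-SPOTenant -ShowEveryoneExceptExternalUsersClaim $false

# 3. Hiding the claim does not revoke grants that already exist.
#    The claim's login name starts with this prefix, followed by the tenant ID.
$eeeuPrefix = 'c:0-.f|rolemanager|spo-grid-all-users/'

# OneDrive sites are not returned unless -IncludePersonalSite $true is added.
$findings = foreach ($site in Get-SPOSite -Limit All) {
    try {
        Get-SPOUser -Site $site.Url -Limit All -ErrorAction Stop |
            Where-Object { $_.LoginName -like "$eeeuPrefix*" } |
            ForEach-Object {
                [pscustomobject]@{
                    SiteUrl = $site.Url
                    # Site groups that contain the claim. An empty value may mean
                    # a direct or item-level grant, or a leftover user entry.
                    Groups  = ($_.Groups -join '; ')
                }
            }
    }
    catch {
        # Report sites the admin account cannot read instead of skipping them silently.
        Write-Warning "Could not read users for $($site.Url): $($_.Exception.Message)"
    }
}

# Each row is a candidate for review, not proof of an active grant.
$findings | Sort-Object SiteUrl |
    Export-Csv -Path .\eeeu-sites.csv -NoTypeInformation
```

Sites that raise a warning still need to be checked by someone with access to them, since the claim may be present there as well.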

TBC…