‘Everyone Except External Users’ is leaving OneDrive – this is why you need to check its use in SharePoint
Permissions can be a bit of a hot potato, because the meanings of different permission settings are easily misunderstood.
A good example of where things can go wrong is the ‘Everyone Except External Users’ (EEEU) group being used when setting access permissions.
EEEU is a default group that can be applied to SharePoint and OneDrive, although Microsoft is actively in the throes of removing it from OneDrive and it should finally be gone by September 30th 2025 (it was originally announced to be withdrawn back in 2019).

According to Microsoft:
The EEEU permission is being removed from the root site and default document library of each OneDrive account to prevent inadvertent oversharing and improve security.
To be honest, it’s no surprise that EEEU has been removed as a permission option in OneDrive. For example, if an individual elects to apply a ‘share with everyone except outsiders’ setting on their OneDrive, it can mean thousands of colleagues suddenly have access, even if they were only trying to share with a small team.
But even experienced IT or site managers aren’t immune to slip-ups when it comes to EEEU settings on SharePoint. Sometimes oversharing is a consequence of inherited settings or assumptions rather than deliberate action. Add to that the fact that people often don’t realise EEEU is applied in the background, and it’s clear how easily the risk can creep in.
In this article, we explore why EEEU exists, what’s at stake when it’s used incorrectly, and how to fix the security risks it can introduce in SharePoint.
What is ‘Everyone Except External Users’?
The ‘Everyone Except External Users’ group (I’ll call it just EEEU from now on) is a Microsoft 365 group that includes every licensed user in the tenant. So it’s basically a group that comprises all your employees, but it also potentially includes service accounts (i.e., non-human identities used for automation processes and integrations).
Permissions using the EEEU group can be applied at all the different levels you might expect – local sites, document libraries, folders.
In short, the setting was designed as a convenient way to give ‘open access’ to employees, but without giving access to users with guest accounts.
Why the EEEU group is such a security risk
There are many reasons why the EEEU group is a big security risk – here are just a few I can think of:
Folk get confused over what EEEU means:
SharePoint’s permission models can be nuanced, and the implications of EEEU are not always fully understood – particularly on sites managed by business teams rather than IT admins.
Even when site owners are aware of the ramifications of EEEU, end users uploading content may not realise that their files could be exposed more broadly than intended.
In fact, if you asked them what EEEU was, they’re more likely to tell you it is some kind of grouping of European states rather than a high-risk permission setting in SharePoint!

Sensitive files might get uploaded to ‘open’ sites
Let’s say that a departmental or team site owner applies a site-wide EEEU permission. Members of that site might not know about the implications of the EEEU setting and may make the reasonable assumption that only members of their department or team can see it, as this is what the site has been set up for.
This creates an obvious risk of oversharing.
Following on from the previous point, the fact that there’s an EEEU group on a site’s permissions list might be overlooked and/or misunderstood. As such, sensitive files can easily get mixed in with content that is intended for wider sharing.
EEEU is at odds with what GDPR demands
By using EEEU you may be breaching GDPR – or industry – regulations by not having the ‘principle of least privilege’ in place, which requires that users should only have access to the data necessary for their role.
As you might imagine, EEEU is fundamentally at odds with the principle of least privilege. Using it raises the risk of data privacy incidents and could put your organisation in breach of GDPR or other industry-specific compliance frameworks.
Risk of surfacing sensitive stuff through search & Copilot
Depending on the scope of a search, Microsoft Search will surface documents that are not permission-trimmed, so documents accessed via EEEU permissions will show up in the results, again making oversharing more likely.
Ditto with Microsoft Copilot, in that it may surface content to users you didn’t intend to include, simply because your permissions were too open.
Lack of EEEU ‘misuse’ visibility until the proverbial hits the fan

Organisations often don’t realise that their data or content is exposed until a leak or incident happens, which of course is too late.
Without clear visibility or awareness of who can access what, your sensitive info can sit unnoticed in broadly accessible locations, quietly increasing risk over time.
It’s only when something goes wrong – like a data breach, an inappropriate Copilot suggestion, or a compliance audit – that the problem comes to light.
3 steps to fixing the EEEU risk
If you think the EEEU group has access to sensitive – or potentially sensitive – SharePoint sites, folders and libraries, there are 3 fundamental steps to fixing the issue:
- Check the permissions
- Remove and replace EEEU permissions
- Prevent it happening again!
Check permissions
Checking the permissions for EEEU needs to be comprehensive and cover all bases:
- Use the SharePoint Admin Centre to review site permissions.
- Run a permissions report for any sensitive libraries and folders. Treat ‘potentially sensitive’ as sensitive, particularly if this is the first time checking for EEEU permissions.
- Use Microsoft Search & Purview Content Explorer to find and identify data and content accessible to EEEU.
- Use PowerShell scripts to scan at scale – especially if you’re dealing with widespread SharePoint site sprawl or working in a larger organisation where manual checks simply aren’t practical.
- Consider using third-party tools (e.g., AvePoint Policies & Insights) if you need to carry out large scale scans.
Remove and replace EEEU permissions
- You may have a lot of EEEU permissions, which is potentially a lot of admin work. If this is the case, take a practical approach and remove EEEU from sensitive sites as the priority.
- Replace these with specific Microsoft 365 Groups or Microsoft Entra ID Security Groups aligned to defined business roles. A clean-up exercise like this can be a good trigger to clean up or update Security Groups if there is a need.
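As an added example (not from the original article or from Microsoft), the PowerShell below triages an exported permissions report so that EEEU grants on sensitive sites are dealt with first. The CSV column names, the sample rows and the `Find-EEEUGrant` function name are assumptions made for illustration; the rows are constructed.

```powershell
# Added example: triage a permissions report for EEEU grants.
# Sample rows are constructed; the column names are assumptions, not a Microsoft schema.
$report = @'
SiteUrl,Scope,LoginName,ViaGroup,Role,Sensitive
https://contoso.sharepoint.com/sites/hr,Site,c:0-.f|rolemanager|spo-grid-all-users/00000000-0000-0000-0000-000000000000,HR Visitors,Read,yes
https://contoso.sharepoint.com/sites/intranet,Site,c:0-.f|rolemanager|spo-grid-all-users/00000000-0000-0000-0000-000000000000,,Read,no
https://contoso.sharepoint.com/sites/finance,Library: Budgets,c:0-.f|rolemanager|spo-grid-all-users/00000000-0000-0000-0000-000000000000,,Edit,yes
https://contoso.sharepoint.com/sites/projects,Site,c:0-.f|rolemanager|spo-grid-all-users/00000000-0000-0000-0000-000000000000,,Limited Access,no
https://contoso.sharepoint.com/sites/hr,Site,c:0t.c|tenant|11111111-1111-1111-1111-111111111111,HR Owners,Full Control,yes
'@ | ConvertFrom-Csv

function Find-EEEUGrant {
    param([Parameter(Mandatory)][object[]]$Rows)

    # Higher number = broader rights; custom permission levels fall back to 1.
    # 'Limited Access' is auto-assigned on a parent when a grant exists further
    # down, so it is kept (rank 0) as a pointer to look deeper in that site.
    $rank = @{ 'Full Control' = 3; 'Edit' = 2; 'Contribute' = 2; 'Read' = 1; 'Limited Access' = 0 }

    # Match the EEEU claim in the login name rather than the display name,
    # because the display name is localised.
    $Rows |
        Where-Object { $_.LoginName -like '*|spo-grid-all-users/*' } |
        ForEach-Object {
            $score = if ($rank.ContainsKey($_.Role)) { $rank[$_.Role] } else { 1 }
            if ($_.Sensitive -eq 'yes') { $score += 10 }   # sensitive sites first
            [pscustomobject]@{
                Priority = $score
                SiteUrl  = $_.SiteUrl
                Scope    = $_.Scope
                Role     = $_.Role
                # EEEU nested in a SharePoint group is fixed by removing it from
                # that group, not by deleting a role assignment.
                Via      = if ($_.ViaGroup) { "member of '$($_.ViaGroup)'" } else { 'direct grant' }
            }
        } |
        Sort-Object -Property Priority -Descending
}

Find-EEEUGrant -Rows $report | Format-Table -AutoSize
```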
Prevent it happening again
- Apply the ‘principle of least privilege’ so that only the people who truly need access to a SharePoint site or library have permissions.
- Apply sensitivity labels to sites and libraries and align data loss prevention (DLP) policies to provide clarity on which sites are sensitive, helping to prevent accidental sharing. This will also identify sites where EEEU permissions must not be applied.
- Carry out the whole process for EEEU permissions on a regular basis, for example, every three or six months.
- Run this new Microsoft EEEU Report on a regular basis.
Is your SharePoint in order?
See at a glance where EEEU permissions have been given and where sensitive documents may be at risk.