SharePoint Online: How to Remove External Users using PowerShell?
Requirement: Remove external users from SharePoint Online.
How to Remove an External User from SharePoint Online?
External users are people who are not part of your organization and have been invited to collaborate on a site or document (such as partners, vendors, etc.). If you manage SharePoint Online, there may be scenarios when you need to remove an external user, for example, if the user is no longer needed or has left the company. This blog post will show you how to remove external users' access from your SharePoint Online site using PowerShell.
To remove an external user from SharePoint Online, we must delete the external user permissions from the site and then delete their profile from the SharePoint Online tenant.
Step 1: Delete External user from SharePoint Online Site Collection
How do I remove external users' access from SharePoint? Update the parameters and run these cmdlets to get all external users of the site collection.
#Parameters
$AdminSiteURL="https://Crescent-admin.sharepoint.com"
#Connect to SharePoint Online Tenant Admin
Connect-SPOService -URL $AdminSiteURL -Credential (Get-Credential)
$SiteUrl = "https://crescent.sharepoint.com"
Get-SPOUser -Limit All -Site $SiteURL | Where {$_.LoginName -like "*#ext#*" -or $_.LoginName -like "*urn:spo:guest*"}
Make a note of the Login Names returned.
Remove External User using PowerShell
Get the external users listed above and run the Remove-SPOUser cmdlet to remove the external user from the SharePoint Online site collection.
$ExternalUserID= "salaudeen_hotmail.com#ext#@crescent.com"
Remove-SPOUser -Site $SiteURL -LoginName $ExternalUserID
This script revokes access for an external user. The particular user’s access, including site, files, and folders, will be lost! You can delete an external user with the below method as well.
Delete External user from SharePoint Online Site Collection
You can also remove an external user in a SharePoint Online site collection from the web browser interface by following these steps:
- Go to site >> Click on the settings gear icon >> Site Settings >> People and Groups. Now the URL should look like https://YourCompany.sharepoint.com/_layouts/15/people.aspx?MembershipGroupId=XX. Edit the URL by changing the XX to “0” and hit Enter (https://YourCompany.sharepoint.com/_layouts/15/people.aspx?MembershipGroupId=0)
- Select the checkbox next to the user and click Actions >> Delete Users from Site Collection
- Confirm the prompt once to remove the external user from SharePoint Online.
This removes the external user from the particular site permissions.
Step 2: Remove External User from SharePoint Online Tenant
Use the Remove-SPOExternalUser cmdlet in SharePoint Online to remove external users using PowerShell. To use this cmdlet, you’ll need the unique ID of the external user.
#Import SharePoint Online Management Shell
Import-Module Microsoft.Online.Sharepoint.PowerShell -DisableNameChecking
#Config Parameters
$AdminSiteURL="https://Crescent-admin.sharepoint.com"
#Get Credentials to connect
$Cred = Get-Credential
#Connect to SharePoint Online Tenant Admin
Connect-SPOService -URL $AdminSiteURL -Credential $Cred
$ExternalUserEmail= "salaudeen@hotmail.com"
#Get the ID of the External User
$ExternalUser = Get-SPOExternalUser -filter $ExternalUserEmail
#remove external user from sharepoint online powershell
Remove-SPOExternalUser -UniqueIDs @($ExternalUser.UniqueId) -Confirm:$false
This removes the given user profile from the SharePoint Online tenant. And that’s it! You’ve successfully removed the external user from your SharePoint Online site. They will no longer have access to any content or resources on your site, ensuring the security and privacy of your data.
PnP PowerShell to Delete External Users
We can also delete external users from the SharePoint Online tenant using the Remove-PnPExternalUser cmdlet.
#Parameters
$TenantAdminURL = "https://crescent-admin.SharePoint.com"
$ExternalUserEmail= "Salaudeen@gmail.com"
#Connect to Admin Center
Connect-PnPOnline -Url $TenantAdminURL -Interactive
#Get the External User
$User = Get-PnPExternalUser -Filter $ExternalUserEmail
If($User -ne $Null)
{
#Remove External User
Remove-PnPExternalUser -UniqueIDs @($User.UniqueId)
Write-host "User '$ExternalUserEmail' Removed Successfully!" -f Green
}
Else
{
Write-host "User '$ExternalUserEmail' Not Found!" -f Yellow
}
This removes the external user from the SharePoint Online tenant. However, it leaves the “User Information List” intact. So, we’ll have to use the Get-SPOUser and Remove-SPOUser cmdlets to delete the external user completely.
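The two steps combined for a single user, as an added example that is not the original author's script: it finds the user's entries in every site collection, removes them, and then removes the tenant profile. It assumes an existing Connect-SPOService session; `$DryRun`, `$ReportPath`, the `Test-IsTargetGuest` helper, and the exact `urn:spo:guest#<email>` login form are assumptions made for illustration.

```powershell
# Added example, not the original author's script. Assumes Connect-SPOService has already run.
$ExternalUserEmail = "salaudeen@hotmail.com"   # sample address used on this page
$DryRun     = $true                            # hypothetical switch: $false performs the deletions
$ReportPath = ".\ExternalUserOffboarding.csv"  # hypothetical output path

# Site-level login names carry the address as "name_domain#ext#@tenant" (as in the page's sample)
# or, assumed here, as "urn:spo:guest#name@domain"
$GuestToken = ($ExternalUserEmail -replace "@", "_") + "#ext#"
Function Test-IsTargetGuest([string]$LoginName) {
    # Anchor the match so that a longer address ending in the same text is not caught
    ($LoginName -like "$GuestToken*") -or ($LoginName -like "*|$GuestToken*") -or
    ($LoginName -like "*urn:spo:guest#$ExternalUserEmail")
}

# Pass 1: find every site collection where this user still has an entry
$Findings = @(ForEach ($Site in (Get-SPOSite -Limit All)) {
    Try {
        Get-SPOUser -Limit All -Site $Site.Url -ErrorAction Stop |
            Where-Object { Test-IsTargetGuest $_.LoginName } |
            ForEach-Object { [PSCustomObject]@{ SiteUrl = $Site.Url; LoginName = $_.LoginName } }
    }
    Catch { Write-Warning "Skipped $($Site.Url): $($_.Exception.Message)" }
})
# Keep a record of what was (or would be) removed
If ($Findings.Count) { $Findings | Export-Csv -NoTypeInformation -Path $ReportPath }

# Pass 2: remove the site-level entries
ForEach ($Entry in $Findings) {
    If ($DryRun) { Write-Host "Would remove $($Entry.LoginName) from $($Entry.SiteUrl)" }
    Else         { Remove-SPOUser -Site $Entry.SiteUrl -LoginName $Entry.LoginName }
}

# Pass 3: remove the tenant profile. -Filter is a "begins with" match on name or e-mail,
# so keep only the entry whose Email equals the target exactly.
$TenantEntry = Get-SPOExternalUser -Filter $ExternalUserEmail |
    Where-Object { $_.Email -eq $ExternalUserEmail }
If (-not $TenantEntry) { Write-Host "No tenant profile found for $ExternalUserEmail" }
ElseIf ($DryRun)       { Write-Host "Would remove tenant profile $($TenantEntry.UniqueId)" }
Else                   { Remove-SPOExternalUser -UniqueIDs @($TenantEntry.UniqueId) -Confirm:$false }
```

Run it once with `$DryRun = $true` and review the CSV before switching to `$false`.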
Remove All External Users from a Site using PowerShell
#Define Parameters
$SiteURL= "https://crescent.sharepoint.com/sites/BestPractices"
#Connect to PnP Online
Connect-PnPOnline -Url $SiteURL -UseWebLogin
$UserCounter = 1
#Get All External users who have permission to the site
$ExternalUsers = Get-PnPUser -WithRightsAssigned | Where {$_.LoginName -like "*#ext#*"}
ForEach ($User in $ExternalUsers) {
$Progress = $UserCounter/$ExternalUsers.Count*100
Write-Progress -PercentComplete $Progress -Activity "Removing Users from site" -Status "Removing User $UserCounter of $($ExternalUsers.Count)"
Remove-PnPUser -Identity $User.ID -Confirm:$false
Write-Host -f Yellow "Removed User:$($User.Email)"
sleep -Milliseconds 50
$UserCounter++
}
#Export Removed User details to CSV
$ExternalUsers | Select Id, Email, LoginName, Title | Export-CSV -NoTypeInformation "C:\Temp\RemovedExternalUsers.csv"
PowerShell to Delete All External Users in SharePoint Online:
How about deleting all external users in all site collections after you disabled external sharing at the tenant level? To remove an external user from SharePoint Online, we must delete them from both site collection permissions and SharePoint Online tenant levels.
#Import SharePoint Online Management Shell
Import-Module Microsoft.Online.Sharepoint.PowerShell -DisableNameChecking
#Config Parameters
$AdminSiteURL="https://crescent-admin.sharepoint.com"
#Connect to SharePoint Online Tenant Admin
Connect-SPOService -URL $AdminSiteURL
#Get all Site Collections - Exclude: Search Center, Redirect site, Mysite Host, App Catalog, Content Type Hub, eDiscovery and Bot Sites
$SiteCollections = Get-SPOSite -Limit ALL | Where -Property Template -NotIn ("SRCHCEN#0", "REDIRECTSITE#0", "SPSMSITEHOST#0", "APPCATALOG#0", "POINTPUBLISHINGHUB#0", "EDISC#0", "STS#-1")
#Iterate through each site collection
ForEach($Site in $SiteCollections)
{
Write-host -f Yellow "Checking Site Collection:"$Site.URL
#Get All External users of the individual site collection
$ExternalUsers = Get-SPOUser -Limit All -Site $Site.URL | Where {$_.LoginName -like "*#ext#*" -or $_.LoginName -like "*urn:spo:guest*"}
#Loop through each User and remove them from site collection
ForEach($ExtUser in $ExternalUsers)
{
#Remove the user from the site collection
Remove-SPOUser -Site $Site.URL -LoginName $ExtUser.LoginName
Write-host -f Green "`tExternal User $($ExtUser.LoginName) has been removed from site collection"
}
}
#Remove All External Users at Tenant Level
$TenantExternalUsers=@()
#Get All External Users at Tenant Level, 50 per page
#Paging ends on the first empty page, or on the error raised when reading past the last page
Try {
For ($x=0;;$x+=50) {
$Page = Get-SPOExternalUser -Position $x -PageSize 50 -ErrorAction Stop
If (-not $Page) { Break }
$TenantExternalUsers += $Page
}
}
catch {}
$TenantExternalUsers | ForEach-Object {
#Remove the external user profile from the tenant
Remove-SPOExternalUser -UniqueIDs @($_.UniqueId) -Confirm:$false
Write-host -f Green "External User $($_.Email) has been removed from the tenant!"
}
Please note: You may have to clear the browser cache if you can still find the removed external users in places like People Picker! And don’t forget to remove them from Azure AD if they are explicitly invited!
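A read-only check to run after the bulk removal, as an added example that is not the original author's script: it reports the tenant sharing level, the site collections whose own setting still allows external sharing, and any external principals that remain. It assumes an existing Connect-SPOService session; `$ReportPath` is a hypothetical output path.

```powershell
# Added example, read-only; not the original author's script. Assumes Connect-SPOService has already run.
$ReportPath = ".\ResidualExternalAccess.csv"   # hypothetical output path

# 1. Tenant-wide sharing level (the scenario above expects "Disabled")
$TenantSharing = (Get-SPOTenant).SharingCapability

# 2. All site collections, OneDrive included: Get-SPOSite omits personal sites unless asked.
#    A site left at a non-Disabled level opens up again if the tenant setting is ever relaxed.
$AllSites  = Get-SPOSite -Limit All -IncludePersonalSite $true
$OpenSites = @($AllSites | Where-Object { $_.SharingCapability -ne "Disabled" })

# 3. External principals still listed in any site collection (same filter as the removal script)
$Residual = @(ForEach ($Site in $AllSites) {
    Try {
        Get-SPOUser -Limit All -Site $Site.Url -ErrorAction Stop |
            Where-Object { $_.LoginName -like "*#ext#*" -or $_.LoginName -like "*urn:spo:guest*" } |
            ForEach-Object { [PSCustomObject]@{ SiteUrl = $Site.Url; LoginName = $_.LoginName } }
    }
    Catch { Write-Warning "Could not read $($Site.Url): $($_.Exception.Message)" }
})

# 4. Tenant-level profiles: one page is enough to show the list is not empty
$TenantLeft = @(Get-SPOExternalUser -Position 0 -PageSize 50)

Write-Host "Tenant SharingCapability         : $TenantSharing"
Write-Host "Sites still allowing sharing     : $($OpenSites.Count)"
Write-Host "Site-level external entries left : $($Residual.Count)"
Write-Host "Tenant external profiles left    : $($TenantLeft.Count) (first page only)"

# Save the site-level leftovers for follow-up
If ($Residual.Count) { $Residual | Export-Csv -NoTypeInformation -Path $ReportPath }
```

Sites that raise a warning here were not checked, typically because the account running the script is not an administrator of that site collection.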
Wrapping up
As a SharePoint administrator, it’s crucial to maintain the security and integrity of your site, and that means controlling who has access to your valuable information. Whether you’re new to SharePoint or just need a quick refresher, I hope this guide has provided you with all the information you need to ensure only the right people have access to your site. If you want to turn off the external collaboration in SharePoint Online, refer to How to Disable External Sharing in SharePoint Online?
To disable the “Everyone” group in SharePoint Online, we can set the “ShowEveryoneExceptExternalUsersClaim” value to “False.” By default, the Everyone except external users claim is added to the Members group on public group sites. This will prevent internal users from accessing the claim while still allowing external users to access it. More info: How to disable everyone except external users?
To disable external sharing for a user’s OneDrive, we can go to the Microsoft 365 admin center and select the user whose OneDrive we want to modify. Under OneDrive >> Sharing, select Manage external sharing. From there, we can select a new external sharing level configuration and save the changes. We can also use the PowerShell cmdlet Set-SPOSite with the parameter -SharingCapability to change the external sharing setting for a user’s OneDrive! More info: How to Disable External Sharing for a OneDrive site?
To provide access to an external user in SharePoint Online, we must first enable external sharing at the organization and site collection levels. Once external sharing is enabled, we can share a SharePoint Online site with guest users by navigating to the site and clicking the “Share” button in the top-right corner. We can then enter the email ID of the external user (must be a Microsoft account or an account under Azure Active Directory), select the permission level, choose whether a sharing invitation is to be sent, and then click on “Share” to add the external user to SharePoint Online. Alternatively, we can use PowerShell to invite external users to a SharePoint site and grant them permission.
More info: How to add External users to SharePoint Online?
To enable external sharing on a SharePoint site, we must first ensure that external sharing is enabled at the organization (tenant) level. We can do this by going to the SharePoint admin center and clicking on Policies >> Sharing in the left navigation. Under “External sharing” settings, we can set the external sharing level to Anyone/New and existing guests/Existing Guests only to turn ON the guest user access. Once external sharing is enabled at the organization level, we can configure site-level SharePoint external sharing settings by going to the SharePoint Online admin center, expanding Sites, and choosing Active sites. Then we can select the site on which to enable external sharing and click on Sharing. From there, we can set the external sharing setting to anything apart from “Only people in your organization”.
More info: How to Enable External Sharing in SharePoint Online?