Question asked by IvanMaria-3338

Fetching Real-time Permissions in SharePoint Online via REST API using App Token

We are trying to fetch real-time user effective permissions of a user on a file. We cannot use the following API as it does not update the user effective permissions in real time when the user is either added to or removed from the O365 group (until the user logs in to the site):

/getusereffectivepermissions(userName=@user)?@user='<url_encoded_login_name>'

Note that we are using SharePoint Application Access Token.

Therefore, we are using the following APIs to get the real time results:

/RoleAssignments?$expand=Member/Users,RoleDefinitionBindings

We read the responses having 'principal type = 4' such as

"LoginName": "c:0o.c|federateddirectoryclaimprovider|d20ae4c3-3429-4f75-8895-793407836d5e_o",
"LoginName": "c:0o.c|federateddirectoryclaimprovider|<group_uid>",
"LoginName": "c:0(.s|true",
"LoginName": "c:0-.f|rolemanager|spo-grid-all-users/<tenant_id>", etc.

and then we fetch the owners of the group by taking '<owner_group_guid>_o' and also fetch the transitive members of the group by taking <group_uid> using Graph API.


How do we check if a user is a member of the following SharePoint groups:

Everyone: c:0(.s|true
Everyone except external users: c:0-.f|rolemanager|spo-grid-all-users/<tenant_id>

Also, are there any other similar SharePoint internal groups that should be taken into consideration while fetching the real-time user effective permissions?


1 Answer

MichaelHan-MSFT answered:

Hi @IvanMaria-3338,

The All Users claim groups, the Everyone claim group and the Everyone except external users claim group are SharePoint internal groups.

These groups can be displayed/hidden through the command Set-SPOTenant: https://docs.microsoft.com/en-us/powershell/module/sharepoint-online/set-spotenant?view=sharepoint-ps

The parameters are:

[-ShowAllUsersClaim <Boolean>]
[-ShowEveryoneClaim <Boolean>]
[-ShowEveryoneExceptExternalUsersClaim <Boolean>]

The All Users (authenticated) group is equivalent to the Everyone claim.

Everyone: When users share an item with Everyone, it is accessible to all authenticated users in the tenant's Azure Active Directory, including any active external users who have previously accepted invitations.

Everyone except external users: When users share an item with "Everyone except external users", it is accessible to all organization members in the tenant's Azure Active Directory, but not to any users who have previously accepted invitations.

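As an added example (not code from the question, the answer or Microsoft), the following Python classifies the PrincipalType 4 login names the question lists (the Everyone claim, the "Everyone except external users" claim and the federateddirectoryclaimprovider Microsoft 365 group claim with its "_o" owners suffix) and applies the membership semantics the answer gives: Everyone covers all authenticated users including accepted guests, "Everyone except external users" covers organization members only. It assumes the group's owners and transitive members were already resolved through Graph into a plain dictionary, uses constructed placeholder ids rather than a real tenant, and fails closed on any claim it does not recognise.

```python
from dataclasses import dataclass
# Claim login names seen on PrincipalType 4 members of /RoleAssignments?$expand=Member/Users,RoleDefinitionBindings
EVERYONE_CLAIM = "c:0(.s|true"
EVERYONE_EXCEPT_EXTERNAL_PREFIX = "c:0-.f|rolemanager|spo-grid-all-users/"
M365_GROUP_PREFIX = "c:0o.c|federateddirectoryclaimprovider|"

@dataclass(frozen=True)
class Principal:
    kind: str                  # everyone | everyone_except_external | m365_group | unknown
    group_id: str = ""         # Microsoft 365 group object id (m365_group only)
    owners_only: bool = False  # trailing "_o" selects the group's owners sub-group
def parse_claim(login_name: str) -> Principal:
    """Classify a PrincipalType 4 LoginName into a principal we know how to evaluate."""
    if login_name == EVERYONE_CLAIM:
        return Principal("everyone")
    if login_name.startswith(EVERYONE_EXCEPT_EXTERNAL_PREFIX):
        return Principal("everyone_except_external")
    if login_name.startswith(M365_GROUP_PREFIX):
        ident = login_name[len(M365_GROUP_PREFIX):]
        owners = ident.endswith("_o")
        return Principal("m365_group", ident[:-2] if owners else ident, owners)
    return Principal("unknown")
def covers(p: Principal, user: dict, directory: dict) -> bool:
    """user = {'id', 'is_external'}; directory = group id -> {'owners': set, 'members': set} (transitive, resolved via Graph)."""
    if p.kind == "everyone":                  # all authenticated users, accepted guests included (answer's semantics)
        return True
    if p.kind == "everyone_except_external":  # organization members only, no guests
        return not user["is_external"]
    if p.kind == "m365_group":
        sub = "owners" if p.owners_only else "members"
        return user["id"] in directory.get(p.group_id, {}).get(sub, set())
    return False  # unrecognised claim: fail closed and flag for review, never grant
def effective_roles(role_assignments: list, user: dict, directory: dict) -> set:
    """Role definition names the user holds through claim-based (PrincipalType 4) assignments."""
    roles = set()
    for ra in role_assignments:
        if ra["Member"].get("PrincipalType") != 4:
            continue  # direct users (1) and SharePoint groups (8) need their own lookup
        if covers(parse_claim(ra["Member"]["LoginName"]), user, directory):
            roles.update(b["Name"] for b in ra["RoleDefinitionBindings"])
    return roles

# Constructed sample data (placeholder ids, not a real tenant): three claim-based assignments.
SAMPLE_ASSIGNMENTS = [
    {"Member": {"PrincipalType": 4, "LoginName": EVERYONE_CLAIM}, "RoleDefinitionBindings": [{"Name": "Read"}]},
    {"Member": {"PrincipalType": 4, "LoginName": EVERYONE_EXCEPT_EXTERNAL_PREFIX + "tenant-id-placeholder"}, "RoleDefinitionBindings": [{"Name": "Contribute"}]},
    {"Member": {"PrincipalType": 4, "LoginName": M365_GROUP_PREFIX + "group-id-placeholder_o"}, "RoleDefinitionBindings": [{"Name": "Full Control"}]},
]
SAMPLE_DIRECTORY = {"group-id-placeholder": {"owners": {"userA"}, "members": {"userA", "userB"}}}
```

The comments below report that in the asker's tenant the Everyone claim did not admit external users, so the "everyone" branch encodes the answer's stated semantics and should be validated against the tenant being audited.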

Hi @MichaelHan-MSFT,

Thanks for the information.

Consider the following case, where there are two users:
User A: Internal user
User B: External user (Invited user)

In this case, User B should not get access if the file is shared with 'Everyone except external users'.

Is there any way via API where we can check if a given user is a member of 'All Users'/'Everyone'/'Everyone except external users'?


Hi @IvanMaria-3338,

As far as I know, there is no such API to check if a user is a member of 'All Users'/'Everyone'/'Everyone except external users'.


These groups are built-in identities, there is no method to "check" membership as they're pre-defined. "Everyone except external" is everyone in your organization sans Guest accounts. "Everyone" truly is "everyone".


Hi @MichaelHan-MSFT,

After running the following command:

[-ShowAllUsersClaim <Boolean>]

I can see the following behavior from these two groups:
All Users (membership) : Both internal and external users get access
All Users (windows) : Neither internal nor external users get access

I cannot find 'All Users (authenticated)' group. Could you provide the steps to add this group to a site?

Also, when I assign 'Everyone' group as a member to a SharePoint site, external users were still not able to access the site. I found a link that says external user will not have access from 'Everyone' group. Can you confirm the same?

https://docs.microsoft.com/en-us/office365/troubleshoot/access-management/grant-everyone-claim-to-external-users

Hi,

Per my test, [-ShowAllUsersClaim <Boolean>] would add the two groups: All Users (membership) and All Users (windows).

Besides, for the Everyone group, please make sure that the external users have previously accepted invitations and accessed the site.


Hi @MichaelHan-MSFT,

In our tenant, I see the following output:
All Users (membership) : Both internal and external users get access
All Users (windows) : Neither internal nor external users get access
Everyone : Only internal users get access
Everyone except external users : Only internal users get access

Could you please verify the above output and answer the following questions:

  1. Do external users (who have previously accepted the invitation) get access with the 'Everyone' group? If not, what is the difference between 'Everyone' and 'Everyone except external users'?

  2. What is the difference between 'All Users (membership)' and 'All Users (windows)' groups?

  3. Which users will have access with the 'All Users (membership)'?

  4. Which users will have access with the 'All Users (windows)'?
