Until when can a guest account user still access a file after completely removing his/her guest account?

john john 926 Reputation points
2023-05-13T15:19:24.2666667+00:00

We have shared many files with a guest user account (using his Gmail account), using these steps:-

  1. Access the document's advanced permissions page
  2. Stop permission inheritance
  3. "Grant permission" access to the external user account >> with Contribute permission
  4. The external user gets an email to access the file >> the first time, the external user was asked to create a Microsoft account and could then access the file
  5. Now we wanted to remove the user's access to all the files on all the sites >> so from the Office 365 admin center >> under Guest >> I removed the guest account >> then I removed it from the deleted users list using this command:- Remove-AzureADMSDeletedDirectoryObject -Id 7******4
  6. But the external user can still access all the files + his username is still mentioned inside the document's advanced permission settings.


So until when can the guest account access the files, even though we completely removed his/her guest account?

Now, for one hour >> the user can directly access the file from the email sent to him >> then, after an hour, when the user clicks on the invitation link >> the user will be asked to register again and can access the file. Any advice on this scenario?

Thanks


2 answers

  1. Haoyan Xue_MSFT 19,481 Reputation points Microsoft Vendor
    2023-05-15T02:15:07.5566667+00:00

    Hi @john john ,

    You also need to remove this user from all files and folders with the help of PnP PowerShell:

    #Config Variables
    $SiteURL = "https://Crescent.sharepoint.com/sites/Marketing"
    $ListName="Branding"
    $UserAccount = "i:0#.f|membership|steve@Crescent.com"
     
    Try {
        #Connect to PnP Online
        Connect-PnPOnline -Url $SiteURL -Interactive
         
        #Get the User
        $User = Get-PnPUser -Identity $UserAccount -ErrorAction Stop
     
        #Get all list items
        $ListItems =  Get-PnPListItem -List $ListName -PageSize 500 -Fields ID
        $ItemCount = $ListItems.Count
     
        #Iterate through each list item
        $Counter=1
        ForEach($ListItem in $ListItems)
        {
            #Display a progress bar
            Write-Progress -PercentComplete ($Counter / $ItemCount * 100) -Activity "Processing Items from List:" -Status "Checking Item '$($ListItem.FieldValues.FileRef)' ($Counter of $ItemCount)"
     
            #Check if the Item has unique permissions
            $HasUniquePermissions = Get-PnPProperty -ClientObject $ListItem -Property "HasUniqueRoleAssignments"
            If($HasUniquePermissions)
            {
                #Get Permissions Assigned to the Item
                $RoleAssignments = Get-PnPProperty -ClientObject $ListItem -Property RoleAssignments
      
                #Remove user from Item permissions - If Found!
                [Bool]$UserFound = $false
                ForEach($RoleAssignment in $RoleAssignments)
                {
                    $Member =  Get-PnPProperty -ClientObject $RoleAssignment -Property Member
                    If($Member.LoginName -eq $User.LoginName)
                    {
                        $UserFound = $True
                        $ListItem.RoleAssignments.GetByPrincipal($User).DeleteObject()
                        Invoke-PnPQuery
                    }
                }
                If($UserFound) { Write-host -f Green "Removed user from $($Listitem.FileSystemObjectType) at '$($ListItem.FieldValues.FileRef)' Permissions!" }
            }
            $Counter++
        }
    }
    Catch {
        write-host -f Red "Error Removing user from List Items:" $_.Exception.Message
    }
    
    
    

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
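    The script above removes one known user from one list. Before running a removal it helps to see exactly what the Azure AD deletion left behind. The following is an added example, not part of the original answer: a report-only PnP PowerShell audit that walks every document library in a site, finds items with unique permissions, and lists the ones where an external (guest) principal still holds a role assignment. It assumes the PnP.PowerShell module is installed, that redeemed guest logins contain "#ext#" in their claims login name, and that $SiteURL and the report path are placeholders to replace with your own values.

```powershell
# Added example (not part of the original answer): audit a whole site for
# external (guest) principals that still hold unique permissions on items,
# across every document library, and write the findings to a CSV for review.
# Assumes the PnP.PowerShell module is installed; $SiteURL and the output
# path are placeholders to replace with your own values.
$SiteURL   = "https://contoso.sharepoint.com/sites/Marketing"   # placeholder
$ReportCSV = ".\ExternalItemPermissions.csv"                     # placeholder

Try {
    Connect-PnPOnline -Url $SiteURL -Interactive

    # A redeemed guest invitation leaves a claims login name containing "#ext#"
    # in the site's user information list. That entry is a separate object from
    # the Azure AD guest, so deleting the guest does not remove it, which is why
    # the name still appears in the item's advanced permissions.
    $ExternalLogins = (Get-PnPUser | Where-Object { $_.LoginName -like "*#ext#*" }).LoginName
    If (-not $ExternalLogins) { Write-Host "No external principals found on $SiteURL"; Return }

    $Findings = @()
    # BaseTemplate 101 = document library; hidden system lists are skipped
    $Libraries = Get-PnPList | Where-Object { $_.BaseTemplate -eq 101 -and -not $_.Hidden }

    ForEach ($Library in $Libraries) {
        $Items = Get-PnPListItem -List $Library -PageSize 500 -Fields ID, FileRef
        ForEach ($Item in $Items) {
            # Only items that broke inheritance can carry their own assignments
            $HasUnique = Get-PnPProperty -ClientObject $Item -Property HasUniqueRoleAssignments
            If (-not $HasUnique) { Continue }

            $RoleAssignments = Get-PnPProperty -ClientObject $Item -Property RoleAssignments
            ForEach ($RA in $RoleAssignments) {
                $Member = Get-PnPProperty -ClientObject $RA -Property Member
                If ($ExternalLogins -contains $Member.LoginName) {
                    # Resolve the permission level(s) granted by this assignment
                    $Bindings = Get-PnPProperty -ClientObject $RA -Property RoleDefinitionBindings
                    $Findings += [PSCustomObject]@{
                        Library    = $Library.Title
                        Path       = $Item.FieldValues.FileRef
                        Principal  = $Member.LoginName
                        Permission = ($Bindings | ForEach-Object { $_.Name }) -join ", "
                    }
                }
            }
        }
    }

    $Findings | Format-Table -AutoSize
    $Findings | Export-Csv -Path $ReportCSV -NoTypeInformation
    Write-Host -f Green "$($Findings.Count) external item-level assignment(s) written to $ReportCSV"
}
Catch {
    Write-Host -f Red "Error auditing $SiteURL :" $_.Exception.Message
}
```

    The audit changes nothing; it only produces the list of library, path, principal and permission level that the removal script above should then be pointed at. Running it again after the removal is a quick way to confirm that no item-level assignment for the guest remains.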


  2. Haoyan Xue_MSFT 19,481 Reputation points Microsoft Vendor
    2023-05-22T02:31:02.2566667+00:00

    Hi @john john ,

    Perhaps you can use PowerShell to Bulk Remove SharePoint Online Users from a CSV File.

    Here are steps:
    Create a CSV file and fill it in according to your requirements, then Format as Table.

    UserID needs to be prefixed: i:0#.f|membership|

    User's image

    Use this PowerShell script:

    #Variables
    $CSVPath  ="C:\UsersToAdd.csv"
     
    #Get data from CSV
    $CSVData = Import-Csv $CSVPath
     
    #Iterate through each row in CSV
    ForEach($Row in $CSVData)
    {
        Try {
            #Connect to SharePoint Online Site
            Write-host "Connecting to Site: "$Row.SiteURL
            Connect-PnPOnline -Url $Row.SiteURL -Interactive
      
            #Remove user 
            Remove-PnPUser -Identity $Row.UserID -Force
            Write-host -f Green "`tRemoved User $($Row.UserID)"
        }
        Catch {
            write-host -f Red "Error Removing User:" $_.Exception.Message
        }
    }
    
    
    
    

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
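    The bulk-removal script above expects a CSV with SiteURL and UserID columns, and the UserID has to carry the claims prefix. The following is an added example, not part of the original answer: a PnP PowerShell script that builds that CSV by scanning each site's user list for the guest's entry, so the prefixed login name is taken from SharePoint itself rather than typed by hand. It assumes the PnP.PowerShell module is installed, that the guest's login name contains "#ext#", and that the site URLs, guest e-mail address and output path are placeholders to replace with your own values.

```powershell
# Added example (not part of the original answer): build the CSV consumed by
# the bulk-removal script, by locating the guest's SharePoint user entry on
# each site. Assumes PnP.PowerShell; the site URLs, guest e-mail and output
# path are placeholders to replace with your own values.
$SiteURLs   = @(
    "https://contoso.sharepoint.com/sites/Marketing",   # placeholder
    "https://contoso.sharepoint.com/sites/Finance"      # placeholder
)
$GuestEmail = "guest.user@gmail.com"                    # placeholder
$CSVPath    = "C:\UsersToRemove.csv"                    # placeholder

$Rows = @()
ForEach ($SiteURL in $SiteURLs) {
    Try {
        Connect-PnPOnline -Url $SiteURL -Interactive

        # Get-PnPUser returns LoginName already in claims form
        # ("i:0#.f|membership|..."), so no manual prefixing is needed.
        # A redeemed guest login looks like user_gmail.com#ext#@tenant.onmicrosoft.com,
        # so match on the stored e-mail or on the "@"->"_" rewritten address.
        $GuestPrincipals = Get-PnPUser | Where-Object {
            $_.LoginName -like "*#ext#*" -and (
                $_.Email -eq $GuestEmail -or
                $_.LoginName -like "*$($GuestEmail.Replace('@','_'))#ext#*"
            )
        }
        If (-not $GuestPrincipals) {
            Write-Host "No entry for $GuestEmail on $SiteURL"
            Continue
        }
        ForEach ($Principal in $GuestPrincipals) {
            $Rows += [PSCustomObject]@{ SiteURL = $SiteURL; UserID = $Principal.LoginName }
        }
    }
    Catch {
        Write-Host -f Red "Error scanning $SiteURL :" $_.Exception.Message
    }
}

$Rows | Format-Table -AutoSize
$Rows | Export-Csv -Path $CSVPath -NoTypeInformation
Write-Host -f Green "$($Rows.Count) row(s) written to $CSVPath"
```

    Review the table it prints before feeding the CSV to the removal script; a site where the guest was never added simply produces no row. Connect-PnPOnline -Interactive prompts once per site, the same as in the removal script.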