What is Everyone Except External Users (EEEU)?
Also known as
Definition
EEEU is a built-in SharePoint security group that includes every internal user in your organization, except guests. When it's added to a site, list, library, or file, anyone inside your organization can access that content. No one has to be specifically invited. Anyone who searches for it or gets a link can open it.
It's automatically added to Microsoft 365 groups when a site or team is set to public. It can also be applied manually to individual items. The problem isn't that EEEU exists. The problem is that it gets applied without site owners realizing how broadly it opens things up. A site that feels like a team site can be accessible to thousands of people, and the owner has no idea.
To learn more about EEEU, refer to Microsoft’s official documentation on monitoring EEEU sharing with the EEEU activity report.
tip
Microsoft recommends disabling EEEU at the tenant level before rolling out Copilot. identifying and reviewing EEEU access before enabling Copilot. That's because Copilot surfaces content based on what users can access. If EEEU is applied to a site, every internal user can reach that content through Copilot, whether they should or not.
Why it matters
EEEU is useful. It's how you make content available to your whole organization without managing individual access.
- Governance & security: Sensitive content with EEEU applied is reachable by every employee, including people with no business need to see it.
- AI readiness: Copilot surfaces whatever users can access. EEEU on a sensitive site means the whole organization can reach that content through AI responses.
Commonly confused with: External sharing
External sharing gives access to people outside your organization. EEEU does the opposite: it explicitly excludes external users. But it grants access just as broadly within your organization. Blocking external sharing while leaving EEEU in place still leaves content open to internal users.
What we see out there
EEEU blocking Copilot rollouts.
Organizations with EEEU applied broadly across SharePoint find they can't safely roll out Copilot. Content that was always technically accessible to everyone suddenly becomes discoverable through AI responses. Fixing the access problem becomes a prerequisite to the rollout.
Site owners don't know it's there.
EEEU gets added automatically when a team or group is set to public. Most site owners don't realize their site is open to the whole organization until someone raises a concern or an audit surfaces it.
It carries over in migrations.
Broad internal access set up in the source environment moves to the target. Teams that don't review EEEU before a migration end up with the same oversharing problem in the new tenant, often with no clear record of why it was there in the first place.
Frequently asked questions
Is EEEU the same as external sharing?
No. EEEU gives access to all internal users and specifically excludes external guests. External sharing gives access to people outside your organization. They're separate controls. A site can have EEEU access without any external sharing, and that still means every employee in your organization can reach it.
Should EEEU be removed?
Not always. EEEU makes sense for genuinely public content: a company intranet, a shared resource hub, a news site. The question is whether it belongs on the site it's on. If the answer is yes, keep it. If the site contains anything sensitive, confidential, or meant for a specific team, EEEU should be replaced with a more specific group.
How do I find where EEEU access exists?
Microsoft's SharePoint admin center includes EEEU reports under Data access governance (requires SharePoint Advanced Management). These show which sites have EEEU in their membership and which items have been shared with EEEU in the last 28 days. ShareGate Protect's Workspaces with EEEU access report gives you the same visibility across your tenant, with EEEU permission levels (Read, Edit, Full Control) for each workspace.
How does EEEU affect Copilot?
Copilot surfaces content based on what users can access. If a site or file has EEEU access, every internal user can reach it through Copilot, including through search and AI-generated responses. Microsoft's own Copilot setup guidance recommends disabling EEEU at the tenant level as a step to take before rolling out Copilot, specifically to reduce the risk of broad internal content surfacing unexpectedly.
