---
name: Everyone Except External Users (EEEU) Sweep
description: Find SharePoint sites and files shared with Everyone Except External Users, the top Microsoft 365 Copilot oversharing vector, and risk-rank them.
---
# Everyone Except External Users (EEEU) Sweep
> **TL;DR:** This skill inspects SharePoint Online for content shared with the broad "Everyone Except External Users" or "Everyone" claims, produces a risk-ranked list of affected sites and files, and shows where Microsoft 365 Copilot could surface oversharing.
## What does the EEEU sweep check in SharePoint Online?
This skill scans SharePoint Online and Microsoft Graph for permissions granted to the "Everyone Except External Users" (EEEU) and "Everyone" claims, which silently give every internal account access to content. Because Microsoft 365 Copilot honours existing permissions, these broad grants are the leading oversharing vector during a Copilot rollout. The sweep maps each grant back to its site, library and item so you can apply least-privilege remediation. It reads from Data Access Governance signals and Graph permission data without changing anything.
## When should you run this skill?
- "Find Everyone Except External Users links across our tenant"
- "Show me where EEEU gives broad access before we enable Copilot"
- "Which sites grant access to Everyone or all internal users?"
- "Audit our oversharing risk for Microsoft 365 Copilot readiness"
- "List files anyone in the organisation can open"
- "Where are the worst least-privilege violations in SharePoint?"
## How this skill works, step by step
1. Connect read-only to Microsoft Graph and SharePoint Online with delegated assessment scopes.
2. Enumerate sites in scope, prioritising those flagged in Data Access Governance reports.
3. Inspect site, library and item permissions for the EEEU and "Everyone" claims.
4. Resolve each claim to the principals it actually grants (all internal users, or all users).
5. Detect sensitivity labels and content type signals on affected items to gauge impact.
6. Score each finding by reach (number of users), content sensitivity and exposure breadth.
7. Aggregate findings per site and rank from highest to lowest residual risk.
8. Recommend a least-privilege remediation action for each finding.
9. Compile the risk-ranked output without writing any change to the tenant.
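
Steps 3, 4, 6 and 7 as an added example, not part of the skill file or of any Microsoft tooling: it matches the two claims by their well-known SharePoint login names, then scores, aggregates and ranks constructed grant records. The record shape, weights and thresholds are assumptions; the skill names the scoring factors but not their values.

```python
from collections import defaultdict

# Well-known SharePoint Online login names for the two broad claims.
EEEU_PREFIX = "c:0-.f|rolemanager|spo-grid-all-users/"  # tenant ID follows
EVERYONE = "c:0(.s|true"

# Assumed weights and thresholds; the skill lists the factors, not the values.
REACH = {"EEEU": 2, "Everyone": 3}             # Everyone is the wider claim (all users)
SENSITIVITY = {"General": 1, "Confidential": 3}
BREADTH = {"item": 1, "library": 2, "site": 3}

TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID
# Constructed grant records (hypothetical shape, not a Graph response).
SAMPLE = [
    {"site": "Finance Hub", "scope": "site", "label": "Confidential", "login_name": EEEU_PREFIX + TENANT},
    {"site": "Finance Hub", "scope": "item", "label": "Confidential", "login_name": EEEU_PREFIX + TENANT},
    {"site": "Project Atlas", "scope": "library", "label": "General", "login_name": EVERYONE},
    {"site": "Team Wiki", "scope": "item", "label": "General", "login_name": EEEU_PREFIX + TENANT},
    {"site": "HR Cases", "scope": "site", "label": "Confidential", "login_name": "i:0#.f|membership|alice@contoso.example"},
]

def classify(login_name):
    """Return 'EEEU', 'Everyone' or None for one principal's login name."""
    name = login_name.strip().lower()
    if name.startswith(EEEU_PREFIX):
        return "EEEU"
    return "Everyone" if name == EVERYONE else None

def sweep(grants):
    """Rank sites by their worst broad grant; the input is only read."""
    per_site = defaultdict(list)
    for g in grants:
        claim = classify(g["login_name"])
        if claim is None:
            continue  # named user or group, not a broad claim
        # Unlabelled or unknown labels score as 1 here (assumption).
        score = REACH[claim] * SENSITIVITY.get(g["label"], 1) * BREADTH[g["scope"]]
        per_site[g["site"]].append((score, claim))
    ranked = []
    for site, hits in per_site.items():
        score, claim = max(hits)
        risk = "High" if score >= 12 else "Medium" if score >= 6 else "Low"
        ranked.append({"site": site, "claim": claim, "risk": risk, "score": score, "grants": len(hits)})
    return sorted(ranked, key=lambda r: (-r["score"], r["site"]))

for row in sweep(SAMPLE):
    print(row)
```
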
## Output format
The skill returns a ranked table of EEEU and Everyone exposures, one row per affected site or item.

| Site | Claim | Sensitivity | Risk | Recommended action |
| --- | --- | --- | --- | --- |
| Finance Hub | EEEU | Confidential | High | Replace EEEU with named owners group |
| Project Atlas | Everyone | General | Medium | Scope to project members only |
| Team Wiki | EEEU | General | Low | Confirm intent; document exception |

Summary:
- Total sites reviewed: 142
- Sites with EEEU or Everyone grants: 37
- High risk: 9
- Medium risk: 14
- Low risk: 14
## Scope and safety
This skill is read-only by default and makes no changes to permissions, sharing settings or content.

This skill does NOT:
- Remove, modify or replace any EEEU, Everyone or other permission grant.
- Alter sharing policies, sensitivity labels or site configuration.
- Notify users or site owners of the findings.
- Access file content beyond the metadata needed to score risk.
## Licensing and permissions
### Licences and add-ons
| Capability used | Minimum licence |
| --- | --- |
| Read SharePoint and Graph permissions, sensitivity labels | Microsoft 365 E3 (E5 for richer sensitivity label signals) |
| Data Access Governance reports (EEEU and Everyone oversharing) | SharePoint Advanced Management (SAM), included with Microsoft 365 E5 or sold as an add-on |
### Least-privilege roles
- Global Reader (read-only tenant-wide visibility)
- SharePoint Administrator (read-only use; required to open Data Access Governance reports)
### Microsoft Graph permissions (read-only)
- `Sites.Read.All` — enumerate sites and read their permission grants
- `Files.Read.All` — read library and item permissions and metadata
- `Group.Read.All` — resolve group-based principals behind EEEU and Everyone claims
- `InformationProtectionPolicy.Read.All` — read sensitivity label definitions to gauge content impact

The Data Access Governance reports themselves are viewed in the SharePoint admin centre and are not exposed through Microsoft Graph; open them with a SharePoint Administrator or Global Reader role.
## Sources and compliance
- [Data access governance reports](https://learn.microsoft.com/en-us/sharepoint/data-access-governance-reports)
- [Build a secure and governed data foundation for Microsoft 365 Copilot](https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-secure-governed-data)
- Maps to Essential Eight: Restrict administrative privileges (least privilege over broad access grants).
- Aligns with ISM controls for access control and need-to-know data handling.
- Reference: [ASD Essential Eight Maturity Model](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model)
- Output in Australian English

## How to use this skill
1. Get the file. Download or copy the `SKILL.md` from the panel above.
2. Load it into your host:
   - Microsoft 365 Copilot / Copilot Studio — add it as the instructions of a declarative agent or Copilot Studio agent.
   - Claude (Cowork / Claude Code) — drop the file into your skills folder; it loads as an Agent Skill automatically.
   - Any chat host — paste the file contents as your prompt.
3. Grant read-only access. Assign the least-privilege roles and Microsoft Graph scopes listed under Licensing and permissions.
4. Provide your tenant scope and run it (a site, a collection, or the whole tenant).
5. Review the report and action the risk-ranked recommendations.

This skill is read-only by default — it inspects and reports, and never changes your tenant.