SharePoint: Find Hidden External Users
SharePoint Online
Mar 4, 2026 6:17 PM


by HubSite 365 about Denis Molodtsov [MVP]

Microsoft MVP | Microsoft 365 Architect

Microsoft expert on SharePoint ad hoc OTP users, Entra B2B disruption, OneDrive sharing, PowerShell detection

Key insights

  • What ad hoc users are: SharePoint creates Ad hoc users when someone shares a file or folder with a one-time link.
    They sign in with a One-time passcode and exist only inside SharePoint or OneDrive, not always in Entra ID.
  • Guest users vs ad hoc users: Sharing a whole site creates a Guest user that appears in Entra ID.
    Sharing a single file or folder creates an Ad hoc user that often stays invisible to Entra ID and tenant user lists.
  • Security risks: Ad hoc users can still view file history, activity details, and shared email addresses from the details pane, which can expose sensitive information.
    Hidden permissions and group inheritance make it hard for admins to see everyone who has access.
  • Entra B2B integration impact: Turning on Entra B2B integration converts sharing to Entra-managed guests and breaks existing OTP links.
    Site owners must re-share affected links after integration, so plan and notify owners before you enable it.
  • How to find ad hoc users: Use site > Settings > Manage Access and check direct shares; open /_layouts/15/people.aspx?MembershipGroupId=0 on the site to list external entries.
    For tenant-wide checks use the SharePoint admin center, audit logs in the compliance portal, or run PowerShell commands that enumerate external users per site.
  • Mitigation and remediation: Audit external sharing regularly and inform owners before enabling Entra B2B integration so they can re-share links.
    Revoke or regenerate links for unwanted access, remove external users from sites, and use audit logs or tools to track hidden permissions.

Today’s briefing covers a YouTube video from Denis Molodtsov [MVP] that examines a little-known aspect of Microsoft SharePoint and OneDrive sharing. In the video, Molodtsov explains how certain external accounts are created during ad hoc sharing and why many administrators overlook them. Consequently, this summary highlights the mechanics, risks, and practical steps for discovery and remediation. The goal is to present the issue clearly for IT teams planning changes or audits.


Video overview and context

Denis Molodtsov frames the problem around everyday sharing behaviors and recent platform integrations that change how guests appear. Specifically, he contrasts explicit guest invitations with transient external access created by one-time codes, noting real-world surprises for administrators. Furthermore, the video timestamps walk viewers through comparison, integration impacts, mitigation, and how to locate these accounts. Overall, the presentation stresses that the behavior can affect access, auditing, and ongoing collaboration.


Importantly, Molodtsov positions the discussion in the context of Microsoft’s broader identity model and SharePoint’s sharing features. For that reason, he highlights how the integration between SharePoint/OneDrive and Entra B2B modifies existing sharing mechanics. Consequently, IT teams must consider both the technical and human elements when they change tenant settings. The video aims to give actionable steps rather than only theory.


How ad hoc external users work

Molodtsov explains that when someone shares a file or folder by link, SharePoint may create what he calls an ad hoc user that does not show in the tenant directory. These accounts authenticate using a one-time passcode, often labeled as OTP, and they live in SharePoint rather than appearing as full guest records in Entra ID. As a result, their existence can escape routine Entra or Microsoft 365 user listings, which creates visibility gaps for administrators. This behavior contrasts with site-level sharing that generally creates a proper guest entry in the directory.


Moreover, these ad hoc users retain access until the link is revoked or the share is otherwise removed, so their access can persist unexpectedly. Thus, the convenience of a quick share trades off against ongoing access that may become hard to audit. Molodtsov shows that file details and the information pane can expose more context to these external viewers than owners expect. Therefore, organizations should treat ad hoc sharing as a policy and control problem, not only a configuration issue.


Security risks and real-world examples

The video outlines several practical risks that stem from hidden external users, including exposure of file history and recipient emails when a viewer opens the details pane. For example, contractors with read access can see collaborators, which may reveal competing contractors or sensitive relationships. Consequently, sensitive projects may unintentionally disclose partner lists or activity timelines, creating confidentiality concerns. Molodtsov warns that these exposures are subtle but real and often overlooked during routine audits.


Additionally, Molodtsov shows that SharePoint’s permission UI can hide group membership and direct shares in ways that complicate remediation. This opacity means admins must use deeper tools to enumerate users and permissions, since the native interface gives a partial view. Therefore, security teams should combine audit logs, site-level checks, and scripted scans to build a complete picture. In short, relying on a single admin console risks missing critical external access points.


Entra B2B integration: benefits and disruption

Molodtsov then discusses the effect of enabling Entra B2B integration for SharePoint and OneDrive. On the one hand, the integration centralizes external identities and improves lifecycle management and governance. On the other hand, he explains that enabling the integration can break existing one-time passcode links, which forces content owners to re-share protected links. Consequently, administrators face a tradeoff between improved long-term control and short-term disruption to operations.


Therefore, Molodtsov recommends planning a staged rollout and communication campaign before enabling the integration. For instance, teams should identify likely impacted shares, warn data owners, and prepare to reissue links where necessary. By weighing these costs against compliance gains, organizations can avoid surprises and maintain user trust. Ultimately, the decision to enable integration should include both technical checks and operational readiness.


Finding and managing ad hoc users

Finally, the video walks through practical methods to discover ad hoc users, including site-level “Manage Access” pages and targeted queries such as the people.aspx membership view. Molodtsov also demonstrates PowerShell commands that enumerate external users per site and shows how audit logs can surface sharing events. In addition, he notes that third-party permission tools can speed inventory and reveal anonymous or hidden links that native tools miss.
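
The split between ad hoc and guest entries described above can be scripted. The following is an added PowerShell example, not code from the video or from Microsoft, that classifies site user login names over constructed sample rows. The claim patterns (`urn:spo:guest` for OTP users, `#ext#` for Entra guests), the tenant URL and the addresses are assumptions, not details given in the video.

```powershell
# Added example. Assumption: the claim formats matched below are commonly
# observed SharePoint Online login names, not values shown in the video.
function Get-ExternalUserKind {
    param([Parameter(Mandatory)][string]$LoginName)
    # Login names may be URL-encoded (urn%3aspo%3aguest), so decode first.
    $decoded = [uri]::UnescapeDataString($LoginName).ToLowerInvariant()
    if ($decoded -like '*urn:spo:guest#*') { return 'AdHocOtp' }    # OTP user, SharePoint-only
    if ($decoded -like '*#ext#*')          { return 'EntraGuest' }  # guest present in Entra ID
    return 'Internal'
}

function Get-ExternalUserReport {
    param([Parameter(Mandatory)][object[]]$Users)
    # Keep only external entries and label each with its kind.
    $Users | ForEach-Object {
        [pscustomobject]@{
            Site      = $_.Site
            Kind      = Get-ExternalUserKind -LoginName $_.LoginName
            LoginName = $_.LoginName
        }
    } | Where-Object { $_.Kind -ne 'Internal' }
}

# Constructed sample rows (hypothetical tenant and addresses).
$sampleUsers = @(
    [pscustomobject]@{ Site = 'https://contoso.sharepoint.com/sites/bids'
                       LoginName = 'i:0#.f|membership|urn%3aspo%3aguest#vendor@fabrikam.example' }
    [pscustomobject]@{ Site = 'https://contoso.sharepoint.com/sites/bids'
                       LoginName = 'i:0#.f|membership|partner_adatum.example#ext#@contoso.onmicrosoft.com' }
    [pscustomobject]@{ Site = 'https://contoso.sharepoint.com/sites/hr'
                       LoginName = 'i:0#.f|membership|alice@contoso.example' }
)

# Live input (after Connect-SPOService) could be built the same shape with:
#   Get-SPOSite -Limit All | ForEach-Object { $u = $_.Url
#     Get-SPOUser -Site $u -Limit All | Select-Object @{n='Site';e={$u}}, LoginName }

Get-ExternalUserReport -Users $sampleUsers |
    Sort-Object Site, Kind |
    Format-Table -AutoSize
```

Rows reported as `AdHocOtp` are the entries an Entra ID user listing would not show, so they are the ones to review with site owners before enabling the integration.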


For mitigation, the presenter advises clear policies, restricted sharing defaults, and an audit-first approach before broad configuration changes. Moreover, he recommends that tenant administrators communicate with site owners about expected changes when enabling Entra integration and plan link re-sharing windows. To conclude, the video provides a balanced view: while the platform offers improved identity governance, administrators must manage the transitional disruption and invest in discovery tools to maintain security and usability.

