Default new SharePoint Online permissions / change default SharePoint Online for new sites

Nerdioman 0 Reputation points
2025-08-07T17:05:29.63+00:00

Hi

Guidance is needed regarding configuring and clarifying permission architecture in SharePoint Online when establishing new SharePoint sites.

I found out that we have approximately 50 recently created SharePoint sites, each with the "UsersAndGroups(SharePoint)" SharePoint Group set to "Everyone except external users." Following this observation, research was initiated into how to adjust the default permissions for new SharePoint sites created via Teams or SharePoint Online.

The main question is: Where can the default setting of "Everyone except external users" be changed to prevent its automatic assignment? It appears that breaking inheritance may be necessary in SharePoint Online.

Microsoft 365 and Office | SharePoint | For business | Windows

2 answers

  1. Killian-N 1,365 Reputation points Microsoft External Staff Moderator
    2025-08-07T17:56:02.73+00:00

    Hi @Nerdioman, Thank you for posting your question on Microsoft Q&A Community.

    Regarding your question, by default, new SharePoint Online sites (especially those created via Microsoft Teams or as Communication sites) often include the “Everyone except external users” group in the Members group. This grants edit permissions to all internal users in the tenant, which may not be desirable for all scenarios.

    You can disable the default inclusion of the “Everyone except external users” group across your tenant using PowerShell:

    Connect-SPOService -Url https://<YourTenant>-admin.sharepoint.com

    Set-SPOTenant -ShowEveryoneExceptExternalUsersClaim $False

    This command hides the group from SharePoint Online interfaces and prevents it from being automatically added to new sites. It does not remove the group from existing sites or affect current permissions already granted.

    Hope my information helps.

    If any part of the information I’ve provided doesn’t align with your expectations or doesn’t fully address your needs, please don’t hesitate to reach out again. I’ll be happy to assist further.

    Looking forward to hearing from you.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". 

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Killian-N 1,365 Reputation points Microsoft External Staff Moderator
    2025-08-11T16:59:07.7033333+00:00

    Hi @Nerdioman,

    Thank you for your response.

    Regarding your extra questions:

    Question 1: Drawbacks of disabling “Everyone except external users”

    Disabling the default inclusion of the “Everyone except external users” group using either Set-SPOTenant or Set-PnPTenant is generally safe and aligns with tighter permission governance. However, here are a few considerations:

    • Existing Sites Unaffected: This change only applies to newly created sites. Existing sites will retain the group unless manually removed.
    • User Expectations: Some users may expect broad access by default. Removing this group could lead to access issues if not communicated properly.
    • Automation Impact: If you have scripts or provisioning processes that rely on this group being present, they may need to be updated.

    Question 2: Hiding the group in the People Picker

    Using:

    Set-PnPTenant -ShowEveryoneExceptExternalUsersClaim $false

    will hide the group from the People Picker, which can help prevent accidental assignment of broad permissions. This is a good practice if your organization prefers explicit access control and wants to avoid unintended exposure.

    That said, if your team occasionally uses this group for broad internal collaboration, hiding it might reduce convenience. It’s a balance between security and usability.

    Let me know if you have any further concerns. I'm happy to help.


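Both answers note that the tenant setting leaves existing sites untouched, so the sites that already carry the group have to be found separately. The report-only audit below is an added example, not part of either answer or of Microsoft's documentation; it assumes the SharePoint Online Management Shell module, the placeholder admin URL from the first answer, and a hypothetical output file name `eeeu-audit.csv`.

```powershell
# Added example: report-only audit. Nothing is changed on any site.
param(
    # Assumption: placeholder admin URL, same form as in the first answer.
    [string]$AdminUrl = 'https://<YourTenant>-admin.sharepoint.com',
    # Assumption: hypothetical output path for the CSV report.
    [string]$OutFile  = '.\eeeu-audit.csv'
)

Connect-SPOService -Url $AdminUrl

# Current value of the tenant setting discussed in the thread.
$claimShown = (Get-SPOTenant).ShowEveryoneExceptExternalUsersClaim
Write-Host "ShowEveryoneExceptExternalUsersClaim = $claimShown"

# Login name of the "Everyone except external users" claim.
# The part after the slash is the tenant ID, so match it with a wildcard.
$eeeuPattern = 'c:0-.f|rolemanager|spo-grid-all-users/*'

$report = foreach ($site in Get-SPOSite -Limit All) {
    try {
        $hits = Get-SPOUser -Site $site.Url -Limit All -ErrorAction Stop |
            Where-Object { $_.LoginName -like $eeeuPattern }
        foreach ($hit in $hits) {
            [pscustomobject]@{
                Url      = $site.Url
                Template = $site.Template
                # Empty means the claim is known to the site but sits in no
                # SharePoint group; check the site for direct permissions.
                Groups   = ($hit.Groups -join '; ')
                Status   = 'Found'
            }
        }
    }
    catch {
        # Typically access denied where the admin account is not a site
        # collection administrator. Record it so the gap stays visible.
        [pscustomobject]@{
            Url      = $site.Url
            Template = $site.Template
            Groups   = ''
            Status   = "Not checked: $($_.Exception.Message)"
        }
    }
}

$report | Sort-Object Status, Url | Format-Table -AutoSize -Wrap
$report | Export-Csv -Path $OutFile -NoTypeInformation
```

Each `Found` row names the groups to review on that site; the membership can then be removed per site with `Remove-SPOUser -Site <url> -LoginName <claim> -Group <group>` once the site owner has confirmed that nobody depends on it.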
