How To Clean Up The User Permission From SPO Site

Introduction

 
When you want to remove a user completely from your site, you may think that removing the user from the current site's permission groups is enough. However, the user's entry is still kept in a hidden list called the User Information List (UIL).
 
The only way to clean up a user's permissions completely from the site collection is to go to the User Information List and remove the user there. The following are some of the cases where you might need to remove users from the User Information List:
  • User properties such as last name change
  • User location changes
  • User division changes
  • The latest properties from the AD are not reflected in Office 365
Once you clean up the user and add the user back to Office 365 (in my case, SPO sites), all the latest user properties should be reflected. Unfortunately, profile sync does not work well with UIL properties; the only way as of today is to clean the user up from the UIL and add them back, either by using the ensure SPO user command or by using Site permissions.
 
Here is the path the profile sync takes:
  • The local AD properties sync to Azure AD
  • From Azure AD, the O365 sites pick them up.
One thing to note: whenever content is added to SharePoint sites, the user properties shown in Created By and Modified By are picked up from the User Information List, not from Azure AD.
 

User Information List

 
Whenever a user is added to the site as a member, visitor or owner, and the user then tries to access the site, an entry for that user is created in a hidden SharePoint list called the ‘User Information List’. Getting to the UIL requires your account to have Site Collection Admin rights. From the User Information List of the site collection, you can find the user and remove the user's permissions. You can reach the User Information List by navigating to any SharePoint group within the site collection and replacing the group ID in the URL with zero. For instance, here I am going to Members, and the URL to the group is
/sites/SITENAME/_Layouts/15/people.aspx?MembershipGroupID=42
 
In the URL, replace the group ID with 0 and hit Enter; it should take you to All People and Groups.
 
/sites/SITENAME/_Layouts/15/people.aspx?MembershipGroupID=0
 
The caveat here is that it is hard to find users by going page by page, and if there are more than 20,000 users the filter option will not work.
 

Cleaning Up Users

 
PowerShell makes it easy to find users no matter how large the UIL is, and it also cleans up the permissions quickly. Below are the 4 lines of command to run in sequence. Please note that the account also requires SharePoint admin or tenant admin rights to connect to the admin tenant first. Your account needs Site Collection Admin access to perform the user cleanup.
 
Step 1
 
Connect to PnP Online at the SharePoint admin URL using SharePoint admin or global admin credentials.
 
Connect-PnPOnline -Url https://company-admin.sharepoint.com -UseWebLogin
 
Step 2
 
Connect to PnP Online at the SPO site where the user needs to be cleaned up, using site collection admin permissions.
 
$siteUrl = 'https://company.sharepoint.com/sites/sitename'
Connect-PnPOnline -Url $siteUrl -UseWebLogin
 
Step 3
 
Run the Remove-PnPUser command, filtering by the user’s UPN.
 
Get-PnPUser | ? Email -eq "UserUPN" | Remove-PnPUser
 
Please note that the user UPN is in the form of an email ID. In most cases, it is the email ID.
 
 
Complete Script
 
$siteUrl = 'https://company.sharepoint.com/sites/sitename'
Connect-PnPOnline -Url https://company-admin.sharepoint.com -UseWebLogin
Connect-PnPOnline -Url $siteUrl -UseWebLogin
Get-PnPUser | ? Email -eq "UserUPN" | Remove-PnPUser
Note
  • Replace the value of the $siteUrl variable with the correct site name
  • Substitute the correct tenant admin URL
  • Substitute the correct user UPN
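
A guarded version of the same cleanup, as an added example that is not part of the original article: it confirms that exactly one UIL entry matches the UPN, records the entry and its group memberships, and only removes and re-adds the user when asked. The function name Reset-UilUser, its parameters and the sample values are assumptions; New-PnPUser is used here as the PnP cmdlet that ensures the user again, and group memberships are not restored automatically.

```powershell
# Added example: hypothetical helper, not part of the original article.
function Reset-UilUser {
    param(
        [Parameter(Mandatory)] [string] $SiteUrl,   # site collection to clean
        [Parameter(Mandatory)] [string] $UserUpn,   # UPN of the user to reset
        [switch] $Apply                             # without it, report only
    )

    Connect-PnPOnline -Url $SiteUrl -UseWebLogin

    # Email can be empty in the UIL, so also match the claims login name,
    # which ends with the UPN (for example i:0#.f|membership|user@company.com).
    $found = @(Get-PnPUser | Where-Object {
        $_.Email -eq $UserUpn -or $_.LoginName -like "*|$UserUpn"
    })

    # Refuse to act on zero or ambiguous matches instead of piping blindly.
    if ($found.Count -ne 1) {
        throw "Expected exactly one UIL entry for $UserUpn, found $($found.Count)."
    }
    $user = $found[0]

    # Guard chosen for this example: never drop a site collection admin silently.
    if ($user.IsSiteAdmin) {
        throw "$UserUpn is a site collection admin; remove that role deliberately first."
    }

    # Record what is about to be lost so access can be granted again afterwards.
    # Assumes Get-PnPUser has loaded the Groups collection of the user object.
    $record = [pscustomobject]@{
        Id        = $user.Id
        LoginName = $user.LoginName
        Email     = $user.Email
        Title     = $user.Title
        Groups    = @($user.Groups | ForEach-Object { $_.Title })
    }
    if (-not $Apply) { return $record }

    Remove-PnPUser -Identity $user.Id -Force
    # Ensure the user again so a fresh UIL entry is created.
    $null = New-PnPUser -LoginName $UserUpn
    return $record
}

# Dry run with placeholder values; add -Apply to remove and re-add the user.
# Reset-UilUser -SiteUrl 'https://company.sharepoint.com/sites/sitename' -UserUpn 'user@company.com'
```

Keep the returned record: removing the UIL entry drops the user from every group in the site collection, so the listed groups are what has to be granted again.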
In this article, we have seen what the UIL is and how it interacts with SharePoint Online and Office 365.
 