Microsoft 365  

Is Your Organization Secure from Guest Users? Get to Know About How to Control Guest Access in Microsoft 365

Introduction

In today’s interconnected business landscape, collaboration with external partners, vendors, and clients is essential for driving productivity and innovation. Microsoft 365 facilitates this through its robust guest access features, enabling organizations to share resources, files, and workspaces with external users via platforms like Microsoft Teams, SharePoint, and OneDrive. However, while guest access enhances collaboration, it also introduces potential security risks, such as unauthorized access or data leaks, particularly when sensitive information is involved. To mitigate these risks, Microsoft 365 provides administrators with powerful tools to manage and secure guest access effectively. This article explores best practices and configuration steps to control guest access, ensuring your organization balances seamless collaboration with robust security to protect sensitive data and maintain compliance.

Guest Access settings in Microsoft Entra Admin Center

User settings

  • To secure the tenant from guest users, the recommended method is to set guest user access to Most Restrictive, which means guest users are restricted to the properties and memberships of their own directory objects.
  • Then we can adjust the settings in External Collaboration settings.
  • Here we have an option to select guest invite settings. To control guest access, configure it so that only users assigned to specific admin roles can invite guests. The Guest Inviter role can then be assigned to the users who need to invite guests to the tenant.
  • And if the organization works with only a few other organizations, you can configure the collaboration setting to allow invitations only to specified domains (Not Recommended).
    Screenshots: External collaboration settings; External user leave settings; Microsoft 365 admin center.
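The same two Entra settings (guest access level and who may invite guests) can be applied and verified with Microsoft Graph PowerShell. This is an added example, not code from the article; it assumes the Microsoft.Graph module and a signed-in admin who can consent to Policy.ReadWrite.Authorization.

```powershell
# Added example: set the tenant authorizationPolicy to "Most restrictive" guest
# access and admin-only guest invitations, then read it back to confirm.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"

# Well-known template IDs for the "Guest user access restrictions" setting:
#   a0b1b346-4d3e-4e8b-98f8-753987be4970  same access as members (least restrictive)
#   10dae51f-b6af-4016-8d66-8c2a99b929b3  limited access (default)
#   2af84b1e-32c8-42b7-82bc-daa82404023b  restricted to own directory objects (most restrictive)
$MostRestrictiveGuestRole = "2af84b1e-32c8-42b7-82bc-daa82404023b"

$policyUri = "https://graph.microsoft.com/v1.0/policies/authorizationPolicy"

$desired = @{
    guestUserRoleId  = $MostRestrictiveGuestRole
    # Only admins and holders of the Guest Inviter role may invite guests
    # (other values: none, adminsGuestInvitersAndAllMembers, everyone)
    allowInvitesFrom = "adminsAndGuestInviters"
}

# PATCH the singleton policy; the hashtable is serialized as JSON by the cmdlet
Invoke-MgGraphRequest -Method PATCH -Uri $policyUri -Body $desired

# Read back and verify, so a failed or partially applied change is noticed
$policy = Invoke-MgGraphRequest -Method GET -Uri $policyUri
$ok = ($policy.guestUserRoleId -eq $desired.guestUserRoleId) -and
      ($policy.allowInvitesFrom -eq $desired.allowInvitesFrom)

if ($ok) {
    Write-Host "Guest access settings verified: most restrictive, admin-only invites" -ForegroundColor Green
} else {
    Write-Warning ("Policy mismatch: guestUserRoleId={0} allowInvitesFrom={1}" -f
        $policy.guestUserRoleId, $policy.allowInvitesFrom)
}
```

Run the GET part alone as a periodic check; a drift away from these two values is a sign that someone has loosened guest access in the tenant.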

External/Guest Access in Microsoft Teams

When we configure the settings from the Entra admin center, they take precedence over the settings in all other admin centers.

However, users can still create Teams meetings with guest users, regardless of the Entra ID guest invitation settings. The act of scheduling a meeting in Teams is not affected by guest access restrictions. But the Teams Guest access settings shown below should be configured to On.

Screenshots: Teams Guest access and External access settings.

External/Guest Access in Microsoft SharePoint

When it comes to SharePoint, if the organization needs to enforce a strict sharing policy, you can restrict OneDrive sharing to external users, so that sharing is possible only inside the organization.

Meanwhile, you can set SharePoint sharing to existing guests only, since we configured the Entra policy so that only admins can invite guests.

So basically, if a user needs to share a document in SharePoint, the guest user must first be enrolled in the tenant by an admin. This gives the organization more security.

Screenshot: SharePoint Sharing settings.

You can also limit who can share documents externally to the members of a security group, and the Copy link option should be restricted as well.

Screenshot: SharePoint admin center.

Some large organizations, including banks, follow the steps below to control external sharing:

  • Configure guest invite settings so that only admins with the relevant roles can invite guests
  • Restrict sharing from OneDrive to external users
  • Configure SharePoint sharing access to internal users and existing guests
  • Restrict the Copy link and sharing options
  • Review all existing SharePoint sites and restrict external sharing in the settings of each site
  • Create a common site (e.g. Public Sharing) with a document library for each department, and assign access to one person per department so that only that user can share documents externally. If needed, that user can be assigned the Guest Inviter role too.

Note: If you create any Microsoft 365 group, make sure to restrict external sharing on the related SharePoint site.
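The SharePoint steps of this procedure (OneDrive restricted, SharePoint limited to existing guests, every site reviewed and locked down except the common Public Sharing site) can be scripted so the review is repeatable and leaves an audit trail. This is an added example, not code from the article; it assumes the SharePoint Online Management Shell, and the tenant name and site URL are placeholders.

```powershell
# Added example: apply the tenant-wide sharing baseline, then audit every site
# and disable external sharing on all sites except an explicit allow list.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder tenant

# Sites deliberately allowed to share externally (hypothetical "Public Sharing" site)
$AllowedExternalSites = @("https://contoso.sharepoint.com/sites/PublicSharing")

# Tenant baseline: SharePoint only to guests already in the directory, OneDrive
# internal only, and default sharing links that never create anonymous access.
# (The "Copy link" restriction from the article is a separate admin-center setting.)
Set-SPOTenant -SharingCapability ExistingExternalUserSharingOnly `
              -OneDriveSharingCapability Disabled `
              -DefaultSharingLinkType Internal

# Review every site (personal OneDrive sites are excluded by default)
$report = foreach ($site in Get-SPOSite -Limit All) {
    $allowed = $AllowedExternalSites -contains $site.Url
    $before  = [string]$site.SharingCapability
    $changed = (-not $allowed) -and ($before -ne "Disabled")

    if ($changed) {
        # Site-level setting can only be as open as the tenant; here we close it fully
        Set-SPOSite -Identity $site.Url -SharingCapability Disabled
    }

    [pscustomobject]@{
        Url     = $site.Url
        Before  = $before
        After   = if ($allowed) { $before } else { "Disabled" }
        Allowed = $allowed
        Changed = $changed
    }
}

# Show what was tightened and keep the full result as evidence of the review
$report | Where-Object Changed | Format-Table Url, Before, After -AutoSize
$report | Export-Csv -Path ".\SiteSharingAudit.csv" -NoTypeInformation
```

Any site that appears in the report with Allowed = $false and Before other than Disabled was open to external sharing before this run; re-running the script periodically catches sites that were created or reopened since the last review.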

Review existing Guest/External Users

You can check the number of guest users from the Identity Governance section in the Microsoft Entra admin center, or get the guest user list from PowerShell or the Microsoft 365 admin center.

To use more of the capabilities in Identity Governance, you'll need a Microsoft Entra Suite or Microsoft Entra ID Governance license.

Screenshot: Microsoft Entra ID Governance.

Here we can check the inactive guests by filtering a date range of up to 360 days and get a list.

Screenshots: Insights and reporting; Guest account summary; Edit inactive threshold.

Removing inactive guest users

If you don't have a Microsoft Entra Suite or Microsoft Entra ID Governance license

Review inactive guest users from the Identity Governance section and get a report by filtering for 30 days of inactivity.

If they need to be removed after checking/review:

Create a CSV file from the downloaded UPNs, with a single UserPrincipalName column.

CSV file format

UserPrincipalName

[email protected]
[email protected]

# Soft-deletes each guest listed in the CSV; deleted users stay recoverable for 30 days
Connect-MgGraph -Scopes "User.ReadWrite.All"

$csvPath = "C:\Path\To\Your\GuestList.csv"
$guestUsers = Import-Csv -Path $csvPath

foreach ($user in $guestUsers) {
    try {
        $userId = if ($user.UserPrincipalName) { 
            $user.UserPrincipalName 
        } else { 
            $user.Id 
        }

        $existingUser = Get-MgUser -UserId $userId -ErrorAction SilentlyContinue

        if ($existingUser) {
            Remove-MgUser -UserId $userId -ErrorAction Stop
            Write-Host "Successfully deleted user: $userId" -ForegroundColor Green
        } else {
            Write-Host "User not found: $userId" -ForegroundColor Yellow
        }

    } catch {
        Write-Host "Error deleting user $userId : $($_.Exception.Message)" -ForegroundColor Red
    }
}

If you need to permanently remove the users (soft-deleted users otherwise remain in the recycle bin for 30 days). Note that the recycle bin also contains deleted member accounts, so filter on UserType before purging.

$deletedUsers = Get-MgDirectoryDeletedItemAsUser -All -Property Id, UserPrincipalName, UserType

# Purge only guest accounts; deleted members stay recoverable
$deletedGuests = $deletedUsers | Where-Object { $_.UserType -eq 'Guest' }

foreach ($deletedUser in $deletedGuests) {
    try {
        Remove-MgDirectoryDeletedItem -DirectoryObjectId $deletedUser.Id -ErrorAction Stop
        Write-Host "Permanently deleted user: $($deletedUser.UserPrincipalName)" -ForegroundColor Green
    } catch {
        Write-Host "Error permanently deleting user $($deletedUser.UserPrincipalName): $($_.Exception.Message)" -ForegroundColor Red
    }
}

Or

You can remove inactive guest users directly with PowerShell without reviewing them first.

Connect to Microsoft Graph with the User.ReadWrite.All permission (needed to delete) and AuditLog.Read.All (needed to read sign-in activity). Filtering on signInActivity requires a Microsoft Entra ID P1 license, and guests who have never signed in have no lastSuccessfulSignInDateTime, so they are not matched by this filter.

# Requires the Microsoft.Graph.Beta.Users module
Connect-MgGraph -Scopes "User.ReadWrite.All", "AuditLog.Read.All"

# Cutoff in UTC, formatted as an OData datetime literal
$Date = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")

$Inactiveusers = Get-MgBetaUser -All -Filter "signInActivity/lastSuccessfulSignInDateTime le $Date" -Property Id, displayName, userPrincipalName, signInActivity, userType

$InactiveGuests = $Inactiveusers | Where-Object { $_.UserType -eq 'Guest' }

foreach ($Guest in $InactiveGuests) {
    try {
        Write-Host "Deleting user: $($Guest.userPrincipalName)" -ForegroundColor Yellow
        # -ErrorAction Stop so a failed delete reaches the catch block
        Remove-MgBetaUser -UserId $Guest.Id -ErrorAction Stop
        Write-Host "Successfully deleted user: $($Guest.userPrincipalName)" -ForegroundColor Green
    }
    catch {
        Write-Host "Failed to delete user: $($Guest.displayName) - Error: $($_.Exception.Message)" -ForegroundColor Red
    }
}

If you have a Microsoft Entra Suite or Microsoft Entra ID Governance license

You can create an Access Review from Identity Governance.

This can be set up to review the guest users in every team or group monthly, and also to send a reminder email to the guest users asking whether they still require access.

It can also remove inactive guest users automatically.

Please refer to the article: https://learn.microsoft.com/en-us/entra/identity/users/clean-up-stale-guest-accounts

Screenshots: Identity Governance; New access review.

Conclusion

Effectively managing guest access in Microsoft 365 is critical for organizations seeking to foster collaboration while safeguarding sensitive data. By leveraging built-in tools like Microsoft Entra ID, Conditional Access policies, and sensitivity labels, administrators can fine-tune permissions, enforce security protocols, and monitor external user activities. Implementing these controls ensures that guest users can contribute seamlessly without compromising the organization’s security posture. By staying proactive with regular audits, clear policies, and user training, businesses can confidently embrace external collaboration while maintaining compliance and protecting their digital assets in an increasingly connected world.