In this post I point out what you can do to secure Microsoft 365 guest access, i.e. guest identities, for a secured collaboration experience. Guests in Microsoft 365 are external persons or identities which you can enable to access defined Microsoft 365 resources, e.g. to work together in a project by using a Microsoft Teams team. This is very beneficial for in-depth collaboration in project teams which include several external stakeholders from other companies such as external project managers, subject matter experts, suppliers or others. By enabling guest access for specific scenarios and workloads you can easily work together across companies, if required. So, your employees do not need to find another way or a (#ShadowIT) workaround which does not align with your company’s compliance.
I often have discussions regarding collaboration security on external (guest) access. So, what is the answer to convince everyone of guest access? Well, let me put it that way: there is never a “one size fits all” answer, definitely not. Company A is not the same as company B. There might be similar processes, requirements, collaboration strategy goals or else, but it is still different, of course. The people, the services, the products, the vertical etc. are different. To keep it short, B2B collaboration with guest access is an excellent feature but usually requires a different implementation approach depending on the company. Sometimes a basic implementation is sufficient, sometimes you need to establish a new organizational process of varying complexity including B2B collaboration governance and so on.
Please note that this is just one of many measures to secure your communication and collaboration in Microsoft 365. It is only a single part of a more holistic and required security architecture concept. Moreover, the description, configuration etc. below might change at any time and is just an example, a demo piece.
Limitations for guests
Guests are a “special” member type in Azure AD and Microsoft 365. So, there are some limitations by design for guests you should know of. For more please read What are the default user permissions in Azure Active Directory? and Guest access in Microsoft Teams [links at the bottom].
- Per licensed user you can add up to five guests (1:5 ratio; this is the licensing guidance at the time of writing, check the current B2B collaboration licensing guidance linked at the bottom)
- Guest user permissions in Azure AD are limited by default*
  - cannot browse other tenant information (users, groups, directory settings)
  - but can view and edit their own profile
  - but can read basic properties of another user (e.g. display name, email) when they look that user up by UPN or object ID
- Guest user permissions in Office 365 groups are limited
- Guest user permissions in Teams are limited
  - no OneDrive for Business
  - no people search outside of Teams
  - no calendar
  - no meeting scheduling
  - no PSTN/telephony
  - no org chart
  - no team creation or modification
  - no browsing of other teams
  - no file sharing in one-to-one (P2P) chats
*unless you assign an admin role to a guest. So be cautious. Don’t. A guest with a directory role keeps the same authentication and risk profile as an external identity but gains tenant-wide rights.
What can you do to secure your Microsoft 365 guest identities?
Microsoft added a very good article to the documentation, Create a secure guest sharing environment [link at the bottom], which describes the key elements you must take into account for your B2B collaboration and guest access configuration.
- enforce multi-factor authentication for guests (Conditional Access)
- provide terms of use which guests must agree to before they get access
- regularly review whether guests’ permissions are still needed (Azure AD access reviews)
- restrict guests to web-only / browser-only access
- set a session timeout (sign-in frequency) so that guests must re-authenticate regularly, e.g. daily
- classify content by using sensitivity labels
- automatically classify content containing defined sensitive information types as Highly Confidential
- automatically remove guest access from files labeled Highly Confidential (e.g. via a DLP policy)
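The first five points above (MFA, browser-only access and a daily sign-in frequency) are Conditional Access settings, so here is what they look like as policies created with the Microsoft Graph PowerShell SDK. This is an added example and not code from the original post or from Microsoft’s article; the policy display names are placeholders of my choosing, and it assumes the Microsoft.Graph module is installed and you sign in with Conditional Access Administrator rights. Both policies are created in report-only mode so you can check the sign-in logs before enforcing them.

```powershell
# Added example (not from the original post or Microsoft's docs): two Conditional Access
# policies for guests, created with the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph module installed, Conditional Access Administrator rights,
# display names below are placeholders. State is report-only; switch to 'enabled' after review.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All'

# Policy 1: guests must pass MFA and re-authenticate every day, in every application.
$mfaPolicy = @{
    displayName = 'CA-Guests-MFA-DailySignIn'                 # placeholder name
    state       = 'enabledForReportingButNotEnforced'         # report-only first
    conditions  = @{
        users          = @{ includeUsers = @('GuestsOrExternalUsers') }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
    sessionControls = @{
        signInFrequency   = @{ value = 1; type = 'days'; isEnabled = $true }
        persistentBrowser = @{ mode = 'never'; isEnabled = $true }   # no "stay signed in"
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaPolicy

# Policy 2: block every client except the browser, which gives guests web-only access.
# Pair this with the SharePoint/OneDrive "Limit access to unmanaged devices" setting
# ("Allow limited, web-only access") so files cannot be downloaded from unmanaged devices.
$browserOnlyPolicy = @{
    displayName = 'CA-Guests-BlockNonBrowserClients'          # placeholder name
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('GuestsOrExternalUsers') }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('mobileAppsAndDesktopClients','exchangeActiveSync','other')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $browserOnlyPolicy

# Check what was created and its state before you flip it to 'enabled'.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.DisplayName -like 'CA-Guests-*' } |
    Select-Object DisplayName, State, Id
```

Blocking the “other” client app type also cuts off legacy authentication protocols for guests, which is what you want. Terms of use and access reviews are configured separately (Azure AD Terms of use and Azure AD Identity Governance) and are not part of this snippet.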
Conclusion, opinion and summary
Guest access can be vital for your company and employees to easily work together with external stakeholders. If it is required, it must be secured.
To provide guest access, I think it is a good idea to establish an organizational process in which internal employees must request guest access for an external person via an approval process. The latter could be accomplished by using Power Automate with Forms or Power Apps. Onboarding or adding a new guest should be based on the approach which Microsoft provides in Create a secure guest sharing environment [link at the bottom]. To complete the guest user life cycle, the identity should be audited and monitored regarding permission needs and activities, so that either certain permissions can be removed or the guest account gets disabled or even deleted depending on usage, activity, last logon or other criteria.
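The last step of that life cycle, disabling guests that no longer sign in, is easy to automate. The following script is an added example, not code from the original post: it lists every guest with their last sign-in time, flags the ones that are stale (including invitations that were never redeemed), and disables them only when run with -Disable. It assumes the Microsoft.Graph module, an Azure AD Premium P1/P2 licence in the tenant (signInActivity requires it) and the AuditLog.Read.All permission; the 90-day threshold is my choice, not a Microsoft recommendation.

```powershell
# Added example (not from the original post): report stale guest accounts and optionally
# disable them as part of the guest life cycle.
# Assumptions: Microsoft.Graph module installed; signInActivity needs AuditLog.Read.All and
# an Azure AD Premium licence. $StaleAfterDays = 90 is a chosen threshold, not a Microsoft value.
param(
    [int]$StaleAfterDays = 90,
    [switch]$Disable        # without -Disable the script only reports
)

Connect-MgGraph -Scopes 'User.ReadWrite.All','AuditLog.Read.All'

$cutoff = (Get-Date).AddDays(-$StaleAfterDays)

# Pull every guest together with last sign-in, creation date and invitation state.
$guests = Get-MgUser -All -Filter "userType eq 'Guest'" `
    -Property Id,DisplayName,UserPrincipalName,AccountEnabled,CreatedDateTime,ExternalUserState,SignInActivity

$report = foreach ($g in $guests) {
    $lastSignIn = $g.SignInActivity.LastSignInDateTime
    # A never-redeemed invitation has no sign-in at all; fall back to the creation date so
    # that an old pending invite is flagged as well instead of living on forever.
    $reference = if ($lastSignIn) { $lastSignIn } else { $g.CreatedDateTime }
    [pscustomobject]@{
        DisplayName = $g.DisplayName
        Upn         = $g.UserPrincipalName
        Enabled     = $g.AccountEnabled
        InviteState = $g.ExternalUserState      # 'PendingAcceptance' or 'Accepted'
        LastSignIn  = $lastSignIn
        Stale       = [bool]($g.AccountEnabled -and $reference -lt $cutoff)
        Id          = $g.Id
    }
}

$report | Sort-Object LastSignIn |
    Format-Table DisplayName, Upn, Enabled, InviteState, LastSignIn, Stale

foreach ($stale in ($report | Where-Object Stale)) {
    if ($Disable) {
        # Disable first; delete only after a further review period (e.g. an access review),
        # because a disabled guest can be re-enabled, a deleted one has to be re-invited.
        Update-MgUser -UserId $stale.Id -AccountEnabled:$false
        Write-Host "Disabled stale guest $($stale.Upn)"
    } else {
        Write-Host "Would disable stale guest $($stale.Upn) (run with -Disable to apply)"
    }
}
```

Run it first without -Disable and keep the output as the audit record; once you are comfortable with the threshold, schedule it (e.g. Azure Automation) and pair it with Azure AD access reviews for the cases where the account is active but the permissions are no longer needed.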
- Create a secure guest sharing environment
- Enable B2B external collaboration and manage who can invite guests
- Add Azure Active Directory B2B collaboration users in the Azure portal
- Auditing and reporting a B2B collaboration user
- Manage guest access with Azure AD access reviews
- Microsoft 365 guest sharing settings reference
- Microsoft Teams guest access checklist
- What are the default user permissions in Azure Active Directory?
- Azure Active Directory B2B collaboration licensing guidance
- Guest access in Microsoft Teams
- What the guest experience is like
- How to secure Microsoft Teams? Some thoughts.
- Safe attachments and links to protect your Office 365 collaboration