Lepide Blog: A Guide to IT Security, Compliance and IT Operations

Microsoft 365 Guest Users and External Access

Organizations increasingly need to collaborate and communicate with people outside their internal teams. These can be independent contractors, remote workers, vendors, clients, consultants, etc. The pandemic accelerated collaboration and automation trends in the modern workplace.

One of the best platforms to facilitate communication and collaboration is Microsoft 365 and its family of applications. Its guest user and external access features make it easy for the internal team to connect with people outside the organization and work on projects with them.

By creating guest users or granting external access, someone from outside the organization can participate in meetings, view and share files, access group notebooks, etc.

But just like with many technologies, Microsoft 365 guest users and external access create a security risk that CISOs should be aware of.

In this comprehensive guide, we take you through the process of setting up guest users and external access in Microsoft 365 and how to mitigate some of the security risks that may arise while doing so.

Microsoft 365 Guest Users

The main reason to set up someone as a guest user is to grant them access to files that you hold in the 365 cloud for collaboration. Guest users can also attend Teams meetings and are supported in Azure Active Directory, SharePoint Online, and Microsoft Teams.

The right to add guest users is reserved for group owners. Using an email address that the guest user provides, they can grant access to the group’s files, notebook, conversations, and calendar invitations by adding them to a channel’s membership list.

Anybody with an email address can be granted guest access. (It doesn’t matter whether the address is a student, personal, or business one.)

Before a guest’s email address can be added, guest access must first be enabled at the tenant or organizational domain level.

Another way a guest user can be added to a Microsoft 365 group is through nomination by a current group member, and the group owner then proceeds to approve or decline the request.

Once granted access, the guest will receive a welcome email and join the group. If they need to exit the group at any point, there is a link in the footer on all group emails that allows them to leave.

The interaction of the guest user and the group will be through email since they don’t have access to the group site. They can receive calendar invitations, links to files, and any attachments and conversations through email. They engage the group by replying to the email.

Guest Users Privileges and Restrictions

Guest users are limited to what the group owner has given them access to. But generally, they can view and edit files, receive calendar links, attend meetings, and access Notebook. They can start and reply to conversations and also delete conversations.

On the other hand, 365 guest users cannot add or remove group members or manage meetings.

Microsoft 365 External Access

External access is very different from guest access in that it gives permissions to an entire domain. It allows Microsoft Teams users from other domains to collaborate with users in your domain.

It is defined as “a way for Teams users from an entire external domain to find, call, chat, and set up meetings with you in Teams.” It is an important tool when organizations want to collaborate with other organizations.

Guest access grants access to an individual, while external access grants access to another team. You can use both options if need be.

External access should not be confused with External sharing, which is the ability of site owners to make content available to people outside the organization by sharing access links to files and folders.

Setting up External Access

External Access is straightforward to set up. It has three settings to choose from:

Open federation

This is the default setting in Teams. It allows users to find, call, chat and set up meetings with people from other domains external to the organization.

Allow specific domains

This option applies when an organization collaborates with just one or two other organizations. Only those specific domains are then granted external access. (This option is great from a security point of view.)

Block specific domains

This setting excludes the domains you specify from external access.
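The three settings correspond to parameters of the Teams PowerShell cmdlet Set-CsTenantFederationConfiguration. The script below is an added example, not part of the original article: the helper name Set-ExternalAccessMode and the .example domains are assumptions, and it needs the MicrosoftTeams module and a Teams administrator sign-in.

```powershell
# Added example. Set-ExternalAccessMode is a hypothetical helper name;
# the cmdlets it calls come from the MicrosoftTeams PowerShell module.
function Set-ExternalAccessMode {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Open', 'AllowList', 'BlockList')] [string] $Mode,
        [string[]] $Domains = @()
    )
    if ($Mode -ne 'Open' -and -not $Domains) {
        throw "$Mode mode needs at least one domain."
    }
    switch ($Mode) {
        'Open' {        # Open federation: every external domain, nothing blocked
            Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
                -AllowedDomains (New-CsEdgeAllowAllKnownDomains) -BlockedDomains $null
        }
        'AllowList' {   # Allow specific domains: only the listed partners
            $list = New-Object 'System.Collections.Generic.List[string]'
            $Domains | ForEach-Object { $list.Add($_.ToLower()) }
            Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
                -AllowedDomainsAsAList $list
        }
        'BlockList' {   # Block specific domains: everyone except the listed ones
            $patterns = $Domains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
            Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
                -AllowedDomains (New-CsEdgeAllowAllKnownDomains) `
                -BlockedDomains @{ Replace = $patterns }
        }
    }
    # Show the resulting state so the change can be recorded and reviewed.
    Get-CsTenantFederationConfiguration |
        Format-List AllowFederatedUsers, AllowedDomains, BlockedDomains
}

Connect-MicrosoftTeams
# Placeholder partner domains (constructed for this example).
Set-ExternalAccessMode -Mode AllowList -Domains 'partner-a.example', 'partner-b.example'
```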

Guest Users and External Access Security Best Practices

IT admins, who are typically the group owners in Microsoft 365, should always remain vigilant about the guest access feature and its deployment within the organization. This is to ensure sensitive and proprietary information is only handled by authorized people.

As a start, group owners must decide whether to have the guest user feature turned off or on for their organization. (It is on by default.)

Secondly, if it is turned on and guest users are invited to collaborate, you should limit the guest users to certain groups. You can also block guests from any particular domain.

Another best practice is to keep sensitive files on a site whose external sharing is turned off.

For External Access, the “Allow specific domains” setting is a powerful feature that gives you control over which domains are allowed to collaborate with your organization.

Closing Thoughts

While we all can agree that Microsoft 365 guest users and external access are great features for collaboration in the modern workplace, there is the undeniable fact that they introduce some security and business risks. The most critical is the risk of sensitive information getting to unauthorized hands.

CISOs must be proactive in developing and implementing file sharing and collaboration policies that ensure sensitive files and data are safeguarded. A periodic review of all guest accounts and the levels of access granted should be done to detect any loopholes.
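One way to script the periodic guest review described above, as an added example that is not part of the original article: the function name, the 90-day threshold, the approved-domain list and the sample records are assumptions, while the property names mirror what Get-MgUser (Microsoft Graph PowerShell) returns.

```powershell
# Added example. Get-GuestReviewFinding and the 90-day default are assumptions.
function Get-GuestReviewFinding {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Guest,
        [string[]] $ApprovedDomains = @(),
        [int] $StaleDays = 90,
        [datetime] $Now = (Get-Date)
    )
    process {
        $reasons = @()
        $domain = if ($Guest.Mail) { ($Guest.Mail -split '@')[-1].ToLower() } else { '' }
        if ($ApprovedDomains.Count -and $domain -notin $ApprovedDomains) {
            $reasons += 'domain not on approved list'
        }
        if ($Guest.ExternalUserState -eq 'PendingAcceptance') {
            $reasons += 'invitation never redeemed'
        }
        $last = $Guest.SignInActivity.LastSignInDateTime
        if (-not $last) {
            $reasons += 'no recorded sign-in'
        } elseif (($Now - [datetime]$last).TotalDays -gt $StaleDays) {
            $reasons += "no sign-in for more than $StaleDays days"
        }
        [pscustomobject]@{
            Guest   = $Guest.UserPrincipalName
            Domain  = $domain
            Review  = [bool]$reasons.Count
            Reasons = $reasons -join '; '
        }
    }
}

# Constructed sample records so the script runs offline. In a tenant, pipe in
# Get-MgUser -All -Filter "userType eq 'Guest'" -Property Mail,UserPrincipalName,ExternalUserState,SignInActivity
# after Connect-MgGraph -Scopes 'User.Read.All','AuditLog.Read.All'.
function New-SampleGuest($Mail, $State, $LastSignIn) {
    [pscustomobject]@{
        UserPrincipalName = ($Mail -replace '@', '_') + '#EXT#@contoso.onmicrosoft.com'
        Mail              = $Mail
        ExternalUserState = $State
        SignInActivity    = [pscustomobject]@{ LastSignInDateTime = $LastSignIn }
    }
}
$sample = @(
    New-SampleGuest 'alice@partner.example' 'Accepted' ([datetime]'2024-05-20')
    New-SampleGuest 'bob@freemail.example' 'Accepted' ([datetime]'2023-11-02')
    New-SampleGuest 'carol@partner.example' 'PendingAcceptance' $null
)
$sample | Get-GuestReviewFinding -ApprovedDomains 'partner.example' -Now ([datetime]'2024-06-01') |
    Format-Table -AutoSize
```

With the sample data, alice passes, bob is flagged for an unapproved domain and a stale sign-in, and carol is flagged for an unredeemed invitation. Reading SignInActivity from a live tenant requires the AuditLog.Read.All permission and a premium directory license.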

If you’d like to see how the Lepide Data Security Platform can help you detect and react to security threats within Microsoft 365, schedule a demo with one of our engineers.