October 25, 2022
Roy Martinez
With over 16 years in Microsoft and IT infrastructure, Roy uses his SharePoint, Power Automate, and Microsoft Teams expertise to help organizations develop strategies for adoption, collaboration, automation, and governance.

Protect your Microsoft 365 Tenant with these Guest User Governance Best Practices

Imagine this: someone from the HR team adds an external user (someone outside your organization) to your Microsoft 365 tenant, freeing up your admin's time.

Ideal, right?

Not if done incorrectly. Rogue external users can lead to data theft or phishing attacks.

You need to understand and apply guest governance best practices to prevent these risks.

Guest user governance is the process of ensuring that only the right guests have appropriate access to your organization's Microsoft 365 resources.

You can determine the type of access a guest needs when you review their tasks in a project. 

For example, a contract customer support personnel may need customer order history but doesn't require admin privileges or access to global sales data.

Understanding guest user governance will help you protect your Microsoft 365 resources from growing cyber threats such as phishing attacks and privacy breaches.

How to Manage Office 365 Users?

Office 365 uses Azure Active Directory (Azure AD) to manage users. Azure AD has identity governance features for managing the different user types in your Office 365 environment.

Azure AD Identity Governance Features

Azure AD identity governance features fall into three categories:

  1. Identity lifecycle
  2. Access lifecycle
  3. Privileged access management tools

Identity lifecycle management tools: These tools manage the process of adding external users and employees to your Microsoft 365 tenant. Identity lifecycle tools also cover user offboarding and the cleanup of unused guest accounts.

Access lifecycle management tools: Tools in this category manage user access to your Microsoft 365 resources, for example the automatic provisioning and de-provisioning of user access to organization resources. They let you set resource access rules, timeframes, and authorized channels.

Azure AD's access review features automate the process of reviewing guest access across your Office 365 org to reduce the risk of unauthorized access.

Privileged access management tools: Azure AD's Privileged Identity Management controls let you oversee accounts with privileged access. You can set a timeframe for privileged access, set up workflows for actions, and even remove privileged access.

Understanding Azure AD User Types

Accurately defining user roles helps you give secure and relevant permissions to the users of your tenant. There are four user types in Azure AD: admins, team members, guests, and external users.

Azure AD Guest vs. Team Member

A team member is an internal staff member of your organization. Team members are on the company payroll and have a designated portfolio. Your company's HR manager is a team member and should have the permissions needed to use the organization's M365 tenant for their work.

On the other hand, a guest is a non-team member who uses your tenant's resources temporarily to achieve a specific goal. A guest could be an external partner, collaborator, or customer, so it is crucial to decide which permissions you want to give a guest in a team.

Guest permissions are off by default in the team management settings. You have to enable guest permissions if you want your guests to access collaborative tools as a team member does.

Azure AD Guest Access vs. External User Access

Guest access covers the collaboration permissions for a non-team member invited or added to your M365 tenant. You configure guest access from the guest access control panel. Guest access controls let you specify communication permissions such as making private calls, joining teams, chatting, deleting messages, and so on.

External access is a communication permission that lets your users communicate with people from other organizations. For example, you can set permissions to communicate with external organizations through Skype.

7 Guest Sharing Best Practices to Protect Your Microsoft 365 From Threats

When it comes to guest user governance, it is always advisable to err on the side of safety. You can protect your Office 365 tenant from collaboration risks with these tips.

  1. Tighten your Guest Invite Settings
  2. Activate two-factor authentication 
  3. Set Session Timeouts
  4. Create web-only access
  5. Set expiration dates
  6. Change Default Link Permissions to View-Only
  7. Create a dynamic guest group

Tighten your Guest Invite Settings

In the guest invite settings, you can specify the members within the organizations that can invite guests. Ideally, non-team members shouldn't have permission to add people to your organization without clearance. You should set your guest invite settings to allow only members with invite permissions or designated admins to add people to your tenant. 
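The setting described above is the tenant's authorization policy (`allowInvitesFrom`). The following is an added example, not code from the original post or from CoreView, showing how to read the current value, tighten it so that only admins and holders of the Guest Inviter role can invite, and list who currently holds that role. It assumes the Microsoft Graph PowerShell SDK (`Microsoft.Graph` module) and an account that can consent to the `Policy.ReadWrite.Authorization` and `RoleManagement.Read.Directory` scopes.

```powershell
# Added example (not from the original post): read and tighten the guest
# invite setting with the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph module is installed and the signed-in account
# can consent to the scopes below.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.Authorization", "RoleManagement.Read.Directory"

# The authorization policy is a tenant-wide singleton.
$policy = Get-MgPolicyAuthorizationPolicy
"Current guest invite setting: $($policy.AllowInvitesFrom)"

# Possible values, from most open to most restrictive:
#   everyone                         - any user, including guests, can invite
#   adminsGuestInvitersAndAllMembers - members and admins, but not guests
#   adminsAndGuestInviters           - only admins and the Guest Inviter role
#   none                             - nobody can invite guests
$desired = "adminsAndGuestInviters"

if ($policy.AllowInvitesFrom -ne $desired) {
    Update-MgPolicyAuthorizationPolicy -AllowInvitesFrom $desired
    "Guest invite setting changed to '$desired'"
} else {
    "Guest invite setting is already '$desired'"
}

# Who can still invite? List the members of the Guest Inviter role.
# The role only appears here once it has been activated in the tenant.
$role = Get-MgDirectoryRole -Filter "displayName eq 'Guest Inviter'"
if ($role) {
    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id |
        ForEach-Object { $_.AdditionalProperties["userPrincipalName"] }
} else {
    "Guest Inviter role is not activated; only admins can invite guests."
}
```

Run it once in report mode (comment out the `Update-` line) to see the current state before changing anything, and keep the Guest Inviter role membership small and reviewed: every account listed at the end is an account that can bring outsiders into the tenant.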

Activate two-factor authentication (2FA)

As stated earlier, guest governance involves carefully reviewing guest identities to ensure the right guest is accessing the right information. 

However, since identities can be stolen, setting up two-factor authentication for your visitors reduces the chances of account compromise. It also prevents unauthorized individuals from accessing your sites and files when a guest account's password has been compromised.

Set Session Timeouts

Requiring frequent visitor authentication is another way to validate the identity of the guests accessing your sites and files.

You can review the identity and device accessing your tenant regularly by setting up session timeouts for guests.

Create web-only access

This is another way to reduce the risk of data loss. When you set a web-only access rule for your organization, you control the channels for using your information.
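Tips 2, 3 and 4 (2FA, session timeouts and web-only access for guests) are all expressed in Azure AD as one Conditional Access policy. The block below is an added example, not code from the original post or from CoreView: it creates a policy that targets every guest and external user, requires MFA, forces re-authentication daily, and turns on app-enforced restrictions, which SharePoint and Exchange use to limit guests to browser-only, no-download access. It assumes the Microsoft Graph PowerShell SDK, an account that can consent to `Policy.ReadWrite.ConditionalAccess`, and the Azure AD Premium P1 licensing that Conditional Access requires. The policy name is a placeholder.

```powershell
# Added example (not from the original post): one Conditional Access policy
# covering MFA, daily sign-in frequency and app-enforced restrictions for guests.
# Assumes the Microsoft.Graph module; Conditional Access needs Azure AD Premium P1.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policy = @{
    displayName = "Guests: MFA, daily sign-in, web-only access"   # placeholder name
    # Start in report-only mode; switch to "enabled" after checking the sign-in logs.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        # Built-in selector that targets all guest and external user accounts.
        users          = @{ includeUsers = @("GuestsOrExternalUsers") }
    }
    grantControls = @{
        # Tip 2: grant access only after multi-factor authentication.
        operator        = "OR"
        builtInControls = @("mfa")
    }
    sessionControls = @{
        # Tip 3: session timeout - guests must re-authenticate every day.
        signInFrequency = @{
            isEnabled = $true
            type      = "days"
            value     = 1
        }
        # Tip 4: web-only access. This flag hands enforcement to SharePoint
        # Online / Exchange Online, which must also be configured, e.g.
        #   Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess
        applicationEnforcedRestrictions = @{ isEnabled = $true }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '$($created.DisplayName)' (id $($created.Id)) in state $($created.State)"
```

Leaving the policy in report-only mode first matters: the sign-in logs will show which guests would have been blocked, and that is where you find the service accounts or long-running partner integrations that need an exclusion before enforcement.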

Set Expiration Dates

You can prevent forgotten visitors and unmonitored guests from viewing private documents, which may be subject to retention regulations, by setting expiration dates on your Anyone links.

Change Default Link Permission to View-Only

Azure's default editing permission makes collaboration easy, but it may not be ideal for your security.

You can change the default permission to suit your needs. Consider changing the default link permission from "Anyone with the link can edit" to view-only. This setting prevents unauthenticated people from modifying your organization's content; however, it still allows unauthenticated sharing.
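Tips 5 and 6 (expiring Anyone links and view-only default links) are SharePoint Online tenant settings, so here is an added example, not code from the original post or from CoreView, that records the current values and then applies both tips with a single `Set-SPOTenant` call. It assumes the `Microsoft.Online.SharePoint.PowerShell` module and a SharePoint administrator account; the admin URL and the 30/60-day values are placeholders to adjust to your own policy.

```powershell
# Added example (not from the original post): expiring Anyone links and
# view-only default sharing links at the SharePoint Online tenant level.
# Assumes the Microsoft.Online.SharePoint.PowerShell module; the tenant name
# in the URL is a placeholder.
Connect-SPOService -Url "https://<your-tenant>-admin.sharepoint.com"

$sharingProps = "SharingCapability", "DefaultSharingLinkType", "DefaultLinkPermission",
    "FileAnonymousLinkType", "FolderAnonymousLinkType", "RequireAnonymousLinksExpireInDays",
    "ExternalUserExpirationRequired", "ExternalUserExpireInDays"

"Before:"
Get-SPOTenant | Select-Object $sharingProps | Format-List

$settings = @{
    # New sharing links default to "People in your organization", not "Anyone".
    DefaultSharingLinkType            = "Internal"
    # Tip 6: the default permission on a new link is view-only, not edit.
    DefaultLinkPermission             = "View"
    # Anyone links that users still create explicitly cannot grant edit rights.
    FileAnonymousLinkType             = "View"
    FolderAnonymousLinkType           = "View"
    # Tip 5: Anyone links stop working after 30 days (placeholder value).
    RequireAnonymousLinksExpireInDays = 30
    # Tip 5, applied to guest accounts themselves: access to sites and
    # OneDrive granted to external users expires after 60 days (placeholder).
    ExternalUserExpirationRequired    = $true
    ExternalUserExpireInDays          = 60
}
Set-SPOTenant @settings

"After:"
Get-SPOTenant | Select-Object $sharingProps | Format-List
```

The "Before" listing is worth keeping in your change record: `SharingCapability` in particular tells you whether Anyone links are allowed at all, and if it is already set to a level that disables them, the anonymous-link settings above are a safety net rather than the control that is doing the work.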

Create a dynamic guest group

Microsoft recommends creating a dynamic guest access group and then setting up an access review for the group. This way, you can review the access of every guest invited to your organization periodically. 
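The dynamic group that Microsoft recommends is a membership rule on `user.userType`. The block below is an added example, not code from the original post or from CoreView, that creates that group and then produces the list that the access review is meant to surface: guests who never redeemed their invitation or have not signed in for 90 days, the "unused guest account cleanup" that the identity lifecycle section mentions. It assumes the Microsoft Graph PowerShell SDK, an account that can consent to the scopes shown, Azure AD Premium P1 (required for dynamic groups, and for the `signInActivity` data the report reads), and it assumes that selecting `signInActivity` alongside a `userType` filter is permitted by the Graph v1.0 endpoint; the group name, mail nickname and 90-day cutoff are placeholders.

```powershell
# Added example (not from the original post): dynamic "all guests" group plus
# a stale-guest report for access review / cleanup.
# Assumes the Microsoft.Graph module; dynamic groups and signInActivity need
# an Azure AD Premium license, and signInActivity needs AuditLog.Read.All.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All", "AuditLog.Read.All"

# Tip 7: a dynamic security group whose rule pulls in every guest account,
# so a single access review covers all of them, including future invitees.
$group = New-MgGroup -DisplayName "All guest users (dynamic)" `
    -Description "Dynamic membership on user.userType eq Guest; reviewed quarterly" `
    -MailEnabled:$false -MailNickname "all-guests-dynamic" -SecurityEnabled `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule '(user.userType -eq "Guest")' `
    -MembershipRuleProcessingState "On"
"Created dynamic group '$($group.DisplayName)' ($($group.Id))"

# Stale-guest report: candidates to remove before (or during) the access review.
$cutoff = (Get-Date).AddDays(-90)   # placeholder retention window
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property Id, DisplayName, Mail, CreatedDateTime, ExternalUserState, SignInActivity

$stale = foreach ($g in $guests) {
    $lastSignIn = $g.SignInActivity.LastSignInDateTime
    $reason = if ($g.ExternalUserState -eq "PendingAcceptance" -and $g.CreatedDateTime -lt $cutoff) {
        # Invited long ago but never accepted: the account is pure attack surface.
        "invitation never redeemed"
    } elseif ($null -eq $lastSignIn -and $g.CreatedDateTime -lt $cutoff) {
        "no recorded sign-in"
    } elseif ($null -ne $lastSignIn -and $lastSignIn -lt $cutoff) {
        "last sign-in $($lastSignIn.ToString('yyyy-MM-dd'))"
    }
    if ($reason) {
        [pscustomobject]@{ DisplayName = $g.DisplayName; Mail = $g.Mail; Reason = $reason }
    }
}

"$($stale.Count) of $($guests.Count) guest accounts look stale:"
$stale | Sort-Object Reason, DisplayName | Format-Table -AutoSize
```

Nothing in the report deletes anyone: the point is to hand the list to the people who sponsored those guests and let the access review decide. Guests with a sponsor who confirms the project is over can then be removed, and the dynamic group keeps the review scope accurate without anyone maintaining a membership list by hand.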

One of the common challenges of external collaboration is knowing when to remove an external user's access as a project wraps up.

When done right, guest governance improves both productivity and security, because team members can collaborate securely with external users.

You can automate your organization's guest governance and auditing process with CoreView.

Learn how CoreView can help you automate governance and give you complete oversight of your Office 365 security and compliance.
