The scope of this article is to take you through the main topics related to guest user access in Office 365 and Azure AD.

  1. Definition of Guest User and Terminology used
  2. Adding Guest Users
  3. Manage Guest Users in SharePoint, OneDrive, Teams and O365 groups
  4. Remove Guest Users

  1. Definition of Guest User and Terminology

The concept of a Guest user in O365 and Azure AD has changed and been enriched over the past years.

The following terms are used, sometimes interchangeably: external user, guest user, Microsoft account, B2B user. The definition used here: an Azure AD business-to-business (B2B) collaboration user is a user with UserType=Guest. This guest user typically comes from a partner organization and has limited privileges in the inviting directory.

Everyone / All Users identity

The Everyone identity has been reworked. Starting from the 23rd of March, guest accounts can no longer be granted permissions through this identity.

Permissions for guest users need to be assigned specifically to the guest user or through an Azure AD group (dynamic or assigned).

  2. Adding Guest Users to O365 / Azure AD

By default, guest users do not receive or require any type of license in the inviting Azure AD / O365 tenant.

  • Why invite Guest users?

The answer to this question is straightforward: O365 is a collaboration platform, and in most projects external partners are involved. If the external-user functionality were not used, adoption of the platform would be severely limited, and ad hoc, insecure communication channels would be used instead.

  • How to invite?

Depending on the O365 product, a different approach to inviting guest users can be used.

One of the following can be used:

  • A centralized approach, where guest users are invited from Azure AD by a User Management Administrator;
  • A decentralized approach, where guest users are invited directly by the site owners;
  • A hybrid approach, where the two options above are combined.


The options above are based on the configuration at the tenant level and at the site collection level. The tenant-level setting defines the baseline, and the site collection setting can only restrict it further.

  1. The current setting at the tenant level allows guest users to be invited even if they are not yet in Azure AD;
  2. Classic SharePoint sites and Communication sites come by default with guest access disabled;
  3. Modern Team Sites come by default with the possibility of inviting guest users even if they are not yet in Azure AD;
  4. OneDrive sites come by default with the possibility of inviting guest users even if they are not yet in Azure AD. By default, invited members of OneDrive sites can send invites as well;
  5. Teams come by default with the possibility of inviting guest users even if they are not yet in Azure AD;
  6. O365 group guest invitations are not yet activated in production. If group owners are allowed to invite guest users, those users can be invited even if they are not yet in Azure AD.

Site owners have requested changes to these settings at the site collection level, away from the defaults. OneDrive sites keep the default settings. Modern SharePoint site settings were restricted at creation time so that only guest users already present in Azure AD can be added.
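The tenant baseline and per-site restriction described above can be audited from the SharePoint Online Management Shell. The script below is an added example, not part of the original article: it reports each site collection's sharing setting against the tenant baseline and stages the "existing guest users only" restriction for modern team sites. It assumes the SharePoint Online Management Shell module is installed, uses "contoso" as a placeholder tenant name, and is report-only unless $applyRestriction is set to $true.

```powershell
# Added example: audit SharePoint Online sharing settings at tenant and site collection level.
# Assumes the SharePoint Online Management Shell; "contoso" is a placeholder tenant name.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

$applyRestriction = $false   # report-only by default; set to $true to enforce the policy

# SharingCapability levels, most restrictive first, so they can be compared by position.
$levels = @('Disabled', 'ExistingExternalUserSharingOnly', 'ExternalUserSharingOnly', 'ExternalUserAndGuestSharing')

$tenantLevel = (Get-SPOTenant).SharingCapability.ToString()
"Tenant baseline: $tenantLevel"

# Get-SPOSite does not list OneDrive (personal) sites by default; those need -IncludePersonalSite.
$sites = Get-SPOSite -Limit All

# A site setting looser than the tenant baseline is not effective (the tenant wins),
# but it still documents an intent that the site owner should be asked about.
$sites | ForEach-Object {
    $siteLevel = $_.SharingCapability.ToString()
    [pscustomobject]@{
        Url              = $_.Url
        Template         = $_.Template
        Sharing          = $siteLevel
        LooserThanTenant = [array]::IndexOf($levels, $siteLevel) -gt [array]::IndexOf($levels, $tenantLevel)
    }
} | Format-Table -AutoSize

# Policy from the article: modern (group-connected) team sites, template GROUP#0,
# may only add guest users that already exist in Azure AD.
$toRestrict = $sites | Where-Object {
    $_.Template -eq 'GROUP#0' -and $_.SharingCapability -ne 'ExistingExternalUserSharingOnly'
}
foreach ($site in $toRestrict) {
    "Would restrict: $($site.Url) (currently $($site.SharingCapability))"
    if ($applyRestriction) {
        Set-SPOSite -Identity $site.Url -SharingCapability ExistingExternalUserSharingOnly
    }
}
```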

  3. Manage Guest Users in SharePoint, OneDrive, Teams and O365 groups

  • Manage the lifecycle of the accounts

The lifecycle of guest accounts needs to be managed for each of the applications above, in the context of access to a SharePoint site, OneDrive, Teams or O365 group, and it needs to be managed at the Azure AD level as well.


In order to access a SharePoint site or resource, the guest account must exist in Azure AD, created either by:

  • a direct invitation from the site owner, or
  • in a staged manner: an invitation to Azure AD first, then the account is added to the permissions.

If the guest account already exists in Azure AD, it can easily be added to any SharePoint or OneDrive site, and to Teams as well.

  • Control access to resources and applications

Permission to access resources must be granted or requested by the site owner, who is the only one who knows for how long, and to which resources, a guest user needs access.

The same guest user can access different resources and sites with different owners; therefore each site owner must manage guest access for their own site, team or O365 group. This applies to OneDrive sites as well, since they are a particular type of SharePoint site.

  • Monitoring account activities and granting access privileges

Azure AD Access Reviews provide a way to review access for groups. Once activated, this feature is available to Global Administrators, Security Readers and Security Administrators.

O365 groups can also be identified in PowerShell, and if they contain guest users, an email can be sent to the group owner asking them to review the guest members.
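The PowerShell check just described, as an added example that is not part of the original article: it lists every Microsoft 365 group with guest members and builds one review notice per group owner. It assumes the Microsoft Graph PowerShell SDK and a signed-in account with Group.Read.All and User.Read.All; actually sending the notice is left to the organization's mail pipeline (for example Send-MgUserMail).

```powershell
# Added example: find Microsoft 365 groups containing guest members and prepare
# a review notice for each group owner. Assumes the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes "Group.Read.All", "User.Read.All"

# Microsoft 365 groups only (groupTypes contains 'Unified'); security groups are out of scope.
$groups = Get-MgGroup -Filter "groupTypes/any(c:c eq 'Unified')" -All

$rows = foreach ($group in $groups) {
    # Members come back as directory objects: user attributes such as userType live in
    # AdditionalProperties and are only returned when explicitly selected.
    $members = Get-MgGroupMember -GroupId $group.Id -All -Property id,userPrincipalName,userType
    $guests  = @($members | Where-Object { $_.AdditionalProperties['userType'] -eq 'Guest' })
    if ($guests.Count -eq 0) { continue }

    $guestList = ($guests | ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }) -join ', '
    $owners = @(Get-MgGroupOwner -GroupId $group.Id -All -Property id,userPrincipalName |
        ForEach-Object { $_.AdditionalProperties['userPrincipalName'] })

    # A group with guests but no owner is itself a finding: nobody is there to review it.
    if ($owners.Count -eq 0) { $owners = @('<no owner>') }

    foreach ($owner in $owners) {
        [pscustomobject]@{ Owner = $owner; Group = $group.DisplayName; Guests = $guestList }
    }
}

# One notice per owner, listing only the groups that owner is responsible for.
$notices = $rows | Group-Object Owner | ForEach-Object {
    $lines = $_.Group | ForEach-Object { " - $($_.Group): $($_.Guests)" }
    [pscustomobject]@{
        To   = $_.Name
        Body = "Please review guest access in the following groups:`n" + ($lines -join "`n")
    }
}
$notices | Format-List
```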

  • MFA for guest accounts

It is safe to assume that guest accounts are subject to the same or weaker security controls than the organization's own user accounts. Therefore, requiring MFA for all guest users is necessary to ensure secure access to resources.

This should be enabled in coordination with IRM/AIP (Information Rights Management / Azure Information Protection) to improve the security posture.

  4. Remove Guest Users

To complete the lifecycle of guest accounts, their removal must be considered as well. Guest accounts must be removed from sites or groups when their access to resources is no longer justified. When a guest account no longer has access to any resources, the account must be removed from Azure AD as well.
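The last step of the lifecycle, as an added example that is not part of the original article: find guest accounts that no longer belong to any Azure AD group, or whose invitation was never accepted, and stage their removal. It assumes the Microsoft Graph PowerShell SDK and a signed-in account with User.ReadWrite.All and GroupMember.Read.All; the 30-day grace period is a constructed value, and nothing is deleted unless $removeOrphans is set to $true.

```powershell
# Added example: review queue of guest accounts with no remaining group access.
# Assumes the Microsoft Graph PowerShell SDK; report-only unless $removeOrphans is $true.
Connect-MgGraph -Scopes "User.ReadWrite.All", "GroupMember.Read.All"

$removeOrphans = $false
$graceDays     = 30   # constructed threshold: skip guests invited more recently than this
$cutoff        = (Get-Date).AddDays(-$graceDays)

$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property id,userPrincipalName,createdDateTime,externalUserState

$orphans = foreach ($guest in $guests) {
    if ($guest.CreatedDateTime -gt $cutoff) { continue }   # still inside the grace period

    # Azure AD groups the guest belongs to, including the Microsoft 365 groups
    # behind Teams and modern SharePoint sites.
    $groups = @(Get-MgUserMemberOf -UserId $guest.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' })

    # An invitation that was never accepted is dead weight in the directory.
    $neverAccepted = $guest.ExternalUserState -eq 'PendingAcceptance'

    if ($groups.Count -eq 0 -or $neverAccepted) {
        [pscustomobject]@{
            Id         = $guest.Id
            User       = $guest.UserPrincipalName
            Invited    = $guest.CreatedDateTime
            State      = $guest.ExternalUserState
            GroupCount = $groups.Count
        }
    }
}

# Caveat: this only sees Azure AD group membership. A guest granted permissions directly
# on a SharePoint or OneDrive site (not through a group) still needs to be checked in
# SharePoint before the account is deleted, so treat this as a review queue.
$orphans | Format-Table User, Invited, State, GroupCount -AutoSize

if ($removeOrphans) {
    foreach ($o in $orphans) {
        "Removing guest $($o.User)"
        Remove-MgUser -UserId $o.Id
    }
}
```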


Guest access in Office 365 and Azure AD offers great flexibility and has become a very important part of collaboration in any organization, by enabling teams to work with people from outside the organization. Nevertheless, appropriate management of access privileges is required: the lifecycle of these accounts must be managed, and the type of resources being shared must be overseen.