3 Policy Considerations for Microsoft 365 Guest Access
03/29/2021
Before configuring Microsoft 365 to enable access for outsiders, several basic policy decisions must be made.
While there are many ways to develop and tailor the appropriate policies for your department’s unique needs at a granular level, here are a few of the most important top-line considerations.
Who should be allowed to be invited as a guest?
Determine if the agility, regulatory, and sensitivity levels of your work environment are more appropriate for a policy that is “everyone except” or a policy that is “no one except” those from specific departments or domains.
Once that determination has been made, coordinate with stakeholders to either build a list of common collaborators (such as vendors) to whitelist or to identify external organizations that may need to be blacklisted.
In general, most departments operating in the public sector will want to deploy a “no one except” policy, while other departments will want to deploy an “everyone except” policy and layer additional protections on specific workspaces and files downstream.
Note: The allow/deny list is NOT unlimited. The entire policy definition can consist of at most 25,000 characters. This means that if you are part of a large department and want to granularly specify hundreds of allowed domains, you will likely run into this limitation.
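The following script is an added example and not part of the article; it shows how the “no one except” (allow list) and “everyone except” (deny list) choices translate into the Azure AD B2B management policy, and checks the definition against the 25,000-character limit quoted above before applying it. It assumes the AzureADPreview PowerShell module with an existing Connect-AzureAD session; the domain names are constructed placeholders.

```powershell
# Added example (not from the article). Assumes: AzureADPreview module imported and
# Connect-AzureAD already run with an account allowed to manage B2B policy.

function New-B2BDomainPolicyDefinition {
    param(
        # AllowOnly = "no one except" policy; BlockOnly = "everyone except" policy
        [Parameter(Mandatory)] [ValidateSet('AllowOnly', 'BlockOnly')] [string] $Mode,
        [Parameter(Mandatory)] [string[]] $Domains
    )
    # The service accepts an AllowedDomains list or a BlockedDomains list, never both
    # in the same policy, so the mode decides which key is emitted.
    $key = if ($Mode -eq 'AllowOnly') { 'AllowedDomains' } else { 'BlockedDomains' }
    $policy = @{
        B2BManagementPolicy = @{
            InvitationsAllowedAndBlockedDomainsPolicy = @{
                $key = @($Domains | ForEach-Object { $_.Trim().ToLowerInvariant() } | Sort-Object -Unique)
            }
        }
    }
    # -Compress keeps whitespace out of the definition so every character counts toward domains
    return ($policy | ConvertTo-Json -Depth 4 -Compress)
}

$MaxDefinitionLength = 25000   # limit quoted in the article

function Set-B2BDomainPolicy {
    param([Parameter(Mandatory)] [string] $Definition)
    if ($Definition.Length -gt $MaxDefinitionLength) {
        throw ("Policy definition is {0} characters; the limit is {1}. Trim the domain list " +
               "or move granular control to per-Team settings.") -f $Definition.Length, $MaxDefinitionLength
    }
    # Only one B2BManagementPolicy may exist per tenant: update it if present, else create it
    $existing = Get-AzureADPolicy | Where-Object { $_.Type -eq 'B2BManagementPolicy' }
    if ($existing) {
        Set-AzureADPolicy -Id $existing.Id -Definition @($Definition)
    } else {
        New-AzureADPolicy -Definition @($Definition) -DisplayName 'B2BManagementPolicy' `
            -Type 'B2BManagementPolicy' -IsOrganizationDefault $true
    }
}

# Public-sector style "no one except" list (constructed placeholder domains)
$definition = New-B2BDomainPolicyDefinition -Mode AllowOnly -Domains @('vendor-one.example', 'vendor-two.example')
Write-Host "Definition length: $($definition.Length) characters"
Set-B2BDomainPolicy -Definition $definition

# Read the policy back so the applied state is verified rather than assumed
Get-AzureADPolicy | Where-Object { $_.Type -eq 'B2BManagementPolicy' } | Select-Object -ExpandProperty Definition
```

Because the length check runs before any write, a list that would exceed the limit fails locally instead of being silently truncated or rejected by the service; switching `-Mode` to `BlockOnly` produces the “everyone except” form with the same helper.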
Should guests be allowed to see the organizational directory?
In most cases, it would be inappropriate for guests to be able to look up or contact anyone within the department. The best practice is to limit access to only those who are members of the same Team as the guest.
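As an added example (not code from the article), the tenant-level setting that enforces this recommendation is the guest user role in the Azure AD authorization policy. The script below reads the current level, switches it to the restricted role, and reads it back. It assumes the AzureADPreview module and an existing Connect-AzureAD session; the role ids are the values documented for the Microsoft Graph authorizationPolicy and should be checked against current documentation before use.

```powershell
# Added example (not from the article). Assumes: AzureADPreview module and an
# existing Connect-AzureAD session with rights to change the authorization policy.

# guestUserRoleId values as documented for the authorizationPolicy resource
$GuestRoleIds = @{
    SameAsMember = 'a0b1b346-4d3e-4e8b-98f8-753987be4970'  # guests can see the whole directory
    Limited      = '10dae51f-2644-4f46-8d54-3ff1da7bd542'  # tenant default: guests can look up any user
    Restricted   = '2af84b1e-32c8-42b7-82bc-daa82404023b'  # guests see only their own objects and memberships
}

function Get-GuestDirectoryAccessLevel {
    # Map the GUID on the live policy back to a readable name for reporting
    $policy = Get-AzureADMSAuthorizationPolicy
    $match = $GuestRoleIds.GetEnumerator() | Where-Object { $_.Value -eq $policy.GuestUserRoleId }
    if ($match) { return $match.Name }
    return "Unknown ($($policy.GuestUserRoleId))"
}

function Set-GuestDirectoryAccessRestricted {
    # Restricted is the level that matches the article's advice: a guest can only see
    # the Teams and Groups they belong to, not the rest of the department's directory.
    $before = Get-GuestDirectoryAccessLevel
    Set-AzureADMSAuthorizationPolicy -GuestUserRoleId $GuestRoleIds.Restricted
    $after = Get-GuestDirectoryAccessLevel
    return [pscustomobject]@{ Before = $before; After = $after }
}

# Apply and show the before/after state for the change record
Set-GuestDirectoryAccessRestricted
```

The before/after object is worth keeping with the change ticket: the same cmdlet with `$GuestRoleIds.Limited` reverts the tenant to its default if a business case later requires it.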
Who should be allowed to admit new guests to the Microsoft Teams environment?
When a user would like to have a guest added, there needs to be a process for admitting them into the environment. Using Microsoft 365 native functionality, two roles can add an external user to a Team: an IT admin or the owner of the Team.
Microsoft 365 will never let a member of a Team invite a net new external guest. Depending on the selected settings, however, members could add and share with guests who are already in Active Directory but not members of that specific Team.
Having only IT admins add new guest users creates a bottleneck. They are also not as close to the needs of the Team, so managing the lifecycle of a guest (when they need to be onboarded and offboarded) can be a challenge.
On the other hand, not every department is comfortable with enabling any Team owner to admit new guests, which presents two options:
- Enable Team owners to invite guests and then lock down specific Teams where sensitive work is being done. This requires scripting through PowerShell or configuring sensitivity labels so they can be applied to Groups and workspaces. Both options can be tedious to maintain at scale and could require upgraded licenses, depending on the application.
- Deploy a third-party solution such as AvePoint’s Cloud Governance to enable an approval process for admitting guests. Because Cloud Governance can guide users to correctly categorize the purpose of a Team during the creation process, specific types of Teams can be permitted or prohibited from allowing guests.
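The first option above (let owners invite guests tenant-wide, then lock down specific Teams) is what the PowerShell route looks like in practice. The script below is an added example, not from the article or AvePoint: it sets the group-level `AllowToAddGuests` directory setting on the Microsoft 365 Group behind a Team, and a second function audits which Teams carry an explicit lock. It assumes the AzureADPreview module with an existing Connect-AzureAD session; the Team name is a constructed placeholder.

```powershell
# Added example (not from the article). Assumes: AzureADPreview module imported and
# Connect-AzureAD already run with rights to manage group settings.

function Set-TeamGuestInviteLock {
    param(
        [Parameter(Mandatory)] [string] $TeamDisplayName,
        [bool] $AllowGuests = $false
    )
    # Every Team is backed by a Microsoft 365 Group; the per-Team guest lock is a
    # directory setting on that group, created from the "Group.Unified.Guest" template.
    $group = @(Get-AzureADGroup -Filter "displayName eq '$TeamDisplayName'")
    if ($group.Count -eq 0) { throw "No group named '$TeamDisplayName'" }
    if ($group.Count -gt 1) { throw "Multiple groups named '$TeamDisplayName'; pass the ObjectId instead" }
    $groupId = $group[0].ObjectId

    $existing = Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupId |
        Where-Object { $_.DisplayName -eq 'Group.Unified.Guest' }

    if ($existing) {
        # A setting object already exists on this group: update it in place
        $existing['AllowToAddGuests'] = $AllowGuests
        Set-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupId -Id $existing.Id -DirectorySetting $existing
    } else {
        # No group-level setting yet: instantiate one from the tenant template
        $template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq 'Group.Unified.Guest' }
        $setting = $template.CreateDirectorySetting()
        $setting['AllowToAddGuests'] = $AllowGuests
        New-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupId -DirectorySetting $setting
    }

    # Read the value back so the lock is verified rather than assumed
    $applied = Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupId |
        Where-Object { $_.DisplayName -eq 'Group.Unified.Guest' }
    return ($applied.Values | Where-Object { $_.Name -eq 'AllowToAddGuests' }).Value
}

function Get-TeamsWithGuestInviteLock {
    # Audit helper: list every Microsoft 365 Group that carries an explicit guest setting,
    # so locked-down Teams can be reviewed periodically instead of drifting silently.
    Get-AzureADMSGroup -All $true |
        Where-Object { $_.GroupTypes -contains 'Unified' } |
        ForEach-Object {
            $s = Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $_.Id |
                Where-Object { $_.DisplayName -eq 'Group.Unified.Guest' }
            if ($s) {
                [pscustomobject]@{
                    Team             = $_.DisplayName
                    GroupId          = $_.Id
                    AllowToAddGuests = ($s.Values | Where-Object { $_.Name -eq 'AllowToAddGuests' }).Value
                }
            }
        }
}

# Lock one sensitive Team (constructed placeholder name), then list all explicitly configured Teams
Set-TeamGuestInviteLock -TeamDisplayName 'Sensitive Legal Matters' -AllowGuests $false
Get-TeamsWithGuestInviteLock | Format-Table -AutoSize
```

Groups without an explicit setting inherit the tenant default, so the audit output lists only Teams that someone deliberately configured; that list is the one to reconcile against the department's register of sensitive workspaces.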
For more policy considerations such as how guests can be offboarded and what type of guests should be able to access files in SharePoint and OneDrive, download the full ebook here!