A Quick Look at Configuring Guest Access in Azure AD
04/12/2021
Configuring external sharing in Microsoft 365 is complicated, with interdependent settings spread across six different admin interfaces. So we will use an analogy to simplify the process: the security precautions many organizations take to control access to their physical premises.
If you invite an outsider to come to your office for a meeting, they will go through several levels of security checks in order to gain access to the meeting room and sensitive information being shared within that room. We’ll represent the first level as approaching the building’s campus.
Azure AD: Accessing the Campus
Microsoft’s layered model of security settings for securing and controlling outsider access to Microsoft Teams and Microsoft 365 begins with organization-wide settings in the Azure AD Admin Center.
These global settings focus on verifying identity and setting the rules under which outsiders can be added to the directory (and by whom), along with the rights they have once added. An organization can have 5 guest users for every paid license.
The Microsoft 365 external sharing model is set up so that guests must first verify with their own identity provider; you can then choose to add more stringent requirements for signing in to your environment. This is a great feature, as it means that when a user leaves their department (perhaps at an outside vendor), their account is no longer active and they no longer have the means to log in as a guest to your environment.
As we depicted on our cheat sheet, the key setting at the Azure AD level determines whether guests can see your entire membership directory or only the members of the Teams to which they belong.
This is also where you select the “Admins and users in the guest inviter role can invite” toggle, which determines whether administrators can invite guests through the admin interface. It needs to be toggled on for Team Owners to be able to invite guests through the additional settings downstream. You can also choose to allow guests to invite other guests, but most departments don’t do this.
One-Time Passcode
As of March 2021, a one-time passcode option is made available to guests by default. This means that if a resource such as a document is shared with someone who is neither already in the directory nor the holder of a Microsoft account, they will be provided a one-time passcode for identity verification. Returning to our physical security analogy, organizations housed in larger buildings or campuses may enforce entry requirements at the entry road, car park, or campus perimeter for outsiders arriving by vehicle. A security guard checks that the outsider has valid identification from a trusted authority before lifting the entrance barrier.
Some highly secured sites will only allow certain organizations onto the premises, while others may just have a list of blacklisted organizations that can never enter. In other words, someone cannot get access to a meeting room if they can’t get inside the campus, but being allowed inside the campus does not give them access to every meeting room.
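The directory-visibility and invitation settings described earlier, together with the one-time passcode option, are exposed by Microsoft Graph as the tenant's authorization policy and the email authentication method configuration. The following is an added example (not from the original post or from Microsoft) that audits those objects against the choices discussed above; the two sample policies are constructed, and the finding codes are our own naming.

```python
from typing import Dict

# Audit the Azure AD guest settings discussed above, as exposed by Microsoft Graph:
#   GET https://graph.microsoft.com/v1.0/policies/authorizationPolicy   (scope: Policy.Read.All)
#   GET https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/email
# The sample objects below are constructed for illustration, not taken from a real tenant.

# guestUserRoleId values Microsoft documents for the "Guest user access" setting.
GUEST_ROLE_NAMES = {
    "a0b1b346-4d3e-4e8b-98f8-753987be4970": "same access as members (can see the whole directory)",
    "10dae51f-b6af-16e2-9c7f-2c4c6ab2e3c4": "limited access (default; sees members of own teams)",
    "2af84b1e-32c8-42b7-82bc-daa82404023b": "restricted (own profile only)",
}
MEMBER_EQUIVALENT_ROLE = "a0b1b346-4d3e-4e8b-98f8-753987be4970"
# allowInvitesFrom values, most restrictive first.
INVITE_SCOPES = ("none", "adminsAndGuestInviters", "adminsGuestInvitersAndAllMembers", "everyone")


def assess_guest_settings(policy: Dict) -> Dict[str, str]:
    """Map an authorizationPolicy object to findings keyed by a short code (our naming)."""
    findings: Dict[str, str] = {}
    role = policy.get("guestUserRoleId", "")
    if role == MEMBER_EQUIVALENT_ROLE:
        findings["directory_visible"] = "guests can enumerate the entire membership directory"
    elif role not in GUEST_ROLE_NAMES:
        findings["unknown_role"] = f"unrecognised guestUserRoleId {role!r}"
    scope = policy.get("allowInvitesFrom", "")
    if scope not in INVITE_SCOPES:
        findings["unknown_scope"] = f"unrecognised allowInvitesFrom {scope!r}"
    elif scope == "none":
        findings["invites_off"] = "no one can invite guests, so downstream Teams guest settings cannot take effect"
    elif scope == "everyone":
        findings["guests_invite"] = "guests can invite other guests"
    return findings


def email_otp_enabled(email_config: Dict) -> bool:
    """True when external users may sign in with a one-time passcode.
    'default' is treated as enabled, matching the March 2021 behaviour described above."""
    return email_config.get("allowExternalIdToUseEmailOtp", "default") != "disabled"


# Constructed samples: a permissive tenant beside a hardened one.
PERMISSIVE_POLICY = {"allowInvitesFrom": "everyone", "guestUserRoleId": MEMBER_EQUIVALENT_ROLE}
HARDENED_POLICY = {"allowInvitesFrom": "adminsAndGuestInviters",
                   "guestUserRoleId": "10dae51f-b6af-16e2-9c7f-2c4c6ab2e3c4"}
EMAIL_OTP_OFF = {"id": "Email", "allowExternalIdToUseEmailOtp": "disabled"}

if __name__ == "__main__":
    for name, pol in (("permissive", PERMISSIVE_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, assess_guest_settings(pol) or "no findings")
    print("email OTP enabled:", email_otp_enabled(EMAIL_OTP_OFF))
```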
For more insights on configuring guest access settings across the Microsoft 365 Global Admin Center and Microsoft Teams Admin Center, be sure to download the full ebook here!