20 MORE Microsoft 365 Guest Access Questions Answered

Post Date: 03/09/2021

Well folks, we’re back at it again. After the success of our first Microsoft 365 guest user webinar at the tail end of last year, we recently held another specifically for professionals in the EMEA region. Just like last time, we were absolutely floored by the number of interesting questions we received.

To be able to answer as many queries as possible, we enlisted a crack team of Microsoft 365 experts including Dennis Hoogenraad, Roche Mahomedradja, Damien Hallmark, and Yatindra Ranpura to cover every topic thrown our way. Let’s get right into the Q&A!

Can renewal notifications be in Microsoft Teams and not email?

Dennis: By default, the notification will be sent by email and via a notification in Microsoft Teams. Since AvePoint has a connector for Power Automate, though, it is possible to build a solution to send a notification to your desired endpoint.

Do these insights work on a file-level as well? For instance, would they work when a single file is shared by a user?

Dennis: Yes, every single object in Microsoft 365 is scanned just like a post parcel and will include (when available) the sensitivity label.

Can guest accounts be set to automatically expire at a certain date?

Dennis: When defining the policy for a guest account, there are multiple settings to think of. One of these is what to do when the person who is accountable (a “sponsor”) is not reacting within a specific period. It then can be escalated and an admin can remove the user directly from Azure B2B or block them from signing in and accessing services and data in your Microsoft 365 tenant.


We have a script running to disable guest access. Will this new default setting overwrite our script?

Dennis: With AvePoint Cloud Governance you can define where you would like to have guest user access available, periodically check its status by notifying the person who is accountable for it, and directly give that person insight into who these guest users are. Auditors, admins, and security people can be given these insights into your Microsoft 365 tenant.

Simply running a script will not give you adequate control over your Microsoft 365 environment.

How many guest users are we allowed to have? Is there a limit?

Roche: Microsoft Teams doesn’t restrict the number of guests you can add. However, the total number of guests that can be added to your tenant may be restricted by the paid features of Azure AD.

If I want to hold a Teams meeting and invite “guests,” what happens if I select that only specific domains can be guests? Would unknown users still be able to join the Teams meeting via a link?

Roche: To block anonymous users so that they can’t join a meeting there is a setting that needs to be turned off. You can find more about this in this Microsoft documentation.

When you select “Existing guests only” for SharePoint, how can you add a guest to an environment? Is this through the B2B option?

Roche: Yes, they can be manually added through the B2B option or with AvePoint software.

Is there an easy way to sift through your guest users?

Roche: Yes. This can be done manually, with PowerShell, or via AvePoint software.
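One way to do the PowerShell sifting mentioned in the answer above, shown as an added example that is not code from the webinar or from AvePoint. The helper name `Get-GuestTriage`, the 30-day threshold, the exact-match domain allowlist and the sample records are assumptions made for illustration.

```powershell
# Added example: triage guest accounts by invitation state, age and mail domain.
# With a live tenant the input would come from the Microsoft Graph PowerShell SDK:
#   Connect-MgGraph -Scopes 'User.Read.All'
#   $guests = Get-MgUser -All -Filter "userType eq 'Guest'" `
#       -Property DisplayName,Mail,CreatedDateTime,ExternalUserState

function Get-GuestTriage {                  # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $Guests,
        [string[]] $AllowedDomains = @(),   # assumption: exact-match allowlist
        [int] $PendingDays = 30,            # assumption: review threshold in days
        [datetime] $Now = (Get-Date)
    )
    foreach ($g in $Guests) {
        $domain  = if ($g.Mail) { ($g.Mail -split '@')[-1].ToLower() } else { '' }
        $ageDays = [math]::Floor(($Now - [datetime]$g.CreatedDateTime).TotalDays)
        $flags   = @()
        # Invitation was sent but never redeemed within the review window
        if ($g.ExternalUserState -eq 'PendingAcceptance' -and $ageDays -gt $PendingDays) {
            $flags += 'InvitationNotRedeemed'
        }
        # Mail domain is missing or not on the allowlist
        if ($AllowedDomains.Count -gt 0 -and $domain -notin $AllowedDomains) {
            $flags += 'DomainNotAllowed'
        }
        [pscustomobject]@{
            DisplayName = $g.DisplayName
            Domain      = $domain
            AgeDays     = $ageDays
            State       = $g.ExternalUserState
            Flags       = $flags -join ','
        }
    }
}

# Constructed sample records standing in for Get-MgUser output
$sample = @(
    [pscustomobject]@{ DisplayName = 'Ana Ruiz';  Mail = 'ana@partner.example'
                       CreatedDateTime = '2020-11-02'; ExternalUserState = 'Accepted' }
    [pscustomobject]@{ DisplayName = 'Ben Okoro'; Mail = 'ben@partner.example'
                       CreatedDateTime = '2020-12-15'; ExternalUserState = 'PendingAcceptance' }
    [pscustomobject]@{ DisplayName = 'Cy Lind';   Mail = 'cy@freemail.example'
                       CreatedDateTime = '2021-02-20'; ExternalUserState = 'Accepted' }
)

# Show only the guests that need attention, oldest first
Get-GuestTriage -Guests $sample -AllowedDomains 'partner.example' -Now ([datetime]'2021-03-09') |
    Where-Object Flags | Sort-Object AgeDays -Descending | Format-Table -AutoSize
```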

What is the limit of domains you can list?

Roche: The limit is 900, including subdomains. More on that here.

If the AD B2B account is e-reference, can an admin block this? Could an admin prevent their users from being guest users in another tenant?

Damian: There is no current native functionality in Microsoft 365 to prevent admins from blocking a user from becoming a guest in another tenant.

What about the PowerShell setting “AllowAdHocSubscriptions”? How is this related?

Damian: If enabled, this global setting prevents ALL users from accessing self-service capabilities and therefore becoming a guest of another tenant. This option turns off self-service sign-up for all Microsoft cloud-based apps and services. Whilst this may have the desired effect, it lacks the granularity needed by businesses for true collaboration on a B2B level.

Though Microsoft Teams is integrated with SharePoint (for file-sharing), can people still have access to a Team without being allowed to collaborate on documents?

Damian: Yes, you can limit Microsoft Teams access to chats only. Within the SharePoint admin center, you can configure whether you want guests to have access to your content.

Does the model “INVITATION REDEMPTION” still work? Because after December 2020, it seems not to work anymore, like it did before.

Damian: Invitation Redemption does still work, but as of January 4, 2021 Google deprecated its WebView sign-in support to avoid the risk of MITM attacks. If you’re using Google federation or self-service sign-up with Gmail, you should test your line-of-business native applications for compatibility.

Additionally, as of October 2021, Microsoft will no longer support the redemption of invitations by creating unmanaged Azure AD accounts and tenants for B2B collaboration scenarios. They recommend customers prepare to opt into email one-time passcode authentication.

Is there a better way to see what guests have access to within SharePoint at the content level? 

Yatindra: Yes, we can provide a mechanism to search across the full tenancy for guests, where they have access, and what level of access can be reported on a regular basis.

If you had enabled a Conditional Access Policy for External Users using multi-factor authentication, and then also enabled one-time passwords for external users, would they trigger both when accessing content?

Yatindra: Yes, this is possible where you set up conditional access for users and then select the OTP in the Azure portal.

One thing to bear in mind is that the OTP will be on by default from March 2021.


If using the AvePoint Cloud Governance Process for Guest Users, how do we prevent Team owners from then adding guests outside of this process if Guest Access is on?

Yatindra: We can build policies that will monitor whitelists/blacklists and only authorized guests can be added to workspaces based on these rules.

Would you recommend that users go through the guest user request process to allow them to share a file from SharePoint with an external person?

Yatindra: Yes, we can add a guest user to a project Team and provide a timeline for them to be allowed access before eventually removing them once the project has been completed.

To exert control, you mentioned intervening top to bottom. Is that with AAD at the top and SharePoint sites at the bottom?

Yatindra: Yes, this is correct. AAD would be the topmost layer and SharePoint would provide the granular layers where we can apply control.

What was the operation governance app you were demoing? It looks insanely good for our guest user and Teams management needs.

Yatindra: This governance app was MyHub, an app published on the Microsoft Teams platform that allows us to leverage the capabilities of Cloud Governance and manage guest users in an intuitive format.

Miss the first Q&A? Read it right here.

Keep up with all things Microsoft 365 management by subscribing to our blog.

As the former Content Marketing Specialist for AvePoint, Brent led the strategy and direction of all AvePoint's blog properties.
