This is an excerpt from our Microsoft 365 External Sharing ebook. See the others below:
- A Quick Look at Configuring Guest Access in Azure AD
- 4 External Sharing Scenarios to Consider in Microsoft 365
Before configuring Microsoft 365 to enable access to outsiders, several basic policy decision points must be addressed first.
While there are many ways to develop and tailor the appropriate policies for your organization’s unique needs at a granular level, here are a few of the most important top-line considerations.
Who should be allowed to be invited as a guest?
Determine if the agility, regulatory, and sensitivity levels of your work environment are more appropriate for a policy that is everyone except or a policy that is no one except those from specific organizations or domains.
Once that determination has been made, coordinate with business stakeholders to either build a list of common collaborators (such as vendors) to whitelist or to identify organizations that may need to be blacklisted (such as competitors).
In general, highly regulated and sensitive environments will want to deploy a “no one except” policy while most organizations will want to deploy an “everyone except” policy while layering on more protections for specific workspaces and files downstream.
Note: The allow/deny list is NOT infinite. The entire policy can consist of only 25,000 characters. This means if you are a large organization and want to granularly specify hundreds of allowed domains, you will likely run into this limitation.
Should guests be allowed to see the organizational directory?
In most cases, it would be inappropriate for guests to be able to look up or contact anyone within the organization. The best practice is to limit access to only those who are members of the same Team as the guest.
Who should be allowed to admit new guests to the Microsoft Teams environment?
When a user would like to have a guest added, there needs to be a process for admitting them into the environment. There are two people who can add an external user to a Team using Microsoft 365 native functionality: an IT admin or the owner of the Team.
Microsoft 365 will never let a member of a Team invite a net new external guest. Depending on the selected settings, however, members could add and share with guests who are already in Active Directory but not members of that specific Team.
The challenge with having only IT admins add new guest users creates a bottleneck. They’re also not as close to the business needs, so managing the lifecycle of a guest — when they need to be onboarded and offboarded — can be a challenge.
On the other hand, not every organization is comfortable with enabling any Team owner to admit new guests which then presents two options:
- Enable Team owners to invite guests and then lock down specific Teams where sensitive work is being This requires coding through Powershell or configuring sensitivity labels so they can be applied to Groups and workspaces. Both options can be tedious to maintain at scale and could require upgraded licenses, depending on the application.
- Deploy a third-party solution such as AvePoint’s Cloud Governance to enable an approval process for admitting. Because Cloud Governance can guide users to correctly categorize the purpose during the creation process, specific types of Teams can be permitted or prohibited from allowing guests.
For more policy considerations such as how guests can be offboarded and what type of guests should be able to access files in SharePoint and OneDrive, download the full ebook here!