This Q&A is in response to our recent webinar “Solving The Microsoft 365 Guest User Puzzle.” Watch it on-demand today!
If our latest webinar taught us one thing, it’s that people have a ton of questions about external access in Microsoft 365. After reviewing the laundry list of inquiries Dux and John received during the presentation, we hand-picked 25 of the best questions to answer right in this post. Without further ado, let’s get into it!
Does AvePoint Cloud Governance cover the whole user lifecycle? With onboarding, review/renew, and offboarding?
Yes! Cloud Governance offers full user lifecycle management for external users.
If a user has an E3 or E5 license in Fabrikam and is added as a guest user in Contoso, will they still be using a guest license in Contoso?
Yes, the licenses from the tenant of origin do not carry into the tenant where a user is a guest.
Does the AvePoint solution require a P2 license?
Nope! Technically it only requires basic enterprise or business licenses for Microsoft/Office 365.
Are there any limitations to adding guest users that have a .org or .gov email address?
Not from Office 365, but you can create limitations in Azure AD based on user domains if so desired. If you’re experiencing difficulties, the restriction may be coming from the invited user’s own tenant.
What happens to guest accounts if we cut licenses and that puts the guest users total above the 5:1 ratio? Would some guest users be automatically disabled?
In theory, yes, but based on testing, this is not the case. Also, remember that if the users have their own Microsoft 365 account or Microsoft account this limitation may not apply to them; it’s primarily for guest users whose accounts were created from scratch within AD.
Would these guest renewal flows only work for guests invited using your invitation flow or would it work for existing guests in a tenancy?
It’s possible to import existing users to be managed by the Cloud Governance solution. Sponsors can certify ongoing need for the Guest to remain in the directory, remove the user from select Groups and Teams, or even choose to remove the user from the directory if appropriate.
How would you recommend guests in Groups be maintained? Letting Group owners add guests seems likely to give away control.
This is a question we get all the time, and it is a difficult one that needs to take many considerations into account. AvePoint builds a lot into our governance tool, like enforcing who owners can be, building in oversight, applying automated policies in our provisioning process, and maintaining reviews for admin teams.
Natively, the most straightforward way to manage this is either to have just a few Teams/Groups with external sharing enabled for specific purposes, or to be very strict organization-wide about who can be an owner of a Group or Team. There is not really a simpler way to manage this process.
Is there a way to find out if users of my tenant/Azure AD are invited as guest users to other tenants?
There are some capabilities around reporting and restricting this. More on that here.
Is there any setting that allows anonymous sharing in OneDrive but not in SharePoint?
No, not at this time.
Is there an external API that can create the Teams (e.g. from Dynamics 365 if an opportunity is created)?
Yes! This is possible via Power Automate connectors now, and it’s also possible to use AvePoint’s Cloud Governance to kick off service requests for Teams via connectors in Power Automate as well.
Please discuss the differences between external access to SharePoint sites that are not attached to Teams/Groups vs. sites that are the backbones of Teams. How is the external user experience different from those with direct access to SharePoint sites?
The only difference is that when someone is a guest user in a Group or Team, they also have access to some, if not all, of the additional applications connected via Groups and Teams. The SharePoint site access will be the same.
If user B is deleted from Fabrikam AD, is the reference to this user also deleted from Contoso’s guest users?
No, that will still have to be done on the Contoso side.
Is there a way to have everything default to having External Sharing disabled, but only enable certain Teams/SharePoint sites?
This can be easily accomplished using AvePoint’s Cloud Governance solution or by restricting user provisioning for Teams and having access adjusted as part of an organizational process.
Is there a way to block only one department from using guest access anywhere (a per-user setting instead of a peer group/team/site setting)?
This can be done by setting up a service in AvePoint’s Cloud Governance solution.
To invite a guest, does the guest only need an email address? No Microsoft account or similar is required?
That is correct!
Can you align policies to the business functions of the organization? Does AvePoint have tools for business classification that complement this service?
Yes, absolutely. AvePoint’s Cloud Governance allows for the tailoring of controls so that the reasons why a workspace is being created are visible via the metadata and naming conventions. Enforcement around external sharing and many other settings is then properly applied and enforced for the organization. Policies are applied dynamically based on a combination of which services users need from Microsoft 365 and why they need them.
All of this is done automatically via the simple request filled out by the user, which makes users’ lives much easier and reduces the burden of setup and maintenance from the organization side. This is why so many enterprise customers rely on this tool for their organization-wide governance and adoption of Teams!
If a guest is a member of a Microsoft Teams workspace, would that guest be able to access the PowerApps shared with this Office 365 Group?
Potentially, yes. It would depend on the security settings of the hosting tenant, but the likelihood is that they would be able to access the app.
Knowing that guest users do not have access to OneDrive, what would happen if they try to share a file in a 1:1 chat? I assume they will get an error about OneDrive not being available?
Technically, when a user puts a file in a 1:1 chat with the guest user, that file is then shared with the guest user directly, so the guest would indeed be able to access the file in this scenario.
How do I authorize someone as a guest inviter? I only want managers to be able to create Teams and invite guests.
This is restricted to owners of Teams/Groups (where guest access is enabled); there is no definitive way to control this outside of limiting who can be an owner in your organization. AvePoint can enforce this limitation proactively and revert ownership of Groups and Teams from unauthorized users automatically (or just send notifications as well).
Can members invite existing guests to Microsoft 365 Groups?
If guest access is enabled for the Groups/Teams in question then yes, but membership would still have to be approved by an owner.
The options are different, but is SharePoint using Azure as the repository for user information or does it have a different repository for users?
SharePoint pulls user information from Active Directory, and the access in SharePoint is stored as a combination of SharePoint security records for users and groups and Active Directory/other group types in Microsoft 365. The GUID for the user is stored in AD and synchronized to Microsoft 365.
Do you feel like that may be something you want to have a separate SharePoint site for? External collaboration really breaks down security.
AvePoint’s solution enables organizations to tackle these controls from many angles, like restricting the ability to share information externally to only the appropriate users, departments, and situations. The real power behind the solution is enabling organizations to enforce these policies to scale with minimal effort.
Without this, most organizations limit external sharing to a small number of sites or document libraries and heavily control access. From our experience and literally thousands of customer conversations, over and over again we see this leading to unhappy user experiences and users simply collaborating via “shadow IT” or other methods outside the control of the organization.
Can you disable inviting guests for admin but still allow guest creation from graph API (handled by the company identity management system)?
Yes, this is possible. API access is governed by the permissions granted by the account/Azure app interacting with the API, not necessarily by the settings in Microsoft 365. You would need to keep track of any such apps/access granted and definitely have a system in place to govern app/user access for these use cases.
AvePoint is very transparent about the access that we require and utilize for our applications and we provide features like custom encryption and MFA support to ensure the highest level of security for our cloud platform.
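To keep track of which apps and users hold the Graph permission that creates guests, as the answer above recommends, here is an added example (not AvePoint’s or Microsoft’s code) using the Microsoft.Graph PowerShell SDK. It assumes an admin session with the read-only scopes listed in the script and that the tenant’s Microsoft Graph service principal has the well-known app ID shown.

```powershell
# Added example: inventory every principal that can create guests through
# Microsoft Graph (User.Invite.All), next to the tenant-wide invite setting,
# so the list can be reviewed whenever the guest-invite policy changes.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Application.Read.All', 'Directory.Read.All'

# 1. The tenant-wide guest invite restriction as exposed by Graph.
$authPolicy = Get-MgPolicyAuthorizationPolicy
"Tenant invite setting (allowInvitesFrom): $($authPolicy.AllowInvitesFrom)"

# 2. Resolve the Microsoft Graph service principal (well-known app ID); its
#    AppRoles carry this tenant's GUID for the User.Invite.All app permission.
$graphSp    = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$inviteRole = $graphSp.AppRoles | Where-Object { $_.Value -eq 'User.Invite.All' }

# 3. Application permissions: app role assignments on the Graph resource whose
#    role is User.Invite.All. These work without a signed-in user, so they are
#    what an identity-management integration would typically use.
$appGrants = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All |
    Where-Object { $_.AppRoleId -eq $inviteRole.Id } |
    ForEach-Object {
        [pscustomobject]@{
            Client    = $_.PrincipalDisplayName
            ClientId  = $_.PrincipalId
            GrantType = 'Application'
        }
    }

# 4. Delegated permissions: OAuth2 grants on the Graph resource whose scope
#    string includes User.Invite.All (admin consent or per-user consent).
$delegatedGrants = Get-MgOauth2PermissionGrant -All |
    Where-Object { $_.ResourceId -eq $graphSp.Id -and (($_.Scope -split ' ') -contains 'User.Invite.All') } |
    ForEach-Object {
        $client = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
        [pscustomobject]@{
            Client    = $client.DisplayName
            ClientId  = $_.ClientId
            GrantType = "Delegated ($($_.ConsentType))"
        }
    }

# Each row is a way to create guests that the portal toggle alone does not show.
@($appGrants) + @($delegatedGrants) | Format-Table -AutoSize
```

Run it from an account that holds the requested scopes; any row whose client you do not recognise is a candidate for consent review or revocation.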
So we can add a guest user to a Team and have them access the chat, but then block them from accessing files in the Team by modifying the SharePoint settings?
Yup! This is possible, just like removing even admin access to files within document libraries in SharePoint is possible via controls like breaking inheritance.
What if they are a Google customer?
You can still invite them as a guest user, no problem!
Didn’t get your question answered? Check out our second Q&A here.