This is an excerpt from our Microsoft 365 External Sharing ebook. See the others below:
- 3 Policy Considerations for Microsoft 365 Guest Access
- 4 External Sharing Scenarios to Consider in Microsoft 365
Configuring external sharing in Microsoft 365 is complicated with interdependent settings across six different admin interfaces. So, we will use an analogy to simplify the process — the security precautions many organizations take to access their physical environments.
If you invite an outsider to come to your office building for a meeting, they will go through several levels of security checks in order to gain access to the meeting room and sensitive information being shared within that room. We’ll represent the first level as approaching the building’s campus.
Azure AD: Accessing the Campus
Microsoft’s layered model of security settings for securing and controlling outsider access to Microsoft Teams and Microsoft 365 begins with organization-wide settings in the Azure AD Admin Center.
These global settings focus on verifying identity and setting the rules under which outsiders can be added to the directory (and by whom), along with their rights once established. An organization can have 5 guest users for every paid license.
The Microsoft 365 external sharing model is set up so that guests need to verify with their own identity provider and then you can choose to add on more stringent requirements for signing into your environment. This is a great feature, as it means that when a user leaves their home organization (perhaps from a partner to a competitor) their account is no longer active, and they no longer have the means to log in as a guest to your environment.
As we depicted in our cheat sheet, the key settings at the Azure AD level are to determine if guests can see your entire membership directory or just the members of Teams to which they belong.
This is also where you can select the “Admins and users in the guest inviter role can invite” toggle to determine if administrators can invite guests through the admin interface. It will need to be toggled on to allow Team Owners to invite guests through additional settings downstream. You could also choose to allow guests to invite other guests, but most organizations don’t do this.
As of March 2021, a one-time passcode option was made available to guests by default. This means if a resource like a document is shared with them and they are not currently in the directory or have a Microsoft account, they will be provided a one-time passcode for identity verification. Using our physical security analogy, organizations with larger buildings or campuses may enforce entry requirements to the entry road, car park, or campus perimeter for outsiders arriving by vehicle. A security guard checks that the outsider has valid identification from a trusted authority before lifting the entrance barrier.
Some highly secured sites will only allow certain organizations into the premises while others may just have a list of blacklisted organizations that can never enter. In other words, someone cannot get access to a meeting room if they can’t get inside the campus but being allowed inside the campus does not provide them with access to every meeting room.
For more insights on configuring guest access settings across the Microsoft 365 Global Admin Center and Microsoft Teams Admin Center, be sure to download the full ebook here!