Today, digitally connecting, communicating, and collaborating with colleagues outside your agency is just as important as working with your internal coworkers. However, before you enable external collaboration in your Microsoft 365 (M365) tenant, there is a litany of tasks you must take on–especially if working within a Zero Trust framework. From properly setting permissions to configuring and provisioning your collaboration spaces and guest access to ensure your environment stays controlled and secure, there’s plenty to consider.
In this post, we’ll discuss considerations for enabling external collaboration without overburdening IT or straying from your Zero Trust Architecture (ZTA) framework.
Note: While Microsoft offers multiple capabilities to enable external collaboration in your M365 tenant, this post focuses on Azure B2B Guest Access because it invites outsiders into your tenant, making it most important to properly provision and configure. Read more about other features to enable external collaboration in this blog post.
Enable External Collaboration with Guest Access in Microsoft 365
Controlled at the individual user level, guest access provides people from outside your organization with access to content inside your Microsoft Teams – such as the channels, chat threads, and shared files – without costly additional licensing traditionally required to add users. Your internal team can have conversations, co-author files, coordinate calendars, and more with these guest users, all while you continue to maintain control and security over the shared information within your environment.
This could be a huge value to your agency. For example, the National Institute of Health could use guest accounts to collaborate with grantees and their site staff or academic researchers, while the Department of Justice could use guest access to coordinate with local law enforcement to plan incident responses or correspondence around special event planning.
Despite the benefits, you need proper policies and reporting in place when utilizing features like guest access to ensure your information stays protected.
Native Options for Securing Guest Access
Natively, securing and controlling guest access can be a bit confusing. First, you have your organization-wide settings where you control guest access at the tenant level. From there, there are more controls within Microsoft Teams, SharePoint, and other apps that determine access at the workspace level. By default, these settings are enabled.
Due to this, it might seem like it makes sense to restrict this ability to IT for consistent and controlled management, but that too has its downsides. Similar to issues discussed in our delegated administration post, having only IT admins add new guest users can create a bottleneck. IT is also generally not as close to the business needs; this makes managing the lifecycle of a guest—when they need to be onboarded and offboarded and if they still need access to the information they have been granted—challenging at best.
Another issue: Maintaining default controls gives Team owners the ability to invite guest users to their team. This leaves the decision of who can have access to what information completely in their hands, which could lead to inconsistent privileges and oversharing. We find ourselves with a double-edged sword: we want the business owners to have control over who can access and collaborate in their workspace since they know it best, but we need to ensure that there’s a consistent application of rules and policies around guest access to protect our data. As our ZTA standards say: never trust, always verify.
Your ideal solution would be to enable Team owners to invite guests to their workspaces but lock down workspaces with sensitive information using sensitivity labels (which admittedly has its own issues). Natively, however, this is still tedious to maintain–especially at scale–and costly if you’re not already using advanced M365 license SKUs.
While sensitivity labels can help lock down specific workspaces, IT is still tasked with both the creation and lifecycle of these guest accounts and the careful configuration necessary to maintain sensitivity labels (let alone the manual task of applying these labels to content and Teams). These are manual, burdensome, and error-prone processes and, frankly, not the best solution for agencies who have been continuously told to do “more with less” year after year for over a decade.
Secure Your Guest Access with AvePoint
To start, AvePoint Cloud Governance enables you to create conditional, multi-stage approval processes for creating new guests based on your agency’s business logic. Because Cloud Governance guides users to correctly categorize the purpose and sensitivity of a Team during its creation process, Teams can be dynamically permitted or prohibited from allowing guests based on the metadata you determine appropriate to support your policies. And like the automation of SharePoint Site and Team lifecycle, Cloud Governance also automates the lifecycle of guests, assigned to a specific business owner instead of IT, which ensures no guests have access longer than they should by providing this owner reporting across all Teams that a guest has access to.
Complementing Cloud Governance’s automation capabilities, AvePoint Insights provides IT with the oversight they need, aggregating information about the guests, what they have access to, and what they are doing with that access. This allows you to track any suspicious activity and identify potential sensitive information exposure tenant-wide without having to look across each individual workspace. Additionally, the Insights dashboard provides the ability to edit in bulk from actionable reports.
Finally, using AvePoint Policies, you can automate rules for access, settings, or other configurations based on your M365 Groups – allowing for proactive, automated policy enforcement. Once established, you can apply these policies dynamically based on the same Team metadata used to determine Guest Access rules, ensuring your collaboration spaces with sensitive information always have the correct security measures in place.
Leveraging the AvePoint Confidence Platform’s suite of solutions described above together allows you to support your Zero Trust policies while enabling easy external collaboration and decreasing the burden on IT.
Final Thoughts on Zero Trust Collaboration
It might feel counterintuitive to grant guest users access to your tenant while implementing ZTA – after all, there is no better way to secure your network and application than by restricting access to your tenant to your vetted employees. However, it’s important to keep in mind that external collaboration has always happened: be it through sanctioned (email, extranets, etc.) or unsanctioned (Shadow IT) methods.
Compared to email, faxing, or any other previous method for sharing with outsiders, the security controls of guest access are significantly better, automatically protecting your data. That, paired with the automation and oversight offered by third-party tools like AvePoint Cloud Governance, Insights, and Policies, should give you peace of mind that you can have both external collaboration and a secure environment.
This post is the final part of AvePoint’s Zero Trust and Your Agency’s M365 Collaboration series. Subscribe to our Microsoft 365 Government Community call for more tips and tricks to utilizing M365 as a Federal agency.