In recent years, Microsoft has expanded its collaboration tools, particularly for working with people outside your organization rather than only inside it. With that expansion, cross-organizational access has become an increasingly important topic from both a technical and a governance perspective.
In this article, we step through what a guest is, how guests get access, and how they differ from regular internal users within Microsoft 365 (M365).
What is a guest?
In M365, a guest account represents a user who is external to your organization. The guest signs in with an identity your tenant does not own: their home Microsoft Entra ID tenant (previously Azure Active Directory), a Microsoft account, or another identity provider. Your tenant does hold a user object for the guest, so you can assign permissions to it and audit it, but the credentials and the underlying identity are managed elsewhere, not in your Entra ID or on-premises Active Directory (AD).
Guest access allows these external users, who are not members of your organization, to sign in to and collaborate on resources within your M365 environment without being given a regular member account.
How does a guest receive access?
There are several ways a guest can be added to your environment. The most common are a Microsoft Entra invitation, being added to a team, and receiving a sharing link. Note that by default the guest invite settings in Entra ID allow any member (and even existing guests) to invite new guests, not only administrators; if you expect guests to appear only through a governed process, restrict this setting to administrators or a designated role.
1 - Microsoft Entra Invitation
In a more controlled and strictly governed environment, guest users can be invited to collaborate on your tenant directly from within Microsoft Entra ID. Typically, an administrator performs these steps by generating an invite and completing information such as email address, display name, the groups the person should be a member of, and other properties that are typical of a regular user account managed in Entra ID. The same invitation can be issued programmatically through the Microsoft Graph invitations API, which is how most automated onboarding flows create guests.
This is the most detailed approach for inviting guests to your environment, because you can set the most user details at the moment the account is created, before the guest has access to anything.
2 - M365 Group membership through Teams
When working in a team, it's common to have external consultants involved in projects, with a need for the project members to collaborate and share content with one another. Provided guest access is enabled in the Teams admin center (it is on by default), team owners within your organization can invite guests through the standard member management functionality; external users automatically display as guests. Because a team is backed by a Microsoft 365 group, this adds the guest to that group's membership, and the guest inherits whatever the group can reach.
3 - Sharing
One of the most common scenarios is direct sharing of content. Any of your users can typically share files and folders this way, both internally and externally, by entering the recipient's email address in the sharing dialog (a "Specific people" link).
All these methods result in a guest user object being created in Entra ID, which can then be managed directly on the tenant. (An "Anyone" link, covered in the next section, is the exception: it grants access without creating any account.)
The object is marked with a userType of Guest, and its User Principal Name is derived from the external email address by replacing the @ with an underscore and appending #EXT#, so it looks similar to the following example: joesoap_example.com#EXT#@[tenantname].onmicrosoft.com. The original external address is kept in the mail attribute, which is the reliable place to read it from.
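The Entra invitation route and the resulting guest object, as an added example that is not part of the original article. It uses the Microsoft Graph PowerShell SDK (Connect-MgGraph, New-MgInvitation, New-MgGroupMember, Get-MgUser); the email address, display name and group ID are placeholders, and the 30-day cleanup threshold is an assumed policy value.

```powershell
# Added example (not from the article): invite a guest through the Microsoft Graph
# PowerShell SDK, optionally add them to a Microsoft 365 group, then inspect the
# user object the invitation created. Address, name and group ID are placeholders.
Connect-MgGraph -Scopes "User.Invite.All","User.Read.All","GroupMember.ReadWrite.All"

# 1. Create the invitation. Graph creates the guest user object immediately with
#    externalUserState = PendingAcceptance; it flips to Accepted when the invite is redeemed.
$invite = New-MgInvitation `
    -InvitedUserEmailAddress "joesoap@example.com" `
    -InvitedUserDisplayName "Joe Soap (Example Corp)" `
    -InviteRedirectUrl "https://myapps.microsoft.com" `
    -SendInvitationMessage

$guestId = $invite.InvitedUser.Id

# 2. Optionally place the guest in a Microsoft 365 group (hypothetical group ID).
#    Adding someone to a team does the same thing under the hood.
$groupId = "00000000-0000-0000-0000-000000000000"
New-MgGroupMember -GroupId $groupId -DirectoryObjectId $guestId

# 3. Inspect the result. Note the #EXT# UPN and that the original address is in Mail.
Get-MgUser -UserId $guestId `
    -Property "id,userPrincipalName,mail,userType,externalUserState,externalUserStateChangeDateTime" |
    Select-Object Id, UserPrincipalName, Mail, UserType, ExternalUserState, ExternalUserStateChangeDateTime

# 4. Governance check: every guest whose invitation was never redeemed and is older
#    than 30 days (assumed threshold). These are stale objects worth removing.
$cutoff = (Get-Date).AddDays(-30)
Get-MgUser -Filter "userType eq 'Guest'" -All -ConsistencyLevel eventual -CountVariable guestCount `
    -Property "userPrincipalName,mail,externalUserState,createdDateTime" |
    Where-Object { $_.ExternalUserState -eq "PendingAcceptance" -and $_.CreatedDateTime -lt $cutoff } |
    Select-Object UserPrincipalName, Mail, ExternalUserState, CreatedDateTime
```

Step 4 is worth scheduling: invitations that are never accepted still leave a directory object that can be added to groups and granted permissions, so pending guests accumulate as standing risk unless they are reviewed.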
What are guest accounts used for?
By default, SharePoint Online lets users generate an 'Anyone' (anonymous) sharing link: specific files or folders can be shared with anyone on the Internet, with no sign-in required. From a governance perspective this is extremely risky. The link itself is the credential, so whoever holds it has access, it can be forwarded without limit, and because nobody signs in you cannot tell who has been accessing the content. This can easily lead to unauthorized access to sensitive information.
Guest accounts are used in place of anonymous access to give external users a way to collaborate on your organization’s resources whilst retaining the ability to audit and govern the account as you would a regular user account within your environment.
Guest accounts also allow for a much wider range of functionality than collaborating on files and folders. Once the external user accepts the invitation, they authenticate as their guest account and their access is managed within your environment. Because there is a named account, every action it takes is attributable, so you can monitor and audit it. This means that, unlike anonymous access, you can govern guests' access and actions in the same way as you would for your regular user accounts, including Conditional Access, access reviews and the unified audit log.
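The contrast drawn above between Anyone links and guest accounts, as an added example that is not part of the original article. It uses the SharePoint Online Management Shell (Connect-SPOService, Get-SPOTenant, Set-SPOTenant, Get-SPOSite) and the Exchange Online module (Connect-ExchangeOnline, Search-UnifiedAuditLog); the admin URL and the guest UPN are placeholders, and the 7-day expiry is an assumed policy value.

```powershell
# Added example (not from the article): show the tenant-level settings that permit
# "Anyone" links next to a guest-only configuration, then use the unified audit log
# to see anonymous-link activity and a named guest's activity. Placeholders throughout.
Connect-SPOService -Url "https://[tenantname]-admin.sharepoint.com"

# Current state. The permissive values are SharingCapability = ExternalUserAndGuestSharing
# (Anyone links allowed) and DefaultSharingLinkType = AnonymousAccess.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    RequireAnonymousLinksExpireInDays, FileAnonymousLinkType, FolderAnonymousLinkType

# Hardened: external sharing only to authenticated (new and existing) guests, and the
# sharing dialog defaults to a "Specific people" link instead of an Anyone link.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly -DefaultSharingLinkType Direct

# If the business still needs Anyone links, at least force expiry (assumed 7 days)
# and make them view-only:
# Set-SPOTenant -RequireAnonymousLinksExpireInDays 7 -FileAnonymousLinkType View -FolderAnonymousLinkType View

# Sites can be more restrictive than the tenant but never more permissive, so after
# tightening the tenant, confirm no site still reports the permissive value.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" } |
    Select-Object Url, SharingCapability

# Audit: who created or used Anyone links in the last 30 days. UserIds shows the creator;
# for AnonymousLinkUsed it cannot show who used the link, which is exactly the problem.
Connect-ExchangeOnline
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations "AnonymousLinkCreated","AnonymousLinkUsed" -ResultSize 5000 |
    Select-Object CreationDate, UserIds, Operations,
        @{ Name = "Site"; Expression = { ($_.AuditData | ConvertFrom-Json).SiteUrl } }

# The same log attributes every action of a named guest to that guest's UPN.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -UserIds "joesoap_example.com#EXT#@[tenantname].onmicrosoft.com" -ResultSize 5000 |
    Select-Object CreationDate, Operations, RecordType
```

Run the Get-SPOTenant query before and after the change; the two audit queries side by side make the governance argument concrete, since the anonymous-link events carry no identity for the person who used the link while the guest's events do.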
What does a guest get access to?
Guest users in M365 can gain access to various resources and services depending on the level of permissions granted to them. The access level is typically determined by the inviting user or M365 administrators. Here are some common resources and services that guest users can access:
- SharePoint Online Sites - Guest users can be granted access to specific SharePoint sites, allowing them to view, edit, and collaborate on documents and content within those sites.
- OneDrive for Business - Guest users can access shared OneDrive folders or files, enabling them to collaborate with internal users on documents.
- Microsoft Teams - Guest users can be added to Microsoft Teams as guests, participating in team conversations, accessing shared files, joining meetings, and collaborating with team members.
- Viva Engage (Yammer) - Guest users can participate in Viva Engage communities, sharing their ideas, comments, and collaborating with members of the community.
- Microsoft 365 Groups (formerly Office 365 Groups) - When invited to a Microsoft 365 Group, guest users can access the group's shared mailbox, calendar, files, and other resources associated with the group.
- Microsoft Planner - Guest users can collaborate on tasks within Microsoft Planner, providing project updates and progress tracking.
- Microsoft Forms - Guest users can access and respond to forms and surveys shared with them.
- Microsoft Stream - Guest users can view videos shared with them through Microsoft Stream.
- Power BI - Guest users can access Power BI reports and dashboards shared with them, enabling data analysis and visualization.
- Project Online - In organizations using Project Online for project management, guest users can be invited to collaborate on specific projects.
It's important to note that while guest users can access and collaborate on the shared resources mentioned above, their access is normally limited to the specific items they have been invited to. Administrators can set the level of permissions and control the scope of access for guest users to protect data security and privacy. By default, guests also have a restricted view of the directory itself (controlled by the guest user access restrictions setting in Entra ID) and hold no administrative roles. A guest only gains a directory role if an administrator explicitly assigns one, so role assignments to guest accounts deserve the same regular review as those of internal users.