How to: Guest Management in Microsoft 365

The ultimate guide to reviewing your Guests’ Access in Microsoft 365

David Francoeur October 13, 2022

According to IBM’s Cost of a Data Breach Report 2022, the global average cost of a data breach is $4.35M. Some 45% of data breaches occur in the cloud, and cloud misconfigurations and vulnerabilities are among the top factors that drive breach cost up.

There is, however, a silver lining – there are some clear steps that can be taken to protect your organization from data breaches. 

With the increasing amount and value of data being hosted in cloud environments, organizations should take steps to protect cloud-hosted data stores. In the same report, mature cloud security practices were associated with breach cost savings of USD$720,000 compared to organizations without such practices. One of the many cloud security practices worth implementing is identity and access management (IAM), which reduces the average cost of a potential data breach by USD$224,396.

Throughout conversations with many organizations using Microsoft 365, we’ve heard a consistent refrain about Guest Management – for most, overseeing guests is simply not a “manageable” task with the tools they have. Most administrators feel ill-equipped to get a full understanding of the extent of Guest Access within their Tenant, let alone decide whether current Guests and their access are still legitimate. As collaboration scenarios grow in complexity, organizations mature in their usage of the M365 platform, and digital security becomes an increasingly scrutinized part of the enterprise, the challenge of managing Guests is reaching a tipping point where it can no longer be ignored.

What You’ll Take Away

This article will go over some of the reasons why you should consider reviewing your Guests’ Access, how to set up recurring Reviews of your Guests using Azure AD Identity Governance within Microsoft 365, and some of the challenges and difficulties you may face in using these processes.

Why Review Guests?

There are a host of reasons justifying the need to review an organization’s Guest accounts, but a short summary will serve the purposes of this article. Some of these reasons include:

  • Guests are easily “forgotten” and retain lingering access to Teams, Sites, Apps, and Content long after they need it. This presents a significant possible security risk, especially as new users join the workspaces and begin to add content to workspaces they assumed were private.
  • We often know little to nothing about Guest accounts, meaning it is easy for users to share the wrong content with the wrong person. This again presents a significant possible security risk. 
  • Many organizations do not archive or decommission workspaces that are no longer active. For internal users, this amounts to noise, but for guest users who retain their access, this can have more serious consequences.
  • Many guests never even redeem their invitation to collaborate with your tenant, but by virtue of being invited, they exist in your Azure Active Directory and can be selected again as a Guest via search.
  • Lack of controls and governance policies at the Tenant or Group levels may have led Guests to be inadvertently granted access to more than the sender realized.
  • In the vast majority of cases, there is a lack of a “reporting structure” for guests, meaning no one within an organization is assigned the role of managing/sponsoring/overseeing a particular Guest. This general lack of responsibility and accountability often means disorder.
  • Even once Guest policies are put in effect (e.g., Guest Group Setting in PowerShell, or Sensitivity Labels), existing Guest users are left behind in these workspaces. 

What is Required to Set Up a Guest Review Process

The features discussed below require Azure AD Premium P2 licenses. 

See “What are access reviews” and “MAU billing model for Azure AD External Identities” on Microsoft Learn.

How to Set Up A Guest Review Process

  • Navigate to portal.azure.com
  • Locate Identity Governance under Services

  • Navigate to Access Reviews and click New Access Review

  • Under the Review Type tab, select the Type of Review being created (Teams + Groups, or Applications) 

  • Configure the Review Scope and if desired, choose whether to include only Inactive Users and specify an inactivity day threshold (e.g., 30 days) 

  • Under the Reviews tab, select the way the Reviews shall be carried out. For the purposes of this blog, I will begin a review immediately on all workspaces with Guests, and subsequently, repeat the process on a Quarterly basis. I’ve opted for a multi-stage review (Note: Multi-Stage access reviews are currently in Preview) where my first stage will ask Guests to perform a Self-Review, followed by a second stage performed by Team Owners. I also specify a Fallback Reviewer (Adele Vance) if a Team Owner cannot be found. 

At the bottom of the tab, select the scenarios that can progress from Stage 1 to Stage 2. In my case any guest that has decided during the self-review that their access can be removed need not continue to the second stage – only guests who believe they still need access or did not provide an authoritative answer should proceed to the second stage. 

  • Under Settings, determine whether you wish to use ‘Decision Helpers’ and what should occur if reviewers do not respond to the process. 

  • On the Confirmation Screen, confirm and Create the Access Review. 
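The portal steps above can also be expressed as a single Microsoft Graph request, which is useful when the same review policy has to be created in several tenants or kept under version control. The following is an added example, not code from the original post, written against the Microsoft Graph PowerShell SDK; it assumes the Microsoft.Graph module is installed, that the signed-in account is permitted to create access reviews, and that the placeholder object id of the fallback reviewer is replaced. The query used for the self-review stage and the use of the beta endpoint (multi-stage reviews were in preview when this post was written) are assumptions to verify against the current Graph reference.

```powershell
# Added example: create the two-stage, quarterly guest access review described above.
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All"

$fallbackReviewerId = "<OBJECT-ID-OF-FALLBACK-REVIEWER>"   # placeholder (e.g. Adele Vance)

$definition = @{
    displayName             = "Quarterly guest access review (all Microsoft 365 groups)"
    descriptionForAdmins    = "Stage 1: guest self-review. Stage 2: team owners."
    descriptionForReviewers = "Confirm whether this guest still needs access to your team."

    # Who is reviewed: guest members of each enumerated group, limited to guests with
    # no sign-in activity in the last 30 days (the 'inactive users' option in the portal).
    scope = @{
        "@odata.type"    = "#microsoft.graph.accessReviewInactiveUsersQueryScope"
        query            = './members/microsoft.graph.user/?$count=true&$filter=(userType eq ''Guest'')'
        queryType        = "MicrosoftGraph"
        inactiveDuration = "P30D"
    }
    # Which resources: every Microsoft 365 (Unified) group, i.e. every Team/workspace.
    instanceEnumerationScope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = '/groups?$filter=(groupTypes/any(c:c eq ''Unified''))'
        queryType     = "MicrosoftGraph"
    }

    stageSettings = @(
        @{
            stageId                = "1"
            durationInDays         = 7
            recommendationsEnabled = $true
            # Stage 1: guests review their own access. An empty reviewer collection is
            # assumed here to mean self-review; check the Graph reference for your tenant.
            reviewers              = @()
            # Only guests who said they still need access, or who did not answer,
            # continue to the owners' stage; self-denied guests stop here.
            decisionsThatWillMoveToNextStage = @("Approve", "NotReviewed")
        },
        @{
            stageId                = "2"
            dependsOn              = @("1")
            durationInDays         = 7
            recommendationsEnabled = $true
            # Stage 2: group owners decide; a named user steps in when a group has no owner.
            reviewers         = @(@{ query = "./owners"; queryType = "MicrosoftGraph" })
            fallbackReviewers = @(@{ query = "/users/$fallbackReviewerId"; queryType = "MicrosoftGraph" })
        }
    )

    settings = @{
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true
        autoApplyDecisionsEnabled       = $true    # remove access automatically when an instance ends
        defaultDecisionEnabled          = $true    # what happens when nobody responds
        defaultDecision                 = "Deny"   # unreviewed guests lose access rather than keep it
        instanceDurationInDays          = 14
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 3 }   # quarterly
            range   = @{ type = "noEnd"; startDate = (Get-Date).ToString("yyyy-MM-dd") }
        }
    }
}

$result = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/identityGovernance/accessReviews/definitions" `
    -Body ($definition | ConvertTo-Json -Depth 10) -ContentType "application/json"

"Created access review definition $($result.id) (status: $($result.status))"
```

Keep the returned definition id; it is the handle for every later monitoring query against this review.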

What the Guest Review Participants Will Receive

Participants in a Guest Review process will receive an email from Microsoft directing them to the My Access portal to action the review. The user experience is not bad, but it is likely to require some adoption and change management effort to be successful.

Monitoring A Guest Review Process

To monitor an ongoing Access Review, the Access Review can be opened and each Group expanded individually. This is quite challenging at scale, and it is difficult to get an overall sense of individual guests and the state of their current access reviews across the environment.
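One way to get that overall view is to pull every instance and decision of the review through Microsoft Graph and flatten them into one table keyed by guest. This is an added example, not code from the original post; it assumes the Microsoft.Graph module is installed, that the placeholder is replaced with the id of the access review definition, and that the decision and instance properties named in the comments match the Graph reference for your tenant.

```powershell
# Added example: one row per guest and workspace across all instances of a review.
Connect-MgGraph -Scopes "AccessReview.Read.All"

$definitionId = "<ACCESS-REVIEW-DEFINITION-ID>"   # placeholder
$base = "https://graph.microsoft.com/beta/identityGovernance/accessReviews/definitions/$definitionId"

# Follow @odata.nextLink so that large tenants are not silently truncated to one page.
function Get-GraphCollection([string]$Uri) {
    $items = @()
    while ($Uri) {
        $page  = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri    = $page.'@odata.nextLink'
    }
    return $items
}

# Each instance corresponds to one group in scope; each decision to one guest in that group.
$rows = foreach ($instance in Get-GraphCollection "$base/instances") {
    foreach ($d in Get-GraphCollection "$base/instances/$($instance.id)/decisions") {
        [pscustomobject]@{
            Guest      = $d.principal.userPrincipalName
            Workspace  = $d.resource.displayName
            Decision   = $d.decision              # Approve, Deny, NotReviewed, DontKnow
            ReviewedBy = $d.reviewedBy.userPrincipalName
            ReviewedOn = $d.reviewedDateTime
            Status     = $instance.status         # e.g. InProgress, Completed, Applied
        }
    }
}

# The cross-environment view the portal does not give you: every guest, every workspace.
$rows | Sort-Object Guest, Workspace | Format-Table -AutoSize

# Guests nobody has acted on yet, with the number of workspaces still pending.
$rows | Where-Object Decision -eq 'NotReviewed' | Group-Object Guest |
    Select-Object @{ n = 'Guest'; e = { $_.Name } }, @{ n = 'PendingWorkspaces'; e = { $_.Count } }
```

Exporting `$rows` with `Export-Csv` gives a snapshot you can diff between quarters to see whether lingering guest access is actually shrinking.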

Challenges and Costs

If you’ve gotten this far you can likely ascertain that there is a great deal of complexity to navigate to put this in place, to oversee its execution, as well as to prepare and onboard users to receive these requests and make sense of them.

Another significant challenge can be figuring out licensing and costing, which can be extremely complicated. Microsoft provides a table of example license scenarios, but even this is not altogether clear. How you choose to set up the Reviews has a direct impact on the license count that will be required. Furthermore, how do you know whether you will fall over or under the first 50,000 MAU? Are you accounting for the extra fees for SMS/phone-based multi-factor authentication?

With the Azure AD Premium P2 license costing a whopping 11.50 per user per month, incremental costs can add up fast! It is not hard to imagine a large organization with 1,000 unique Team Owners all wanting to perform access reviews for Guests in their Teams – this would amount to an annual cost of $138,000. 

All this could be on top of existing license SKUs such as an E3 license (CAD 47.90 per user/month) for each user. Another option would be to bump these users from an E3 to an E5 (CAD 73.00 per user/month) but unless this is required for other functionality, this is a steep cost that many organizations are not ready to bear. 

Is There Another Way?

With Orchestry, there is! Our latest Guest Governance and Guest Insights features allow you to set up comprehensive Guest Review policies in minutes, and effectively delegate and automate the entire Guest review process. Curious about what the Guest Review process looks like with Orchestry and how much money and time it can save you? 


More importantly, the Guest Governance and Guest Insights features not only allow for much simpler, more efficient, and better-informed Guest reviews, but also offer unprecedented insight into all Guests in your tenant and give you granular control over Guest Access. 

More Details About Guests

Unlike the out-of-the-box Microsoft 365 Guest addition functionality, Orchestry requires users to capture additional information on Guests before sharing access to assets in your tenant, including their first and last name, their company name, and country, and add a justification as to why the Guest needs access. 

With the additional context on hand, reviewing Guests becomes a significantly simpler process. 

We have put together a comprehensive blog on everything you want to know about Guests in your tenant and how to capture this information, so have a read!


Guest Review & Guest Request Policies

Orchestry’s beautiful interface allows you to easily create Guest Review policies of any level of complexity and apply them to the existing workspaces in minutes.  

Guest Request policies allow you to create granular rules around Guest requests. You can create policies that restrict Guest Access to certain types of Workspaces altogether. These policies can be applied to Workspaces that hold highly confidential information. More lenient policies can also be created, requiring users to collect additional information about Guests, or approval by a group of members or individuals within your organization before Guest Access is granted.  

But that’s only a small portion of what Orchestry can do. On top of the Guest Governance and Guest Insights features, it is full of other functionality, including Workspace Template features that let you get the most out of your Microsoft 365 license. These features allow you to leverage the existing library of business-first scenario templates created by Microsoft 365 MVPs, or create your own templates and, of course, apply Guest Review and Guest Request policies to those templates. Every time an end user requests a new workspace from an existing template, the policies are automatically embedded and put into action in that workspace once it is provisioned.

Guest Insights

Orchestry’s Guest Insights lifts the lid on all the Guests within your tenant and provides you with an unprecedented view of the total number of Guests, the number and list of Workspaces that have been shared with Guests, the number and list of unique domains the Guests in your tenant come from, access violations, growth in Guest numbers over time, and much more. These actionable insights allow your organization to make educated decisions on potential changes to the Guest Request and Review policies, on revoking access and removing Guests, and on the overall security of your tenant. 

Want to See Orchestry’s Guest Governance and Guest Insights in Action? Watch our on-demand webinar “Gain control over M365 Guest Access with Orchestry”.

What will you learn in this 60-minute webinar?

    • Review of common security, financial, and data risks, and challenges associated with Guest Access.
    • Discussion around some of the gaps in the existing Guest Access reporting, provisioning, and lifecycle management.
    • Presentation of the latest Guest Insights and Lifecycle Management features and how they can address your organization’s risks.


About the Author

David Francoeur

Orchestry Director of Product Delivery

As a speaker, author, and consultant operating across industries, David brings to Orchestry a diversified perspective on solving problems in the Digital Workplace. Working cross-functionally to guide products from conception to launch, he carefully connects the technical and business worlds. Passionate about user experience and design, David thrives on outcomes that are not only successful from a technological perspective but more critically; adopted, championed, and valued by the business.

Beyond his passion for the digital workplace, David enjoys spending time with his spouse and daughter, playing soccer, or reading a good book.
