What should you know about your Microsoft Teams Guests?

But inviting guests into your tenant is similar to inviting guests into your home. You wouldn’t invite a stranger into your house without first learning a little more about them. And you would expect the same from all the members of your household.

So let’s take a close look at the 4 most common things you should know about MS Teams Guest users. We will take a close look at how you can capture this information, and who can access it.

We will show you how to shift the responsibility of capturing guest information to the content owners in your organization. This way you can empower them to keep your tenant secure and compliant.

This sounds easy enough for the end-user, but what does this process mean for the organization, productivity, and outputs?

Potential security and compliance issues.

You wouldn’t let someone into your house if all you knew was their email. Without context, it is hard for Azure AD admins to decide if the Guest should retain access to your tenant. This context should include:

• Which organization the Guest is part of.
• What is their job title or area of responsibility is.
• Whether they have an appropriate security clearance level to be able to access sensitive information.

Communication and effective collaboration issues.

For the users to collaborate effectively with Guests, they need to know more information about the Guests as well. Some examples include location country/city, company name, preferred language, department and job title, and phone number.

How can additional information on MS Teams Guest Users be captured?

By default, there isn’t a way for users to capture additional information about Guests when adding them to Groups and Teams. This is one of the major Microsoft Teams Guest access limitations.

However, Guest information can be accessed and edited by Azure Active Directory admins. Below you can see what an admin would see on any given Guest after end users add Guests.

The Teams admin can then go ahead and edit the Guest information. Microsoft has dozens of properties that can be populated with pertinent details, as you can see below:

Your organization can communicate a costly process that will facilitate the collection of additional information about Guests. This process would require:

• Content owners are to contact the Administrator right after the invitation has been sent.
• Provide the admin with the additional information required by the organization about the recently added Guest.
• Admin will need to enter the details manually in Azure AD.

This leaves a lot of room for error, where the end-user may forget to contact the Administrator. This also, of course, adds a lot of hours and responsibility to the Admin’s plate.

In organizations where such a process doesn’t exist, IT Admins will have to perform frequent cleanups and data entry.

Since Administrators rarely, if ever hold the additional information about the Guests, they will first need to locate those who do.

The Admin would need to put the investigator hat on and review the list of Groups the Guest has access to. Then they would need to communicate with Teams users in hopes they can identify the individual.

Real troubles begin when the Guest in question doesn’t have access to any current M365 Groups. The only recourse at that point would be to perform an even deeper investigation. Diving into Audit Logs may help determine who completed the request for the Guest user. These logs, however, go back only 30 days, meaning that it is often impossible to identify the user at all.

Is there a better way?

Although out-of-box Microsoft Teams external Guest access information is limited, we at Orchestry recognize the importance of Guest Access. Our experience shows that added time and costs and potential risks of managing Guests are too great to overlook.

This is why we built our new Guest Insights and Management Features to help you, and your users, overcome these challenges.

Need to know more information about your guests? Orchestry can help.

With our beautiful Guest Request process the users can capture additional information about all the Guests. This information includes first and last name, company, and country. The requestors can also provide a reason why the Guest needs access to a Group right from the start.

This removes the need to implement any special processes for recording Guests’ information. In the long run, it saves hours of Admin work and custom development costs. Lastly, it ensures all relevant information about each Guest is captured from the moment they join your tenant.

Not only can Orchestry help ensure you capture information for new Guests but also for existing Guests! When an existing Guest is invited to a new M365 Group, the inviter will be asked for additional details about them. Only after the details have been added, access to the new workspace will be granted to the Guest.

Only knowing what groups users have access to is clearly not enough to prevent possible data leaks. So a deeper dive to identify individual assets Guests were given access to is required.

How to find asset access information for Microsoft Teams Guests?

One of the ways to review information about Guest access to individual assets is to dig through Microsoft Purview Audit Logs.

This does put a massive burden on administrators. The logs need to be reviewed regularly to ensure incorrect or potentially detrimental access was not given to a Guest. Action has to be taken immediately in case it has.

If a Guest was given incorrect access it can still be very difficult to understand where the access came from.

The logs only go back 90 days. If a data leak occurs as a result of sharing completed over 90 days ago, there is virtually no way to retrace the steps.

Below is an example of an Audit Log. What is absent in this view is a way to see what links this user may have been sent. The current process to access Sharing Link reports is incredibly painful, and can still obscure critical information!

Alternatively, Administrators can leverage PowerShell scripts to help ensure no critical data is lost. Some sample scripts can be found online, but they are only accurate to the point they have been run.

The downside of PowerShell scripts is that they produce CSV format data which is hard to review and make sense of.

Is there a better way?

The area of Guest access to specific assets is particularly painful in the native Microsoft 365 and Azure AD environment. Orchestry’s Guest Insights and Lifecycle Management features have become a true game-changer for Administrators.

Our MS Teams Guest access Details show you every Group that a Guest has access to in rich detail.

Guest Insights lets you see in a single beautiful interface the specific details about each Guest. This includes their personal details, location, date created or added, their activity, and the last time they logged in. Lastly, you can see a detailed list of all workspaces they have access to and when they were added.

The best part of the Guest Insights feature is they will let you know if a Guest should be removed!

This will help you quickly identify Guests that shouldn’t be in your tenant and remove them in an instant.

What does this login history tell me? 

All these are common questions and unfortunately, it’s difficult to get this information at an aggregated level.

Any automatic actions that would help you get in control of your Guests would require complex and costly customizations OOTB. This includes:

• Automatic flagging of users that have not redeemed their invitation.
• Get recommendations for guest accounts that should be deleted.
• Escalate areas where guests have access they shouldn’t have.

How to find out Microsoft Teams Guest status?

By default, only the Administrators with the highest level of permissions and privileges can view the Guest login history. They are the only ones who can view invitation redemptions and perform other actions, like resending Guest access invitations.

Staying up to date on the status of each Guest is a full-time job for any Administrator. Alternatively, a variety of PowerShell scripts could be pieced together. The output would be a raw CSV file.

These scripts would need to be run daily to truly have an accurate view of what is happening with your guests. They would still require the Administrator to perform manual actions based on what these reports indicate.

Is there a better way?

Orchestry’s Guest Insights features to track the overall status of Guests in your tenant, as well as each Guest individually. They give you an unparalleled understanding of their current status.

With Orchestry you can quickly and easily make the right decisions on which Guests to remove or renew.

How to find the list of Guest domains?

Unfortunately, there is no way to see in OOTB Microsoft 365 what domains all your Guests have been added from. The Administrators are either stuck doing this manually or instead, spend time writing custom code or PowerShell scripts.

Admins can block every single “undesirable” domain. This is likely to frustrate your users. As a result, they will start to email content over which is much less secure.

Under the umbrella of Microsoft 365, there are several places where domains can be blocked, including SharePoint, Teams, and Azure AD. So domain blocking will need to be done on an individual basis in each one of those instances.

Is there a better way?

Orchestry’s Guest Insights and Lifecycle Management features can help with that as well! Say goodbye to PowerShell scripts, and hello to simple beautiful reports. This report will tell you how many domains you have and how many Guests have come from each domain!

This report can really help you understand what domains the Guests are being added from. It will also help you ensure that you block the appropriate domains before the sharing gets out of control.