Many organizations rely on Microsoft 365 Guest Access, which gives them the ability to collaborate effectively with people outside their tenant on projects and documents, chat, schedule meetings, and much more. But inviting guests into your tenant is similar to inviting guests into your home. You wouldn’t invite a stranger into your house without knowing a little more about them, and you would expect the same from all the members of your household.
So let’s dig down into the 4 most common things you want to know about your Guests, how we can capture them, and who can access this information.
As a bonus, we will take a look at how you can shift the responsibility of capturing guest information to the content owners in your organization and empower them to keep your tenant secure and compliant.
What do we know about our Guests?
Out of the box, Microsoft 365 makes it very easy to invite Guests into your tenant. All the users need to do is select the Team or Group they want to invite a Guest into, start typing the email address, and voila – the Guest is added.
This sounds easy enough for the end-user, but what does this easy addition process mean for the organization, productivity, and outputs?
Potential security and compliance issues.
You wouldn’t let someone into your house if all you knew was their email. It is hard for Azure AD admins to assess whether a Guest should be allowed to remain in your tenant if you don’t know which organization they are part of, what their job title or area of responsibility is, or whether they have an appropriate security clearance level to access sensitive information.
Communication and effective collaboration issues.
For the users to collaborate effectively with Guests, they need to know more information about the Guests as well. Some examples include location country/city, company name, preferred language, department and job title, and phone number.
How can additional information on Guests be captured in Microsoft 365?
Currently, there isn’t a default way for the users to input additional information about Guests when adding them to Groups and Teams.
However, Guest information can be accessed and edited by Azure AD admins. Below you can see what an admin would see on any given Guest after they were added by the end-user.
The admin can then go ahead and edit the Guest information. Microsoft has dozens of properties that can be populated with pertinent details, as you can see below:
Your organization may choose to implement a costly and time-intensive process that requires content owners who are at liberty to invite Guests into the tenant to contact the Administrator immediately after the invitation has been sent, and provide them with additional information about the Guest to enter manually.
This leaves a lot of room for error, where the end-user may forget to contact the Administrator, and of course, adds a lot of hours and responsibility to the Admin’s plate.
In organizations where such a process doesn’t exist or wasn’t implemented at the initial stage of the Microsoft 365 rollout, Admins have to manually review the Guests, sometimes months after they were originally invited.
Since Administrators rarely, if ever hold the information about the Guests, including their company name, city, state, or even country, they have to first locate the user who might shine some light on the additional details about the Guest.
One way of doing that is for the Admin to put the investigator hat on, review the list of Groups the Guest has access to, and contact current owners in hopes they can identify the individual.
Real troubles begin when the Guest in question doesn’t have access to any current M365 Groups. The only recourse at that point would be to perform an even deeper investigation by diving into Audit Logs to determine who initiated the request for the Guest user. These logs, however, go back only 30 days, meaning that it is often impossible to identify the user at all.
Is there a better way?
Although out-of-box Microsoft 365 Guest information is limited, we at Orchestry recognize the importance of Guest Access. We also are so familiar with the added time and costs, as well as potential risks associated with the collection and management of additional information about Guests.
This is why we built our new Guest Insights and Management Features to help you, and your users, overcome them in the most powerful, simple, and beautiful way.
Need to know more information about your guests? Orchestry can help
With our beautiful Guest Request process the users can capture additional information about all the Guests including contact information, first and last name, company, and country and provide a justification as to why the Guest requires access to a Group or another workspace right from the start.
This removes the need to implement any special processes for recording Guests’ information, saves tons of hours for the Administrator, and ensures that every new Guest in your tenant has all the relevant information recorded from the very moment they are invited.
Not only can Orchestry help ensure you capture information for new Guests but also for existing Guests! When any existing Guest who is missing information gets invited to a new Group or workspace, the user who is extending the invitation will be prompted to fill out any missing properties before the Guest is added to the new workspace.
What do the Guests have access to?
In Microsoft 365 only the administrators with the highest level of permissions can see what Guests have access to.
Within Azure AD, Administrators can really only see what M365 Groups Guests have access to, which is more often than not, a very incomplete picture of the full access any given Guest has.
Since knowing what groups users have access to is clearly not enough to prevent possible data leaks, a deeper dive to identify individual assets Guests were given access to is required.
How to find asset access information for Guests?
One of the ways to review information about Guest access to individual assets is to dig through Microsoft Purview Audit Logs. This puts a massive burden on administrators, as the logs need to be reviewed regularly to ensure inappropriate or potentially detrimental access was not given to a Guest, and so that action can be taken immediately if it was. That said, if a Guest was given incorrect access to a resource, it can still be very difficult to understand where this access came from, let alone to catch that the mistake has occurred at all.
The logs only go back 90 days, so in case a data leak incident occurs as a result of sharing that was done more than 90 days ago, there is virtually no way to retrace the steps.
Below is an example of an Audit Log. Noticeably absent in this view is any way to see what links this user may have been sent, granting them access to individual assets within your environment. The current process to access Sharing Link reports is incredibly painful, and can still obscure critical information!
Alternatively, Administrators can leverage PowerShell scripts to help ensure no critical data is lost. Some sample scripts can be found online, but they are only accurate to the point they have been run.
The downside of PowerShell scripts is that they produce data in CSV (Comma Separated Value) format, which is very hard to review and make sense of.
Is there a better way?
The area of Guest access to specific assets is particularly painful in the native Microsoft 365 and Azure AD environment, so Orchestry’s Guest Insights and Lifecycle Management features have become a true game-changer for Administrators.
Our Guest Details show you every Group that a Guest has access to in rich detail.
Guest Insights lets you see in a single beautiful interface the specific details about each Guest, including their personal details, location, date created or added, their activity, and the last time they have logged in, as well as a detailed list of all workspaces they have access to, the date they were added and so much more.
The best part of the Guest Insights feature is that they are intelligent enough to let you know if a Guest should be removed!
This can help you quickly identify Guests that shouldn’t be in the Workspace and allow you to remove them in an instant.
What is the Guest's status?
You have 1,000 Guests in your tenant but do you actually know if they are active?
When was the last time they logged in?
Did they redeem their invitation to collaborate with your tenant?
What does this bizarre login information mean?
What does this login history tell me?
All these are common questions and unfortunately, it’s difficult to get this information at an aggregated level.
Automatically flagging users that have not redeemed their invitation, getting recommendations for guest accounts that should be deleted, or escalating areas where guests have access they shouldn’t have would all require complex and costly customizations.
How to find out Guest status?
By default, only Administrators with the highest level of permissions and privileges can view the login history and invitation redemptions, and perform other actions like resending Guest access invitations.
Staying up to date on the status of all the Guests in your tenant would require the full-time attention of your Administrator. As an alternative, a variety of PowerShell scripts could be pieced together to attempt to bring this information together and provide the output as a raw CSV file. These scripts would need to be run daily to have a truly accurate view of what is happening with your guests, and they still require the Administrator to perform manual actions based on what the reports indicate.
Is there a better way?
Orchestry’s Guest Insights features track the status of the overall Guest population in your tenant, as well as each and every Guest individually, and give you an unparalleled understanding of their current status, just like we do for Workspaces.
You can quickly and easily make the right decisions on which Guests to remove or renew at the right time with Orchestry.
Which domains do all your Guests come from?
Another useful perspective from which to track and manage your guest population is to view the entire list of unique domains from which they originate. Many organizations will want to see patterns emerging from the domains that are repeatedly seen as guests, and perhaps which domains could be problematic and should be blocked.
How to find a list of Guest domains?
Unfortunately, there is no way in out-of-the-box Microsoft 365 to see which domains all your Guests have been added from, so Administrators are either stuck doing this manually or instead spend time writing custom code or PowerShell scripts.
Admins can block every single “undesirable” domain, but all this is likely to do is frustrate your users, who, instead of inviting Guests into Groups and workspaces, will start emailing content instead, which is much less secure.
Under the umbrella of Microsoft 365, there are several places where domains can be blocked, including SharePoint, Teams, and Azure AD, so domain blocking needs to be done individually in each one of those places.
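As an added example of the PowerShell approach that the Guest status and Guest domains sections above describe (this is not Orchestry's or Microsoft's own code), the script below uses the Microsoft Graph PowerShell SDK to list the unique domains your Guests come from, and to flag invitations that were never redeemed and accepted Guests with no recent sign-in. It assumes the Microsoft.Graph module is installed, that the signed-in account has the User.Read.All and AuditLog.Read.All permissions (signInActivity additionally needs an Azure AD Premium licence), and that the 30-day and 90-day thresholds are reasonable for your tenant.

```powershell
# Added example (not Orchestry's code): inventory guests by home domain and flag
# unredeemed invitations and stale accounts using the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All" -NoWelcome

$pendingDays = 30   # assumption: flag invitations still unredeemed after 30 days
$staleDays   = 90   # assumption: treat accepted guests with no sign-in in 90 days as stale
$now = Get-Date

# externalUserState is PendingAcceptance until the guest redeems the invitation;
# signInActivity is only returned when explicitly selected (and licensed).
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property id,displayName,mail,userPrincipalName,createdDateTime,externalUserState,signInActivity

$report = foreach ($g in $guests) {
    # Guest UPNs look like alice_contoso.com#EXT#@tenant.onmicrosoft.com, so the mail
    # attribute is the reliable source of the home domain; fall back to decoding the UPN.
    $address = if ($g.Mail) { $g.Mail }
               else { ($g.UserPrincipalName -split '#EXT#')[0] -replace '_([^_]+)$', '@$1' }
    $domain     = ($address -split '@')[-1].ToLower()
    $lastSignIn = $g.SignInActivity.LastSignInDateTime
    $accepted   = $g.ExternalUserState -eq 'Accepted'

    [pscustomobject]@{
        DisplayName    = $g.DisplayName
        Domain         = $domain
        Created        = $g.CreatedDateTime
        InviteState    = $g.ExternalUserState
        LastSignIn     = $lastSignIn
        PendingTooLong = (-not $accepted) -and ($g.CreatedDateTime -lt $now.AddDays(-$pendingDays))
        Stale          = $accepted -and ((-not $lastSignIn) -or ($lastSignIn -lt $now.AddDays(-$staleDays)))
    }
}

# 1. Unique domains with a guest count per domain (the view missing out of the box)
$report | Group-Object Domain | Sort-Object Count -Descending |
    Select-Object @{ n = 'Domain'; e = { $_.Name } }, Count | Format-Table -AutoSize

# 2. Review candidates: unredeemed invitations and accepted guests with no recent sign-in
$report | Where-Object { $_.PendingTooLong -or $_.Stale } |
    Sort-Object Domain, DisplayName |
    Export-Csv -Path .\guest-review-candidates.csv -NoTypeInformation
```

Run it on a schedule (for example daily, as the text notes is needed for an accurate picture) and diff the domain table between runs to spot new domains appearing in your tenant.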
Is there a better way?
Orchestry’s Guest Insights and Lifecycle Management features can help with that as well! No more PowerShell scripts, but a simple beautiful report instead, to tell you how many domains you have and how many Guests have come from each domain!
This report can really help you understand what domains the Guests are being added from, and help you ensure that you block the appropriate domains before the sharing gets out of control.
Want to see the Guest Insights and Lifecycle Management in action?
If you are looking to streamline capturing additional information about Guests in your tenant, getting a full grasp on the Guest status and their individual asset access, understand the domains which the Guests are coming from, without the endless hours of auditing, building, and running PowerShell scripts – you’re in for a treat!
On October 26, 2022, Orchestry is unveiling our much anticipated game-changing Guest Insights and Lifecycle Management Features to the world! Come join us at the LIVE webinar, or, if you can’t make it, register to receive the recording after the fact.
During the webinar, Michal Pisarek – Orchestry CEO, 7X Microsoft MVP will present use cases and functionality of our 3 core Guest features:
• Guest Insights
• Guest Provisioning
• Guest Reviews
What are your takeaways?
- Review of common security, financial, and data risks, and challenges associated with Guest Access.
- Discuss some of the gaps in the existing Guest Access reporting, provisioning, and lifecycle management.
- Present the latest Guest Insights and Lifecycle Management features and how they can address your organization’s risks.
Want more insights like this one?
For more Microsoft 365, SharePoint Online, and Teams insights, tips and tricks, best practices, and exclusive events delivered straight to your inbox, join our mailing list today and level up your Microsoft 365 game!