Guarding against inactive guests in Microsoft 365
In episode five of our video series, Microsoft MVPs Vlad Catrinescu and Drew Madelung explore how to manage inactive guests in Microsoft 365.
Vlad and Drew explore the definition of inactive guest users, their implications, associated risks, and best practices for effective management. Their previous episodes discussed orphaned workspaces, orphaned users, reclaiming Microsoft 365 licenses, and teams ownership.
Check out the full episode below, and read the blog for some of the key takeaways.
Understanding Microsoft 365 guest users
A guest user is the primary term for a user in your directory, a user in Entra ID, who is not a regular member of your organization. When you bring in someone from outside your tenant, the guest is an account that is actually added to your directory. Unlike regular members of the organization, guest users maintain their identities and authentication credentials outside the organization’s directory.
Guest users are primarily added to the organization’s environment through an invitation process, wherein they receive invitations to specific resources such as Teams, SharePoint sites, or files. Upon accepting the invitation, guest users become part of the organization’s directory, but with limited access rights.
A guest user and an external user in Microsoft 365 are two separate things; don’t use the terms external and guest synonymously. Admins need to understand and use the right vocabulary for external access versus guest access. External access is tied to chat federation in Teams, which has its own allow and block domain configuration. B2B guest access has its own allow and block domains, and B2B Direct Connect also has its own allow and block lists, but those are expressed as tenants rather than domains, because Direct Connect works with tenant IDs instead of domains.
Understanding inactive guests
An inactive guest is a guest account that has not engaged in any login or collaboration activities within your tenant for a specified period. This period is typically determined by factors such as the last sign-in date or the creation date of the guest account.
So if a guest user hasn’t signed in for a while after something was shared with them, that account in your directory becomes inactive. You can also have the situation where you invite a guest and they never sign in at all; the last sign-in date is then empty, and you can refer to the creation date instead.
Inactive guest accounts can accumulate over time, especially in large organizations or those with extensive collaboration efforts. These dormant accounts pose potential security risks and can clutter the directory, making it challenging to maintain a streamlined and secure environment.
Implications of inactive guests
The presence of inactive guests in your Microsoft 365 tenant can have several implications, including:
Security risks: Dormant accounts can become potential entry points for malicious actors if not monitored closely. Hackers may exploit inactive accounts to gain unauthorized access to sensitive information or resources within the organization.
Resource consumption: Inactive guest accounts consume resources within the tenant, including storage space and licensing costs. Continuously maintaining these accounts without any productive use can lead to unnecessary expenses and resource allocation.
Compliance concerns: Inactive accounts may violate regulatory compliance requirements, especially in industries with stringent data protection regulations. Failure to manage these accounts effectively can result in compliance breaches and associated penalties.
Best practices for managing inactive guests
To mitigate the risks associated with inactive guests, organizations should implement robust management strategies. Here are some best practices to consider:
Regular access reviews: Conduct regular access reviews to identify and remove inactive guest accounts from Microsoft 365 groups and teams. Leveraging the built-in access review tools allows administrators to review guest access permissions and revoke access for inactive accounts proactively. Access reviews will cover all your Microsoft 365 groups but won’t cover standalone SharePoint sites. A downside of access reviews is the extra licensing required: they need Entra ID P2, which is included if you have Microsoft 365 E5, but if you don’t have it, it can be quite an extra cost.
Enforce expiration policies: Implement expiration policies for guest access to SharePoint sites and OneDrive folders. By setting expiration dates for guest access, organizations can automatically revoke access for inactive accounts after a specified period, reducing the likelihood of dormant accounts accumulating over time.
Entra ID governance: Consider procuring Entra ID Governance licenses for advanced guest account management capabilities. Entra ID Governance offers inactive guest dashboards for tracking guest activity and automating account removal processes based on predefined criteria.
PowerShell scripts: You can write custom PowerShell scripts that detect inactive guests and take action on accounts that have exceeded an inactivity interval you choose. That interval could be 30 days, 90 days, or a week; that’s up to you.
Educate users and administrators: Raise awareness among users and administrators about the importance of managing guest accounts effectively. Encourage users to remove inactive guests from their teams and groups when no longer needed, and provide training on how to conduct access reviews and enforce security policies.
Utilize third-party solutions: Explore third-party solutions such as Syskit Point for comprehensive guest account management. The platform offers advanced features for monitoring guest activity and can enforce periodic access reviews. With the 21-day free trial of Syskit Point, you can analyze your tenant and it’ll give you an understanding of inactive guests and many other things you might not know about your Teams and SharePoint tenant.
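Below is an added example, not code from the episode, the blog or Syskit, of the kind of custom script the “PowerShell scripts” item describes, applying the inactive-guest definition given earlier (last sign-in date, or creation date when the guest never signed in). It assumes the Microsoft.Graph PowerShell module, an administrator able to consent to the listed Graph scopes, and an Entra ID P1 or P2 license, which reading sign-in activity requires.

```powershell
# Added example: report guests whose most recent sign-in (or, if they never
# signed in, whose creation date) is older than a threshold, then optionally
# remove them after per-account confirmation. Assumes the Microsoft.Graph
# module and an admin who can consent to the scopes below; reading
# signInActivity requires an Entra ID P1 or P2 license in the tenant.
param(
    [int]$InactiveDays = 90,   # inactivity threshold: 30, 90, 7 ... your policy
    [switch]$Remove            # report only unless explicitly set
)

$scopes = @("User.Read.All", "AuditLog.Read.All")
if ($Remove) { $scopes += "User.ReadWrite.All" }   # write scope only when needed
Connect-MgGraph -Scopes $scopes

$cutoff = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays)

# Graph caps pages at 120 objects when signInActivity is selected, so stay under it.
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All -PageSize 100 `
    -Property "id,displayName,mail,createdDateTime,externalUserState,signInActivity"

$inactive = foreach ($g in $guests) {
    # Consider both interactive and non-interactive sign-ins; keep the latest.
    $lastSignIn = @($g.SignInActivity.LastSignInDateTime,
                    $g.SignInActivity.LastNonInteractiveSignInDateTime) |
        Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
    # Never signed in (invitation still pending, or accepted but never used):
    # fall back to the creation date, as the episode suggests.
    if ($lastSignIn) { $reference = $lastSignIn;       $basis = 'lastSignIn' }
    else             { $reference = $g.CreatedDateTime; $basis = 'createdDateTime' }
    if ($reference -lt $cutoff) {
        [pscustomobject]@{
            DisplayName = $g.DisplayName
            Mail        = $g.Mail
            InviteState = $g.ExternalUserState   # PendingAcceptance or Accepted
            LastSignIn  = $lastSignIn
            Created     = $g.CreatedDateTime
            Basis       = $basis
            Id          = $g.Id
        }
    }
}

$inactive | Sort-Object Created | Format-Table DisplayName, Mail, InviteState, LastSignIn, Basis
$inactive | Export-Csv -Path ".\inactive-guests.csv" -NoTypeInformation  # review trail

if ($Remove) {
    foreach ($u in $inactive) {
        # Soft delete: the account stays recoverable under Deleted users for 30 days.
        Remove-MgUser -UserId $u.Id -Confirm
    }
}
```

Run it without -Remove first and review the CSV; a guest still in PendingAcceptance may simply be an invitation that was never redeemed and is usually safe to clean up, while an Accepted guest with an old sign-in deserves a check with the resource owner before deletion.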
Conclusion
Managing inactive guests in Microsoft 365 requires a multifaceted approach encompassing policy formulation, access control, monitoring, and collaboration. By implementing proactive measures and adhering to best practices, organizations can mitigate security risks, ensure regulatory compliance, and safeguard sensitive data against unauthorized access and exploitation.
In the next episode
Up next, Vlad and Drew discuss oversharing in your Microsoft 365 tenant and how you can detect oversharing and control it.