Before February 2021, Microsoft Teams guest access was turned off by default for all tenants. To use it, an admin had to make a deliberate decision to allow guest access to Teams and turn it on.
As of February 8th, 2021, something changed. Guest access is ON by default.
This change means that all existing and new customers who haven’t configured this setting will have guest access turned on for the entire tenant.
When to use Microsoft Teams Guest Access
As the need for remote work tools increases, having full guest access enabled makes sense. It allows users to invite anyone with an email address to collaborate with your teams.
In many cases, this is a good thing. For example, there may be people who work outside of your organization, such as consultants, vendors, partners, and suppliers that need the ability to access your Teams, including documents, resources, applications, and chats.
There is a need for caution, however. Guests added to your Teams might go unnoticed by admins and cause security issues.
Challenges with Teams Guest Access
What is the risk to Teams security?
Do tenant administrators need to know what happens when guests access their tenant? In some cases, they don’t. However, in some regulated industries, this type of insight can be required.
Managing standard Teams users involves a process. Accounts are opened and closed when an employee joins or leaves an organization, but this does not happen for guests.
Over time, this challenge means you will likely have duplicate guests, which is not ideal for compliance and security.
Nikki Chapple, Enterprise Architect, specializing in Microsoft 365 and Microsoft Teams, agrees. In a recent LinkedIn article, she said, “Over time, you will end up with lots of redundant but active guest B2B accounts in your tenant. This is not good news as security, compliance & audit best practice requires user access to be actively managed and reviewed on a regular basis.”
Solving the Problem
The good news is that turning guest access on or off is not difficult. To enable guest access to Microsoft Teams:
- Sign in to the Admin Center for Microsoft Teams
- Select organization-wide settings
- Select guest access
- Turn guest access on or off
If you choose to use Guest Access within Microsoft Teams, there are some things you can do to avoid the security concerns of guest user accounts that remain on the tenant long after they are needed.
Create a policy to review guest access at a set frequency (e.g., monthly or quarterly). At each review, have an email sent to each of the guests asking them if they still need to use your system.
This way, the guest user has to confirm they need access. If not, an admin can remove them. Those guests that respond can be approved to continue, and those that don’t respond or say “no” can be denied access.
Another option is to create a dynamic security group and put anyone with a guest tag into the group. That way, you can keep better track of guests and revoke their access when they no longer need it.
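The periodic review and the guest group described above can be scripted. The following is an added example, not code from this article or from Microsoft; the function name, the 90-day and 30-day thresholds and the sample accounts are assumptions, and the live-data lines assume the Microsoft Graph PowerShell SDK is installed.

```powershell
# Added example: triage guest accounts for the periodic review.
# Property names match what Microsoft Graph returns for user objects.
function Get-GuestReviewAction {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Guest,
        [int] $InactiveDays = 90,        # assumption: one quarterly review cycle
        [int] $PendingInviteDays = 30,   # assumption: grace period for unaccepted invitations
        [datetime] $Now = (Get-Date)
    )
    process {
        $ageDays    = ($Now - [datetime]$Guest.CreatedDateTime).Days
        $lastSignIn = $Guest.SignInActivity.LastSignInDateTime   # $null if no sign-in on record
        $action = if ($Guest.ExternalUserState -eq 'PendingAcceptance') {
            # Invitation was sent but never redeemed.
            if ($ageDays -gt $PendingInviteDays) { 'Remove' } else { 'Keep' }
        } elseif (-not $lastSignIn) {
            # Invitation redeemed, but the guest never signed in.
            if ($ageDays -gt $InactiveDays) { 'SendConfirmationEmail' } else { 'Keep' }
        } elseif (($Now - [datetime]$lastSignIn).Days -gt $InactiveDays) {
            'SendConfirmationEmail'
        } else {
            'Keep'
        }
        [pscustomobject]@{
            Mail       = $Guest.Mail
            State      = $Guest.ExternalUserState
            LastSignIn = $lastSignIn
            Action     = $action
        }
    }
}

# Constructed sample data (not real accounts), shaped like Get-MgUser output.
$now = [datetime]'2021-06-01'
$sample = @(
    [pscustomobject]@{ Mail = 'consultant@example.com'; ExternalUserState = 'Accepted'
        CreatedDateTime = '2020-09-01'; SignInActivity = [pscustomobject]@{ LastSignInDateTime = '2021-05-20' } }
    [pscustomobject]@{ Mail = 'vendor@example.com'; ExternalUserState = 'Accepted'
        CreatedDateTime = '2020-03-12'; SignInActivity = [pscustomobject]@{ LastSignInDateTime = '2020-11-15' } }
    [pscustomobject]@{ Mail = 'partner@example.com'; ExternalUserState = 'PendingAcceptance'
        CreatedDateTime = '2021-02-10'; SignInActivity = $null }
    [pscustomobject]@{ Mail = 'supplier@example.com'; ExternalUserState = 'Accepted'
        CreatedDateTime = '2021-05-10'; SignInActivity = $null }
)
$sample | Get-GuestReviewAction -Now $now | Format-Table -AutoSize

# Live data instead of the sample (reading signInActivity needs AuditLog.Read.All):
#   Connect-MgGraph -Scopes 'User.Read.All','AuditLog.Read.All'
#   Get-MgUser -All -Filter "userType eq 'Guest'" -Property Mail,CreatedDateTime,ExternalUserState,SignInActivity | Get-GuestReviewAction
# Dynamic membership rule for the guest security group:  (user.userType -eq "Guest")
```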
You can set an automatic review task that will notify resource owners via their email inboxes to check their teams, groups, and sites. If they find guest or internal users who have access to files, folders, or sites they shouldn’t have, you can easily remove that access right from the app.
The newest SysKit Point feature, security Office 365 alerts, will help you detect any new guest as soon as they accept the invitation.
With that alert, you have a safety net even if you forgot to turn off the default Microsoft Teams guest user setting. Request a demo of SysKit Point to learn more.