Insync Tech Talk , microsoft teams , | 2021/02/11 at 2:38pm

Understanding Guests in Microsoft 365: how many people have keys to access your office?

by Loryan Strant

The guest functionality in Microsoft 365 is becoming more and more relied upon every day – especially with the steady rise in use of Microsoft Teams. 

Although, while “guests” are becoming more prevalent in our organisations, the functionality isn’t new. In late 2017, guest access was made available for Microsoft Teams however prior to that, guests could be added to Microsoft 365 Groups (previously known as Office 365 Groups) in order to access SharePoint sites, Planner boards, and other information. 

While giving people access to content through sharing files is not exactly new, a guest has access to much more than an individual file here or there. 

In the Microsoft 365 world, we use the term “tenant” to denote our environment in the shared cloud platform. The analogy here is apt for office buildings – where different organisations don’t necessarily own the offices themselves, but instead, they are a tenant in the building. And much like offices, when we invite a guest into our tenant – we are effectively giving them a key to our office. With this key, they can come and go as they please, access areas available to them, and start conversations with anyone they can see. 

As is the case with many features in the Microsoft 365 platform, the ability to invite guests into Azure Active Directory (the underlying identity platform) is enabled by default. Much like the explosive growth of Groups and Teams enabled by the lack of restrictions put in place by IT, guest users followed a similar path. Additionally, like with Groups and Teams, many IT departments completely unaware that external users were being invited into their organisation. 

Let’s pause here for a moment and reflect on what this means. 

If we bring the “guests” functionality into the real office analogy – how comfortable are you with the fact that any one of your staff is giving outsiders keys to the office? 

Most modern office security systems are electronic and use devices like fobs or keycards which allows us to track which employee was given which keycard and when they accessed the office. 

The same approaches are unfortunately not taken with guests in Microsoft 365. 


Guest access restrictions 

Recently I conducted an online survey of how organisations control and manage guests in Microsoft 365. One of the key questions asked was: do you have any controls or restrictions around inviting guests? 

Do you have any control or restrictions around inviting guests?

Much like with Microsoft 365 Groups and Teams, the common response to control explosive growth is to put in place an out-of-the-box bottleneck that channels all requests through IT. 

I was personally surprised at the number of organisations that have implemented Conditional Access controls for guests, however, based on my own governance experience with organisations question this number, as I find most organisations have barely implemented Conditional Access for end-users – let alone guests. Additionally, the implementation of Conditional Access for guests can introduce additional complexities for the end-users and requires the Azure Active Directory Premium P1 license. It wouldn’t surprise me if some of the respondents were starting to implement this functionality, or it was limited to end-users as opposed to fully implemented for guests. 


The ratio of Users to Guests

Another question asked was around how many users were in the organisation, and how many guests existed. 

How many guests exist?

Unfortunately, the data in the above graph does not give us an accurate representation as the sizes of organisations submitting ranged from individual consultants through to multinational enterprises. 

While some organisations had no guests at all, some had considerably more guests than users. For example, one organisation had 38k users and 55k guests, another had 6k users and 10k guests. 

Ultimately it comes down to the nature of the organisation and how they use Teams. Microsoft for example has a ratio of approximately 3 guests for every user. We at Insync have a ratio of approximately 10 guests for every user, as we try to conduct as much of our communication and collaboration with clients and vendors in Teams. 

The clean-up process 

Guests in Microsoft 365 do not simply disappear when the Group or Team they are members of is deleted. When this occurs, they continue to hang around the environment, with nowhere to go. This characterisation isn’t entirely accurate, as most likely the guest never accesses the environment again. However, there’s nothing to stop them from using their key to get into your office, it’s just that they can’t access the project files and rooms they previously could. 

In many instances, guests continue to exist in our Microsoft 365 tenants long after they’ve stopped accessing the office and unfortunately the ability for IT admins to see sign-in activity beyond 30 days requires more than a few mouse clicks. 

Approximately half of the respondents honestly admitted they had no formal process for cleaning up guests in their environments. Some had manual processes, some were reactive, some had automation in place, but far too many had nothing. 

When you think of the ratio of some of the organisations of users to guests, and how big some of those organisations are – it’s not exactly a comforting thought to think that possibly tens of thousands of people still have a key to your office. 


Are you still uncertain of what Guest Management in Microsoft Teams means for your organisation?

Enter your details below to receive a 35-minute video by Microsoft MVP Loryan Strant who will take you through options available natively within the Microsoft 365 platform, where it falls short, how that leaves your organisation exposed, and how GMS is the only purpose-built solution to address those.