Forum Discussion
Add/Remove External Guest User from SP Site behaviour in Azure/365
- Jan 08, 2020
Hello T11EJD!
I will answer your questions below (A1 for Q1 and A2 for Q2).
A1: Yes, this is by design. When you invite an external user to a SharePoint file or folder, a guest account needs to be created in your company's Azure AD. This is to make sure that the guest users are authenticated and get any security (Conditional Access) policies, for example.
This is the same behavior as inviting an external user to Teams.
A2: No, as long as external users need to authenticate, they will need to have a guest account.
If, however, you share a document with an anonymous link, then they don't need a guest account.
Automatically removing guest users when removed from a SharePoint site could be troublesome. Imagine if that guest user was a member of 3 different sites; that would mean they would lose access to all 3 sites.
Guest users in Azure AD are not a problem; just make sure, like with any users, that you do an audit of what users you have and what users you can terminate.
I hope this answered your questions!
Let me know if you have further questions or if my replies are unclear!
Kind Regards
Oliwer Sjöberg
You have features such as Access Reviews and the recently released Entitlement management to address #2. In particular, Entitlement management can be used to govern the whole process, from adding an external user to the directory, granting him access to SPO, removing access, removing the user altogether. But it requires Azure AD P2 licenses. Here's the documentation: https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-overview
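A sketch of the guest audit suggested in the thread, added here as an example and not part of either reply: it flags guest accounts for review instead of deleting them when they leave one site. The sample records are constructed; `userType`, `externalUserState` and `signInActivity` follow Microsoft Graph user properties, while the `sites` list, the 90-day threshold and the function names are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data shaped like Microsoft Graph user objects.
# "sites" is a hypothetical field: site memberships joined in from a separate export.
GUESTS = [
    {"userPrincipalName": "alice_partner.example#EXT#@tenant.example",
     "userType": "Guest", "externalUserState": "Accepted",
     "signInActivity": {"lastSignInDateTime": "2020-01-02T09:15:00Z"},
     "sites": ["Project-A", "Project-B", "Project-C"]},
    {"userPrincipalName": "bob_partner.example#EXT#@tenant.example",
     "userType": "Guest", "externalUserState": "Accepted",
     "signInActivity": {"lastSignInDateTime": "2019-06-01T12:00:00Z"},
     "sites": []},
    {"userPrincipalName": "carol_vendor.example#EXT#@tenant.example",
     "userType": "Guest", "externalUserState": "PendingAcceptance",
     "signInActivity": None, "sites": ["Project-A"]},
    {"userPrincipalName": "dave@tenant.example",
     "userType": "Member", "signInActivity": None, "sites": []},
]
NOW = datetime(2020, 1, 8, tzinfo=timezone.utc)  # constructed review date


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp such as 2020-01-02T09:15:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def review_guests(users, now, stale_after_days=90):
    """Return {upn: [reasons]} for guest accounts that merit a review."""
    cutoff = now - timedelta(days=stale_after_days)
    findings = {}
    for user in users:
        if user.get("userType") != "Guest":
            continue  # only guest accounts are in scope
        reasons = []
        if not user.get("sites"):
            reasons.append("no remaining site membership")
        if user.get("externalUserState") == "PendingAcceptance":
            reasons.append("invitation never redeemed")
        last = (user.get("signInActivity") or {}).get("lastSignInDateTime")
        if last is None:
            reasons.append("no recorded sign-in")
        elif parse_ts(last) < cutoff:
            reasons.append(f"no sign-in for {stale_after_days}+ days")
        if reasons:
            findings[user["userPrincipalName"]] = reasons
    return findings
```

A guest who still belongs to other sites and signs in regularly is left alone, which matches the point about a guest being a member of several sites.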