Forum Discussion
Do we need a new way to manage guest access in Teams?
- Jul 15, 2020
Hi EliteFlames6;
Have a look at this - https://docs.microsoft.com/en-us/azure/active-directory/governance/manage-guest-access-with-access-reviews . You need extra licenses for Azure AD.
There is some soon-to-be-released functionality called the Expiring External Access feature for a site. The documentation for this was released ahead of the functionality and has been pulled by Microsoft, but you can see the functionality in action here -
https://myignite.techcommunity.microsoft.com/sessions/81495?source=sessions
That's all I know about at present.
Andrew Hodges One of the issues that I have run into with this is the inability to properly manage Guests without running a bunch of posh commands to check whether we have stale users. Once a guest accepts the terms of access, they can be added to SP sites, Groups, Teams, etc. with the only oversight being the user, unless you run the PowerShell reports and then use those reports to cross-check the audit to see whether there has been any activity. In most cases the 90-day limit comes into play here, whereas my users are audited for 180 days. I then need to use PowerShell to remove any Guest that has had no activity in 90 days, but again, PowerShell. There are no reports in the GUI for this and no centralized management of this. This part I think is what David Phillips is referring to (at least I hope it is..lol). It would be good to truly have some centralized management for Guest users in O365. Right now I have to take too many steps to check, and in a large environment this takes time.
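The stale-guest check described in the post above, written out as an added example (this is not code from the thread, from the poster, or from Microsoft). It assumes the Microsoft Graph PowerShell SDK, which the post does not name, and that the tenant holds the Azure AD Premium P1 licence that the `signInActivity` property requires; the parameter names and the CSV path are choices made for this example.

```powershell
# Added example: report guest accounts with no sign-in in the last N days,
# using the Microsoft Graph PowerShell SDK (assumed; the post only says "PowerShell").
# Reading signInActivity needs the AuditLog.Read.All scope and an Azure AD Premium P1
# licence in the tenant. Default behaviour is report-only; removal requires -Remove
# and honours -WhatIf / -Confirm through ShouldProcess.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$StaleDays = 90,                        # the 90-day threshold from the post
    [string]$ReportPath = ".\stale-guests.csv",  # example path, change as needed
    [switch]$Remove
)

Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All" | Out-Null

$now    = (Get-Date).ToUniversalTime()
$cutoff = $now.AddDays(-$StaleDays)

# Pull every guest with the properties needed and evaluate the dates locally,
# which avoids server-side filter limitations on signInActivity.
$guests = Get-MgUser -All -Filter "userType eq 'Guest'" -Property @(
    "id", "displayName", "mail", "userPrincipalName",
    "createdDateTime", "externalUserState", "signInActivity"
)

$stale = foreach ($g in $guests) {
    $last = $g.SignInActivity.LastSignInDateTime
    # Edge case: a guest who accepted (or never accepted) the invitation but never
    # signed in has no sign-in record at all. Fall back to the creation date so that
    # such accounts are aged from the day they were invited rather than skipped.
    $reference = if ($last) { $last } else { $g.CreatedDateTime }
    if ($reference -lt $cutoff) {
        [pscustomobject]@{
            DisplayName       = $g.DisplayName
            Mail              = $g.Mail
            UPN               = $g.UserPrincipalName
            InvitationState   = $g.ExternalUserState   # PendingAcceptance or Accepted
            LastSignIn        = $last
            Created           = $g.CreatedDateTime
            DaysSinceActivity = [int]($now - $reference).TotalDays
            Id                = $g.Id
        }
    }
}

$stale | Sort-Object DaysSinceActivity -Descending |
    Export-Csv -Path $ReportPath -NoTypeInformation

Write-Host ("{0} of {1} guests show no activity in {2} days; report written to {3}" -f `
    @($stale).Count, @($guests).Count, $StaleDays, $ReportPath)

if ($Remove) {
    foreach ($u in $stale) {
        # ShouldProcess: -WhatIf previews, -Confirm prompts before each deletion.
        if ($PSCmdlet.ShouldProcess($u.UPN, "Remove stale guest account")) {
            Remove-MgUser -UserId $u.Id
        }
    }
}
```

Run it once without `-Remove` and review the CSV (the `InvitationState` column separates never-accepted invitations from guests who were active and went quiet), then rerun with `-Remove -WhatIf` before a real removal. Guests removed this way land in the directory's deleted users for 30 days and can be restored if a removal turns out to be wrong.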
- EliteFlames6, Jul 15, 2020, Brass Contributor
Thanks Andrew Hodges,
I am going through this now, and it looks promising for the external file sharing. I just did something similar with forced encryption to external parties and limiting the life of those messages to 30 days, but the needed P2 license would come into question. Normally for actions such as this (any security-related Azure policy), you cannot just get away with purchasing one or two P1/P2 licenses for any security needs; you have to license the entire tenant, or you are out of compliance with Microsoft depending on what you are doing.
Note: Found this out while getting my Secure Score up!!
For large tenants such as mine this could be very costly, even as we are planning our full Azure subscription rollout in our prod tenant. I will test this out in our Dev/Test tenant to see if I can justify the potential cost. It seems to help the issue, but it seems to put the 'onus' on the user (Group Owners/Managers) to police behind themselves honestly. But if this works as shown, it is a really good step forward. Thanks for providing.