Forum Discussion
Guest Access - Restrict Guest Access / Governance
Hi, OK, so some possible options for you:
1). In order to use site specific sharing capabilities, you need to work from the principle of allowing sharing and being least restrictive from a tenant wide point of view, and then apply more strict permissions at Site level.
So at a tenant level, you would need things pretty open as shown below:
Then at the Site level, use the Site Permissions option from the cog wheel and you will have the options below.
2). A good way to track and review permissions granted to guest accounts is to use Azure AD Access Reviews as per https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview. You would need an Azure AD Premium P2 licence to use this feature however.
3). I would suggest access reviews again for this.
4). Yes, you can protect Sites with Sensitivity labelling now, and control guest access in this manner. Check out my blog on this subject - https://practical365.com/sharepoint-online/using-sensitivity-labels-with-sharepoint-sites-microsoft-teams-and-m365-groups-part-1/
5). DLP will help with the accidental sharing of information for sure, so I would always advise looking into these. Sensitivity labelling at both the container level, and the document and email level, is also a very good means to protect your data and ensure it can only be accessed by those authorised to do so.
Hope this helps.
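The tenant-open, site-strict approach from option 1 can also be applied and audited from the SharePoint Online Management Shell. This is an added example, not part of the original post; the admin URL, site URLs, per-site policy and baseline are placeholders chosen for illustration.

```powershell
# Requires the SharePoint Online Management Shell module (Microsoft.Online.SharePoint.PowerShell).
# The tenant name and site URLs below are placeholders, not values from the thread.
$AdminUrl = 'https://contoso-admin.sharepoint.com'

# Constructed sample: intended sharing level per site.
$SitePolicy = @{
    'https://contoso.sharepoint.com/sites/finance'  = 'Disabled'
    'https://contoso.sharepoint.com/sites/partners' = 'ExistingExternalUserSharingOnly'
}

# SharingCapability values ranked from most restrictive (0) to least restrictive (3).
$Rank = @{
    Disabled                        = 0
    ExistingExternalUserSharingOnly = 1
    ExternalUserSharingOnly         = 2
    ExternalUserAndGuestSharing     = 3
}

Connect-SPOService -Url $AdminUrl

# Tenant level: least restrictive, so individual sites are free to be tightened.
Set-SPOTenant -SharingCapability ExternalUserAndGuestSharing

# Site level: apply the stricter setting where it is needed.
foreach ($url in $SitePolicy.Keys) {
    Set-SPOSite -Identity $url -SharingCapability $SitePolicy[$url]
}

# Audit: list sites whose configured setting is more open than intended.
# Sites not named in $SitePolicy are compared against an assumed baseline.
$Baseline = 'ExternalUserSharingOnly'
Get-SPOSite -Limit All | ForEach-Object {
    $intended = if ($SitePolicy.ContainsKey($_.Url)) { $SitePolicy[$_.Url] } else { $Baseline }
    if ($Rank["$($_.SharingCapability)"] -gt $Rank[$intended]) {
        [pscustomobject]@{ Url = $_.Url; Actual = $_.SharingCapability; Intended = $intended }
    }
}
```

A site can be set more restrictive than the tenant but never more permissive, which is why the tenant setting has to stay open for this model to work.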
- StephenRice, Sep 15, 2020
Microsoft
I'll pop in and add one more suggestion. You should check out the new expiring external access feature that is rolling out soon. You should be able to find it in message center or you can read more here: https://support.microsoft.com/en-us/office/manage-guest-expiration-for-a-site-25bee24f-42ad-4ee8-8402-4186eed74dea?ui=en-US&rs=en-US&ad=US
Thanks!
Stephen Rice
Senior Program Manager, OneDrive