Identifying what resources Guest Users in my tenant have been granted access to?

%3CLINGO-SUB%20id%3D%22lingo-sub-1675461%22%20slang%3D%22en-US%22%3EIdentifying%20what%20resources%20Guest%20Users%20in%20my%20tenant%20have%20been%20granted%20access%20to%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1675461%22%20slang%3D%22en-US%22%3E%3CP%3EI%20have%20a%20few%20Guest%20Users%20defined%20in%20my%20M365%20tenant%2C%20as%20well%20as%20seeing%20a%20few%20%22%23EXT%23%20external%20accounts%20(which%20each%20appear%20to%20be%20directly%20associated%20with%20their%20respective%20Guest%20User%20account)%20listed%20in%20my%20Active%20Users%20list.%20How%20can%20I%20determine%20what%20internal%20resources%20these%20guest%20user%20accounts%20have%20been%20granted%20access%20to%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1675461%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EGuest%20Access%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EPermissions%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Frequent Contributor

I have a few Guest Users defined in my M365 tenant, as well as seeing a few "#EXT# external accounts (which each appear to be directly associated with their respective Guest User account) listed in my Active Users list. How can I determine what internal resources these guest user accounts have been granted access to?

1 Reply

There's no one-stop solution for this, you'll have to enumerate each individual resource (mailbox, group, site, etc) and its permissions to determine that. Checking group membership is a good start, but it doesnt cover all. And you should also complement this with Audit log search: https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compl...