cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Guest Access - Restrict Guest Access / Governance

abdullah202025
Copper Contributor

‎Sep 11 2020 01:38 PM

‎Sep 11 2020 01:38 PM

Guest Access - Restrict Guest Access / Governance

We are trying to implement governance around Guest Access in Office 365 and few questions:

 

1. How do we restrict permission to users to add Guests to entire tenant and also site collection specific?

2. How do we track permission given to Guest Accounts? Is there are tool, Power Shell or way to do it?

3. Is there a way to notify the business users to remove guests access on recurring basis?

4. Can we provide Guest access based on the classified site categories? For example - High Classification site will have guest access disabled, whereas Low Classification sites will have the guest access enabled.

5. Are there any invalid AD policies that can be done? Or Are there DLP policies that can be done?  or possibly is there any OOB policies that we can enable. 

 

1,140 Views
0 Likes
2 Replies
Reply
2 Replies
PeterRising

‎Sep 13 2020 01:33 PM

‎Sep 13 2020 01:33 PM

Re: Guest Access - Restrict Guest Access / Governance

@abdullah202025 

 

Hi, OK so some possible options for you;

 

1). In order to use site specific sharing capabilities, you need to work from the principle of allowing sharing and being least restrictive from a tenant wide point of view, and then apply more strict permissions at Site level.

 

So at a tenant level, you would need things pretty open as shown below;

 

Screenshot 2020-09-13 at 21.23.56.png

Then at the Site level, use the Site Permissions option from the cog wheel and you will have the options below.

 

Screenshot 2020-09-13 at 21.25.27.png

2). A good way to track and review permissions granted to guest accounts is to use Azure AD Access Reviews as per https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview.  You would need an Azure AD Premium P2 licence to use this feature however.

 

3). I would suggest access reviews again for this,

 

4). Yes, you can protect Sites with Sensitivity labelling now, and control guest access in this manner.  Check out my blog on this subject - https://practical365.com/sharepoint-online/using-sensitivity-labels-with-sharepoint-sites-microsoft-...

 

5). DLP will help with the accidental sharing of information for sure, so I would always advise looking into these.  Sensitivity labelling at both the container level, and the document and email level are also a very good means to protect your data and ensure it can only be accessed by those authorised to do so.

 

Hope this helps.

 

 

0 Likes
Reply
Stephen Rice

‎Sep 15 2020 10:29 AM

‎Sep 15 2020 10:29 AM

Re: Guest Access - Restrict Guest Access / Governance

I'll pop in and add one more suggestion. You should check out the new expiring external access feature that is rolling out soon. You should be able to find it in message center or you can read more here: https://support.microsoft.com/en-us/office/manage-guest-expiration-for-a-site-25bee24f-42ad-4ee8-840...

 

Thanks!

 

Stephen Rice

Senior Program Manager, OneDrive

0 Likes
Reply