Guest Access - Restrict Guest Access / Governance

New Contributor

We are trying to implement governance around Guest Access in Office 365 and few questions:


1. How do we restrict permission to users to add Guests to entire tenant and also site collection specific?

2. How do we track permission given to Guest Accounts? Is there are tool, Power Shell or way to do it?

3. Is there a way to notify the business users to remove guests access on recurring basis?

4. Can we provide Guest access based on the classified site categories? For example - High Classification site will have guest access disabled, whereas Low Classification sites will have the guest access enabled.

5. Are there any invalid AD policies that can be done? Or Are there DLP policies that can be done?  or possibly is there any OOB policies that we can enable. 


2 Replies



Hi, OK so some possible options for you;


1). In order to use site specific sharing capabilities, you need to work from the principle of allowing sharing and being least restrictive from a tenant wide point of view, and then apply more strict permissions at Site level.


So at a tenant level, you would need things pretty open as shown below;


Screenshot 2020-09-13 at 21.23.56.png

Then at the Site level, use the Site Permissions option from the cog wheel and you will have the options below.


Screenshot 2020-09-13 at 21.25.27.png

2). A good way to track and review permissions granted to guest accounts is to use Azure AD Access Reviews as per  You would need an Azure AD Premium P2 licence to use this feature however.


3). I would suggest access reviews again for this,


4). Yes, you can protect Sites with Sensitivity labelling now, and control guest access in this manner.  Check out my blog on this subject -


5). DLP will help with the accidental sharing of information for sure, so I would always advise looking into these.  Sensitivity labelling at both the container level, and the document and email level are also a very good means to protect your data and ensure it can only be accessed by those authorised to do so.


Hope this helps.



I'll pop in and add one more suggestion. You should check out the new expiring external access feature that is rolling out soon. You should be able to find it in message center or you can read more here:




Stephen Rice

Senior Program Manager, OneDrive