Securing guest access in Teams

Posted by

What we have to take inito account when we have guests in out tenant? In this post I want to throw some guides about it:

Limitations for guests

Guest are a “special” member type in Azure AD and M365. So, there are some limitations by design for guests you should know of:

  • Per licensed user you can add up to five guests (1:5 ratio)
  • Guest user permissions in Azure AD are limited by default
    • cannot browse other tenant information
    • but can view their own profile
    • but can retrieve input on other users if he/she searches for a UPN or object ID
  • Guest user permissions in Office 365 groups are limited
  • Guest user permissions in Teams are limited
    • no One Drive for Business
    • no people search outside of Teams
    • no calendar
    • no meeting scheduling
    • no pstn/telephony
    • no org chart
    • no teams creation/revision
    • no teams browsing
    • no file upload in P2P chats

What you can do to secure your Microsoft 365 guest identities?

The following are simply recommendations, so it will change depending the security you want to apply to your tenant:

  • enforce multi-factor authentication for guests
  • provide terms which guests musts agree on
  • regularly review permission needs are still valid
  • restrict access for guest to web-only / browser-only
  • set session timeout to enforce regular/daily authentication by guests
  • classify content by using sensitivity labels
  • auto classify defined sensitive information to highly confidential
  • auto remove guests access from files labeled high confidential

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s