Why Should You Care About Guest Users? Because they are a Ticking Timebomb

Firstly, “Guest Users”, what are they?

Guest users are users who have been added to your Microsoft 365 environment but do not belong to your organisation.

They can be users from other organisations but also can be personal accounts like Gmail or Hotmail accounts.

The problem is that most organisations have no idea that they are being created and so will not be looking to manage and remove these guests.

Out of control guests!

Out of the box with Microsoft 365, anyone can add a guest user!

If you were to look at the list of guest users you would have no idea why they are there, how they got there and worst of all if they should still have access. So you have no idea if you can remove the guest or not.

These guest users represent a significant risk to your organisation’s security because they have access to your Microsoft 365 and are a ticking timebomb!

So, how can we solve this issue? What are some solution options?


The following section discusses some options for solving this problem.

Roll your own.

Firstly, you lock things down. Put together a guest approval process where if a guest user is needed to be added to the organisation, then they fill out a form.

Include in the form the following:

  • Who they are?
  • Why do they need access?
  • What do they need access to?
  • How long do they need access?

Using Microsoft Forms is a wonderful way to capture this information.

The IT team can use this information to go and invite the guest users and give them access to the appropriate resources.

There will need to be an additional process which checks the form submissions periodically so that users who no longer need access are removed.

Of course things might have changed by then and they may still need access, so make sure you contact the person who sent the original request.

As I am sure you have realised this process does introduce a bottleneck as each form needs to be processed by one of your IT team and this will take them away from other activities.

But, this is approach is certainly better than not leaving it as it was, you are now further protected and have at least a process to clean up these old guest users and remove any which are no longer required. Furthermore, with a bit more effort you implement something a little more sophisticated using Power Automate to help remind your team when they need to check the guest accounts.

Looking for something a bit smarter and more well-thought-out?

If you are a business with 150 users or more than the previous process is going to be a bit onerous on your IT team.

Instead, you could deploy Orchestry.

Orchestry has a wealth of features, and we use it almost every day ourselves.

With Orchestry, guest users are managed from the start to the end of the lifecycle with your organisation.

Firstly, guest users are requested through Microsoft Teams to be added to the Project team. During that request, you are prompted for information such as name, job title, company, mobile phone, and a justification as to why they are being added as a guest user.

Straightaway this is better as you can now see exactly why they need to be added and you are capturing mobile phone details so worse comes to worse you can phone them to check who they are.

Because this is Orchestry there are also a wealth of management reports.

Additionally, with Orchestry we can set up policies which enforce guest access reviews. There are options to either delegate the guest review process to the owners of the Microsoft Teams or if you would to centralise it then, it can be moved to a central team such as IT security which receives the requests.

These requests won’t just fade away, if no one takes action you will get asked repeatedly until the review has taken place.

The management reports are great because you can quickly see if there are any guests who have not accessed your systems recently and then if they haven’t, well then we should delete them!

Overall the Orchestry approach is thoroughly thought out and will manage your guests from creation to deletion.


We hope that gives you some food for thought on guests, the security risk that they represent and the fact that they need to be managed properly.

If you would like to find out more register and download our guide below.