Why Should You Care About Guest Users? Because they are a Ticking Timebomb

Firstly, “Guest Users”, what are they?

Guest users are users who have been added to your Microsoft 365 environment but do not belong to your organisation.

They can be users from other organisations, but they can also be personal accounts such as Gmail or Hotmail addresses.

The problem is that most organisations have no idea these accounts are being created, so nobody is managing them, reviewing them or removing them when they are no longer needed.

Out of control guests!

Out of the box with Microsoft 365, anyone can add a guest user! The Entra ID external collaboration setting that controls this (“Guest invite restrictions”) defaults to allowing anyone in the organisation, including existing guests, to send invitations, and sharing from Teams and SharePoint relies on that setting.

If you were to look at the list of guest users today, you would have no idea why they are there, how they got there or, worst of all, whether they should still have access. So you have no way of knowing whether a guest can safely be removed.

These guest users represent a significant risk to your organisation’s security because they hold access to your Microsoft 365 tenant that nobody is tracking, and they are a ticking timebomb!

So, how can we solve this issue? What are some solution options?

Solutions

The following section discusses some options for solving this problem.

Roll your own.

Firstly, you lock things down. Put together a guest approval process: whenever a guest user needs to be added to the organisation, the requester fills out a form.

Include in the form the following:

  • Who are they?
  • Why do they need access?
  • What do they need access to?
  • How long do they need access for?

Using Microsoft Forms is a wonderful way to capture this information.

The IT team can use this information to go and invite the guest users and give them access to the appropriate resources.

There will also need to be a periodic process that checks the form submissions against the “how long” answer, so that guests whose access period has ended are removed.

Of course things might have changed by then and they may still need access, so make sure you contact the person who sent the original request.

As I am sure you have realised, this process introduces a bottleneck: each form has to be processed by one of your IT team, which takes them away from other activities.

But this approach is certainly better than leaving things as they were: you are now better protected and at least have a process to clean up old guest users and remove any that are no longer required. Furthermore, with a bit more effort you can implement something a little more sophisticated using Power Automate to remind your team when the guest accounts are due for review.

Looking for something a bit smarter and more well-thought-out?

If you are a business with 150 users or more, then the previous process is going to be a bit onerous on your IT team.

Instead, you could deploy Orchestry.

Orchestry has a wealth of features, and we use it almost every day ourselves.

With Orchestry, guest users are managed from the start to the end of the lifecycle with your organisation.

Firstly, guest users are requested through Microsoft Teams to be added to the Project team. During that request, you are prompted for information such as name, job title, company, mobile phone, and a justification as to why they are being added as a guest user.

Straight away this is better, as you can now see exactly why they need to be added, and you are capturing mobile phone details, so if the worst comes to the worst you can phone them to check who they are.

Because this is Orchestry there are also a wealth of management reports.

Additionally, with Orchestry we can set up policies which enforce guest access reviews. The review can either be delegated to the owners of the Microsoft Teams or, if you would prefer to centralise it, routed to a central team such as IT security, which then receives the requests.

These requests won’t just fade away, if no one takes action you will get asked repeatedly until the review has taken place.

The management reports are great because you can quickly see whether any guests have not accessed your systems recently, and if they haven’t, then they should be deleted!

Overall the Orchestry approach is thoroughly thought out and will manage your guests from creation to deletion.
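Whichever route you take, the underlying check is the same as the one the reports above are doing: list every guest, work out who invited them and when they last signed in, and flag the ones nobody can vouch for. The script below is an added example written for this article; it is not code from the original page and it is not Orchestry’s own tooling. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in administrator can consent to the User.Read.All and AuditLog.Read.All scopes, and that the tenant has an Entra ID P1 or P2 licence (sign-in activity is not returned without one). The 90-day threshold and the output file name are arbitrary choices for the example.

```powershell
# Added example, not code from the original article or from Orchestry.
# Builds a review list of guest users: who they are, when they arrived, who invited them
# (where the audit log still holds the event) and whether they have signed in recently.
# Assumptions: Microsoft.Graph PowerShell SDK installed (Install-Module Microsoft.Graph),
# an admin who can consent to User.Read.All and AuditLog.Read.All, and an Entra ID P1/P2
# licence on the tenant (signInActivity is empty without one).
function Get-GuestReview {
    param([int]$StaleDays = 90)   # threshold is an arbitrary choice for this example

    Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All" -NoWelcome
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$StaleDays)

    # userType can be filtered server-side; signInActivity cannot be combined with other
    # filters in the same request, so staleness is evaluated client-side below.
    $guests = Get-MgUser -Filter "userType eq 'Guest'" -All -Property `
        Id, DisplayName, Mail, UserPrincipalName, CreatedDateTime, ExternalUserState, SignInActivity

    # "How did they get here?" - the directory audit log records the inviter, but only for
    # its retention window (7 days without a P1/P2 licence, 30 days with one). Older invites
    # simply show no inviter, which is itself a sign the guest predates any process.
    $inviterById = @{}
    Get-MgAuditLogDirectoryAudit -Filter "activityDisplayName eq 'Invite external user'" -All |
        ForEach-Object {
            $who = $_.InitiatedBy.User.UserPrincipalName
            foreach ($target in $_.TargetResources) {
                if ($target.Id) { $inviterById[$target.Id] = $who }
            }
        }

    foreach ($g in $guests) {
        # Use the later of the interactive and non-interactive sign-in timestamps; a guest
        # whose client only syncs files shows up in the non-interactive one.
        $signIns = @($g.SignInActivity.LastSignInDateTime,
                     $g.SignInActivity.LastNonInteractiveSignInDateTime) | Where-Object { $_ }
        $lastSignIn = $signIns | Sort-Object -Descending | Select-Object -First 1

        $status = if ($g.ExternalUserState -eq 'PendingAcceptance') { 'NeverAccepted' }
                  elseif (-not $lastSignIn) { 'NeverSignedIn' }
                  elseif ($lastSignIn -lt $cutoff) { 'Stale' }
                  else { 'Active' }

        [pscustomobject]@{
            DisplayName = $g.DisplayName
            Mail        = $g.Mail
            Domain      = if ($g.Mail) { ($g.Mail -split '@')[-1] } else { '' }
            Created     = $g.CreatedDateTime
            InvitedBy   = $inviterById[$g.Id]   # empty when the invite is older than the audit retention
            LastSignIn  = $lastSignIn
            Status      = $status
            Id          = $g.Id
        }
    }
}

$review = Get-GuestReview -StaleDays 90
$review | Sort-Object Status, LastSignIn |
    Format-Table DisplayName, Domain, Created, InvitedBy, LastSignIn, Status -AutoSize
$review | Export-Csv -Path .\guest-review.csv -NoTypeInformation   # file name is an example choice

# Confirm with the original requester before removing anything. To remove a confirmed guest:
#   Remove-MgUser -UserId <Id>
# A deleted user stays under Deleted users in Entra ID for 30 days and can be restored from there.
```

Run it from an elevated review session rather than on a schedule: the point is the conversation with the requester that follows, not the deletion. Guests in the NeverAccepted state are the easiest wins, since an invitation that was never redeemed has no work behind it to break. Accounts with no InvitedBy value and no recent sign-in are the ones the article is warning about: nobody can say why they exist, and the audit trail that would tell you has already expired.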

Conclusion

We hope that gives you some food for thought on guests, the security risk that they represent and the fact that they need to be managed properly.

If you would like to find out more register and download our guide below.