
🧩 Part 5: Guest users and external sharing – collaborate without losing control

  • Writer: Bjørnar Aassveen
  • 3 days ago
  • 3 min read

Updated: 2 days ago

In a modern organization, collaboration with external parties – such as consultants, partners, suppliers and customers – is essential. But providing access to internal resources can also be a security risk if not done correctly.


Fortunately, Microsoft 365 and Entra ID offer great tools for sharing securely while maintaining control.


👤 What is a guest user?


A guest user (or B2B user) is an external person who is invited into your Microsoft 365 tenant. They are given an account in your Entra ID, but typically authenticate with their own identity (e.g. a Google account, a Microsoft account, or their own organization's work account).


Guest users can access:

  • Teams and channels

  • SharePoint sites and documents

  • Planner, OneNote, and other M365 tools

  • Applications via Entra ID


🔐 How to Secure External Sharing?


Here are some key mechanisms and recommendations:


Conditional Access

Use policies to control how and when guests gain access:

  • Require MFA for guests

  • Block access from unsecured devices or locations

  • Only allow access to specific apps


Guest Policies in Entra ID

You can control:

  • Who can invite guests (everyone, only administrators, or specific users)

  • What guests can see in the directory

  • Whether guests can see other users


Teams and SharePoint Settings

  • Restrict external sharing at the team or site level

  • Use sensitivity labels to control sharing levels

  • Enable notifications for external access


Access reviews

Set up regular access reviews for guest users:

  • Ask owners to confirm that guests still need access

  • Automatically remove inactive guests

  • Document reviews for auditing

💡 Requires Microsoft Entra ID P2

🔄 Extra: What is Cross-Tenant Synchronization?


Cross-Tenant Synchronization (CTS) is a feature of Microsoft Entra ID that allows you to automatically synchronize users between two or more Microsoft 365 tenants. This is particularly useful in scenarios where:

  • An organization has multiple tenants (e.g., after mergers or acquisitions)

  • You work closely with a partner organization

  • You want to provide access to resources without using traditional B2B invitations


How does it work?

CTS uses Entra ID B2B at its core, but instead of manual or ad hoc invitations, you set up a policy-based synchronization:

  • Users in one tenant (the source tenant) are synchronized to another (the target tenant)

  • They are created as guest users in the target tenant, but their attributes are kept continuously up to date

  • You can use filters to control which users are synchronized


Benefits of CTS


✅ Automatic and up-to-date – no manual invitation

✅ Scalable – supports many users and multiple tenants

✅ Better user experience – one identity, fewer logins

✅ Can be combined with Conditional Access and Access Reviews


When should you use it?

Use CTS when:

  • You have multiple tenants and want to provide employees with cross-tenant access

  • You work closely with another organization and want continuous access

  • You want to automate guest user management and reduce manual work


When should you not use it?

Avoid CTS if:

  • You only need temporary access for a few users

  • You don't need continuous synchronization

💡 CTS requires Microsoft Entra ID P1 in both tenants, and that both parties have configured cross-tenant access settings.

🧹 Cleanup and Monitoring

  • Use audit logs and sign-in logs to monitor guest access

  • Use Entitlement Management to grant and remove access as a package

  • Set up automatic guest removal after X days of inactivity
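
As an added example (not part of the original post), a Microsoft Graph PowerShell script that implements the inactivity rule above: it lists guest accounts with no interactive or non-interactive sign-in for a chosen number of days and removes them only when explicitly asked. It assumes the Microsoft.Graph module is installed and that the tenant has Entra ID P1 (required for sign-in activity data); the 90-day default and the parameter names are my own choices.

```powershell
param(
    [int]$InactiveDays = 90,   # threshold; the post's "X days"
    [switch]$Remove            # without this switch the script only reports
)

$scopes = "User.Read.All", "AuditLog.Read.All"   # AuditLog.Read.All is needed for SignInActivity
if ($Remove) { $scopes += "User.ReadWrite.All" } # write scope only when deleting
Connect-MgGraph -Scopes $scopes -NoWelcome

$cutoff = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays)

# userType eq 'Guest' selects B2B accounts. SignInActivity is only returned
# when requested explicitly via -Property.
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property Id, DisplayName, Mail, CreatedDateTime, ExternalUserState, SignInActivity

$stale = foreach ($g in $guests) {
    # Use the most recent of interactive and non-interactive sign-ins so a guest
    # who only reaches files through Teams/SharePoint tokens is not flagged.
    $last = @(
        $g.SignInActivity.LastSignInDateTime,
        $g.SignInActivity.LastNonInteractiveSignInDateTime
    ) | Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1

    # A guest with no sign-in at all (never accepted, or accepted but unused)
    # has no SignInActivity; measure inactivity from the invitation date instead.
    if (-not $last) { $last = $g.CreatedDateTime }

    if ($last -lt $cutoff) {
        [pscustomobject]@{
            DisplayName = $g.DisplayName
            Mail        = $g.Mail
            State       = $g.ExternalUserState   # PendingAcceptance = invite never accepted
            LastActive  = $last
            Id          = $g.Id
        }
    }
}

$stale | Sort-Object LastActive | Format-Table DisplayName, Mail, State, LastActive -AutoSize

if ($Remove) {
    foreach ($u in $stale) {
        # Soft delete: the account sits in the recycle bin for 30 days and can be restored.
        Remove-MgUser -UserId $u.Id
        Write-Host "Removed guest $($u.Mail) (last active $($u.LastActive))"
    }
}
```

Run it without -Remove first and review the report; pending invitations that were never accepted show up with State = PendingAcceptance and are usually the safest to clean up.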


Best Practices

  • Minimize access: only grant access to what's necessary

  • Time-limit access: use PIM or automation to set expiration

  • Communicate clearly: inform internal users how to share securely

  • Evaluate regularly: use reports and access reviews


Example: Secure Collaboration in Teams

  • A project manager invites an external consultant to a Team

  • The consultant gets access to files and meetings, but not to other Teams

  • A 30-day access review automatically removes the consultant if no one renews


🚀 Next Steps


In the next post, we’ll look at Entitlement Management and access packages – how you can grant the right access to new employees, project participants or external parties with one click.


Bjørnar&AI
