Microsoft 365 Blog: Updates & News

The ultimate guide to reviewing your Guests' Access in Microsoft 365

Written by David Francoeur | Oct 13, 2022 7:00:00 AM

According to IBM’s Cost of a Data Breach Report 2022, the global average cost of a data breach is USD 4.35M. Some 45% of breaches occurred in the cloud, and cloud misconfigurations and vulnerabilities are among the factors that raise breach cost the most.

There is, however, a silver lining – there are some clear steps that can be taken to protect your organization from data breaches. 

With more and more valuable data hosted in cloud environments, organizations should invest in protecting it. In the same report, mature cloud security practices were associated with breach costs USD 720,000 lower than those of organizations without such practices, and identity and access management (IAM) alone was associated with an average saving of USD 224,396 per breach. Reviewing who holds access to your tenant, guests included, is a direct application of that IAM finding.

In conversations with organizations using Microsoft 365 we hear a consistent refrain about Guest management: with the built-in tools, overseeing guests is simply not a manageable task. Most administrators cannot get a full picture of the extent of Guest access in their tenant, let alone decide whether each Guest, and the access they hold, is still legitimate. As collaboration scenarios grow more complex, usage of the M365 platform matures, and security comes under closer scrutiny, managing Guests is reaching a tipping point where it can no longer be ignored.

What You’ll Take Away

This article covers some of the reasons to review your Guests’ access, how to set up recurring reviews of Guests using access reviews in Azure AD Identity Governance, and some of the challenges you may run into with that process.


Why Review Guests?

There are a host of reasons to review an organization’s Guest accounts; a short summary will serve the purposes of this article. Some of these reasons include:

  • Guests are easily “forgotten” and retain lingering access to Teams, Sites, Apps, and Content long after they need it. This is a significant security risk, especially as new users join the workspaces and begin to add content to workspaces they assume are private.
  • We often know little to nothing about Guest accounts, which makes it easy for users to share the wrong content with the wrong person. This again presents a significant security risk.
  • Many organizations do not archive or decommission workspaces that are no longer active. For internal users this amounts to noise, but for Guests who retain their access it can have more serious consequences.
  • Many Guests never redeem their invitation to collaborate with your tenant, but by virtue of being invited they exist in your Azure Active Directory (with a pending-acceptance state) and can be selected again as a Guest via search.
  • A lack of controls and governance policies at the Tenant or Group level may have led to Guests being inadvertently granted access to more than the sender realized.
  • In the vast majority of cases there is no “reporting structure” for Guests: nobody within the organization is assigned the role of managing, sponsoring, or overseeing a particular Guest. This general lack of responsibility and accountability often means disorder.
  • Even once Guest policies are put in effect (e.g., the group-level AllowToAddGuests setting via PowerShell, or Sensitivity Labels), existing Guests are left behind in these workspaces; the policies stop new invitations but do not revoke access already granted.
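The first and fourth points in this list, Guests who still hold membership long after their last sign-in and invitations that were never redeemed, can be enumerated directly. The following Microsoft Graph PowerShell script is an added example, not from the original post or from Orchestry. It assumes the Microsoft.Graph.Users module is installed, that the signed-in administrator can consent to the User.Read.All, AuditLog.Read.All and GroupMember.Read.All scopes, and that the tenant holds Azure AD Premium P1 or P2, which the signInActivity property requires. The 30-day threshold is the same one used for the review scope later in this post.

```powershell
# Added example: inventory guest accounts and flag those that match the risks above.
# Assumes Microsoft.Graph.Users and an Azure AD Premium P1/P2 tenant (needed for signInActivity).
Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All", "GroupMember.Read.All"

$InactiveDays = 30
$cutoff = (Get-Date).AddDays(-$InactiveDays)

# userType eq 'Guest' selects B2B guests; signInActivity is only returned when explicitly selected
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property "id,displayName,mail,userPrincipalName,externalUserState,createdDateTime,signInActivity"

$report = foreach ($g in $guests) {
    $lastSignIn = $g.SignInActivity.LastSignInDateTime

    if ($g.ExternalUserState -eq 'PendingAcceptance') {
        # Invited but never redeemed: exists in the directory and is still pickable in sharing dialogs
        $state = 'InviteNeverRedeemed'
    } elseif ($null -eq $lastSignIn) {
        $state = 'NeverSignedIn'
    } elseif ($lastSignIn -lt $cutoff) {
        $state = 'Inactive'
    } else {
        $state = 'Active'
    }

    # External organization the guest belongs to; some guest objects carry no mail attribute
    $domain = if ($g.Mail) { ($g.Mail -split '@')[-1] } else { '(no mail)' }

    # What the guest can still reach: transitive membership covers Teams, Microsoft 365 groups
    # and security groups (one Graph call per guest, so this takes a while on large tenants)
    $groupCount = (Get-MgUserTransitiveMemberOf -UserId $g.Id -All | Measure-Object).Count

    [pscustomobject]@{
        DisplayName = $g.DisplayName
        Mail        = $g.Mail
        Domain      = $domain
        State       = $state
        Invited     = $g.CreatedDateTime
        LastSignIn  = $lastSignIn
        GroupCount  = $groupCount
    }
}

# Guests that still hold access but are not active: the candidates for a review or for removal
$report | Where-Object { $_.State -ne 'Active' -and $_.GroupCount -gt 0 } |
    Sort-Object GroupCount -Descending | Format-Table -AutoSize

# Which external organizations your guests come from, most common first
$report | Group-Object Domain | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Keep the full inventory as evidence for the review
$report | Export-Csv -Path ".\guest-inventory.csv" -NoTypeInformation
```

A guest in the InviteNeverRedeemed state with a non-zero GroupCount is the worst case this post describes: the account has never been used, yet it already sits in groups and will appear in people pickers, so it is a good first target for removal rather than review.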


What is Required to Set Up a Guest Review Process

The features discussed below require Azure AD Premium P2 licenses. How many you need depends on who performs the reviews: member users who act as reviewers need a license, while Guests are covered by the External Identities monthly active user (MAU) billing model.

See What are access reviews | Microsoft Learn and MAU billing model for Azure AD External Identities | Microsoft Learn.


How to Set Up A Guest Review Process

  • Sign in to portal.azure.com
  • Locate Identity Governance under Services

  • Navigate to Access Reviews and click New Access Review

  • Under the Review Type tab, select the type of review being created (Teams + Groups, or Applications)

  • Configure the Review Scope: choose Guest users only, and if desired choose whether to include only inactive users and specify the inactivity threshold in days (e.g., 30 days)

  • Under the Reviews tab, select how the reviews shall be carried out. For the purposes of this blog, I will start a review immediately on all workspaces with Guests and repeat it on a quarterly basis. I’ve opted for a multi-stage review (Note: Multi-Stage access reviews are currently in Preview): the first stage asks each Guest to perform a self-review, and the second stage is performed by the Team Owners. I also specify a Fallback Reviewer (Adele Vance) for Teams where no owner can be found.

At the bottom of the tab, select which outcomes progress from Stage 1 to Stage 2. In my case, a Guest who decides during the self-review that their access can be removed need not continue to the second stage; only Guests who believe they still need access, or who did not give an answer, proceed to the Team Owner stage.

  • Under Settings, decide whether to use Decision Helpers (recommendations based on 30 days of sign-in inactivity), whether results are applied automatically when the review ends, and what should happen when reviewers do not respond (the safe default is to treat no response as Deny, otherwise an ignored review changes nothing).

  • On the Confirmation screen, confirm and Create the Access Review.
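For administrators who would rather script this than click through the portal, the same kind of review can be created with Microsoft Graph PowerShell. The script below is an added example, not from the original post or from Orchestry. It assumes the Microsoft.Graph.Identity.Governance and Microsoft.Graph.Users modules, the AccessReview.ReadWrite.All scope, and a fallback reviewer UPN that you must replace. It creates the single-stage variant (Team Owners as reviewers, with a fallback) rather than the two-stage self-review flow described above, and it takes the stricter position on non-response: unreviewed Guests are denied and decisions are applied automatically.

```powershell
# Added example: quarterly review of guests in every Microsoft 365 group, via Microsoft Graph.
# Assumes Microsoft.Graph.Identity.Governance, Microsoft.Graph.Users and AccessReview.ReadWrite.All.
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All", "User.Read.All"

$FallbackReviewerUpn = "adelev@yourtenant.onmicrosoft.com"   # placeholder: replace with your fallback reviewer
$fallback = Get-MgUser -UserId $FallbackReviewerUpn          # resolve the UPN to an object ID

$definition = @{
    displayName             = "Quarterly guest review - all Microsoft 365 groups"
    descriptionForAdmins    = "Group owners confirm that each guest still needs access"
    descriptionForReviewers = "Remove guests who no longer collaborate with your team"

    # Who is reviewed inside each group: guest users only (the portal's 'Guest users only' scope)
    scope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = "./members/microsoft.graph.user/?`$count=true&`$filter=(userType eq 'Guest')"
        queryType     = "MicrosoftGraph"
    }
    # Which groups get an instance: every Microsoft 365 group, which includes every Team
    instanceEnumerationScope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = "/groups?`$filter=(groupTypes/any(c:c+eq+'Unified'))"
        queryType     = "MicrosoftGraph"
    }
    # Owners of each group review their own guests; the fallback is used where a group has no owner
    reviewers = @(
        @{ query = "./owners"; queryType = "MicrosoftGraph" }
    )
    fallbackReviewers = @(
        @{ query = "/users/$($fallback.Id)"; queryType = "MicrosoftGraph" }
    )
    settings = @{
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true      # owners must say why a guest stays
        recommendationsEnabled          = $true      # 'decision helpers': flags 30-day sign-in inactivity
        defaultDecisionEnabled          = $true
        defaultDecision                 = "Deny"     # no response => access is removed, not kept
        autoApplyDecisionsEnabled       = $true      # apply the outcome without a manual step
        instanceDurationInDays          = 14
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 3; dayOfMonth = 1 }   # quarterly
            range   = @{ type = "noEnd"; startDate = (Get-Date).ToString("yyyy-MM-dd") }
        }
    }
}

$review = New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $definition
$review | Select-Object Id, DisplayName, Status
```

Keep the definition Id that this returns; the monitoring queries later in this post are keyed on it. Deny-by-default with auto-apply is what turns an ignored review into an actual revocation, which is the failure mode the portal walkthrough leaves to the reviewer's discretion.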

What the Guest Review Participants Will Receive

Participants in a Guest Review receive an email from Microsoft directing them to the My Access portal (myaccess.microsoft.com) to complete the review. The user experience is not bad, but adoption and change management effort (telling owners and Guests to expect the email and what the decisions mean) is likely required for the process to succeed.


Monitoring A Guest Review Process

To monitor an ongoing Access Review in the portal, open the Access Review and expand the individual Groups. This becomes challenging at scale, and it is difficult to get an overall picture of an individual Guest and their pending reviews across the environment.
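The per-guest view the portal lacks can be built from the decision items of every running instance. This Microsoft Graph PowerShell script is an added example, not from the original post or from Orchestry; it assumes the Microsoft.Graph.Identity.Governance module, the AccessReview.Read.All scope, and that your guest review definitions have the word "guest" in their display name (adjust the filter otherwise). It rolls the decisions up by Guest so you can see who still has pending reviews across all workspaces, and which pending items are about to time out.

```powershell
# Added example: one table of guest review decisions across every in-progress instance.
# Assumes Microsoft.Graph.Identity.Governance and the AccessReview.Read.All scope.
Connect-MgGraph -Scopes "AccessReview.Read.All"

# Pick the review definitions that target guests (assumption: their names contain 'guest')
$definitions = Get-MgIdentityGovernanceAccessReviewDefinition -All |
    Where-Object { $_.DisplayName -like "*guest*" }

$decisions = foreach ($def in $definitions) {
    # One instance exists per group in the enumeration scope; only running ones matter here
    $instances = Get-MgIdentityGovernanceAccessReviewDefinitionInstance `
        -AccessReviewScheduleDefinitionId $def.Id -All |
        Where-Object Status -eq 'InProgress'

    foreach ($inst in $instances) {
        Get-MgIdentityGovernanceAccessReviewDefinitionInstanceDecision `
            -AccessReviewScheduleDefinitionId $def.Id -AccessReviewInstanceId $inst.Id -All |
        ForEach-Object {
            [pscustomobject]@{
                Review      = $def.DisplayName
                Workspace   = $_.Resource.DisplayName         # the group / Team being reviewed
                Guest       = $_.Principal.DisplayName
                Decision    = $_.Decision                     # Approve, Deny, NotReviewed, DontKnow
                Recommended = $_.Recommendation               # decision helper output
                ReviewedBy  = $_.ReviewedBy.DisplayName
                Due         = $inst.EndDateTime
            }
        }
    }
}

# Per-guest rollup: how many workspaces each guest is being reviewed in, and how many are still open
$decisions | Group-Object Guest | ForEach-Object {
    [pscustomobject]@{
        Guest      = $_.Name
        Workspaces = $_.Count
        Pending    = @($_.Group | Where-Object Decision -eq 'NotReviewed').Count
        Denied     = @($_.Group | Where-Object Decision -eq 'Deny').Count
        Approved   = @($_.Group | Where-Object Decision -eq 'Approve').Count
    }
} | Sort-Object Pending -Descending | Format-Table -AutoSize

# Items nobody has touched with the instance closing within three days: chase these owners now
$decisions | Where-Object { $_.Decision -eq 'NotReviewed' -and $_.Due -lt (Get-Date).AddDays(3) } |
    Sort-Object Due | Format-Table Workspace, Guest, Recommended, Due -AutoSize
```

Comparing the Recommended column against the actual Decision is also a cheap quality check on the reviewers: an owner who approves a guest the decision helper flagged as inactive, without a justification, is the kind of rubber-stamping that makes a review process look healthy while changing nothing.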


Challenges and Costs

If you’ve read this far, you can see that there is a great deal of complexity to navigate in putting this in place, overseeing its execution, and preparing and onboarding users to receive these requests and make sense of them.

Another significant challenge is licensing and costing, which can be extremely complicated. Microsoft provides a table of example license scenarios, but even this is not altogether clear, and how you set up the reviews (who the reviewers are, and whether Guests self-review) directly affects the number of licenses required. Furthermore, how do you know whether you will fall over or under the first 50,000 free monthly active users for External Identities? Are you accounting for the extra fees for SMS- or phone-based multi-factor authentication?

With an Azure AD Premium P2 license costing 11.50 per user per month, incremental costs add up fast. It is not hard to imagine a large organization with 1,000 unique Team Owners who all need to perform access reviews for the Guests in their Teams; at 1,000 × 11.50 × 12 months, that is 138,000 per year.

All of this comes on top of existing license SKUs such as E3 (CAD 47.90 per user/month) for each user. Another option is to move these users from E3 to E5 (CAD 73.00 per user/month), which includes Azure AD Premium P2, but unless E5 is required for other functionality this is a steep cost that many organizations are not ready to bear.


Is There Another Way?

With Orchestry, there is! Our latest Guest Governance and Guest Insights features allow you to set up comprehensive Guest Review policies in minutes, and effectively delegate and automate the entire Guest review process. Curious about what the Guest Review process looks like with Orchestry and how much money and time it can save you?


More importantly, the Guest Governance and Guest Insights features not only allow for simpler, more efficient, and better-informed Guest reviews, but also give you a view of every Guest in your tenant and granular control over Guest Access.


More Details About Guests

Unlike the out-of-the-box Microsoft 365 Guest invitation flow, Orchestry requires users to capture additional information about a Guest before access to assets in your tenant is shared: their first and last name, their company name and country, and a justification for why the Guest needs access.

With the additional context on hand, reviewing Guests becomes a significantly simpler process. 

We have put together a comprehensive blog on everything you want to know about Guests in your tenant and how to capture this information, so have a read! 

Guest Review & Guest Request Policies

Orchestry’s beautiful interface allows you to easily create Guest Review policies of any level of complexity and apply them to the existing workspaces in minutes.  

Guest Request policies allow you to create granular rules around Guest requests. You can create policies that restrict Guest Access to certain types of Workspaces altogether. These policies can be applied to Workspaces that hold highly confidential information. More lenient policies can also be created, requiring users to collect additional information about Guests, or approval by a group of members or individuals within your organization before Guest Access is granted.  

But that’s only a small portion of what Orchestry can do. On top of the Guest Governance and Guest Insights features, it offers other functionality, including Workspace Templates, which let you get the most out of your Microsoft 365 license.

These features allow you to leverage the existing library of business-first scenario templates created by Microsoft 365 MVPs, or create your own templates and, of course, apply Guest Review and Guest Request policies to those templates. Now every time an end-user requests a new workspace from an existing template, the policies will be automatically embedded and put into action in that workspace once provisioned.


Guest Insights

Orchestry’s Guest Insights lifts the lid on all the Guests within your tenant and provides a view of the total number of Guests, the number and list of Workspaces shared with Guests, the number and list of unique domains your Guests come from, access violations, growth in Guest numbers over time, and more. These actionable insights allow your organization to make educated decisions on changes to Guest Request and Review policies, on revoking access and removing Guests, and on the overall security of your tenant.

Want to See Orchestry’s Guest Governance and Guest Insights in Action? Watch our on-demand webinar “Gain control over M365 Guest Access with Orchestry”.

What will you learn in this 60-minute webinar?

    • Review of common security, financial, and data risks, and challenges associated with Guest Access.
    • Discussion around some of the gaps in the existing Guest Access reporting, provisioning, and lifecycle management.
    • Presentation of the latest Guest Insights and Lifecycle Management features and how they can address your organization’s risks.