September 28, 2022

What should you know about your Microsoft Teams Guests?

Many organizations rely on Microsoft Teams Guest Access for effective collaboration with Teams accounts not managed by the organization. This includes collaborating on projects and documents, chatting, scheduling meetings, and so much more.

But inviting guests into your tenant is similar to inviting guests into your home. You wouldn’t invite a stranger into your house without first learning a little more about them. And you would expect the same from all the members of your household.

So let’s take a close look at the 4 most common things you should know about MS Teams Guest users. We will take a close look at how you can capture this information, and who can access it.

We will show you how to shift the responsibility of capturing guest information to the content owners in your organization. This way you can empower them to keep your tenant secure and compliant.

 

What do you know about your Guests in Teams?

Out of the box, Microsoft 365 makes adding external users to Teams very easy. This is how to add someone external to Microsoft Teams:

  • Select the Team or Group you want to invite a Guest into
  • Start typing the email address
  • Click on the email address and done!
Adding Guest users to Microsoft Teams

This sounds easy enough for the end-user, but what does this process mean for the organization, productivity, and outputs?

Potential security and compliance issues.

You wouldn’t let someone into your house if all you knew was their email. Without context, it is hard for Azure AD admins to decide if the Guest should retain access to your tenant. This context should include:

  • Which organization the Guest is part of.
  • What their job title or area of responsibility is.
  • Whether they have an appropriate security clearance level to be able to access sensitive information.

Communication and effective collaboration issues.

For the users to collaborate effectively with Guests, they need to know more information about the Guests as well. Some examples include location country/city, company name, preferred language, department and job title, and phone number.

How can additional information on MS Teams Guest Users be captured?

By default, there isn’t a way for users to capture additional information about Guests when adding them to Groups and Teams. This is one of the major Microsoft Teams Guest access limitations.

However, Guest information can be accessed and edited by Azure Active Directory admins. Below you can see what an admin would see on any given Guest after end users add Guests.

The information available about Guest users in Azure Active Directory

Information about individual Guest user in Microsoft Azure Active Directory

The Teams admin can then go ahead and edit the Guest information. Microsoft has dozens of properties that can be populated with pertinent details, as you can see below:

The Guest user information fields available for editing by Azure Active Directory Admin

Your organization can introduce a costly process to facilitate the collection of additional information about Guests. This process would require:

  • Content owners to contact the Administrator right after the invitation has been sent.
  • Content owners to provide the Admin with the additional information the organization requires about the recently added Guest.
  • The Admin to enter the details manually in Azure AD.

 

Guest User information fields that need to be populated manually by Azure Active Directory Admin

This leaves a lot of room for error, where the end-user may forget to contact the Administrator. This also, of course, adds a lot of hours and responsibility to the Admin’s plate.

In organizations where such a process doesn’t exist, IT Admins will have to perform frequent cleanups and data entry.

Since Administrators rarely, if ever, hold the additional information about the Guests, they will first need to locate those who do.

The Admin would need to put the investigator hat on and review the list of Groups the Guest has access to. Then they would need to communicate with Teams users in hopes they can identify the individual.

Real troubles begin when the Guest in question doesn’t have access to any current M365 Groups. The only recourse at that point would be to perform an even deeper investigation. Diving into Audit Logs may help determine who completed the request for the Guest user. These logs, however, go back only 30 days, meaning that it is often impossible to identify the user at all.

 

Date range selection field for activity logs in Azure Active Directory
Individual Guest user audit logs in Azure Active Directory

Is there a better way?

Although out-of-box Microsoft Teams external Guest access information is limited, we at Orchestry recognize the importance of Guest Access. Our experience shows that added time and costs and potential risks of managing Guests are too great to overlook.

This is why we built our new Guest Insights and Management Features to help you, and your users, overcome these challenges.

Need to know more information about your guests? Orchestry can help.

With our beautiful Guest Request process the users can capture additional information about all the Guests. This information includes first and last name, company, and country. The requestors can also provide a reason why the Guest needs access to a Group right from the start.

This removes the need to implement any special processes for recording Guests’ information. In the long run, it saves hours of Admin work and custom development costs. Lastly, it ensures all relevant information about each Guest is captured from the moment they join your tenant.

Orchestry's Microsoft Teams Guest request access form

Not only can Orchestry help ensure you capture information for new Guests but also for existing Guests! When an existing Guest is invited to a new M365 Group, the inviter will be asked for additional details about them. Access to the new workspace is granted to the Guest only after the details have been added.

 

What can Guests access in Teams?

In Microsoft 365 only the administrators with the highest level of permissions can see what Guests have access to. 

Within Azure AD, Administrators can really only see which M365 Groups Guests have access to. More often than not, this is a very incomplete picture of the full access any given Guest has.

Information about Guest user Group membership found in Azure Active Directory

Specific details about the Group an individual Guest user has access to

Only knowing what groups users have access to is clearly not enough to prevent possible data leaks. So a deeper dive to identify individual assets Guests were given access to is required.

How to find asset access information for Microsoft Teams Guests?

One of the ways to review information about Guest access to individual assets is to dig through Microsoft Purview Audit Logs.

This does put a massive burden on administrators. The logs need to be reviewed regularly to ensure incorrect or potentially detrimental access was not given to a Guest. If it was, action has to be taken immediately.

If a Guest was given incorrect access, it can still be very difficult to understand where the access came from.

The logs only go back 90 days. If a data leak occurs as a result of sharing completed over 90 days ago, there is virtually no way to retrace the steps.

Below is an example of an Audit Log. What is absent in this view is a way to see what links this user may have been sent. The current process to access Sharing Link reports is incredibly painful, and can still obscure critical information!

Microsoft Purview Audit Logs

Alternatively, Administrators can leverage PowerShell scripts to help ensure no critical data is lost. Some sample scripts can be found online, but their output is accurate only as of the moment they were run.

The downside of PowerShell scripts is that they produce CSV format data which is hard to review and make sense of.

Is there a better way?

The area of Guest access to specific assets is particularly painful in the native Microsoft 365 and Azure AD environment. Orchestry’s Guest Insights and Lifecycle Management features have become a true game-changer for Administrators.

Our MS Teams Guest access Details show you every Group that a Guest has access to in rich detail.

Orchestry's individual Microsoft 365 Guest user access details

Guest Insights lets you see in a single beautiful interface the specific details about each Guest. This includes their personal details, location, date created or added, their activity, and the last time they logged in. Lastly, you can see a detailed list of all workspaces they have access to and when they were added.

The best part of the Guest Insights feature is that it will let you know if a Guest should be removed!

This will help you quickly identify Guests that shouldn’t be in your tenant and remove them in an instant.

 

Orchestry's Guest user access violation notification
 

What is the MS Teams Guest status?

You have 1,000 Guests in your tenant but do you actually know if they are active?

When was the last time they logged in?

Did they redeem their invitation to collaborate with your tenant?

What does this bizarre login information mean?

Latest Guest user sign-in information in Microsoft Azure Active Directory

What does this login history tell me? 

Guest user login audit information available in Microsoft 365 Azure Active Directory

All these are common questions and unfortunately, it’s difficult to get this information at an aggregated level.

Out of the box, any automatic actions that would help you get in control of your Guests would require complex and costly customizations. This includes:

  • Automatically flagging users that have not redeemed their invitation.
  • Getting recommendations for guest accounts that should be deleted.
  • Escalating areas where guests have access they shouldn’t have.

How to find out Microsoft Teams Guest status?

By default, only the Administrators with the highest level of permissions and privileges can view the Guest login history. They are the only ones who can view invitation redemptions and perform other actions, like resending Guest access invitations.

Guest user status information is available in Microsoft 365 Azure Active Directory

Staying up to date on the status of each Guest is a full-time job for any Administrator. Alternatively, a variety of PowerShell scripts could be pieced together. The output would be a raw CSV file.

These scripts would need to be run daily to truly have an accurate view of what is happening with your guests. They would still require the Administrator to perform manual actions based on what these reports indicate.

Is there a better way?

Orchestry’s Guest Insights features track the overall status of Guests in your tenant, as well as each Guest individually. They give you an unparalleled understanding of their current status.

Orchestry's Microsoft Teams Guest insights dashboard

With Orchestry you can quickly and easily make the right decisions on which Guests to remove or renew.

 

Which domains do all your MS Teams Guest users come from?

Another way to track your Guest population is to view the entire list of unique domains from which they originate. Many organizations will want to see patterns emerging from the domains that are repeatedly seen as guests. It will help them determine which domains could be problematic and should be blocked.

How to find the list of Guest domains?

Unfortunately, there is no way to see in OOTB Microsoft 365 what domains all your Guests have been added from. Administrators are either stuck doing this manually or have to spend time writing custom code or PowerShell scripts.
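The kind of script the guest status and guest domain sections above allude to, as an added example (not Orchestry's or Microsoft's code): it flags unredeemed invitations and stale sign-ins, then counts guests per source domain. The sample guests, the contoso tenant name and the 14- and 90-day thresholds are assumptions; the commented Microsoft Graph PowerShell calls show where live data would come from.

```powershell
# Constructed sample rows shaped like Microsoft Graph guest objects (not real accounts).
# Against a live tenant, load $guests with the Microsoft Graph PowerShell SDK instead:
#   Connect-MgGraph -Scopes 'User.Read.All','AuditLog.Read.All'
#   $guests = Get-MgUser -All -Filter "userType eq 'Guest'" -Property Mail,
#       UserPrincipalName, CreatedDateTime, ExternalUserState, SignInActivity
function New-SampleGuest($Mail, $Upn, $Created, $State, $LastSignIn) {
    [pscustomobject]@{
        Mail = $Mail; UserPrincipalName = $Upn; ExternalUserState = $State
        CreatedDateTime = [datetime]$Created
        SignInActivity  = [pscustomobject]@{
            LastSignInDateTime = if ($LastSignIn) { [datetime]$LastSignIn } }
    }
}
$tenant = '#EXT#@contoso.onmicrosoft.com'   # hypothetical host tenant
$guests = @(
    New-SampleGuest 'ana@fabrikam.example' "ana_fabrikam.example$tenant" '2022-01-10' 'Accepted' '2022-09-20'
    New-SampleGuest 'ben@fabrikam.example' "ben_fabrikam.example$tenant" '2021-11-02' 'Accepted' '2022-03-01'
    New-SampleGuest 'cy@mail.example' "cy_mail.example$tenant" '2022-08-01' 'PendingAcceptance' $null
    New-SampleGuest $null "dee_northwind.example$tenant" '2022-09-25' 'PendingAcceptance' $null
)
$now = [datetime]'2022-09-28'        # fixed for the sample; use Get-Date in production
$PendingDays = 14; $StaleDays = 90   # assumed thresholds, set these to your policy

function Get-GuestDomain($Guest) {
    if ($Guest.Mail) { return ($Guest.Mail -split '@')[-1].ToLower() }
    # No mail attribute: guest UPNs look like local_domain#EXT#@tenant, so take
    # the text after the last underscore of the part before #EXT#.
    $ext = ($Guest.UserPrincipalName -split '#EXT#')[0]
    $ext.Substring($ext.LastIndexOf('_') + 1).ToLower()
}

$report = foreach ($g in $guests) {
    $last    = $g.SignInActivity.LastSignInDateTime
    $pending = $g.ExternalUserState -eq 'PendingAcceptance'
    $flag    = 'OK'
    # Invitation sent but never redeemed within the allowed window
    if ($pending -and ($now - $g.CreatedDateTime).TotalDays -gt $PendingDays) {
        $flag = 'InvitationNotRedeemed' }
    # Redeemed guest that has never signed in, or not within the stale window
    if (-not $pending -and (-not $last -or ($now - $last).TotalDays -gt $StaleDays)) {
        $flag = 'NoRecentSignIn' }
    [pscustomobject]@{ Guest = $g.UserPrincipalName; Domain = (Get-GuestDomain $g)
                       State = $g.ExternalUserState; LastSignIn = $last; Flag = $flag }
}

# Guests per source domain, with how many in each domain need attention
$report | Group-Object Domain | Sort-Object Count -Descending |
    Select-Object @{ n = 'Domain'; e = { $_.Name } }, @{ n = 'Guests'; e = { $_.Count } },
        @{ n = 'Flagged'; e = { @($_.Group | Where-Object Flag -ne 'OK').Count } } | Format-Table
# The individual guests to follow up on
$report | Where-Object Flag -ne 'OK' | Format-Table Guest, Domain, Flag
```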

Admins can block every single “undesirable” domain. This is likely to frustrate your users. As a result, they will start to email content over, which is much less secure.

Under the umbrella of Microsoft 365, there are several places where domains can be blocked, including SharePoint, Teams, and Azure AD. So domain blocking will need to be done on an individual basis in each one of those instances.

 

Guest user domain blocking configuration in Microsoft 365 Admin Center
Guest user domain blocking configuration in Microsoft 365 Admin Center

Microsoft Teams Guest user domain blocking configuration in Microsoft Teams Admin Center

M365 Group external user domain blocking configuration

Is there a better way?

Orchestry’s Guest Insights and Lifecycle Management features can help with that as well! Say goodbye to PowerShell scripts, and hello to simple beautiful reports. This report will tell you how many domains you have and how many Guests have come from each domain!

This report can really help you understand what domains the Guests are being added from. It will also help you ensure that you block the appropriate domains before the sharing gets out of control.

Orchestry's domain report for Microsoft Teams and Microsoft 365 Guest users
 

Want to see the Guest Insights and Lifecycle Management in action?

Are you looking to:

  • Streamline capturing additional information about Guests in your tenant
  • Get a full grasp on the Guest status and their individual asset access
  • Understand the domains which the Guests are coming from
  • Avoid endless hours of auditing, building, and running PowerShell scripts.

Watch our on-demand webinar where Michal Pisarek presents use cases and functionality of our 3 core Guest features:

• Guest Insights

• Guest Provisioning

• Guest Reviews

What are your takeaways?

  • Review of common security, financial, and data risks, and challenges associated with Guest Access.
  • Discuss some of the gaps in the existing Guest Access reporting, provisioning, and lifecycle management.
  • Present the latest Guest Insights and Lifecycle Management features and how they can address your company’s risks
