Securing guest access in Teams

What do we have to take into account when we have guests in our tenant? In this post I want to share some guidance about it:

Limitations for guests

Guests are a “special” member type in Azure AD and M365, so there are some limitations by design for guests that you should know about:

  • Per licensed user you can add up to five guests (1:5 ratio)
  • Guest user permissions in Azure AD are limited by default
    • cannot browse other tenant information
    • but can view their own profile
    • but can retrieve information on other users if they search for a UPN or object ID
  • Guest user permissions in Office 365 groups are limited
  • Guest user permissions in Teams are limited
    • no OneDrive for Business
    • no people search outside of Teams
    • no calendar
    • no meeting scheduling
    • no PSTN/telephony
    • no org chart
    • no teams creation/revision
    • no teams browsing
    • no file upload in P2P chats

What can you do to secure your Microsoft 365 guest identities?

The following are simply recommendations; which of them you apply will depend on the level of security you want for your tenant:

  • enforce multi-factor authentication for guests
  • provide terms which guests must agree to
  • regularly review whether permission needs are still valid
  • restrict access for guests to web-only / browser-only
  • set session timeout to enforce regular/daily authentication by guests
  • classify content by using sensitivity labels
  • auto classify defined sensitive information to highly confidential
  • auto remove guest access from files labeled highly confidential

SharePoint Online: Not possible to add guest users

While I was doing an implementation for a customer, I ran into a weird thing: I created a new Site Collection, and when I tried to invite people that I had in the B2B tenant, I was not able to find them.

If I tried with internal users, I was able to find them, so I was sure that the problem was with the external users.

The first thing that I checked was the properties of the SC, to be sure that I could invite external users, and of course I checked this parameter at tenant level, but with no luck.

So, I started to check commands in Docs, and I found a very interesting command: ShowPeoplePickerSuggestionsForGuestUsers

So I decided to give it a shot:

[Screenshot: spoex.png]

Once I executed the last command, I was able to find guest users.

Mystery solved!!
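The troubleshooting sequence described above, written out as an added PowerShell example (not the commands from the author's screenshot). It assumes the SharePoint Online Management Shell module is installed; the admin URL and site URL are hypothetical placeholders.

```powershell
# Added example. Placeholders below are assumptions: replace with your own tenant values.
$AdminUrl = 'https://contoso-admin.sharepoint.com'          # hypothetical tenant admin URL
$SiteUrl  = 'https://contoso.sharepoint.com/sites/project'  # hypothetical site collection

Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url $AdminUrl

# 1. Check that external sharing is allowed at tenant level and on the site collection,
#    and read the current people picker setting for guests.
$tenant = Get-SPOTenant
$site   = Get-SPOSite -Identity $SiteUrl

[pscustomobject]@{
    TenantSharing        = $tenant.SharingCapability
    SiteSharing          = $site.SharingCapability
    GuestsInPeoplePicker = $tenant.ShowPeoplePickerSuggestionsForGuestUsers
} | Format-List

if ($tenant.SharingCapability -eq 'Disabled' -or $site.SharingCapability -eq 'Disabled') {
    Write-Warning 'External sharing is disabled; the people picker setting will not help until that is changed.'
    return
}

# 2. Sharing is allowed but existing guests do not appear in the people picker:
#    enable suggestions for guest users, then read the value back to confirm.
if (-not $tenant.ShowPeoplePickerSuggestionsForGuestUsers) {
    Set-SPOTenant -ShowPeoplePickerSuggestionsForGuestUsers $true
    (Get-SPOTenant).ShowPeoplePickerSuggestionsForGuestUsers
}
```

Set-SPOTenant changes the setting for the whole tenant, so existing guest accounts become searchable in the people picker on every site collection, not only the one being tested.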