M365 Guests: The 25 Most Frequently Asked Questions
Guest access in Microsoft 365 makes it easy to collaborate with externals by granting them access to relevant files, Teams, or other resources. However, M365 guests also bring challenges related to management and Microsoft 365 security.
In our daily work with M365 administrators and users, certain questions about M365 guests come up particularly often. We’ve compiled the 25 most frequently asked questions about M365 guests here and answered them briefly and concisely for you.
With this knowledge, you can securely and efficiently manage your guests in M365 groups and Teams – whether through Microsoft standard solutions or with the advanced capabilities offered by the External User Manager (EUM).
The External User Manager offers features specifically designed for the secure and efficient management of M365 guests. Approval workflows, lifecycle management, and compliance policies give you full control over guest access.
The 25 Most Frequently Asked Questions About M365 Guests
How do I find all M365 guests in my tenant?
To view all M365 guests, you can use the Microsoft 365 Admin Center, the Microsoft Entra Admin Center, or a PowerShell script. However, this requires several manual steps. In the External User Manager, you can directly view all guests with their important details through a central dashboard. You can also specifically search for unmanaged guests and easily incorporate them into your guest management. Learn more here: Guest Import: View all M365 guests and manage them efficiently.
How do I invite external participants to Microsoft Teams meetings?
Microsoft Teams allows you to invite external participants directly in the meeting planning by entering their email address. For a step-by-step guide, see: Microsoft Teams: External Participants in Meetings.
How can I manage guest access permissions for M365 guests in Teams?
The Teams Admin Center allows you to set standard guest access permissions that apply to all M365 guests. For more information, see Microsoft Teams: Default Guest Permissions. The External User Manager provides additional controls, such as access reviews, lifecycle management, reporting, and the ability to set individual compliance policies.
Can I restrict guest access to specific Teams?
Yes, guest access can be disabled for individual Teams or allowed only for specific Teams. This can be achieved with sensitivity labels or a PowerShell script. The External User Manager offers easier and more detailed control, enabling team-specific access reviews. Learn more here: Block Guest Access for Specific Teams in Microsoft Teams.
How do I manage M365 guests in Microsoft Entra?
Microsoft Entra (formerly Azure AD) provides basic options for managing external identities and cross-tenant settings. Some important settings can also be found in other Microsoft admin centers. The External User Manager consolidates all security and compliance features in one app. Learn more: External Identities in Microsoft Entra.
How does guest onboarding work in M365 groups and Microsoft Teams?
The onboarding process typically involves the communications department contacting guests and providing an introduction. The External User Manager offers an automated onboarding solution that pre-defines security and compliance policies and requires consent agreements. Learn how to improve your onboarding process here: Onboarding Guests in Microsoft Teams and M365 Groups.
Can I blacklist or whitelist external domains for M365 guests?
Yes, this is possible. In Microsoft Entra, you can blacklist or whitelist domains by adding them to the external collaboration settings. With the External User Manager, domains can be added to the whitelist or blacklist even more easily. Learn more here: How to Blacklist and Whitelist External Domains in M365.
What happens to inactive M365 guests?
Microsoft does not offer automated functions here. Inactive guests remain in M365 groups and Teams, which can compromise the organization and security of your M365 environment. The External User Manager, on the other hand, allows you to identify inactive guests easily and remove them automatically based on configured timeframes.
How do I invite M365 guests to Teams?
Once guest settings are activated and organizational settings are configured in the Teams Admin Center, you can add guest users by going to the team, clicking on the three dots (…), selecting Add member, and entering the guest’s email address. The External User Manager provides additional security measures, such as approval workflows and automated access reviews, to ensure compliance. For more details, see Adding Guests to Microsoft Teams.
How can I restrict M365 guest access in Microsoft Teams?
In the Microsoft 365 Admin Center, you can configure general guest access under Users > Guest users > Manage Teams settings. In the Teams Admin Center, specific guest access permissions can then be further customized. The External User Manager also offers approval workflows and reports for more precise control and monitoring of guest access.
How do I enable guest access for M365 guests in the Admin Center?
Guest access can be enabled in the Microsoft Teams Admin Center. Go to Settings & policies > Org-wide default settings > Guest access and turn it on. For more details: Enable Guest Access for Microsoft Teams.
What are the risks associated with guest access to OneDrive data?
Guest access to OneDrive can lead to data leaks, as guests may view or share sensitive information. Without regular reviews, unauthorized access may go unnoticed. The External User Manager minimizes these risks by automating access reviews.
Can I convert M365 guests to members?
No, M365 guests cannot currently be converted directly to members. Members need an email address within the organization’s domain, while guests use external domains. To add guests as members, they need an account within your organization’s domain. Learn more here: Microsoft Teams: Change Guest to Member.
How can I see which files M365 guests are accessing?
In the Microsoft 365 Admin Center, go to Reports > Usage to view which files guests have viewed, downloaded, or edited. In the SharePoint Admin Center under Reports, you can also access activity logs to track guest activities.
What is the difference between authenticated and anonymous M365 guests?
Authenticated guests log in with a Microsoft account, while anonymous guests access content only via shared links.
How can I restrict guest sharing for individual SharePoint sites?
In the SharePoint Admin Center, you can restrict guest sharing for individual SharePoint sites. Go to Sites > Active Sites, select the SharePoint site you want to configure. Under Settings look for External file sharing and set it to Only people in your organization.
Can I ensure that all M365 guests accept compliance policies?
This is only possible with the External User Manager. The EUM onboarding portal allows you to set mandatory compliance policies and have documents (GDPR, NDA, etc.) signed.
How do I set up an approval workflow for M365 guests?
Approval workflows are a best practice in Microsoft Teams governance to ensure that only authorized people have access to Teams and resources. Unfortunately, Microsoft does not offer integrated approval workflows. However, with the External User Manager approval process, you can easily control guest access and keep your Microsoft 365 environment secure. Learn more: Microsoft Teams: External User Manager.
How do I remove M365 guests when they no longer need access?
Microsoft only offers manual options to remove guest access for M365 guests. With the External User Manager, you can automatically remove guest users based on lifecycle rules or inactivity.
How does the EUM help minimize data leaks through M365 guests?
The External User Manager is specifically designed to control guests in M365 groups and Teams and prevent data leaks. Key features include guest approval workflows, regular access reviews, lifecycle rules based on predefined criteria or inactivity, and detailed reports on M365 guests.
Can I restrict M365 guests to specific geographic regions?
Yes, this is possible. In the Azure Active Directory Admin Center, you can create a new policy under Conditional Access. Under Users, select guest users to whom the policy will apply. Under Network, you can then specify which geographic regions are allowed or blocked for access.
How long do M365 guests retain access to shared content?
By default, M365 guests retain access to shared content until it is manually revoked. The External User Manager automatically removes guest users based on predefined lifecycle rules, which also revoke access to shared content.
How can I ensure that M365 guests only have temporary access?
The External User Manager offers the option to automatically remove guest access after a predefined period. Learn more here: Microsoft Teams: External User Manager. With Microsoft’s standard tools, this can only be done manually.
How can I import existing M365 guests into the External User Manager?
Using the Guest Import feature in the External User Manager, you can easily incorporate existing M365 guests into centralized management. Learn more here: Guest Import: View all M365 guests and manage them efficiently.
How do I identify if an M365 guest is active or inactive?
Microsoft does not offer automated inactivity checks. However, with the External User Manager, you can regularly review your M365 guests, view detailed reports, and automatically remove inactive guests based on your configuration.
Make managing M365 guests easy!
The management of M365 guests can be challenging and requires appropriate measures for more control and Microsoft 365 security. The External User Manager makes it easy to manage guest access effectively and securely.
Do you still have questions about M365 guests? We leave no question unanswered:
Head of Marketing & Sales at Solutions2Share – Florian Pflanz has 6 years of M365 experience and has been involved in numerous projects concerning Microsoft Teams governance. In over 200 workshops, he has collected extensive knowledge and best practices regarding Microsoft Teams and companies’ management requirements.
