A quick overview of setting up guest access in Azure AD
Setting up external sharing in Microsoft 365 is complicated, with interrelated settings spread across six different admin interfaces. So we’ll use an analogy to simplify the process: the security precautions that many organizations take to control access to their physical premises.
If you invite an outside person to your office for a meeting, they go through several levels of security checks before they can reach the meeting room and the sensitive information shared in it. We’ll treat the first level as the approach to the building’s campus.
Azure AD: access the campus
These global settings focus on verifying identity and defining the rules by which outsiders can be added to the directory (and by whom), as well as the rights they hold once they are in. An organization can have 5 guest users for each paid license.
The Microsoft 365 external sharing model is built so that guests authenticate with their own identity provider first, and you can then layer more stringent requirements on top for signing in to your environment. This is a nice feature, because when a user leaves their own organization (an external supplier, for example) their account is deactivated there, and they no longer have the means to log in as a guest to your environment.
As noted above, the key settings at the Azure AD level include whether guests can see your entire member directory or only the members of the teams they belong to.
This is also where you select the “Administrators and guest role users can invite” toggle, which determines whether administrators can invite guests through the administration interface. It must be enabled for team owners to be able to invite guests through the additional downstream settings. You can also choose to allow guests to invite other guests, but most organizations do not.
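As an added example that is not part of the original post, the following Microsoft Graph PowerShell snippet reads the tenant-level guest settings just described and flags the configurations the text discourages. It assumes the Microsoft.Graph module is installed, that the signed-in account can read the authorization policy, and that the three role IDs in the table are the built-in guest role IDs Microsoft documents for the guest access restriction setting.

```powershell
# Added example, not from the original post: audit Azure AD guest invite and
# directory visibility settings with the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes "Policy.Read.All"

$policy = Get-MgPolicyAuthorizationPolicy

# Built-in guest role IDs (assumed from Microsoft's documentation) and the
# labels the Azure AD portal shows for them.
$guestRoles = @{
    "a0b1b346-4d3e-4e8b-98f8-753987be4970" = "Guest users have the same access as members"
    "10dae51f-2a40-4e6d-b6fc-3c58a5b6b6ae" = "Limited access to properties and memberships (default)"
    "2af84b1e-32c8-42b7-82bc-daa82404023b" = "Restricted to their own directory objects (most restrictive)"
}

# allowInvitesFrom: none | adminsAndGuestInviters | adminsGuestInvitersAndAllMembers | everyone
# "adminsAndGuestInviters" corresponds to the toggle described in the text;
# "everyone" additionally lets existing guests invite further guests.
$inviteSetting = $policy.AllowInvitesFrom
$guestRole     = $guestRoles[$policy.GuestUserRoleId]
if (-not $guestRole) { $guestRole = "Unknown role id $($policy.GuestUserRoleId)" }

"Guest invites allowed from : $inviteSetting"
"Guest directory visibility : $guestRole"
"Email-verified self join   : $($policy.AllowEmailVerifiedUsersToJoinOrganization)"

$findings = @()
if ($inviteSetting -eq "everyone") {
    $findings += "Guests may invite other guests; the text notes most organizations keep this off."
}
if ($inviteSetting -eq "none") {
    $findings += "No one may invite guests, so team owners cannot add guests downstream."
}
if ($policy.GuestUserRoleId -eq "a0b1b346-4d3e-4e8b-98f8-753987be4970") {
    $findings += "Guests see the entire member directory, not only the teams they belong to."
}
if ($policy.AllowEmailVerifiedUsersToJoinOrganization) {
    $findings += "Email-verified users can join the tenant on their own (self-service sign-up)."
}

if ($findings.Count -eq 0) {
    "No findings: guest invite and visibility settings match the baseline described above."
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```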
Since March 2021, a one-time passcode option has been available to customers by default. This means that when a resource such as a document is shared with someone who is not yet in the directory and does not have a Microsoft account, they are sent a one-time passcode to verify their identity. In our physical security analogy, organizations housed in larger buildings or campuses may impose entry requirements for outside visitors arriving by vehicle at the access road, parking lot, or campus perimeter. A security guard checks that the visitor holds a valid identity document issued by a trusted authority before lifting the entry barrier.
Some highly secure sites only allow certain organizations onto the premises, while others simply keep a list of blacklisted organizations that can never get in. In other words, someone cannot access a meeting room if they cannot get inside the campus, but being allowed inside the campus does not grant them access to every meeting room.
For more information on configuring guest access settings in the Microsoft 365 Global Admin Center and Microsoft Teams Admin Center, be sure to download the full ebook here!