
How to track Office 365 guest users

Administrators should get familiar with the platform tools at their disposal to check Office 365 Groups access and ensure tenant security.

Office 365 and Azure are where many enterprises do their work, and IT pros need to understand how to keep these tenants secure.

As Office 365 has continued to mature, Microsoft has added more options to share information and work with people outside your organization.

However, inviting external users opens the company to some degree of risk when an outsider gains access to your organization's data. This tip will cover the ways to monitor Office 365 guest users to see who has access to what data and how to modify those rights.

What Office 365 applications support sharing?

Microsoft is fond of presenting Office 365 as a single platform, but the reality is these are individual services linked together. Most of the services work very differently from each other.

The main application that allows access for Office 365 guest users is SharePoint Online. It integrates with several Office 365 services, such as OneDrive for Business, Microsoft Teams and Office 365 Groups, which all have external sharing functionality built on SharePoint Online.

All external users are not equal

When we talk about external users, we're talking about people from outside your organization who do not have an account in your tenant. There are two categories of Office 365 guest users.

Authenticated users sign in with a Microsoft account or an account from another Office 365 tenant to gain access to a much wider set of resources. Authenticated users appear in your Office 365 admin portal under the Active users section with #EXT# in their user names.

Anonymous users can only access documents or folders and they don't have to sign in. They get a link to a file or folder without needing to log into a Microsoft service. Because the link contains the authentication to the document, there is no way to know who does what with an anonymous access link.

Authenticated users
The Active users section in the Office 365 admin center depicts the authenticated users with the #EXT# designation.

To see which external users have access to which Office 365 Groups, go into Groups in Outlook on the web and click members. Office 365 guest users appear under the Guests tab, as shown below.

Guests tab
From Outlook on the web, you can find which guests have access to certain Office 365 Groups under the Guests tab.
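Clicking through each group in Outlook on the web does not scale past a handful of groups. The following added example (not from the article) builds the same guest-per-group view for the whole tenant with the AzureAD PowerShell module; it assumes the module is installed, that you can sign in as a tenant administrator, and that Office 365 Groups are the Azure AD groups whose groupTypes contains 'Unified'. The output file name is an assumption.

```powershell
# Added example (not from the article): inventory Office 365 guest users and the
# Office 365 Groups each one belongs to, using the AzureAD PowerShell module.
# Assumes the AzureAD module is installed and an admin sign-in at the prompt.
Connect-AzureAD | Out-Null

# Guest accounts have UserType 'Guest'; their UPN also carries the #EXT# marker
$guests = Get-AzureADUser -All $true -Filter "userType eq 'Guest'"

# Office 365 Groups are the Azure AD groups whose groupTypes contains 'Unified'
$o365Groups = Get-AzureADMSGroup -All $true -Filter "groupTypes/any(c:c eq 'Unified')"

$report = foreach ($group in $o365Groups) {
    # Members come back as directory objects; keep only the guests
    $guestMembers = Get-AzureADGroupMember -ObjectId $group.Id -All $true |
        Where-Object { $_.UserType -eq 'Guest' -or $_.UserPrincipalName -like '*#EXT#*' }

    foreach ($member in $guestMembers) {
        [PSCustomObject]@{
            Group       = $group.DisplayName
            GuestUPN    = $member.UserPrincipalName
            GuestMail   = $member.Mail
            # Home domain of the external account, handy when comparing against an allow/block list
            GuestDomain = if ($member.Mail) { ($member.Mail -split '@')[-1] } else { '(no mail attribute)' }
        }
    }
}

# Guests that belong to no Office 365 Group still hold an account in the tenant
# and are often left over from a finished project, so list them separately
$orphanGuests = $guests | Where-Object { $_.UserPrincipalName -notin $report.GuestUPN }

$report | Sort-Object Group, GuestUPN | Format-Table -AutoSize
Write-Host "Guests with no Office 365 Group membership: $($orphanGuests.Count)"
$orphanGuests | Select-Object UserPrincipalName, Mail | Format-Table -AutoSize

# Keep a CSV so the next access review can be diffed against this one (path is an assumption)
$report | Export-Csv -Path .\o365-guest-access.csv -NoTypeInformation
```

Run it on a schedule and compare the CSV with the previous run: a guest who appears in a new group, or a guest whose domain you do not recognise, is the kind of change that the Outlook on the web view will not flag by itself.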

Give external access to Office 365 Groups

Adding external users into your Groups is a simple process. First, see if guest access is allowed for the Office 365 Groups in your tenant by checking the settings in the Office 365 admin portal. Check the settings by going to Settings > Security & privacy.

Office 365 Groups external access
The Security & privacy section shows whether users can give Office 365 Groups access to guests.

Scroll down to the Sharing section to see if external sharing is on or off. To change the setting, click the Edit button on the right.
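The admin portal toggle maps to two values in the Azure AD "Group.Unified" directory setting, which can be read from PowerShell. The following added example (not from the article) reads them with the AzureADPreview module; it assumes AzureADPreview is installed (Get-AzureADDirectorySetting is not in the GA AzureAD module) and that a tenant with no Group.Unified setting object is running on the template defaults, which allow guests.

```powershell
# Added example (not from the article): read the tenant-wide Office 365 Groups guest
# settings from the Azure AD "Group.Unified" directory setting (AzureADPreview module).
Connect-AzureAD | Out-Null

$setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }

if (-not $setting) {
    # No setting object means the tenant runs on the template defaults, which allow guests
    Write-Host "No Group.Unified setting object exists; template defaults apply (guest access allowed)."
    return
}

# The two values that govern guest access to Office 365 Groups:
#   AllowToAddGuests          - can group owners invite guests at all
#   AllowGuestsToAccessGroups - can guests already in the tenant read group content
$allowToAdd    = $setting['AllowToAddGuests']
$allowToAccess = $setting['AllowGuestsToAccessGroups']

[PSCustomObject]@{
    'Owners can add guests'        = $allowToAdd
    'Guests can access group data' = $allowToAccess
} | Format-List

# To change a value, set it on the object and write it back, for example:
#   $setting['AllowToAddGuests'] = $false
#   Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting
```

Checking the values this way is useful after a portal change, because the Security & privacy page only shows the sharing toggle, while the directory setting records both whether new guests can be added and whether existing guests keep access.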

The following chart shows which features guest users can access in your tenant.

Feature                          Guest user allowed?
-------                          -------------------
Create group                     No
Manage group members             No
Delete group                     No
Join group                       Yes, by invitation
Start conversation               Yes
Reply to conversation            Yes
Search for a conversation        Yes
@mention a person in the group   No
Pin/favorite a group             No
Delete conversation              Yes
Manage meetings                  No
View Group calendar              No

You can also control external access to Groups by specific domain with a Microsoft PowerShell script you use in conjunction with the Azure AD Preview PowerShell module. To adjust access, run the following command:

Set-GuestAllowBlockDomainPolicy.ps1 -Update -AllowList @("domain1.com", "domain2.com")

You can replace the -AllowList switch with -BlockList to define the domains whose external guests cannot gain access to your Groups.
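The script only governs new invitations; guests who were invited before the policy was set keep their access. The following added example (not from the article) reads the policy back to confirm the change and lists existing guests whose domain would now be refused. It assumes, as the Microsoft script does, that the policy is stored as an Azure AD policy object of type B2BManagementPolicy whose Definition is a JSON document with an InvitationsAllowedAndBlockedDomainsPolicy section, and that the AzureADPreview module is installed.

```powershell
# Added example (not from the article): read back the domain allow/block policy written by
# Set-GuestAllowBlockDomainPolicy.ps1 and find existing guests that fall outside it.
# Assumes the policy lives in an Azure AD policy object of type B2BManagementPolicy (AzureADPreview).
Connect-AzureAD | Out-Null

$policy = Get-AzureADPolicy |
    Where-Object { $_.Type -eq 'B2BManagementPolicy' -and $_.IsOrganizationDefault }

if (-not $policy) {
    Write-Host "No B2BManagementPolicy set: guest invitations are not restricted by domain."
    return
}

# Definition is a list holding one JSON string
$domainPolicy = ($policy.Definition | ConvertFrom-Json).B2BManagementPolicy.InvitationsAllowedAndBlockedDomainsPolicy
[PSCustomObject]@{
    AllowedDomains = ($domainPolicy.AllowedDomains -join ', ')
    BlockedDomains = ($domainPolicy.BlockedDomains -join ', ')
} | Format-List

# The policy does not touch guests who are already in the tenant, so check them by hand
$guests = Get-AzureADUser -All $true -Filter "userType eq 'Guest'"
$outside = foreach ($g in $guests) {
    if (-not $g.Mail) { continue }          # some guests have no mail attribute; skip rather than guess
    $domain = ($g.Mail -split '@')[-1]
    $violates = if ($domainPolicy.AllowedDomains) {
        $domain -notin $domainPolicy.AllowedDomains   # allow list: anything else is outside
    } else {
        $domain -in $domainPolicy.BlockedDomains      # block list: only listed domains are outside
    }
    if ($violates) {
        [PSCustomObject]@{ Guest = $g.UserPrincipalName; Domain = $domain }
    }
}

Write-Host "Existing guests outside the current domain policy: $(@($outside).Count)"
$outside | Format-Table -AutoSize
```

Guests reported here are candidates for removal with Remove-AzureADUser after the group owners confirm they are no longer needed; the policy alone will not remove them.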

Use the audit logs for insights

To see what guest users are doing in your Office 365 Groups, check the audit logs in the Office 365 Security & Compliance center from the protection.office.com URL.

Microsoft's improvements to the search GUI have made it a good way to get the information you need. Under Search & investigation, select Audit log search. In the screenshot below, I selected all the Azure AD group administration activities.

Audit log search
The audit log search feature lets the administrator see what type of actions an external guest executed in Office 365 Groups.

Office 365 stores 90 days of audit information. For longer retention, several third-party offerings collect and keep audit information for much longer periods.

You can refine your search options for specific users, including Office 365 guest users, and for specific files, folders or sites.
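The same search can be scripted so that guest activity is reviewed on a schedule instead of ad hoc. The following added example (not from the article) pulls the last 90 days of audit events for every guest account with Search-UnifiedAuditLog from Exchange Online PowerShell and summarises what each guest did. It assumes the ExchangeOnlineManagement and AzureAD modules are installed, that the AuditData column is a JSON document with Workload and ObjectId fields, and that 5,000 results per call is enough for your tenant.

```powershell
# Added example (not from the article): review the last 90 days of audit events for
# Office 365 guest accounts with Search-UnifiedAuditLog (Exchange Online PowerShell).
# Assumes the ExchangeOnlineManagement and AzureAD modules are installed.
Connect-ExchangeOnline -ShowBanner:$false
Connect-AzureAD | Out-Null

# Office 365 keeps 90 days of audit data, so a wider window returns nothing extra
$start = (Get-Date).AddDays(-90)
$end   = Get-Date

# Guest UPNs carry #EXT#, so take them from the directory rather than listing users by hand
$guestUpns = (Get-AzureADUser -All $true -Filter "userType eq 'Guest'").UserPrincipalName
if (-not $guestUpns) { Write-Host "No guest accounts in the tenant."; return }

# -ResultSize is capped at 5000; use -SessionId with -SessionCommand ReturnLargeSet to page further
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $guestUpns -ResultSize 5000

# AuditData is a JSON string; pull out the fields that say what was touched
$rows = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    [PSCustomObject]@{
        Time      = $e.CreationDate
        Guest     = $e.UserIds
        Workload  = $d.Workload            # e.g. SharePoint, AzureActiveDirectory, Exchange
        Operation = $e.Operations
        Target    = if ($d.ObjectId) { $d.ObjectId } else { '' }
    }
}

# Full timeline, oldest first
$rows | Sort-Object Time | Format-Table -AutoSize

# Which operations each guest performs most often; an unfamiliar pair (a guest who
# suddenly downloads many files, or who appears in group administration events) stands out here
$rows | Group-Object Guest, Operation |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Narrowing with -RecordType (for example SharePointFileOperation) or -Operations gives the same focus as the record-type picker in the Security & Compliance center, and exporting $rows to CSV each week builds the longer history that the 90-day window does not keep for you.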
