alphaspirit - Fotolia

How to track Office 365 guest users

Administrators should get familiar with the platform tools at their disposal to check Office 365 Groups access and ensure tenant security.

Office 365 and Azure are where many enterprises do their work, and IT pros need to understand how to keep these...

tenants secure.

As Office 365 has continued to mature, Microsoft has added more options to share information and work with people outside your organization.

However, inviting external users opens the company to some degree of risk when an outsider gains access to your organization's data. This tip will cover the ways to monitor Office 365 guest users to see who has access to what data and how to modify those rights.

What Office 365 applications support sharing?

Microsoft is fond of presenting Office 365 as a single platform, but the reality is these are individual services linked together. Most of the services work very differently from each other.

The main application that allows access for Office 365 guest users is SharePoint Online. It integrates with several Office 365 services, such as OneDrive for Business, Microsoft Teams and Office 365 Groups, which all have external sharing functionality built on SharePoint Online.

All external users are not equal

When we talk about external users, we're talking about people from outside your organization who do not have an account in your tenant. There are two categories of Office 365 guest users.

Authenticated users sign in with a Microsoft account or an account from another Office 365 tenant to gain access to a much wider set of resources. Authenticated users appear in your Office 365 admin portal under the Active users section with #EXT# in their user names.

Anonymous users can only access documents or folders and they don't have to sign in. They get a link to a file or folder without needing to log into a Microsoft service. Because the link contains the authentication to the document, there is no way to know who does what with an anonymous access link.

Authenticated users
The Active users section in the Office 365 admin center depicts the authenticated users with the #EXT# designation.

To see which external users have access to which Office 365 Groups, go into Groups in Outlook on the web and click members. Office 365 guest users appear under the Guests tab, as shown below.

Guests tab
From Outlook on the web, you can find which guests have access to certain Office 365 Groups under the Guests tab.

Give external access to Office 365 Groups

Adding external users into your Groups is a simple process. First, see if guest access is allowed for the Office 365 Groups in your tenant by checking the settings in the Office 365 admin portal. Check the settings by going to Settings > Security & privacy.

Office 365 Groups external access
The Security & privacy section shows whether users can give Office 365 Groups access to guests.

Scroll down to the Sharing section to see if external sharing is on or off. To change the setting, click the Edit button on the right.

The following chart shows what features guest users have access to  your tenant.


Guest user allowed?

Create group


Manage group members


Delete group


Join group

Yes, by invitation

Start conversation


Reply to conversation


Search for a conversation


@mention a person in the group


Pin/favorite a group


Delete conversation


Manage meetings


View Group calendar


You can also control external access to Groups by specific domain with a Microsoft PowerShell script you use in conjunction with the Azure AD Preview PowerShell module. To adjust access, run the following command:

Set-GuestAllowBlockDomainPolicy.ps1 -Update -AllowList @("", "")

You can replace the -AllowList switch with -BlockList to define the domains in your Groups that external guests cannot gain access.

Use the audit logs for insights

To see what guest users are doing in your Office 365 Groups, check the audit logs in the Office 365 Security & Compliance center from the URL.

Microsoft's improvements to the search GUI have made it a good way to get the information you need. Under Search & investigation, select Audit log search. In the screenshot below, I selected all the Azure AD group administration activities.

Audit log search
The audit log search features lets the administrator see what type of actions an external guest executed in Office 365 Groups.

Office 365 stores 90 days of audit information. To get more, there are several third-party offerings to get audit information for much longer periods.

You can refine your search options for specific users, including Office 365 guest users, and for specific files, folders or sites.

Dig Deeper on Microsoft messaging and collaboration

Cloud Computing
Enterprise Desktop
Virtual Desktop