Who Is Reviewing Teams Guest Access?

Date:Tuesday, Nov 19, 2019
Author: Paul Maggs
Reading Time: 6 minutes
Tags: Azure Identity Governance
Categories: Security Tips


Collaboration shouldn’t be limited to people within your own organisation; extending these capabilities to external guest participants improves how people share ideas and information. Keeping files and conversations in a single location removes the need to continually swap communications via email or other channels, reduces unnecessary copies of data that are difficult to reconcile when compiling authoritative versions, and removes the need to send that information externally, where you have no control over its use (unless you’ve deployed rights management, which is a conversation for another time).

By default, switching on Teams guest access applies globally across your Office 365 tenant. Every team owner, which may be anyone within your organisation, can then invite external guests into their teams, and those guests gain access to the associated conversations and files. This poses the critical question: how do you review and reconcile who has access to your organisation, your teams and your data? It is a scary proposition if you’ve enabled guest access without thinking about this question.

Organisations using a governance model that relies on team owners to police their own teams need to provide tools to assist with the review and remediation process. Relying on team owners to perform these administrative tasks unassisted invariably leads to poor governance, as tasks are forgotten or staff are unaware of their responsibilities. Whilst external guests are trusted entities, it is best practice to remove their access once it is no longer required; standing access that nobody needs only increases the risk of something going awry.
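Before delegating anything, you need to know which teams actually contain guests and who owns them. The following PowerShell is an added example (not code from the original post) that builds that inventory with the MicrosoftTeams module; it assumes the module is installed, that you connect as a Teams administrator, and that the output file name is a placeholder you can change.

```powershell
# Added example: inventory external guests across every team, together with the
# owners who would be responsible for reviewing them.
# Assumes the MicrosoftTeams module and a Teams administrator account.
Connect-MicrosoftTeams

$report = foreach ($team in Get-Team) {
    # -Role Guest returns only members whose role in the team is "guest"
    $guests = Get-TeamUser -GroupId $team.GroupId -Role Guest
    if (-not $guests) { continue }            # skip teams with no external guests

    # Owners are the people an access review would delegate the decision to
    $owners = (Get-TeamUser -GroupId $team.GroupId -Role Owner).User -join ';'

    foreach ($guest in $guests) {
        [pscustomobject]@{
            Team       = $team.DisplayName
            GroupId    = $team.GroupId
            Visibility = $team.Visibility
            Owners     = $owners              # empty string means an orphaned team
            Guest      = $guest.User          # guest's UPN, e.g. name_domain.com#EXT#@tenant.onmicrosoft.com
            GuestName  = $guest.Name
        }
    }
}

# Placeholder path: change to wherever the report should live
$report | Sort-Object Team, Guest | Export-Csv -Path .\TeamsGuestInventory.csv -NoTypeInformation

# Teams that hold guests but have no owner have nobody to review them; fix ownership first
$report | Where-Object { -not $_.Owners } | Select-Object -Unique Team, GroupId
```

Get-Team enumerates every team in the tenant and Get-TeamUser is called twice per team, so in a large tenant this takes a while; run it as a scheduled job rather than interactively. The orphaned-team check at the end matters for what follows: an access review that assigns reviews to team owners silently does nothing for a team that has none.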

Does Office 365 provide native tools?

Multiple tools and methods exist to help organisations review and remediate external guest access, and for some organisations the answer will be Azure AD Identity Governance access reviews. Access reviews let organisations delegate group membership review to specific people or groups of people, who validate the membership and take action on the result. Access reviews are not limited to Teams and can be used in other areas of Office 365, but pairing them with Teams is a good use case for keeping membership current and valid.

Where access reviews excel is the ability to enable regular group membership validation assigned to people within your organisation who are best placed to make these decisions. It’s one thing to have the IT department review where access has been granted, yet in many instances they will not be able to make a value judgement on whether this access is warranted or should be rescinded. Empowering the right people, in this instance the team owners, to regularly make these decisions puts the responsibility in the right hands and ensures guest access to teams is regulated and up to date.

Access reviews. How do they work?

Access reviews provide flexibility in the number of policies you can deploy, the data they protect, and what happens when a review completes. This leaves ample room to deploy different policies based on need, including which data access is affected, how often a review should be completed, who should be completing the reviews, and whether the review includes not only external guests but also internal staff.
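Each of those policy decisions maps to a field on the access review definition. The block below is an added example, not code from the original post, that creates one such policy through the Microsoft Graph PowerShell SDK: the guests of a single team are reviewed quarterly by that team's owners, with Azure AD recommendations turned on and a fail-closed default. It assumes the Microsoft.Graph module, the AccessReview.ReadWrite.All permission, and that the group ID and display names are placeholders you replace with your own.

```powershell
# Added example: a recurring access review in which a team's owners review that
# team's external guests every quarter.
# Assumes the Microsoft.Graph PowerShell SDK and AccessReview.ReadWrite.All consent.
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All"

$groupId = "00000000-0000-0000-0000-000000000000"   # placeholder: the team's GroupId

$definition = @{
    displayName             = "Guest access review - Project Falcon team"   # placeholder name
    descriptionForAdmins    = "Quarterly review of external guests in the Project Falcon team"
    descriptionForReviewers = "Remove any guest who no longer needs this team's conversations and files"

    # WHAT is reviewed: only members whose userType is Guest, so internal staff are excluded.
    # Drop the $filter to review internal members as well.
    scope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = "/groups/$groupId/transitiveMembers/microsoft.graph.user/?`$count=true&`$filter=(userType eq 'Guest')"
        queryType     = "MicrosoftGraph"
    }

    # WHO reviews: the team's owners, the people able to judge whether access is still warranted
    reviewers = @(
        @{ query = "/groups/$groupId/owners"; queryType = "MicrosoftGraph" }
    )

    settings = @{
        mailNotificationsEnabled        = $true   # the notification email shown in Step 1
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true   # an owner must say why a guest keeps access
        recommendationsEnabled          = $true   # approve/deny hints based on recent sign-in activity
        instanceDurationInDays          = 14      # owners get two weeks per cycle
        autoApplyDecisionsEnabled       = $true   # apply results without an admin step
        defaultDecisionEnabled          = $true   # if an owner never responds ...
        defaultDecision                 = "Deny"  # ... the guest is removed (fail closed)

        # HOW OFTEN: first of the month, every three months, indefinitely
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 3; dayOfMonth = 1 }
            range   = @{ type = "noEnd"; startDate = (Get-Date).ToString("yyyy-MM-dd") }
        }
    }
}

New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $definition
```

The combination of autoApplyDecisionsEnabled and defaultDecision = "Deny" is the security-conservative choice: a team owner who ignores the review loses their guests rather than keeping them forever. It is also exactly the setting that removes access people are still relying on, so it needs the training and communication discussed below before it goes live. To cover the whole tenant, run this once per GroupId from your guest inventory rather than one review for everything, so each owner sees only their own team.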

Here are some areas to be aware of:

Additional training and adoption is required

Enabling access reviews affects what data is accessible and by whom, so a change like this should be planned with sufficient education and reference materials. Whilst Microsoft provides a friendly interface for the review process, an incorrectly applied review can cause people to lose access and with it the ability to collaborate.

Keep in mind when enabling access reviews:

Example of the access review process

Step 1: Example Access Review Email

At each review cycle, reviewers are sent an email informing them that they are responsible for an access review audit with a link to the review resources.

Screenshot: Guest access review

Step 2: Actioning an access review

A list of all team members, in this example external guests, whose access must be validated by a reviewer. Note that for this review Azure AD has generated recommendations on whether to renew or revoke each guest's access; these are based on the guest's recent sign-in activity, so a recommendation to deny means the guest has not been using the access, not that the access was wrong to grant.

Screenshot: Guest access review

Step 3: Reporting

Reviewers and administrators are provided with reports indicating the results of each review. A visual graph gives a quick summary, whilst the detailed results provide in-depth information, including why access was extended or denied and the effect of any change.

Screenshots: Guest access review

Licensing requirements

Access reviews are part of Azure AD Identity Governance and require Azure Active Directory Premium P2 licences, which are included in Enterprise Mobility + Security E5 (and in Microsoft 365 E5). Check that the people assigned as reviewers are covered before rolling the feature out.