This focus area intends to equip you with the skill to securely allow partners, vendors, customers, or other stakeholders access to your organization’s resources without compromising security protocols.
Defining Guest and External Access
Before diving into the specifics of this topic, it’s crucial to understand what we mean by ‘guest’ and ‘external access’. Essentially, guest access allows an external user, such as a partner or client, limited access to specific resources within your Microsoft 365 environment, while external access extends more broadly, enabling an outsider to join certain teams and participate in collaborations.
Planning Guest and External Access
In planning guest and external access, you should cover these core areas:
- Deciding policy requirements about who can enable or disable guest access.
- Identifying which resources will be available to guest users. These could range from Teams and SharePoint sites to OneDrive for Business.
- Establishing user authentication procedures. Options include multi-factor authentication (MFA) for an extra layer of security.
- Determining the lifecycle of guest user access. Think about how long a guest user should have access and how you’ll review and renew these access rights.
Implementing Guest and External Access
To implement guest and external access within Microsoft 365, you might start in the Microsoft 365 admin center. For instance, to enable guest access in Teams, follow these steps:
- Navigate to the Teams admin center.
- Select org-wide settings, and then click on ‘Guest access’.
- Switch ‘Allow guest access in Teams’ to On.
- Under the ‘Calling’ section, set your desired options.
- Once you complete these, hit the ‘Save’ button.
Bear in mind, it could take up to 24 hours for the changes to take effect in your organization.
A similar process applies when enabling guest access in SharePoint and OneDrive.
Managing Guest and External Access
Once guest access is activated, it’s essential to manage and monitor it over time. For instance, organizations should periodically review guest users’ access rights and deactivate those no longer needed. Also, businesses may want to monitor guest user activities using Microsoft Cloud App Security to prevent potential security threats.
In addition, the Azure Active Directory portal provides an all-in-one space where you can view and manage guest users’ activities. For instance, through the ‘Guest users’ tab under ‘Users’, you can quickly identify guest users in your organization and individually assess their access.
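One way to script the periodic review described above, as an added PowerShell example that is not part of the original article. The function name `Get-GuestReviewFinding`, the 90-day and 30-day thresholds, and the sample accounts are assumptions; the property names follow Microsoft Graph user objects.

```powershell
# Added example: classify guest accounts for a periodic access review.
# Get-GuestReviewFinding, the thresholds and the sample rows are hypothetical.
function Get-GuestReviewFinding {
    param(
        [Parameter(Mandatory)] [object[]] $Guests,
        [int] $StaleAfterDays = 90,      # assumed review threshold
        [int] $PendingAfterDays = 30,    # assumed grace period for unredeemed invitations
        [datetime] $AsOf = (Get-Date)
    )
    foreach ($g in $Guests) {
        $last = $g.SignInActivity.LastSignInDateTime
        $finding = if ($g.ExternalUserState -eq 'PendingAcceptance') {
            # Invited but never redeemed: an open invitation is unused access.
            if (($AsOf - $g.CreatedDateTime).TotalDays -gt $PendingAfterDays) { 'InvitationNeverRedeemed' } else { 'OK' }
        }
        elseif ($null -eq $last) { 'NoSignInRecorded' }
        elseif (($AsOf - $last).TotalDays -gt $StaleAfterDays) { 'StaleSignIn' }
        else { 'OK' }
        [pscustomobject]@{
            UserPrincipalName = $g.UserPrincipalName
            State             = $g.ExternalUserState
            LastSignIn        = $last
            Finding           = $finding
        }
    }
}

# Constructed sample data shaped like Microsoft Graph user objects (not real accounts).
$asOf = [datetime]'2024-06-01'
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice_fabrikam.example#EXT#@contoso.example'; ExternalUserState = 'Accepted'
        CreatedDateTime = [datetime]'2023-01-10'; SignInActivity = [pscustomobject]@{ LastSignInDateTime = [datetime]'2024-05-20' } }
    [pscustomobject]@{ UserPrincipalName = 'bob_vendor.example#EXT#@contoso.example'; ExternalUserState = 'Accepted'
        CreatedDateTime = [datetime]'2022-11-02'; SignInActivity = [pscustomobject]@{ LastSignInDateTime = [datetime]'2023-12-01' } }
    [pscustomobject]@{ UserPrincipalName = 'carol_partner.example#EXT#@contoso.example'; ExternalUserState = 'PendingAcceptance'
        CreatedDateTime = [datetime]'2024-02-14'; SignInActivity = $null }
)

# Live tenant (assumes the Microsoft Graph PowerShell SDK and the AuditLog.Read.All scope for SignInActivity):
# $guests = Get-MgUser -All -Filter "userType eq 'Guest'" -Property UserPrincipalName,CreatedDateTime,ExternalUserState,SignInActivity

# With the sample data: bob is StaleSignIn, carol is InvitationNeverRedeemed, alice is OK.
Get-GuestReviewFinding -Guests $sample -AsOf $asOf | Where-Object Finding -ne 'OK' | Format-Table
```

The output is a review list only; disabling or removing an account remains a separate, deliberate step after the resource owner confirms the guest is no longer needed.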
The Critical Role of Azure AD B2B
At the heart of managing guest and external access within Microsoft 365 is Azure AD B2B (Business to Business). This service allows you to invite external users to collaborate on your organization’s resources securely. Not only can you invite individual users, but you can also invite multiple users or even an entire Google or Azure AD domain.
The table below compares some of the things a typical guest user and a B2B guest user can do:

| | Guest Users | B2B Guest Users |
|---|---|---|
| Can they be included in communication and collaboration? | Yes | Yes |
| Can they access content in SharePoint, OneDrive, and Teams? | Yes | Yes |
| Can they have a mailbox in your organization? | No | No |
| Can they be an administrator? | No (unless you give them the role) | No (unless you give them the role) |
In conclusion, effectively planning, implementing, and managing guest and external access in Microsoft 365 is vital for successful collaboration. Yet, it also requires keeping strong governance and security measures in place, thus striking a balance between flexibility and safety. As you proceed with your prep for the MS-100: Microsoft 365 Identity and Services exam, make sure to explore each of these areas in greater depth. Practice using Azure AD B2B and get familiar with governing and monitoring tools like Microsoft Cloud App Security.
Practice Test
True or False: You cannot manage guest access permissions through Azure Active Directory.
- True
- False
Answer: False
Explanation: Azure Active Directory (Azure AD) lets you manage guest access and control their access levels within Microsoft
What can you do to limit guest access to certain apps and services in Microsoft 365?
- A) Disable guest access entirely
- B) Configure conditional access policies
- C) Remove the guest account
- D) None of the above
Answer: B) Configure conditional access policies
Explanation: Configuring conditional access policies allows you to limit guest access to specific apps and services without completely disabling guest access.
True or False: External users need a Microsoft 365 or Office 365 work or school account to accept an invitation for guest access.
- True
- False
Answer: False
Explanation: External users do not need a Microsoft 365 or Office 365 work or school account. They can use a Google account or a one-time passcode.
What is the first step in implementing guest and external access in Microsoft 365?
- A) Enable guest access in Microsoft 365
- B) Create a new user account
- C) Configure a SharePoint Online site
- D) Set up e-mail forwarding
Answer: A) Enable guest access in Microsoft 365
Explanation: To implement guest and external access, the first step is to enable guest access in the Microsoft 365 admin center.
Which service does not support guest access in Microsoft 365?
- A) SharePoint Online
- B) Teams
- C) Exchange Online
- D) OneDrive for Business
Answer: D) OneDrive for Business
Explanation: All three services — SharePoint Online, Teams, and Exchange Online — support guest access, but OneDrive for Business does not due to privacy and security concerns.
True or False: You can manage guest users’ access to resources in a different Azure Active Directory (Azure AD) organization.
- True
- False
Answer: True
Explanation: It is possible to manage guest users’ access to resources in Azure AD, including an external (or different) organization.
True or False: Azure B2B collaboration requires external users to have an organizational account.
- True
- False
Answer: False
Explanation: Azure B2B Collaboration allows users with various account types such as Gmail, Yahoo, and other personal email users, in addition to those with organizational accounts.
In SharePoint Online and OneDrive for Business, can you implement restricted sharing by domain?
- A) Yes
- B) No
Answer: A) Yes
Explanation: SharePoint Online and OneDrive for Business let you set up a policy to restrict sharing based on the domain.
To regulate access and permissions for external and guest users, what feature would you use in Microsoft 365?
- A) Conditional Access Policies
- B) User Roles
- C) Two-Factor Authentication
- D) All of the above
Answer: D) All of the above
Explanation: All options can be utilized to control access and permissions of external and guest users. Conditional access policies can regulate what resources can be accessed, user roles can decide the scope of actions, and two-factor authentication strengthens the security.
True or False: Guest users have the same access rights and permissions as other end-users.
- True
- False
Answer: False
Explanation: Guest users have limited capabilities and privileges by default. However, permissions can be modified as per requirement.
Interview Questions
What is the purpose of the guest access feature in Microsoft Teams?
Guest access in Microsoft Teams allows someone outside an organization to access teams, channels, chats, and applications within a team. This is useful for collaborating with individuals outside of the organization, such as clients, vendors, or other stakeholders.
What are the key steps to plan for guest access in Microsoft 365?
The key steps involved in planning for guest access in Microsoft 365 are assessing user needs and collaboration requirements, defining a guest access policy, planning governance, security and compliance requirements, and finally creating a roll-out plan for deploying guest access.
How do you implement guest access in Microsoft 365?
Guest access in Microsoft 365 can be implemented by navigating to the Microsoft 365 admin center, selecting Settings > Services & add-ins, and then clicking Microsoft Teams. From there, you can toggle on or off the “Allow guest access in Microsoft Teams” setting.
What are the restrictions for guest users in Microsoft Teams?
Though guest users can participate in chats, meetings, and collaborate on files, they can’t do things like make private calls, schedule meetings, browse directory-based resources like the company directory or create teams themselves.
How can I remove a guest user in Microsoft 365?
Guest users can be removed via the Azure Active Directory portal. The admin must find the guest user in the list of all users, and then select the “Delete” option.
What is the impact of external sharing settings in SharePoint on Microsoft Teams?
External sharing in SharePoint affects the ability to share files in Teams. If external sharing is turned off on the SharePoint site associated with the Team, you will not be able to share files in a chat or channel with guests.
Can you limit guest access to specific teams within Microsoft Teams?
Yes, team owners in Microsoft Teams can control guest access to specific teams. This can be managed through team settings, where owners can add or remove guest users.
Can guest users access OneDrive in Microsoft 365?
Yes, if given permissions by someone within the organization, guest users can access files or folders in OneDrive for work or school.
How can you manage guest users’ access to Microsoft 365 Groups?
Guest users’ access to Microsoft 365 Groups can be managed by the group owners. They can add or remove guest users as members through the Microsoft 365 admin center or via PowerShell commands.
How are guest users audited in Microsoft 365?
Auditing of guest user activities is available through the audit logs in the security and compliance center in Microsoft 365. This includes their sign-ins and activities within the apps.
What are the prerequisites for enabling guest access in Microsoft Teams?
To enable guest access in Microsoft Teams, you need to set the guest access option to ‘On’ in Teams settings, configure guest access settings in Azure Active Directory, allow guest users to be invited into your organization, and give consent to guest users for accessing Teams.
How do you control which external users have access to what content in SharePoint Online?
You can set guest link expiration dates and guest permissions at a granular level to control who can access what content and for how long. With SharePoint’s external sharing feature, you can also limit external access to only certain sites.
Can you disable guest access after it’s enabled in Microsoft Teams?
Yes, you can disable guest access by turning off the “Allow guest access in Microsoft Teams” setting in the Microsoft 365 admin center.
How can you monitor guest user activities in Microsoft 365?
You can use compliance and security features in the Microsoft 365 Security & Compliance Center to monitor activities of guest users, including which files they’ve accessed, and what they’ve done with shared content.
Can I modify the properties of a guest user in Azure Active Directory?
Yes, an administrator can modify details of a guest user in Azure Active Directory, such as Job title, Department, and Office location. For some attributes like username and source, changes must be managed from the original source of the guest user’s home directory.