Back to GSO Recommendations

Guest Users with Risky Access: External Identity Exposure Risk

Why this risk matters

Guest users are external identities invited into your Microsoft 365 tenant — typically contractors, partners, vendors, or clients given access to Teams channels, SharePoint sites, or shared applications. Unlike employee accounts, guest users authenticate against their own identity provider. This means your MFA policies, Conditional Access rules, and security monitoring may have limited or no visibility into how they authenticate before they reach your resources.

Overe flags guest users who have access to sensitive resources, hold permissions beyond what is expected for a guest, have not been reviewed recently, or whose access scope has not been audited. The risk is not that guests exist — it is that their access is rarely reviewed with the same discipline applied to employee accounts.

Guest accounts can retain access long after the project, vendor relationship, or shared file that prompted the invitation is no longer active. And because they authenticate externally, there is no straightforward way to know what their own security posture looks like.

What happens if this is abused

  • Guest user's home tenant is compromised — attacker authenticates against the guest's identity provider and accesses your tenant's resources
  • Former vendor or contractor retains guest access to Teams channels, SharePoint sites, or shared documents after the relationship ends
  • Guest user with access to a sensitive SharePoint site exfiltrates data they were not formally authorised to access
  • Guest account created for a limited project granted access to the wrong groups or sites and never cleaned up
  • External identity used as a pivot to access shared resources that also contain internal user data or communications

When this is expected or acceptable

Guests are expected and legitimate in most Microsoft 365 environments. The question is not whether guests exist but whether their access is proportionate, documented, and regularly reviewed.

Guest access is acceptable when it is scoped to the specific resource the guest needs, the guest has a named internal sponsor who is accountable for their access, the access has a defined review date or expiry, and there is some form of Conditional Access applied — either via your own policies or Entra cross-tenant access settings. An open-ended guest invitation with broad access and no sponsor is a different situation.

Checks to perform before taking action

Before modifying guest user access:

  • Review the list of guest users and identify when each was last invited, when they last signed in, and what they have access to
  • Confirm whether each guest has a named internal sponsor or business owner
  • Check whether Conditional Access policies apply to guest sign-ins or whether guests are excluded from all policies
  • Review what Teams channels, SharePoint sites, and applications the guest can access — check for access that appears disproportionate to the guest's role
  • Check whether any guest users hold Entra ID roles or group memberships that go beyond basic resource access
  • Identify guests who have not signed in for an extended period but still have active access
  • Review whether your Entra cross-tenant access settings align with your intended guest security posture

Safe remediation steps

  1. Use Overe to review all guest users with active access, sorted by last sign-in date and access scope
  2. For guests with no recent sign-in and no active project relationship, remove their access
  3. For active guests with broad or unclear access, work with the internal sponsor to confirm the appropriate scope and reduce it where needed
  4. Set up access reviews in Entra ID Governance for guest users on a defined cycle
  5. Review Conditional Access policies to confirm they apply to guests — or implement cross-tenant access settings that impose requirements before guests can authenticate
  6. Establish a guest access lifecycle — invitation, access confirmation, periodic review, and expiry — rather than relying on manual oversight

Where direct remediation is required, Overe provides links to the appropriate Microsoft admin controls to complete the action safely.

Supporting documentation

Microsoft: Manage guest access in Microsoft Entra ID - https://learn.microsoft.com/en-us/entra/external-id/manage-guest-access

Microsoft: Set up access reviews for guest users - https://learn.microsoft.com/en-us/entra/id-governance/manage-guest-access-with-access-reviews

Microsoft: Cross-tenant access settings - https://learn.microsoft.com/en-us/entra/external-id/cross-tenant-access-settings-b2b-collaboration

Related risks and follow-on checks

  • Inactive guest users
  • Dormant users
  • Conditional Access exclusions creating risk
  • Apps with risky permissions
TBD CTA