Sequentur Blog
Microsoft 365 guest access: how to collaborate securely with people outside your business
Working with people outside your organization – contractors, clients, vendors, accountants, legal counsel – is a normal part of running a business. Microsoft 365 has a built-in guest access system that lets external people participate in your Teams channels, access SharePoint files, and collaborate on documents without needing a license in your tenant. When configured properly, guest access is a secure and convenient way to collaborate. When left at defaults or ignored entirely, it becomes a growing collection of external accounts with access to your data that nobody is tracking.
This guide covers how to enable guest access, what to configure before inviting anyone, how to manage guest permissions across Teams and SharePoint, and how to audit and clean up guest accounts over time.
What guest access is and how it works
A guest in Microsoft 365 is someone from outside your organization who has been granted access to specific resources in your tenant – a Team, a SharePoint site, or a shared file. Guests authenticate with their own identity (their work Microsoft account, a personal Microsoft account, or a one-time passcode sent to their email) and access only what you have explicitly shared with them.
When you invite a guest, Microsoft Entra (formerly Azure Active Directory) creates a guest user object in your directory. Guests have limited permissions compared to regular users – they cannot browse your global address list, discover teams they have not been invited to, or access resources outside what has been shared. But the guest object persists in your directory until someone removes it.
Guest access is different from external access. External access (also called federation) lets your users chat and call with people in other Microsoft 365 organizations without creating a guest account. External access is real-time communication only – the external person does not get access to your files, Teams channels, or SharePoint sites. Guest access grants deeper access to your resources but requires an explicit invitation and creates an account in your directory.
Enabling and configuring guest access
Guest access involves settings in three admin centers. All three need to be reviewed because they interact with each other, and the most restrictive setting wins.
Microsoft Entra (Azure AD)
The top-level control. In the Entra admin center, go to External Identities > External collaboration settings.
Guest invite settings. Controls who can invite guests:
- “Anyone in the organization can invite guest users” – the default, and too broad for most businesses
- “Member users and users assigned to specific admin roles can invite” – a reasonable middle ground
- “Only users assigned to specific admin roles can invite” – most restrictive, recommended if you want centralized control
For most small businesses, restricting invitations to admins or a designated group prevents the sprawl that comes from everyone inviting their own contacts without coordination.
Collaboration restrictions. You can allow or block invitations to specific domains. If you only work with a known set of external organizations, allow-listing their domains and blocking everything else is the most secure approach. If that is too restrictive, at minimum block known consumer email domains (gmail.com, yahoo.com, outlook.com) if your external collaboration is strictly business-to-business.
SharePoint admin center
In the SharePoint admin center, go to Policies > Sharing. This controls how files and sites can be shared externally.
The sharing levels, from most to least permissive:
- Anyone – anonymous links, no authentication required. Disable this.
- New and existing guests – external users must authenticate. Recommended for most businesses.
- Existing guests only – only people already in your directory as guests. Useful during a lockdown.
- Only people in your organization – no external sharing at all.
Set the tenant-level default to “New and existing guests.” Individual SharePoint site owners can set their site to be more restrictive than the tenant default but cannot be more permissive. This means the tenant setting is your ceiling – tighten it here and no site can override it.
Also configure:
- Link expiration. Set sharing links to expire after a defined period (30 days is reasonable). This prevents perpetual access from a single sharing link.
- Link permissions. Default new sharing links to “View only” rather than “Edit.” Users can still choose edit access when sharing, but the safe default is read-only.
For the full walkthrough of SharePoint sharing settings in a security context, see Microsoft 365 security hardening for small business.
Teams admin center
In the Teams admin center, go to Users > Guest access. This controls what guests can do inside Teams specifically.
Key settings to review:
- Allow guest access in Teams – must be On for guests to join any Team
- Allow IP video and screen sharing – leave on unless you have a reason to restrict
- Allow meet now – whether guests can start ad-hoc meetings
- Edit sent messages / Delete sent messages – consider disabling both for guests so there is a clear record of what was communicated
- Use Giphy / Memes / Stickers – irrelevant for security but some businesses prefer a professional tone in channels with external participants
Also review guest permissions under each Team’s settings. Team owners can further restrict what guests can do within their specific team – whether guests can create, update, or delete channels, and whether they can add or remove apps.
For a broader overview of Teams configuration including channel structure and app permissions, see How to set up Microsoft Teams for a small business.
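The Entra invitation policy, the SharePoint sharing ceiling, and the Teams guest messaging settings described in the three sections above, scripted as an added PowerShell example (not from the original post or from Microsoft). It assumes the Microsoft.Graph, SharePoint Online Management Shell and MicrosoftTeams modules are installed; "contoso", "partner.example" and "vendor.example" are placeholders.

```powershell
# Added example: applies the guest-access settings from the three admin centers.
# Assumes the Microsoft.Graph, Microsoft.Online.SharePoint.PowerShell and
# MicrosoftTeams modules; "contoso" and the partner domains are placeholders.

# --- Entra: who may invite guests (External collaboration settings) ---
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"
# "everyone" is the broad setting the article warns about; restrict to admins
# and members of the Guest Inviter role instead.
Update-MgPolicyAuthorizationPolicy -AllowInvitesFrom "adminsAndGuestInviters"

# --- SharePoint: tenant-level sharing ceiling (Policies > Sharing) ---
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Permissive configuration, shown for comparison only (do not run):
# "Anyone" links allowed, new links anonymous, edit by default, no expiry.
# Set-SPOTenant -SharingCapability ExternalUserAndGuestSharing `
#               -DefaultSharingLinkType AnonymousAccess -DefaultLinkPermission Edit

# Hardened: "New and existing guests" only (no anonymous links), new links
# default to "Specific people" and view-only, guest site access expires in 30 days.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Direct `
              -DefaultLinkPermission View `
              -ExternalUserExpirationRequired $true `
              -ExternalUserExpireInDays 30

# Allow-list the partner domains you actually work with. If that is too
# restrictive, use -SharingDomainRestrictionMode BlockList with the consumer
# domains (gmail.com, yahoo.com, outlook.com) in -SharingBlockedDomainList.
Set-SPOTenant -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList "partner.example vendor.example"

# Verify the ceiling took effect.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    DefaultLinkPermission, ExternalUserExpireInDays, SharingDomainRestrictionMode

# --- Teams: guest messaging (Users > Guest access) ---
Connect-MicrosoftTeams
# Keep a clear record of what guests communicated: no editing or deleting.
Set-CsTeamsGuestMessagingConfiguration -AllowUserEditMessage $false `
                                       -AllowUserDeleteMessage $false
```

Site owners can only tighten further with Set-SPOSite, so the tenant values above remain the ceiling for every site.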
Inviting guests
Through Teams
The most common way to add a guest. A team owner adds the guest’s email address in the Team’s member management. The guest receives an email invitation with a link to accept. After accepting, they see the Team in their Teams client under “Your organizations” and can access the channels, files, and conversations in that Team.
Guests added to a Team automatically get access to the Team’s SharePoint site and its files. They can access the Files tab in channels, download files, and upload files (if permissions allow).
Through SharePoint
You can share a SharePoint site or individual document library with a guest by entering their email address in the sharing dialog. The guest receives an invitation and can access the shared content through the browser. They do not need the Teams client installed.
This approach is useful when you want to share files with an external person but do not need them in a Teams channel – for example, sharing a project deliverables folder with a client.
Through file sharing links
Individual files or folders can be shared via a link. When the sharing settings require authentication, the recipient must sign in before accessing the content. The link can be set to view-only or edit, and can include an expiration date.
For sharing with external people, always use “Specific people” links rather than “Anyone with the link.” Anonymous links are impossible to revoke effectively and provide no audit trail of who accessed the content.
What guests can and cannot do
What guests can access
- Teams channels they have been added to (not all channels in the Team, just the ones they are members of)
- Files in those channels (stored in SharePoint)
- SharePoint sites and document libraries they have been explicitly given access to
- Shared calendars and Planner boards within their Teams
- Chat with members of the organization
What guests cannot access
- Your global address list (they cannot browse your employee directory)
- Teams or channels they have not been invited to
- Other SharePoint sites they have not been granted access to
- OneDrive files of your users (unless specifically shared)
- Admin center or any tenant administration
- Your organization’s internal applications (unless separately configured)
Private channels and guests
Guests can be added to private channels within a Team, but only if the Team itself allows guest access. Private channels have their own SharePoint site, separate from the parent Team’s site. Adding a guest to a private channel gives them access to that channel’s files but not the parent Team’s files – useful for scoping access to a specific workstream.
Managing guest lifecycle
Guest accounts do not manage themselves. Without active management, your directory accumulates stale guest accounts from collaborations that ended months or years ago. Each stale account is access that nobody is monitoring.
Guest expiration policies
Microsoft Entra supports access review policies that automatically prompt team owners to confirm whether their guests still need access. You can configure these in Entra > Identity Governance > Access reviews.
Set up a quarterly access review:
- Create a review that targets guest users
- Assign team owners as reviewers (they know whether the guest is still actively collaborating)
- Configure auto-removal if the reviewer does not respond within 14 days
This catches the stale accounts that nobody remembers to clean up manually.
Manual audit
Even with automated reviews, a manual audit once or twice a year is valuable. In the Entra admin center, filter the user list to show only guest users. For each guest:
- Is the collaboration still active?
- Which Teams, SharePoint sites, and files do they have access to?
- When was their last sign-in? (A guest who has not signed in for six months probably does not need access)
Remove guests who no longer need access. This is one of the items on the Microsoft 365 security audit checklist – guest account review is consistently one of the areas where small business tenants have the most cleanup to do.
When a guest relationship ends
When a project finishes or a vendor relationship ends, remove the guest from all Teams and SharePoint sites, then delete the guest account from Entra. Removing them from a Team does not delete the guest object – it just removes their Team membership. The guest account persists in your directory and could potentially be re-invited by any team owner unless the account itself is deleted.
This is similar to the process for offboarding internal users, but simpler since guests do not have mailboxes, licenses, or OneDrive storage to deal with.
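The manual audit questions above (last sign-in, consumer domains) and the final deletion step, scripted as an added PowerShell example that is not part of the original post. It runs offline on constructed sample records; the commented Get-MgUser call shows how the same function is fed real tenant data (signInActivity needs an Entra P1 license and the AuditLog.Read.All and User.Read.All scopes), and the field names Mail, Created and LastSignIn are this example's own.

```powershell
# Added example (not from the original post): flags guest accounts that the
# manual audit would remove. Record shape (Mail, Created, LastSignIn) is ours.
function Get-GuestAuditFindings {
    param(
        [Parameter(Mandatory)] [object[]] $Guests,
        [int] $StaleDays = 180,      # article: ~six months without a sign-in
        [string[]] $ConsumerDomains = @("gmail.com", "yahoo.com", "outlook.com"),
        [datetime] $Now = (Get-Date)
    )
    foreach ($g in $Guests) {
        $reasons = @()
        if (-not $g.LastSignIn) {
            # Invited but never signed in: the collaboration never started.
            if (($Now - $g.Created).TotalDays -gt 30) { $reasons += "never-signed-in" }
        } elseif (($Now - $g.LastSignIn).TotalDays -gt $StaleDays) {
            $reasons += "stale-$StaleDays-days"
        }
        $domain = ([string]$g.Mail -split "@")[-1].ToLower()
        if ($ConsumerDomains -contains $domain) { $reasons += "consumer-domain" }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Mail = $g.Mail; LastSignIn = $g.LastSignIn; Reasons = ($reasons -join ",") }
        }
    }
}

# Real tenant data (commented out; run Connect-MgGraph first):
# $guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
#     -Property "displayName,mail,createdDateTime,signInActivity" |
#   ForEach-Object { [pscustomobject]@{ Mail = $_.Mail; Created = $_.CreatedDateTime;
#                                       LastSignIn = $_.SignInActivity.LastSignInDateTime } }

# Constructed sample records standing in for the Graph output.
$now = Get-Date "2024-06-01"
$sample = @(
    [pscustomobject]@{ Mail = "cpa@accountingfirm.example"; Created = $now.AddDays(-400); LastSignIn = $now.AddDays(-3) }
    [pscustomobject]@{ Mail = "dev@contractor.example";     Created = $now.AddDays(-300); LastSignIn = $now.AddDays(-200) }
    [pscustomobject]@{ Mail = "someone@gmail.com";          Created = $now.AddDays(-90);  LastSignIn = $null }
)
Get-GuestAuditFindings -Guests $sample -Now $now | Format-Table -AutoSize

# Offboarding: removing Team or site membership leaves the guest object in the
# directory, so finish by deleting it (placeholder id; requires User.ReadWrite.All).
# Remove-MgUser -UserId "<guest object id>"
```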
Security considerations
Guest access is a trust decision
Every guest account is someone outside your organization with access to your data. This is an acceptable risk when the access is intentional, scoped, and monitored. It becomes a security problem when guests accumulate unmonitored, when access is broader than needed, or when nobody knows which guests have access to what.
Conditional access for guests
If your plan includes conditional access (Business Premium or with an Entra P1 add-on), you can apply policies specifically to guest users. Common policies:
- Require MFA for all guest sign-ins. Guests authenticate with their own identity provider, and you cannot control the strength of their password. Requiring MFA adds a layer that you do control.
- Block access from untrusted locations. If your guests work from known locations, restrict their access by country or IP range.
- Require compliant devices. If guests need access to sensitive data, require that their device meets compliance standards through Intune.
Even without conditional access, enabling the security defaults in your tenant forces MFA for all users including guests.
Sensitivity labels
If you use Microsoft Information Protection, you can apply sensitivity labels to Teams and SharePoint sites that control whether guests can be added. A Team labeled “Confidential – Internal Only” can be configured to block guest access entirely, regardless of the tenant-level guest settings. This gives you granular control – some Teams allow guests, others do not, based on the sensitivity of the content.
Data Loss Prevention (DLP)
DLP policies can prevent guests from downloading or sharing files that contain sensitive information (credit card numbers, social security numbers, health records). If your business handles regulated data and shares Teams or SharePoint access with external parties, DLP policies add a safety net that prevents accidental exposure.
Common mistakes
Leaving guest access open with no governance
The default Microsoft 365 configuration allows any user to invite guests and gives guests broad access within the Teams and sites they are added to. Without restricting who can invite, setting expiration on sharing links, or reviewing guest accounts regularly, the tenant accumulates external access that nobody is tracking.
Not restricting sharing link types
If “Anyone with the link” sharing is enabled, users can create anonymous links to files that do not require authentication and cannot be meaningfully revoked. Disable anonymous sharing and require authentication for all external sharing links.
Giving guests access to the wrong scope
Adding a guest to a Team gives them access to all standard channels and the entire SharePoint document library. If the guest only needs access to one project folder, add them to a private channel or share a specific SharePoint folder rather than the entire Team. Scope access to what they actually need.
Never removing guests
The most common mistake. A contractor finishes a project and their guest account sits in the directory for years. They retain access to every Team and SharePoint site they were added to. Set calendar reminders to review and clean up guest access quarterly, or use Entra access reviews to automate it.
Treating guest access as all-or-nothing
Some businesses disable guest access entirely because they cannot figure out how to configure it securely. This pushes collaboration to personal email, consumer file sharing services, and other unmanaged channels that are harder to secure and impossible to audit. Properly configured guest access is more secure than the workarounds people use when it is unavailable.
When to get help
Guest access configuration spans three admin centers (Entra, SharePoint, Teams) and interacts with conditional access, DLP, and sensitivity labels. For a business that shares Teams or files with a handful of external contacts, the basic configuration described here is manageable. For businesses that regularly collaborate with dozens of external partners, clients, or contractors, the configuration needs to be tighter and the governance more structured.
Sequentur’s managed Microsoft 365 services include guest access configuration, policy setup, and ongoing guest account auditing. If your tenant has accumulated guest accounts from years of unmanaged collaboration, we can audit the current state, remove stale access, and set up governance policies so the problem does not recur.
Summary
Microsoft 365 guest access lets external people collaborate in your Teams and SharePoint without needing a license in your tenant. It is a secure and practical way to work with contractors, clients, and partners when configured properly – restrict who can invite guests, require authentication on all sharing links, set link expiration, limit guest permissions in Teams, and review guest accounts quarterly.
The most common problem is not that guest access exists but that nobody manages it. Guest accounts accumulate, sharing links persist indefinitely, and nobody knows which external people have access to what. Setting up governance before you start inviting guests is significantly easier than cleaning up after a year of unmanaged access.