Guest & External Access

Guest users and external collaboration

9 controls · 1 critical · 5 auto-remediable

EXT-01 · High · Level 1 · Auto-fix

Restrict Guest Invitation Permissions

Unrestricted guest invitations allow any user to bring external identities into your tenant. This creates uncontrolled access paths and potential data exposure. Limiting invitations to authorized personnel ensures oversight.

EXT-02 · Medium · Level 1 · Auto-fix

Require MFA for Guest Users

Guest accounts often have weaker security than internal accounts. Requiring MFA for guests ensures external collaborators meet the same authentication standards as your employees.

EXT-06 · Medium · Level 1

External Sharing Visibility

External sharing is the most common data leakage vector. Without visibility into what is shared externally, you cannot assess your data exposure risk or detect sensitive data being shared inappropriately.

EXT-07 · Critical · Level 1

Detect External Mail Forwarding

Attackers commonly set up mail forwarding rules after compromising accounts. These rules silently copy all emails to external addresses, enabling ongoing data theft even after the initial compromise is remediated.

EXT-09 · Medium · Level 1 · Auto-fix

Guest User Lifecycle Review

Stale guest accounts are attack targets. Unlike internal accounts, guest accounts may not be subject to your password policies or MFA requirements. Regular lifecycle review prevents unauthorized access through forgotten guest identities.

EXT-04 · Medium · Level 2

Configure Guest Access Expiration

Guest accounts created for temporary projects often outlive their intended use. Without expiration, ex-partners and former vendors retain access indefinitely. Automatic expiration ensures guest access is time-bound.

EXT-08 · Medium · Level 2

Audit Mailbox Delegation

Mailbox delegation enables users to send email as others or access their mailboxes. Unauthorized delegation can be used for impersonation attacks or to access sensitive communications without detection.

EXT-05 · High · Level 2 · Auto-fix

Cross-Tenant Access Policy Review

Permissive cross-tenant defaults allow any external organization to collaborate with your tenant. Restricting defaults and configuring partner-specific policies ensures only approved organizations can access your resources.

EXT-03 · High · Level 3 · Auto-fix

Restrict Guest Access to Allowlisted Domains

At Level 3, external collaboration is tightly controlled. Only pre-approved partner organizations can access your tenant. This prevents social engineering and limits data exposure to vetted third parties.

TrueConfig continuously monitors your Microsoft 365 tenant and helps you maintain compliance with these security controls.