The Problem with Guest Accounts (Going Outside Your Tenant)

Good Visibility Over Guest Activity for Host Office 365 Tenants

From a host tenant perspective, Microsoft has done a great job with Azure B2B Collaboration, the foundation for guest user access for applications like Teams and Planner. External people can be invited to join groups and teams, or to share documents and folders (including now through @mentions in comments in Office documents). After they redeem their invitation, the external people become fully-fledged guest users in the tenant and get secure access to the resources that have been shared with them.

Just about the only thing a tenant administrator must worry about is an occasional review of guest accounts to remove those no longer in active use. Or maybe implement a deny list for domains you don't want guest users to come from (the Azure AD external collaboration settings accept either an allow list or a deny list of domains).
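A worked version of that periodic review, added here as an example rather than taken from the original article: the classification runs over any objects that carry the Azure AD guest properties (ExternalUserState, CreatedDateTime, SignInActivity), so it works against Get-MgUser output in a live tenant or against the constructed sample at the bottom. The thresholds (90 days inactive, 30 days for unredeemed invitations) and the tenant and people names are assumptions for illustration. Note that SignInActivity is only populated when the tenant holds an Azure AD Premium P1 licence.

```powershell
# Added example (not from the original article): classify guest accounts for review.
# Assumes the Microsoft Graph PowerShell SDK (Get-MgUser) for the live query; the
# classification runs against any objects with these properties, so the constructed
# sample below runs offline.

function Get-GuestReviewCandidates {
    param(
        [Parameter(Mandatory)] [object[]] $Guests,
        [int] $InactiveDays = 90,      # assumed policy threshold, not from the article
        [int] $PendingDays  = 30,      # invitations never redeemed after this many days
        [datetime] $Now = (Get-Date)
    )
    foreach ($g in $Guests) {
        $lastSignIn = $g.SignInActivity.LastSignInDateTime
        $reason = $null
        if ($g.ExternalUserState -eq 'PendingAcceptance') {
            if (($Now - [datetime]$g.CreatedDateTime).TotalDays -gt $PendingDays) {
                $reason = "invitation not redeemed for $PendingDays+ days"
            }
        }
        elseif (-not $lastSignIn) {
            # Redeemed, but no sign-in recorded (sign-in data needs Azure AD Premium P1)
            if (($Now - [datetime]$g.CreatedDateTime).TotalDays -gt $InactiveDays) {
                $reason = "no sign-in recorded since creation"
            }
        }
        elseif (($Now - [datetime]$lastSignIn).TotalDays -gt $InactiveDays) {
            $reason = "last sign-in more than $InactiveDays days ago"
        }
        if ($reason) {
            [pscustomobject]@{
                UserPrincipalName = $g.UserPrincipalName
                Mail              = $g.Mail
                HomeDomain        = ($g.Mail -split '@')[-1]   # where the guest comes from
                State             = $g.ExternalUserState
                LastSignIn        = $lastSignIn
                Reason            = $reason
            }
        }
    }
}

# Live query (requires Connect-MgGraph -Scopes "User.Read.All","AuditLog.Read.All"):
#   $guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
#               -Property Id,UserPrincipalName,Mail,CreatedDateTime,ExternalUserState,SignInActivity
#   Get-GuestReviewCandidates -Guests $guests | Format-Table -AutoSize

# Constructed sample standing in for Get-MgUser output (hypothetical tenants and people)
$now = [datetime]'2020-09-01'
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice_contoso.com#EXT#@fabrikam.onmicrosoft.com'
        Mail = 'alice@contoso.com'; CreatedDateTime = '2019-01-15'; ExternalUserState = 'Accepted'
        SignInActivity = @{ LastSignInDateTime = '2020-08-28' } }   # active: not flagged
    [pscustomobject]@{ UserPrincipalName = 'bob_tailspin.com#EXT#@fabrikam.onmicrosoft.com'
        Mail = 'bob@tailspin.com'; CreatedDateTime = '2019-11-02'; ExternalUserState = 'Accepted'
        SignInActivity = @{ LastSignInDateTime = '2020-02-10' } }   # stale: flagged
    [pscustomobject]@{ UserPrincipalName = 'carol_adatum.com#EXT#@fabrikam.onmicrosoft.com'
        Mail = 'carol@adatum.com'; CreatedDateTime = '2020-06-01'; ExternalUserState = 'PendingAcceptance'
        SignInActivity = $null }                                     # never redeemed: flagged
)
Get-GuestReviewCandidates -Guests $sample -Now $now | Format-Table -AutoSize
```

Running the sample flags Bob (no sign-in for about 200 days) and Carol (invitation pending for three months) and leaves Alice alone. The three branches matter because a guest object without SignInActivity is ambiguous: either the invitation was never redeemed, or the tenant lacks the licence to record sign-ins, so the function falls back to the creation date rather than treating "no data" as "inactive".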

Reporting Guest Activity

Enabling external people to share tenant resources is good. Knowing what guests do inside the tenant is even better. The Office 365 audit log is a great source of information about some guest activity. You can discover who creates guest accounts, which external people accept sharing invitations, and how guest users access documents stored in SharePoint Online or OneDrive for Business. Exchange Online message traces reveal what email goes to guest users (albeit somewhat painfully).

The Teams user activity API in the Microsoft Graph gives an insight into chat and channel activity, but not for guest users (an API must be available because the usage reports in the Teams admin center include guest user data). I can’t find any source of information about guest activity in Planner either. Even so, a tenant administrator can track a lot of what guest accounts do inside different applications.
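The audit log search described above, as an added example that is not part of the original article: a summary function that takes Search-UnifiedAuditLog records, keeps only those generated by guest accounts, and groups them by the guest's home account. It assumes the Exchange Online Management module for the live query; the operation names (FileAccessed, FileDownloaded, SharingInvitationAccepted) are real audit log operations, while the tenant names, people and document paths in the constructed sample are hypothetical. The home account is decoded from the guest UPN because audit records carry the UPN rather than the mail attribute.

```powershell
# Added example (not from the original article): summarise guest activity from the
# Office 365 unified audit log. Assumes the Exchange Online Management module
# (Search-UnifiedAuditLog) for the live query; the summary takes the records as input,
# so the constructed sample below runs offline.

function Get-GuestHomeAccount {
    # Guest UPNs take the form user_home.com#EXT#@tenant.onmicrosoft.com: the part before
    # #EXT# is the home address with its '@' replaced by '_'. Splitting on the LAST '_'
    # keeps underscores inside the local part (j_doe@home.com) intact.
    param([Parameter(Mandatory)] [string] $UserPrincipalName)
    if ($UserPrincipalName -notmatch '^(.+)#EXT#@') { return $null }
    $encoded = $Matches[1]
    $i = $encoded.LastIndexOf('_')
    if ($i -lt 1) { return $null }
    return $encoded.Substring(0, $i) + '@' + $encoded.Substring($i + 1)
}

function Get-GuestActivitySummary {
    param([Parameter(Mandatory)] [object[]] $Records)
    $Records |
        Where-Object { $_.UserIds -like '*#EXT#*' } |      # guest accounts only (case-insensitive)
        ForEach-Object {
            $data = $_.AuditData | ConvertFrom-Json          # AuditData is a JSON string
            [pscustomobject]@{
                Guest     = $_.UserIds
                HomeUser  = Get-GuestHomeAccount $_.UserIds
                Workload  = $data.Workload
                Operation = $_.Operations
                Object    = $data.ObjectId
                When      = $_.CreationDate
            }
        } |
        Group-Object HomeUser |
        ForEach-Object {
            [pscustomobject]@{
                HomeUser   = $_.Name
                Events     = $_.Count
                Operations = ($_.Group.Operation | Sort-Object -Unique) -join ', '
                FirstSeen  = ($_.Group.When | Sort-Object)[0]
                LastSeen   = ($_.Group.When | Sort-Object)[-1]
            }
        }
}

# Live query (requires Connect-ExchangeOnline and a role holding the Audit Logs permission):
#   $records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
#                -Operations FileAccessed,FileDownloaded,SharingInvitationAccepted -ResultSize 5000
#   Get-GuestActivitySummary -Records $records | Format-Table -AutoSize

# Constructed sample shaped like Search-UnifiedAuditLog output (hypothetical tenants, people, paths)
$sample = @(
    [pscustomobject]@{ CreationDate = [datetime]'2020-08-03T09:12:00'; UserIds = 'alice_contoso.com#EXT#@fabrikam.onmicrosoft.com'
        Operations = 'SharingInvitationAccepted'
        AuditData = '{"Workload":"SharePoint","ObjectId":"https://fabrikam.sharepoint.com/sites/Project/Shared Documents/Plan.docx"}' }
    [pscustomobject]@{ CreationDate = [datetime]'2020-08-03T09:15:00'; UserIds = 'alice_contoso.com#EXT#@fabrikam.onmicrosoft.com'
        Operations = 'FileAccessed'
        AuditData = '{"Workload":"SharePoint","ObjectId":"https://fabrikam.sharepoint.com/sites/Project/Shared Documents/Plan.docx"}' }
    [pscustomobject]@{ CreationDate = [datetime]'2020-08-10T16:40:00'; UserIds = 'bob_tailspin.com#EXT#@fabrikam.onmicrosoft.com'
        Operations = 'FileDownloaded'
        AuditData = '{"Workload":"OneDrive","ObjectId":"https://fabrikam-my.sharepoint.com/personal/dana_fabrikam_com/Documents/Budget.xlsx"}' }
    [pscustomobject]@{ CreationDate = [datetime]'2020-08-11T08:00:00'; UserIds = 'dana@fabrikam.com'   # member, not guest: dropped
        Operations = 'FileAccessed'
        AuditData = '{"Workload":"OneDrive","ObjectId":"https://fabrikam-my.sharepoint.com/personal/dana_fabrikam_com/Documents/Budget.xlsx"}' }
)
Get-GuestActivitySummary -Records $sample | Format-Table -AutoSize
```

The sample yields two rows: alice@contoso.com with two events (SharingInvitationAccepted, FileAccessed) and bob@tailspin.com with one FileDownloaded event; Dana's record is a tenant member and is dropped. The guest filter runs client-side because the -UserIds parameter of Search-UnifiedAuditLog wants exact addresses, and a 5,000-record page is the cmdlet's maximum, so a busy tenant needs the -SessionCommand ReturnLargeSet paging loop around the live query.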

What Do Guest Users Do Outside Their Home Tenant?

The situation is very different for home tenants. Administrators have no idea how far away from home their users are playing. Once someone accepts an invitation from another Office 365 tenant, everything they do inside that tenant is invisible to the administrator of their home tenant. Given the success of Teams, a user can end up holding guest accounts in a surprising number of tenants.

The Elusive My Account Portal Lists Guest Accounts

For example, when I accessed the Organizations page (Figure 1) in the My Account portal (possibly the hardest portal to discover in the Microsoft 365 universe), I saw that I had guest accounts in some tenants I couldn’t remember joining (the effect of age on memory is a terrible thing).

Figure 1: Listing the tenants where a user has a guest account (image credit: Tony Redmond)

Clicking the Leave organization link invokes a process to remove guest access from a selected tenant. The page logs into the selected organization, removes the guest account, and returns. Or signals an error, always reported as an “expected error” (Figure 2) as if the Azure Active Directory programmers envisaged some cases when errors would be expected. With persistence and multiple sign-ins, the guest account goes away, complete with any access you had to resources like teams, groups, and documents in that tenant.

Figure 2: An unexpected error occurs when removing a guest account (image credit: Tony Redmond)

No Insight for Tenant Administrators

The irritating thing is that while individuals can see a list of the tenants where they have guest access, there’s no way for a tenant administrator to see the same information across all tenant users, possibly because of some concerns about personal data and privacy.

Tenant administrators can’t gain access to audit data from other tenants to understand what their users do in that tenant. Although Office 365 is a multi-tenant environment, strict security boundaries keep tenant data private. However, the shared multi-tenant nature of Office 365 makes it possible to consider cross-tenant federation for activity tracking.

For instance, a federation mechanism could be created to allow tenants to share data from the Office 365 audit log about guest activity. I could agree with the administrator of the Microsoft tenant that I could see audit events generated by people from my tenant when they used guest access to Microsoft's tenant. In return, I could grant access to Microsoft to retrieve audit records for Microsoft user accounts from my tenant. It's easy to tie guest accounts back to their home account (as seen in the My Account portal, and as the guest object itself records: its user principal name takes the form user_home.com#EXT#@host.onmicrosoft.com and its mail attribute holds the home address), so it should be straightforward to create a federation mechanism like the one described above.

Is Tracking of Guest Activity Necessary?

Some will ask if it is necessary or desirable for a tenant administrator to gain some knowledge about what users do when they access other tenants as guests. For some organizations, the answer is clear. They don’t need to do this and probably don’t want to do it either. For others, most likely those operating in heavily regulated industries, the answer is more nuanced.

Compliance is the obvious driver for why such oversight might be needed. Companies invest heavily in technologies like communications compliance policies to ensure that work communications meet regulatory and legal requirements. Everything works well if the data being monitored remains inside the tenant. But if someone becomes a guest in another tenant and begins communicating there (for instance, inside Teams chats or channel conversations), no trace of what they are doing is visible to their home tenant, and the compliance regime of that tenant is undermined.

No Easy Answers

The success of Azure B2B collaboration and applications like Teams means that many guest accounts exist in Office 365 tenants. It's less than four years since Microsoft introduced guest access for Office 365 Groups (now Microsoft 365 Groups). The external collaboration space has expanded greatly since, but the management of how that collaboration happens has not kept pace. No easy answers exist, but as Microsoft builds new features and functionality around applications like Teams, I'd like to see some attention given to oversight of outbound guest access. It just makes sense.