Understanding External User Access
Before diving into the reviews, it’s important to understand what external access entails. External users in O365 are individuals who are not employees or onsite agents of your organization. They could be partners, vendors, or consultants who need access to certain parts of your O365 environment, such as SharePoint sites or Microsoft Teams.
The Need for Access Reviews
The principle of least privilege mandates that users should have access only to the information and resources that are absolutely necessary for their work. Over time, access requirements can change, and periodic reviews ensure that external users only have the access they need. This is where O365’s access review feature comes into play, allowing for the systematic verification and auditing of user privileges.
Setting Up Access Reviews
To set up access reviews in O365, follow these steps:
- Navigate to the Access Reviews Dashboard: Access this via the Microsoft 365 compliance center or Azure Active Directory (Entra ID) portal.
- Create a New Access Review: Specify the scope of the review, whether it’s targeted at guest users across all Microsoft Teams and Groups or specific ones.
- Define Review Settings: Choose who will perform the review (group owners, specific users, or application owners), set the frequency (one-time or recurring), and establish the start and end dates.
- Customize Review Settings: Decide on the outcomes for denied access, such as automatic removal or a manual step, and whether reviewers receive reminders.
- Review and Confirm: Double-check the settings, and then create the access review.
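The same configuration can be created as code, which makes the review settings reviewable and repeatable. The following is an added example, not part of the original article: it assumes the Microsoft Graph PowerShell SDK and the AccessReview.ReadWrite.All permission, and the display name, start date, 14-day duration, quarterly interval, and no-response default are constructed values.

```powershell
# Added example. Assumes the Microsoft Graph PowerShell SDK is installed and the
# signed-in admin can consent to AccessReview.ReadWrite.All.
Connect-MgGraph -Scopes 'AccessReview.ReadWrite.All'

$definition = @{
    displayName             = 'Quarterly guest review - all Teams and M365 groups'  # constructed name
    descriptionForReviewers = 'Approve only guests who still need access and give a reason.'

    # Scope: review guest members only ...
    scope = @{
        '@odata.type' = '#microsoft.graph.accessReviewQueryScope'
        query         = "./members/microsoft.graph.user/?`$count=true&`$filter=(userType eq 'Guest')"
        queryType     = 'MicrosoftGraph'
    }
    # ... in every Microsoft 365 group (each team is backed by one of these groups).
    instanceEnumerationScope = @{
        '@odata.type' = '#microsoft.graph.accessReviewQueryScope'
        query         = "/groups?`$filter=(groupTypes/any(c:c+eq+'Unified'))&`$count=true"
        queryType     = 'MicrosoftGraph'
    }

    # Reviewers: the owners of each group being reviewed.
    reviewers = @(
        @{ query = './owners'; queryType = 'MicrosoftGraph' }
    )

    settings = @{
        # Frequency and dates: every 3 months, each round open for 14 days (constructed values).
        instanceDurationInDays = 14
        recurrence = @{
            pattern = @{ type = 'absoluteMonthly'; interval = 3 }
            range   = @{ type = 'noEnd'; startDate = '2025-01-01' }
        }
        # Reviewer notifications, reminders, and a required reason for approvals.
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true
        # Outcome: apply decisions automatically so denied guests are removed.
        autoApplyDecisionsEnabled       = $true
        # Assumption for this example: no response from a reviewer counts as a denial.
        defaultDecisionEnabled          = $true
        defaultDecision                 = 'Deny'
    }
}

$uri     = 'https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions'
$created = Invoke-MgGraphRequest -Method POST -Uri $uri -ContentType 'application/json' `
    -Body ($definition | ConvertTo-Json -Depth 10)
"Created access review definition $($created.id) (status: $($created.status))"
```

Groups with no owner get no reviewer under this definition unless a `fallbackReviewers` entry is added. To keep removal as a manual step, set `autoApplyDecisionsEnabled` to `$false`.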
Conducting the Review
Once set up, designated reviewers will be notified to examine the access rights of external users. Reviewers can approve or deny access for each user, and they can provide reasons for their decisions. It’s best practice to include guidelines for making these decisions to ensure consistency and compliance.
Examples of Access Reviews in Action
- Vendor Access Review: A company conducts quarterly reviews of vendor access to its internal procurement system to validate that only current vendors have access.
- Consultant Project Completion: Upon the completion of a project, the external consultant’s access to the project’s SharePoint site is reviewed and revoked if no longer needed.
- Partner Collaboration: Annual reviews of a partner organization’s access to shared Teams channels are performed to ensure that only relevant individuals retain access.
Best Practices
- Regular Schedule: Conduct access reviews on a regular schedule to maintain security hygiene.
- Clear Documentation: Keep detailed records of each review for auditing purposes.
- User Notification: Inform external users about the review process to ensure transparency and avoid confusion if access is altered or revoked.
Conclusion
Access reviews in O365 are an essential practice for maintaining secure and efficient collaborations with external users. By regularly reviewing and adjusting access rights, organizations can protect sensitive information while facilitating productive partnerships. With O365’s robust access review tools, you can ensure that your external collaborations are both productive and secure.