Giving external parties access without leaving the door wide open

Consultant, accountant, freelance dev, partner company. All people who aren't employees but still need access to something. Here's a pattern that works — without ending up with 47 ghost accounts two years down the line.

External parties are the category where access hygiene goes off the rails most easily. They're not in your HR system, their onboarding is informal, and you often don't notice they've left until someone says "oh, we haven't worked with them for six months."

Six rules that prevent the problem

1. A separate naming convention. ext.jane.doe@yourcompany.com or based on the external party's company name. Immediately clear at a glance.
2. End date required. See temporary access. Don't fill in "unknown" — pick a date, even if it's 12 months out, but make it a date.
3. Minimal scope. Not a full M365 account with broad permissions; guest access to specific SharePoint sites or a single shared mailbox is preferable.
4. No privileged access. A consultant can view things, not make admin-level changes — or only with an explicit scope and end date.
5. A separate section in your password vault. Keep external credentials separate from internal shared credentials.
6. A named owner. For each external party: who inside your company is responsible? When that person leaves, someone needs to take over.

The review pattern

Every quarter during your review: handle the "external parties" section separately. Ask the internal contact: "still relevant? Is the end date still accurate?" No response = deactivate the account until you hear back.

What about accountants and bookkeepers?

They fall under "external party" but with a long-term relationship. The pattern: access to the accounting app only, no email account in your tenant, and an annual review tied to the contract duration. See also setting up access for an external accountant.