BG Beter Geregeld ICT
Microsoft 365 & Entra ID · 2 min read · 20 October 2025

Guest access in M365: securely granting clients and partners access

Sharing Teams channels with a partner, a SharePoint site for a client project — that's guest access. Here's how to manage it before you end up with 200 guests a year down the line.

Guest access = someone outside your tenant (a Gmail account, another business tenant) who has access to specific resources. Powerful, but it leaks fast if you don't manage it.

How does it work?

You invite an external email address to a Team, SharePoint site, or direct file share. M365 creates a guest user in your tenant. That guest can access what you share — nothing else.

Management discipline

  • Keep an inventory. Portal.office.com → Users → Guest users. See who's there, since when, and when they were last active.
  • Review every quarter — alongside your regular access review.
  • Set an expiry date up front — via the Access Review feature in Entra Premium P2, or triggered manually at the end of a project.
  • No guests in the Global Admin role. Ever.
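The inventory, quarterly review and Global Admin rules above can be scripted. The PowerShell below is an added example, not code from this article: the function name Get-GuestReview, the finding labels, the 90-day staleness threshold and the sample accounts are all assumptions made for illustration.

```powershell
# Added example: review rules and the 90-day threshold are assumptions, not from the article.
function Get-GuestReview {
    param(
        [Parameter(Mandatory)] [object[]] $Guests,  # objects shaped like Get-MgUser output
        [string[]] $GlobalAdminIds = @(),           # object IDs holding Global Administrator
        [int] $StaleDays = 90,                      # assumed: roughly one quarter
        [datetime] $Now = (Get-Date)
    )
    foreach ($g in $Guests) {
        $last = $g.SignInActivity.LastSignInDateTime
        $findings = @()
        if ($g.Id -in $GlobalAdminIds) { $findings += 'GUEST_IS_GLOBAL_ADMIN' }
        if ($g.ExternalUserState -eq 'PendingAcceptance') { $findings += 'INVITE_NOT_REDEEMED' }
        if (-not $last) {
            $findings += 'NEVER_SIGNED_IN'
        } elseif (($Now - [datetime]$last).TotalDays -gt $StaleDays) {
            $findings += 'STALE'
        }
        if ($findings.Count -eq 0) { $findings = @('OK') }
        [pscustomobject]@{
            Guest      = $g.Mail
            Created    = $g.CreatedDateTime
            LastSignIn = $last
            Findings   = $findings -join ', '
        }
    }
}

# Constructed sample data (not real accounts), so the logic can be tried offline.
$sample = @(
    [pscustomobject]@{ Id = 'g1'; Mail = 'anna@partner.example'; CreatedDateTime = [datetime]'2025-09-01'
        ExternalUserState = 'Accepted'; SignInActivity = [pscustomobject]@{ LastSignInDateTime = [datetime]'2025-10-10' } }
    [pscustomobject]@{ Id = 'g2'; Mail = 'bob@client.example'; CreatedDateTime = [datetime]'2024-11-05'
        ExternalUserState = 'Accepted'; SignInActivity = [pscustomobject]@{ LastSignInDateTime = [datetime]'2025-03-14' } }
    [pscustomobject]@{ Id = 'g3'; Mail = 'carol@gmail.example'; CreatedDateTime = [datetime]'2025-06-20'
        ExternalUserState = 'PendingAcceptance'; SignInActivity = $null }
    [pscustomobject]@{ Id = 'g4'; Mail = 'dave@vendor.example'; CreatedDateTime = [datetime]'2025-01-15'
        ExternalUserState = 'Accepted'; SignInActivity = [pscustomobject]@{ LastSignInDateTime = [datetime]'2025-10-18' } }
)
Get-GuestReview -Guests $sample -GlobalAdminIds @('g4') -Now ([datetime]'2025-10-20') | Format-Table -AutoSize

# Live tenant input via Microsoft Graph PowerShell (signInActivity needs an Entra ID P1/P2 licence):
#   Connect-MgGraph -Scopes 'User.Read.All','AuditLog.Read.All','RoleManagement.Read.Directory'
#   $guests = Get-MgUser -All -Filter "userType eq 'Guest'" -Property Id,Mail,CreatedDateTime,ExternalUserState,SignInActivity
#   $role   = Get-MgDirectoryRole -Filter "roleTemplateId eq '62e90394-69f5-4237-9190-012177145e10'"  # Global Administrator
#   $admins = (Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All).Id
#   Get-GuestReview -Guests $guests -GlobalAdminIds $admins
```

On the sample data the report marks g1 as OK, g2 as STALE, g3 as an unredeemed invite that never signed in, and g4 as a guest holding Global Administrator.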

Tenant-level settings

  • Who can send invitations? Admins only, or all users? For many SMBs: allow all users + quarterly guest review.
  • Which guests can be invited? Block problematic domains.
  • Should guests be required to use MFA? Yes.

When a client project ends

Remove the guest user entirely rather than just "removing them from the Team". Otherwise they linger in your user list as a potential backdoor.

See also: Teams external guests, external party access.

Topics

#externe-partijen #m365 #guest-access

Full guide: Microsoft 365 governance for SMBs — pragmatic, not perfectionist

This article is part of our comprehensive Microsoft 365 & Entra ID guide. Read the pillar for the complete picture.
