I have seen a lot of organizations look for and create PowerShell scripts to detect inactive guest users in M365. These same organizations would then act on those inactive users, either asking an internal Sponsor to recertify access, or shutting off the inactive account.  Previously, a SharePoint Admin could set an expiration period on the Anonymous Access Sharing links.

Tenant Admins can now create policies to remove guest access to SharePoint Online and individual OneDrive accounts after a period.  This policy, when set, will not apply to guests who already have access to sites and documents. Rather, it will apply to guest user invited to a site after the policy is set.  It is a smart idea to audit and clean up your guest users before rolling out this expiration policy!

The Guest Access Policy in Action

Let us say we set guest expiration at 10 days.  When the guest access reaches that threshold, the guest loses access to all content in that site.  It is important to note that access expires on a site-by-site or individual OneDrive basis, and based on when a site/OneDrive owner invited that guest to a site or OneDrive.  Individual site administrators can extend this access up to the tenant policy limit. 

Let’s use the 10-day example again. A site admin can extend access for another 10 days, and there is no limit on the number of extensions.  Site admins will also receive weekly e-mail notifications about guests that will expire in the next three weeks. Site Admins will also see the below alert:

Extending or Shortening Microsoft 365 Guest Access

To extend guest access or remove guest access early, a Site Admin can go to the site, and click SETTINGS. In the Settings menu, the Site Admin can click SITE PERMISSIONS.  Under GUEST EXPIRATION, click MANAGE, and the expiration for each guest user will appear, and can choose to Extend or Remove Access.

An important note here: expiration only applies to guests who use sharing links or have direct permissions to the site. If the guest has access through a Microsoft 365 Group or a Microsoft Teams team, their access will not expire.

Managing guest users in Microsoft 365 can be a tough task. Our team of Microsoft 365 experts are well-versed in how to guide Site Admins towards best practices in the industry. Be sure to reach out if you or your organization need help managing your Microsoft 365 environment.