When it comes to data protection, we usually throw out all of our security protections as soon as external collaboration and guest users are added to the mix. Guest users can:
In this article, we'll share the top policy for configuring data protection for secure guest access: one that actually requires the guest to use browser-based access only and prevents them from downloading documents locally.
In a previous blog post, we discussed the recommended policies for restricting access to managed devices within the organization. The key thing to note is that if you do not exclude guest users from those policies, it's highly likely they will be blocked. Whether they are depends on a few factors, such as the type of link being shared with them (Anyone vs. New and existing guests) and how they are accessing your tenant: are they using a VPN, are they using Cloud PC/AVD, or are they using their own personal device? Most likely they are using their own corporate or personal device, which the managed-device policy would treat as unmanaged and so block them from collaborating on the documents shared with them, accessing shared Teams and document repositories, and so on.
If we exclude them from the required managed-device policy, I do not like to leave their access wide open, hence the policies we are about to cover.
When users share documents from SharePoint/OneDrive, the default settings in M365 create what is known as an Anyone link. "Anyone" means exactly that: the link grants access to a corporate document to anyone in the world who has it, without verifying their identity. Imagine someone being able to open a sensitive corporate document from the outside as easily as they can open Google search.
Within the SharePoint admin center, go to Sharing to see your default policies. Ideally, you should switch this to New and existing guests. With that setting in place, external users must register as a guest user in your organization before they can access a document shared with them. If the setting is left at Anyone, our policy requiring managed devices would not affect these users at all, but that is not preferred from a data protection perspective, so the recommendation is to change this setting.
Just a word of caution here. You really want to be careful when enabling this setting. In most cases it will be a significant change for end users, and you will want to communicate the change before turning it on.
The policy we'll explore extends protection further by preventing guest users from downloading files shared with them to their local device. This provides data exfiltration protection and ensures our corporate documents are not being downloaded to a device that has potentially been compromised with malware, ransomware, etc.
This setting creates two conditional access policies in Entra:
Guest users will be prevented from opening documents shared with them in desktop applications, and in the browser they will see a banner message explaining that the document cannot be downloaded locally.
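The two policies described above, written out as Microsoft Graph conditional access objects and created in report-only mode so their impact can be reviewed before enforcement. This is an added example, not the post's own configuration or the objects Microsoft generates for you; it assumes the Microsoft.Graph PowerShell module, scopes the policies to guest/external users only (an assumption; the auto-created policies may be scoped differently), and targets the Office 365 app group.

```powershell
# Added example: guest-only, browser-only access with download blocked, as two
# Entra conditional access policies. Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Who the policies target: every guest / external user type from any tenant.
$guestUsers = @{
    includeGuestsOrExternalUsers = @{
        guestOrExternalUserTypes = "internalGuest,b2bCollaborationGuest,b2bCollaborationMember,b2bDirectConnectUser,otherExternalUser,serviceProvider"
        externalTenants          = @{
            "@odata.type"  = "#microsoft.graph.conditionalAccessAllExternalTenants"
            membershipKind = "all"
        }
    }
}

# Policy 1: browser sessions are allowed, but Office 365 applies its own
# app-enforced restrictions (SharePoint/OneDrive web-only access, no download).
$browserOnlyLimited = @{
    displayName     = "Guests - browser access with app-enforced restrictions"
    state           = "enabledForReportingButNotEnforced"   # switch to "enabled" after review
    conditions      = @{
        users          = $guestUsers
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("browser")
    }
    sessionControls = @{
        applicationEnforcedRestrictions = @{ isEnabled = $true }
    }
}

# Policy 2: desktop and mobile clients are blocked outright for guests, so a
# shared file cannot be opened (and therefore cached or saved) outside the browser.
$blockRichClients = @{
    displayName   = "Guests - block desktop and mobile apps"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = $guestUsers
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("mobileAppsAndDesktopClients", "exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($policy in @($browserOnlyLimited, $blockRichClients)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy |
        Select-Object DisplayName, State
}
```

The app-enforced restrictions control only has an effect once SharePoint Online's own limited-access setting is in place (Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess); without it, policy 1 allows the browser session but nothing blocks the download.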
Be very careful turning this setting on and understand the impacts to the organization. This setting is highly restrictive (not just for Guest) and needs to be communicated appropriately to the organization and end-users before going live.