4 min read
Data Protection with Guest Users in Microsoft 365
When it comes to data protection, we usually throw out all of our security protections the moment external collaboration and guest users are added to the mix. Guest users can:
In this article, we'll share the top policy to configure for data protection with secure guest access: one that requires guests to use browser-based access only and prevents them from downloading documents locally.
In a previous blog post, we discussed the recommended policies to restrict access to managed devices within the organization. The key thing to note is that if you do not exclude guest users from those policies, it is highly likely they will be blocked. Whether they are blocked depends on a few factors, such as the type of link being shared with them (Anyone vs. New and existing guests) and how they access your tenant (through a VPN, through a Cloud PC or AVD session, or from their own device). Most likely they are using their own corporate or personal device, which the policy treats as unmanaged, so they would be unable to collaborate on documents shared with them, reach shared Teams or document repositories, and so on.
If we exclude them from the required managed device policy, I do not like to leave their access wide open, hence the policies we are about to cover.
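Before deciding what to exclude, it helps to know which enabled Conditional Access policies already require a managed device and whether guests are excluded from them. The following check is an added example and not code from the original post; it assumes the Microsoft Graph PowerShell SDK is installed and the signed-in account holds the Policy.Read.All permission. The property names follow the Graph conditionalAccessPolicy schema as exposed by the SDK.

```powershell
# Added example: report enabled Conditional Access policies that require a compliant
# or hybrid-joined device and show whether guest/external users are excluded.
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome

# Grant controls that make a policy a "managed device" policy.
$deviceControls = @("compliantDevice", "domainJoinedDevice")

Get-MgIdentityConditionalAccessPolicy -All | ForEach-Object {
    $p = $_
    if ($p.State -ne "enabled") { return }   # skip disabled and report-only policies

    $grants = @($p.GrantControls.BuiltInControls)
    $requiresDevice = @($grants | Where-Object { $deviceControls -contains $_ }).Count -gt 0
    if (-not $requiresDevice) { return }

    $users = $p.Conditions.Users
    # Guests can be excluded either through the excludeGuestsOrExternalUsers object
    # or through the older "GuestsOrExternalUsers" token in excludeUsers.
    $guestsExcluded = (-not [string]::IsNullOrEmpty($users.ExcludeGuestsOrExternalUsers.GuestOrExternalUserTypes)) -or
                      (@($users.ExcludeUsers) -contains "GuestsOrExternalUsers")

    [pscustomobject]@{
        Policy         = $p.DisplayName
        DeviceControls = ($grants -join ", ")
        GuestsExcluded = $guestsExcluded
    }
} | Format-Table -AutoSize
```

Any row showing GuestsExcluded as False is a policy that will block guests on their own devices once they are covered by it; those are the policies to either add a guest exclusion to or pair with the browser-only guest policy described below.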
When users share documents from SharePoint or OneDrive, the default settings in M365 create what is known as an Anyone link: a link to a corporate document that anyone in the world can open without verifying their identity. Imagine someone being able to reach a sensitive corporate document from the outside as quickly as they can run a Google search.
Within the SharePoint admin center, go to Sharing to see your default policies. Ideally, change this to New and existing guests. With this setting in place, external users must register as a guest in your organization before they can access a document shared with them. If the setting is left at Anyone, our policy requiring managed devices would not affect these users, but that is not preferred from a data protection perspective, so the recommendation is to change it.
A word of caution here: be careful when enabling this setting. In most cases it will be a significant change for end users, and you will want to communicate the change before turning it on.
The policy we'll explore extends protection further by preventing guest users from downloading files shared with them to their local device. This protects against data exfiltration and ensures our corporate documents are not downloaded to a device that may have been compromised with malware, ransomware, or similar.
This setting creates two conditional access policies in Entra:
Guest users will be prevented from opening documents shared with them in desktop applications, and they will see a banner message stating that the document cannot be downloaded locally.
Be very careful turning this setting on, and understand its impact on the organization. This setting is highly restrictive (it applies to more than just guests) and needs to be communicated appropriately to the organization and end users before going live.
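Both settings discussed above (the default sharing level and the browser-only, no-download access for unmanaged devices) are tenant properties that can be read and set from the SharePoint Online Management Shell instead of the admin center. The script below is an added example, not code from the original post; it assumes the Microsoft.Online.SharePoint.PowerShell module is installed, the account is a SharePoint administrator, and the admin URL is replaced with your own tenant's (the contoso value is a placeholder). It records the current values first so the change can be reversed.

```powershell
# Added example: harden guest sharing defaults on a SharePoint Online tenant.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder tenant URL

$props = "SharingCapability", "DefaultSharingLinkType", "ConditionalAccessPolicy", "LimitedAccessFileType"

# Capture the current state so the rollback values are known before anything changes.
$before = Get-SPOTenant | Select-Object $props
Write-Host "Current settings:"
$before | Format-List

# 1. Sharing level: authenticated guests only ("New and existing guests" in the admin
#    center). Anonymous "Anyone" links can no longer be created after this change.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly

# Default link type for new shares: people in the organization, never anonymous access.
Set-SPOTenant -DefaultSharingLinkType Internal

# 2. Unmanaged devices: browser-only access with download blocked. This is the
#    "Allow limited, web-only access" setting; SharePoint creates the matching
#    Conditional Access policies in Entra. It applies to every unmanaged device,
#    not only to guests, so confirm the managed-device rollout first.
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess

# Which files remain viewable in the browser under limited access
# (OfficeOnlineFilesOnly is the strictest option, WebPreviewableFiles adds PDFs, images, etc.).
Set-SPOTenant -LimitedAccessFileType WebPreviewableFiles

# Verify the result against the captured baseline.
Write-Host "Updated settings:"
Get-SPOTenant | Select-Object $props | Format-List
```

To roll back, reapply the values printed in the first Format-List output with the same Set-SPOTenant parameters. Because the limited-access setting changes the experience for every unmanaged device, run it in a pilot tenant or after the communications the article recommends, not as a first step.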