Digital collaboration with external organizations is part of everyday business, especially with remote work. Get visibility into your teams’ external access practices and control Microsoft Teams’ external users securely with these step-by-step best practices (with pictures).
Suggested reading: Microsoft Teams governance best practices for secure collaboration
Should those budget spreadsheets still be shared with your organization’s former accounting firm? Who still has access to last quarter’s user research reports?
These kinds of questions were constantly coming up within the ShareGate team—and became an important part of planning our Teams management tool for secure collaboration ShareGate Apricot.
Get a better understanding of how sharing is being used in your organization’s Teams by conducting regular access reviews.
Collaborating with external users in Teams? Download our latest eBook, Sharing is caring: A ShareGate guide to creating a productive and secure guest sharing environment in Microsoft Teams.
updated ebook — Content revisited
A free guide to securing external collaboration in Microsoft Teams
Create a productive and secure guest sharing environment in Microsoft Teams without hindering on end user productivity.
Why are external access reviews important to do on a regular basis?
Microsoft Teams enables you to collaborate internally and with users from external organizations—such as clients, vendors, or partners.
Depending on your settings, users can invite anyone with an email to join existing teams and channels—where they can access team resources, conversations, and shared files.
But the convenience of self-service has led to a need for better access management capabilities. Consider the following:
- When a new employee joins your organization, how do you make sure they have the right access to be productive?
- As employees move between project-based teams or leave the company, how do you ensure their old access is removed—especially when it involves guests?
While too many restrictions can hurt user adoption, excessive access rights are equally undesirable. The latter situation indicates a lack of control over access and can lead to audit findings and compromises.
As an IT admin, you need to proactively engage with team owners to make sure they review who has access to their resources. In other words, you need to be conducting regular access reviews.
Option #1: Verify external guest user access directly in Microsoft Teams
Depending on how your SharePoint sharing settings are configured, guest users in Teams likely have access to their team’s shared documents. So reviewing a list of your guest users can help give you some idea of what’s been shared with whom.
See your guest users: Microsoft Teams admin center
As a global admin, you can view all of your teams’ guest users in the Microsoft Teams admin center (Teams drop-down > Manage teams).
From there, you can see a list of all your teams along with the number of guests each one has:
Then, click on an individual team to see who the guests are within that team (those users will have ‘Guest’ listed next to their name in the Role column).
See a team’s guest users: Microsoft Teams app
Since owners know who their team needs to collaborate with on a regular basis, they’re the ones who can validate guest access.
You can either send owners a list of their team’s guest users to review—or ask them to check guest membership for themselves in the Teams app by selecting More options next to their team name > Manage team > Members.
Any guests that shouldn’t have (or no longer need) access to their team can be deleted in the same interface in Teams.
You’ll probably need to follow up with various owners to make sure they’ve actually reviewed membership.
Then, you still have to log any changes they make for audit and compliance purposes. After all of that is finally said and done, you’ll be just about ready to start on the next review; for ongoing security, you need to review guest access regularly.
Aside from requiring quite a bit of manual work, this option is problematic because you can only see external users that were added as members to that team (i.e. granted guest access). If a user shared a file directly with someone outside the organization, they won’t be listed as a guest.
Option #2: Manually review external sharing links for each team’s SharePoint site
To make sure you catch all external sharing links, including those shared with external users who aren’t team guests, it’s possible to generate a report on file and folder sharing in each team’s associated SharePoint site.
Report on externally shared files and folders for each SharePoint site
Running a file and folder sharing report on a given SharePoint site can help you understand how sharing is being used within the associated team.
The resulting CSV file will tell you if any files or folders are being shared with guests, and includes sharing info for every unique file, user, permission, and link on that SharePoint site.
To run the sharing report for a SharePoint site:
- Navigate to the team’s associated SharePoint site where you want to run a report.
- Click on the site’s Settings menu, then select Site usage.
Scroll down to the Shared with external users section and click Run report.
Choose the location where you want to save the report, then click Save.
When the report is finished, it will appear in the location you chose on that SharePoint site.
For more details and step-by-step instructions, check out the official Microsoft documentation.
You need to run a report for every single SharePoint site connected to one of your Microsoft teams—so right off the bat this option requires quite a bit of heavy lifting for IT.
Validate external sharing links, and revoke access as needed
Once you’ve run reports for every team’s SharePoint site, you still need to:
- Send each team’s report to the owner(s) to validate, then follow up with them to track their progress.
- If they determine that changes need to be made to a sharing link (or access should be revoked), you have to go in SharePoint and do it one file or folder at a time.
You can find more details on how to stop sharing a file or folder in our blog post on the subject.
- Then, just like option #1, you have to manually log any changes for compliance and internal auditing reasons.
- Repeat the entire process over again.
With all the manual labor involved, this option is probably even more time-consuming than the first one. And by the time you make it through one review, get ready to start the whole convoluted process over.
To keep your data secure and ensure external users have access to the right things, you need to repeat this process on an ongoing basis.
Option #3: Schedule automatic external sharing reviews
Sure, it’s possible to review what’s been shared and who has access manually. But that could be a full-time job in and of itself, so we don’t recommend it.
Even if your owners complete the reviews when you tell them to (and they won’t, it’s a tedious task to undertake using Microsoft’s out-of-the-box solutions), you’ll still need to log any changes.
The truth is there’s simply no easy way to review external access for each of your teams using Microsoft’s out-of-the-box solutions. You’re much better off leaving all that work to ShareGate Apricot’s automated governance tools for easy security and compliance in Teams.
ShareGate Apricot gives you full visibility into who’s shared what, when, and with whom. Simply connect your tenant to our software to see every single link to files shared externally by each of your teams. We do all the heavy lifting for you—no need to code, script, search audit logs, or manually pull reports anymore.
Exactly how to enable automated external sharing reviews in ShareGate Apricot
We’ve come up with a better way to confirm that every single link to files shared externally should still be shared: automated external sharing reviews.
With ShareGate Apricot, scheduling reviews is as easy as:
- Set up your external sharing policy in the app settings.
- Choose the frequency at which you want external sharing reviews to occur (say, every 90 days).
- Schedule the date you want the review to begin.
And off you go! Simply set it and forget it.
Get the answers you need from Team owners who have them, without having to ask
Did we mention that ShareGate Apricot saves you the trouble of contacting every single owner to validate which links should be shared?
Once your external sharing policy is set, team owners you’ve entrusted will receive an automatic email asking them to review all of their team’s external sharing links.
In just a few clicks, entrusted owners can delete links to sensitive files through our easy-to-use interface—no need to go to each of their SharePoint team sites to revoke access.
Owners have 14 days to complete the review, with a reminder email sent after 7 days if they haven’t reviewed all of their teams yet—no need for you to manually follow up!
Track your reviews progress and log changes in ShareGate Apricot automatically
Once an external sharing review has started, you can track its progress and view your results at the end.
You can also check which owners haven’t completed their reviews and follow up with them if needed. Throughout the process, we log every action taken during those reviews—so you can easily perform internal audits.
ShareGate Apricot automates complex external sharing review process for you. Easily perform external reviews regularly and keep your data secure over time—giving you greater peace of mind.