Microsoft Guest Access – Everything You Need to Know


Team collaboration tools are taking the enterprise by storm. Platforms including Microsoft Teams, Cisco Webex, and Slack bring together data, documents, workflows, and applications into a virtual workspace, enabling employees to interact and work together asynchronously and in real time, regardless of their location.

According to Nemertes Research, nearly 70% of organizations are now using a team collaboration application. Currently, 44.2% of organizations rely on guest accounts to enable external access to their team collaboration instances or allow their employees to use external team collaboration apps to connect with partner organizations.

Microsoft launched Microsoft Teams in 2017 and announced at Ignite that year that it would succeed Skype for Business. Microsoft Teams is a team collaboration platform that brings together everything a team needs to collaborate: chat and threaded conversations, meetings and video conferencing, content collaboration with the power of Microsoft 365 applications, and the ability to create and integrate apps and workflows.

Today Microsoft Teams is the leading team collaboration platform with 115 million daily active users (DAU) worldwide, up from 44 million in March 2020.

Unlike Skype for Business federation, Microsoft Teams external access (its tenant-to-tenant federation) is limited to one-to-one chat, calls, and presence; it does not let users from another organization work inside your teams, channels, or files.

Instead, Microsoft Teams provides Guest Access to allow users to collaborate with people outside their organization by granting them access to existing teams and channels in Teams. Guests in Teams can participate with full access to team chats, meetings, and files.

In general, the guest access method works well when companies need to add a few external members to a team. However, this capability can quickly become unmanageable when working with other companies that may require hundreds or more guest accounts.

There are three critical issues with Microsoft guest accounts or guest access: cost, security, and governance (including the administrative burden it creates).



Security

Team collaboration guest accounts can be a ticking security time bomb: an unwitting vector for in-bound cyber threats and outbound data loss. According to a recent New York Times article, cybersecurity experts say companies can track phishing attacks and malware all they want. Still, as long as they are blindly trusting vendors and cloud services like Microsoft, Salesforce, Google's G-Suite, Zoom, Slack, SolarWinds, and others—and giving them broad access to employees and corporate networks—they will never be secure.

"These cloud services create a web of interconnections and opportunity for the attacker," said Glenn Chisholm, a founder of Obsidian, a cybersecurity firm. "What we are witnessing now is a new wave of modern attacks against these modern cloud platforms, and we need 2021 defenses."

With the default tenant settings, Microsoft guest access allows Teams users to invite any external user with a business or consumer email account, such as Gmail, to participate as a guest in the Microsoft Teams tenant with full access to the team's chats, meetings, and files.

A guest authenticates with the credentials of their home identity provider (their own Azure AD tenant, a Microsoft account, or a one-time email passcode), not with an account your enterprise password policy governs. The host tenant therefore cannot enforce password complexity, expiration, or breached-password checks on a guest's credential, and many consumer accounts never turn on two-factor authentication (2FA). The one control the host tenant does retain is a Conditional Access policy that requires multi-factor authentication for guest and external users; without such a policy, a guest's access is only as strong as whatever the guest's own provider enforces.
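The following PowerShell is an added example, not code from the original page or from NextPlane, showing the checks a Teams or Azure AD admin would run to see how exposed the tenant is to the invitation and credential problems described above, and how to stage the one compensating control the host tenant does have (a Conditional Access policy requiring MFA for guests). It assumes the Microsoft Graph PowerShell SDK and the MicrosoftTeams module are installed and that the caller holds the Global Reader and Conditional Access Administrator roles; the policy name and the report-only state are illustrative choices.

```powershell
# Added example: audit guest-access posture and stage a guest MFA policy.
# Assumes the Microsoft.Graph and MicrosoftTeams modules are installed and the
# caller has Global Reader + Conditional Access Administrator (assumption).
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"
Connect-MicrosoftTeams

# 1. Directory side: who may invite guests, and how much can a guest enumerate?
$authz = Get-MgPolicyAuthorizationPolicy
# Built-in "Restricted Guest User" role: guests cannot enumerate other users or groups.
$restrictedGuestRole = "2af84b1e-32c8-42b7-82bc-daa82404023b"
$directoryPosture = [pscustomobject]@{
    AllowInvitesFrom        = $authz.AllowInvitesFrom        # 'everyone' means guests can invite more guests
    GuestRoleIsRestricted   = ($authz.GuestUserRoleId -eq $restrictedGuestRole)
}

# 2. Teams side: is guest access switched on at all, and what may guests do in chat?
$teamsClient = Get-CsTeamsClientConfiguration -Identity Global
$guestMsg    = Get-CsTeamsGuestMessagingConfiguration -Identity Global
$teamsPosture = [pscustomobject]@{
    GuestAccessEnabled      = $teamsClient.AllowGuestUser
    GuestsCanDeleteMessages = $guestMsg.AllowUserDeleteMessage
    GuestsCanEditMessages   = $guestMsg.AllowUserEditMessage
}

$directoryPosture | Format-List
$teamsPosture     | Format-List

# 3. Is there already a Conditional Access policy that targets guests with an MFA grant?
$guestMfaPolicies = Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $_.Conditions.Users.IncludeUsers -contains "GuestsOrExternalUsers" -and
    $_.GrantControls.BuiltInControls -contains "mfa" -and
    $_.State -ne "disabled"
}

if (-not $guestMfaPolicies) {
    # 4. Stage the control in report-only mode so sign-in logs show the impact
    #    before anyone is blocked; switch state to "enabled" after review.
    $policy = @{
        displayName   = "Guests: require MFA (report-only)"      # illustrative name
        state         = "enabledForReportingButNotEnforced"
        conditions    = @{
            clientAppTypes = @("all")
            applications   = @{ includeApplications = @("All") }
            users          = @{ includeUsers = @("GuestsOrExternalUsers") }
        }
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
}
else {
    $guestMfaPolicies | Select-Object DisplayName, State | Format-Table
}
```

Two caveats a practitioner would want: a guest satisfies the MFA grant either by registering a method in your tenant or, if cross-tenant access settings trust their home tenant's MFA claim, by proving it at home; and the restricted guest role only limits directory enumeration, it does nothing to limit what a guest sees inside a team they have been added to.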

Guest accounts are the digital equivalent of letting an unvetted user walk straight past front-desk security and into your main building. The following are security risks associated with guest accounts:

  1. Microsoft Teams Guest Users: without policies, guests can see internal/sensitive content.

  2. Access from Unmanaged Devices or Untrusted Locations: Teams can be used on unmanaged devices, potentially resulting in data loss.

  3. Malware Uploaded via Teams: file uploads from guests or unmanaged devices may contain malware.

  4. Data Loss via Teams Chat and File Shares: files shared in Teams chats and channels can leak confidential data to guests and, through them, to their organizations.

  5. Data Loss via Other Apps: Teams app integration can mean data may go to untrusted destinations.

  6. Slow Security is Worse than no Security: security actions need to be near real-time, or the data is already gone.

  7. Inconsistent Control across Applications: Teams policies should be consistent with data controls for other cloud apps and non-cloud controls such as file transfer via email, USB stick, and more.

  8. Missing Risky Behavior Patterns: user behavior can indicate stolen credentials and rogue users, but Teams itself does not review and detect these patterns.

  9. Simple Controls for a Complex World: comprehensive and flexible controls are needed to ensure security without losing functionality.

There are also risks associated with allowing your employees to accept guest accounts in external third parties' tenants in order to collaborate with them. In so doing, they may be unwittingly exposed to malware or even carry malware into third-party environments. With no means for IT to track the usage of this type of guest account, there is also a risk of unintended or deliberate data disclosure.

Moreover, administrators have no idea how far away from home their users are playing. Once someone accepts an invitation from another platform, everything they do inside that platform is invisible to their home platform's administrator. For instance, given Microsoft Teams' success, a user can end up being a guest in a surprising number of Microsoft Teams tenants.



Costs of Microsoft Guest Accounts

Guest accounts individually may seem like a trivial cost to bear. But these soon mount up once you calculate that hundreds or even thousands of users may need access and that over two-fifths of organizations run multiple collaboration apps, meaning one user may need several guest accounts. So, what might the financial burden be?

Microsoft Teams can cost between $3 and $6 per user per month. McAfee's study of its customers shows that between January-April 2020, they have added an average of 2,906 Microsoft Teams guest accounts each month. With an average of 367 teams added each month, the cost of new guest accounts is nearly $6 million per month across this sample customer base alone.



The Hidden Costs of Guest Accounts

Because Microsoft Teams external access does not extend to teams, channels, and files, even Teams-to-Teams, users end up with multiple guest accounts and identities. One of the most frequently heard complaints about Teams is having to switch between your Teams home account, where you do most of your work, and your Teams guest accounts, where you work with external parties.

As a host user, you are continually wondering when external colleagues have read your messages. As a guest user, you don't want to miss anything important from teams where you are a guest.

This becomes painful when you are a guest in multiple Teams tenants and have to switch between them and your home account to keep up with conversations, tasks, files, and workflows.

Studies show poor communication could cost a company employing 100 workers around $420,000 per year.

Guest accounts could be costing your organization in unexpected ways. One of the most complex collaboration security issues is guest accounts. Beyond choosing whether to enable or disable guest access, there are numerous decisions to be made around who should be allowed to be a guest, what they should be able to access, and the duration of their guest access privileges.

One common issue with guest accounts is that a team will initially admit a guest because of a business need, but no one remembers to remove the guest once the project ends. These guests can linger in workspaces indefinitely, along with invitations that were sent but never redeemed. To contain this, put in place an audit process for guests that periodically re-confirms the business need; Azure AD access reviews can automate the recurring review and removal. The review cadence should be mapped to the workspace's sensitivity level and run monthly or quarterly.
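As an added example, not part of the original page or of NextPlane's tooling, the script below produces the stale-guest report such an audit would start from: every guest in the tenant that either never redeemed its invitation, has never signed in since it was created, or has not signed in within the review window, together with how many groups and teams it still belongs to. It assumes the Microsoft Graph PowerShell SDK, an Azure AD Premium licence (the signInActivity property is only returned on licensed tenants), and a 90-day window, which is an illustrative choice; the optional removal step is left in WhatIf mode.

```powershell
# Added example: report guests that have outlived their business need.
# Assumes the Microsoft.Graph SDK with signInActivity exposed in v1.0 and an
# Azure AD Premium tenant (assumption); $reviewDays is an illustrative choice.
Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All", "Directory.Read.All"

$reviewDays = 90
$cutoff     = (Get-Date).AddDays(-$reviewDays)

# Filtering on userType is an "advanced query": ConsistencyLevel eventual + $count are required.
$guests = Get-MgUser -All -Filter "userType eq 'Guest'" `
    -ConsistencyLevel eventual -CountVariable guestCount `
    -Property Id, DisplayName, Mail, CreatedDateTime, ExternalUserState, SignInActivity

$stale = foreach ($g in $guests) {
    $lastSignIn = $g.SignInActivity.LastSignInDateTime
    $reason = $null

    if ($g.ExternalUserState -eq "PendingAcceptance" -and $g.CreatedDateTime -lt $cutoff) {
        $reason = "Invitation never redeemed"           # object exists, nobody ever used it
    }
    elseif (-not $lastSignIn -and $g.CreatedDateTime -lt $cutoff) {
        $reason = "Never signed in"                      # redeemed or pre-dates activity logging
    }
    elseif ($lastSignIn -and $lastSignIn -lt $cutoff) {
        $reason = "No sign-in for $reviewDays days"
    }

    if ($reason) {
        # Groups and teams the guest is still a member of: what access would be revoked.
        $memberships = Get-MgUserMemberOf -UserId $g.Id -All
        [pscustomobject]@{
            Id          = $g.Id
            DisplayName = $g.DisplayName
            Mail        = $g.Mail
            Created     = $g.CreatedDateTime
            LastSignIn  = $lastSignIn
            Memberships = @($memberships).Count
            Reason      = $reason
        }
    }
}

"$guestCount guests in tenant, $(@($stale).Count) flagged for review"
$stale | Sort-Object LastSignIn | Format-Table DisplayName, Mail, Reason, Memberships, LastSignIn
$stale | Export-Csv -Path ".\stale-guests.csv" -NoTypeInformation   # hand to the workspace owners

# Unredeemed invitations carry no work product; remove them once owners confirm.
# Drop -WhatIf only after the report has been reviewed.
$stale | Where-Object Reason -eq "Invitation never redeemed" | ForEach-Object {
    Remove-MgUser -UserId $_.Id -WhatIf
}
```

Guests with a non-zero membership count should go back to the owners of those teams rather than being deleted from the script, because removal from the directory also removes the guest from every team and SharePoint site at once; the report is the input to the review, not the decision.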

Collaboration security and governance involve the creation, management, and enforcement of complex policies. However, even before creating and enforcing policies, IT must make several nuanced decisions. These decisions will affect the business for years to come as the collaboration environment continues to grow. Many companies therefore bring in security consultants to guide them through the crucial governance choices and to set up their collaboration environment for success.



Compliance and Governance Challenges of Microsoft Teams Guest Accounts

Guest accounts can trigger compliance issues. IT administrators have no idea how far away from home their users are playing. Once users accept other companies' invitations, everything they do inside that platform is invisible to their home platform's administrator. People can have accounts on multiple platforms.

Compliance is the obvious driver for why such oversight might be needed. Companies invest heavily in technologies like communications compliance policies to ensure their company remains within regulatory and legal requirements. Everything works well if collaboration activity remains inside the company. But suppose someone becomes a guest in another platform and begins communicating there. In that case, there's no trace of what they are doing visible to their company, which undermines a carefully built compliance regime.





NextPlane – Collaborate Without Boundaries – Connect. Any Team. Anywhere.

NextPlane enables users on Microsoft Teams to connect with their colleagues, clients, and partners inside or outside the enterprise. Users can chat and DM each other with rich text, GIF, and emoji reactions, share presence status, participate in channels, and share files without leaving their preferred platforms. That means:

  • There's no need to buy expensive guest accounts for external collaboration.
  • Your internal users can stay on corporate-controlled collaboration platforms, boosting security and compliance.
  • Employee productivity is enhanced because your users and their external colleagues can stay on their preferred platforms.
  • IT administrators are freed from making time-consuming decisions around guest account privileges and adjusting security policies.

Unlike Microsoft guest accounts for Teams, NextPlane gives admins user-level control over their company's external collaboration. It also allows them to track and control their users by federated domain. To give Teams admins user-level control, users must install the nextplane App on their Teams clients.

The nextplane App takes advantage of the Microsoft Bot Framework to provide a richer collaboration experience for both Teams and non-Teams users who are able to:

  • Add external contacts
  • See external contacts' profiles
  • Share presence Status
  • Send messages with rich text, GIFs, and emoji reactions
  • Join and participate in Slack channels

Microsoft Teams users only need the nextplane App, which is available from NextPlane for MS Teams.

The nextplane App is not executable code. It is a registration of NextPlane ConverseCloud within the Microsoft Teams infrastructure. This registration provides NextPlane ConverseCloud with an access token to call Microsoft Teams API methods and listen to Teams events on behalf of NextPlane.

The nextplane App passes only chat messages between Microsoft Teams users and the NextPlane ConverseCloud. It treats Microsoft Teams chat inputs as a command and translates them into contact requests, such as SIP invites, and sends them to non-Teams contacts. When the contact requests are accepted, it sends Teams users a link to the peer-to-peer chat channel with invited contacts.



1. Security

NextPlane ConverseCloud uses only the Microsoft Bot Framework to exchange chat messages with Microsoft Teams users and does not use any other APIs, such as the Microsoft Graph API. It does not store any of the messages. By limiting all internal operations and workflows to the Microsoft Bot Framework, NextPlane does not need access to any admin credentials or elevated privileges.

During the installation, the nextplane App will request the following permissions:

  • To receive messages and data
  • To send messages and notifications
  • To access user profile information

To send and receive messages, NextPlane uses authenticated and encrypted channels. The federated platform may use SIP, XMPP, or HTTP, each protected by TLS. Microsoft Teams users' messages are transferred over an OAuth 2.0-authenticated, TLS-protected HTTPS connection between NextPlane ConverseCloud and the Microsoft Bot Connector.




2. Privacy

The Teams permissions given to the NextPlane apps allow NextPlane ConverseCloud to:

  • Listen to the Microsoft Teams events, like when users post new messages to their respective Microsoft Teams chat, add emoji, invoke an invite command, modify or delete messages.
  • Retrieve and send messages to the Microsoft Teams peer-to-peer chat.

Under the Microsoft Teams permissions model, NextPlane ConverseCloud can receive events from, and retrieve or send messages to, only those Microsoft Teams peer-to-peer chats to which the NextPlane apps have been added. In any other chat, NextPlane ConverseCloud can neither listen to events nor perform any actions. Likewise, NextPlane ConverseCloud has no access to any information (messages or files) shared in Microsoft Teams channels where your users have not added the NextPlane apps.

NextPlane ConverseCloud collects several kinds of information, including personal data. The following are the types of information NextPlane ConverseCloud collects:

  • Database
    ConverseCloud collects Microsoft Teams users' ID and profile information (name and email) and keeps them in its database. ConverseCloud only uses this information to provide external contacts with their connected Microsoft Teams' users' contact details.

  • Log Data
    The NextPlane servers automatically record a log entry for each message they process. The log entry contains only the metadata without the message content. The metadata consists of the following fields:
    • Sender address (e.g., john@acme.com)
    • Receiver address (e.g., peter@widget.com)
    • Message type (IM, Presence, typing, error)
    • Time and date of the message
    • Chat session ID

You can learn more about Microsoft Teams Privacy and Permissions at https://nextplane.net/msteams/privacy/.




3. Management

Using the NextPlane Management Portal, admins can connect different collaboration platforms within a company, or with external organizations such as customers, partners, or suppliers. The NextPlane Management Portal provides customers with a trailing 12 months of charts and graphs showing the number of unique users, the number of messages exchanged, and detailed usage reports by internal and external federated domains and platforms.



Please visit NextPlane to learn more about eliminating the potential risks of guest accounts without negatively impacting your users' need to collaborate with external colleagues, or book a free 30-minute call with a NextPlane expert.



©2021 NextPlane, Inc. ALL RIGHTS RESERVED.