Control 4.4: Guest and External User Access Controls

Control ID: 4.4 Pillar: SharePoint Regulatory Reference: GLBA 501(b), SEC Reg S-P, FINRA 4511 Last UI Verified: January 2026 Governance Levels: Baseline / Recommended / Regulated Last Verified: 2026-02-03

Objective

Control external and guest user access to SharePoint content that may be used by AI agents. This control restricts unauthorized external parties from accessing regulated content and helps protect agent knowledge sources from external exposure.

Why This Matters for FSI

GLBA 501(b): Protect nonpublic personal information (NPI) from unauthorized access; enterprise sites must block external sharing
SEC Reg S-P: Safeguard customer information with controlled third-party access and expiration workflows
FINRA 4511: Prevent unauthorized external access to regulated books and records
SOX 302/404: Audit trails for guest access; certification requirements for internal controls

Control Description

This control establishes policies for managing external and guest user access to SharePoint sites that serve as AI agent knowledge sources. Proper guest access controls are critical for financial institutions where agents may process sensitive financial data.

Capability	Description
Site-Level Sharing	Configure sharing permissions per site (Anyone / Guests / Existing Guests / Internal Only)
Organization Policies	Set default sharing restrictions across the tenant
Guest Expiration	Automatically expire guest access after defined period
Domain Restrictions	Allow or block sharing with specific domains
Data Access Reports	Monitor external sharing activity

Key Configuration Points

Set organization-level sharing to "Existing guests" or more restrictive
Disable external sharing for Zone 3 (Enterprise Managed) sites
Configure guest access expiration (30 days for Zone 2, 90 days for Zone 1)
Set default link type to "Internal" with view-only permissions
Enable link expiration requirements (30 days maximum)
Configure domain allowlist for approved external partners

Technical Implementation Notes

Domain Allow/Block Lists

Configure domain restrictions to control which external organizations can receive shared content:

Allowlist: Specify approved partner domains (e.g., regulatory bodies, auditors, approved vendors)
Blocklist: Block known competitor domains or high-risk jurisdictions
Configuration: SharePoint Admin Center > Policies > Sharing > External sharing > More external sharing settings

Access Expiration Automation

SharePoint supports automatic guest access expiration at multiple levels:

Guest user expiration: Automatically revokes Entra ID guest accounts after defined period
Sharing link expiration: Forces link regeneration after expiration date
Site-level expiration: Can be more restrictive than tenant-level settings

B2B Integration Changes (July 2025)

Microsoft updated Entra B2B guest access policies in July 2025 (now fully enforced as of January 2026). Key changes affecting FSI organizations:

Guests from tenants that have disabled B2B collaboration require re-invitation
Cross-tenant access settings now override per-user guest policies
Conditional Access policies apply to guests based on their home tenant trust level

Review existing guest relationships and ensure cross-tenant access policies are configured appropriately.

Link Type Recommendations

For FSI organizations handling sensitive data:

Link Type	Recommendation	Rationale
Anyone (anonymous)	Disable for regulated content	No audit trail, no authentication
People in your organization	Limit to internal collaboration	Broad internal access
Specific people	Preferred for sensitive sharing	Named recipients, full audit trail
Existing guests	Use for established partner relationships	Controlled external access

Zone-Specific Requirements

Zone	Requirement	Rationale
Zone 1 (Personal)	ExternalUserSharingOnly; 90-day guest expiration; site owner approval	Low risk; minimal friction while maintaining controls
Zone 2 (Team)	ExistingExternalUserSharingOnly; 30-day expiration; manager + compliance approval	Shared agents increase blast radius; controls must be provable
Zone 3 (Enterprise)	Sharing Disabled; no exceptions; continuous audit	Highest risk; enterprise agents handle sensitive content

Roles & Responsibilities

Role	Responsibility
SharePoint Admin	Configure tenant and site sharing settings
Entra Global Admin	Configure guest access policies in Entra ID
Entra Security Admin	Configure Conditional Access for guest users
Compliance Officer	Approve guest access and review requirements

Control	Relationship
1.11 - Conditional Access	MFA and device compliance for external users
1.5 - DLP and Sensitivity Labels	DLP can block external sharing of labeled content
4.1 - Information Access Governance	Complements access restrictions with content discovery controls
4.2 - Site Access Reviews	Periodic reviews include guest access verification

Implementation Playbooks

Step-by-Step Implementation

This control has detailed playbooks for implementation, automation, testing, and troubleshooting:

Portal Walkthrough — Step-by-step portal configuration
PowerShell Setup — Automation scripts
Verification & Testing — Test cases and evidence collection
Troubleshooting — Common issues and resolutions

Verification Criteria

Confirm control effectiveness by verifying:

Zone 3 sites have external sharing set to "Disabled"
Zone 2 sites are restricted to "Existing guests only" or more restrictive
Guest access expiration is enabled at 30 days for regulated sites
Default link type is set to "Internal" at organization level
No unauthorized sharing links exist in Data access governance reports
Verify domain allowlist/blocklist configuration restricts sharing to approved domains
Verify external sharing links have maximum expiration set (30-day maximum recommended)
Verify B2B cross-tenant access policies are configured for approved partner organizations
Verify guest access audit logging is enabled and captures sharing events

Additional Resources

Updated: February 2026 | Version: v1.2 | UI Verification Status: Current