Control 4.4: Guest and External User Access Controls
Control ID: 4.4
Pillar: SharePoint
Regulatory Reference: GLBA 501(b), SEC Reg S-P, FINRA 4511, FINRA 25-07, SOX 302/404
Last UI Verified: April 2026
Governance Levels: Baseline / Recommended / Regulated
Objective
Control external and guest user access to SharePoint content that may be used by AI agents. This control prevents unauthorized external parties from accessing regulated content and helps protect agent knowledge sources from external exposure.
Why This Matters for FSI
- GLBA 501(b): Protect nonpublic personal information (NPI) from unauthorized access; enterprise sites must block external sharing
- SEC Reg S-P: Safeguard customer information with controlled third-party access and expiration workflows
- FINRA 4511, FINRA 25-07: Prevent unauthorized external access to regulated books and records
- SOX 302/404: Audit trails for guest access; certification requirements for internal controls
No Companion Automation Solution
No companion automation solution is currently published for this control. See the Solutions Index for the full catalog of available solutions, or the Solutions Integration overview for how solutions map to controls.
Control Description
This control establishes policies for managing external and guest user access to SharePoint sites that serve as AI agent knowledge sources. Proper guest access controls are critical for financial institutions where agents may process sensitive financial data.
| Capability | Description |
|---|---|
| Site-Level Sharing | Configure sharing permissions per site (Anyone / Guests / Existing Guests / Internal Only) |
| Organization Policies | Set default sharing restrictions across the tenant |
| Guest Expiration | Automatically expire guest access after a defined period |
| Domain Restrictions | Allow or block sharing with specific domains |
| Data Access Reports | Monitor external sharing activity |
Key Configuration Points
- Set organization-level sharing to "Existing guests" or more restrictive
- Disable external sharing for Zone 3 (Enterprise Managed) sites
- Configure guest access expiration (30 days for Zone 2, 90 days for Zone 1)
- Set default link type to "Internal" with view-only permissions
- Enable link expiration requirements (30 days maximum)
- Configure domain allowlist for approved external partners
Technical Implementation Notes
Domain Allow/Block Lists
Configure domain restrictions to control which external organizations can receive shared content:
- Allowlist: Specify approved partner domains (e.g., regulatory bodies, auditors, approved vendors)
- Blocklist: Block known competitor domains or high-risk jurisdictions
- Configuration: SharePoint Admin Center > Policies > Sharing > External sharing > More external sharing settings
Access Expiration Automation
SharePoint supports automatic guest access expiration at multiple levels:
- Guest user expiration: Automatically revokes Entra ID guest accounts after a defined period
- Sharing link expiration: Forces link regeneration after expiration date
- Site-level expiration: Can be more restrictive than tenant-level settings
Entra B2B Cross-Tenant Access Coordination
SharePoint external sharing interacts with Entra cross-tenant access settings and B2B collaboration policies. Misalignment between SharePoint sharing capability and tenant-level B2B trust can produce unexpected access denials or, conversely, broader access than intended.
Key coordination points for FSI organizations:
- Cross-tenant access settings (inbound and outbound) generally take precedence over per-site SharePoint sharing for B2B guests; verify both layers when troubleshooting access issues.
- Conditional Access policies that target "Guest or external users" evaluate the guest based on their home tenant trust level — confirm that MFA and device-compliance requirements apply to all in-scope guest sessions.
- Before changing tenant-level sharing capability, review the current external user inventory and any active partner-organization configurations in Entra ID > External Identities > Cross-tenant access settings.
- Consult Microsoft Learn: Cross-tenant access overview for the authoritative current behavior; B2B policy semantics evolve and should be re-verified each change window.
Link Type Recommendations
For FSI organizations handling sensitive data:
| Link Type | Recommendation | Rationale |
|---|---|---|
| Anyone (anonymous) | Disable for regulated content | No audit trail, no authentication |
| People in your organization | Limit to internal collaboration | Broad internal access |
| Specific people | Preferred for sensitive sharing | Named recipients, full audit trail |
| Existing guests | Use for established partner relationships | Controlled external access |
Zone-Specific Requirements
| Zone | Requirement | Rationale |
|---|---|---|
| Zone 1 (Personal) | ExternalUserSharingOnly; 90-day guest expiration; site owner approval | Low risk; minimal friction while maintaining controls |
| Zone 2 (Team) | ExistingExternalUserSharingOnly; 30-day expiration; manager + compliance approval | Shared agents increase blast radius; controls must be provable |
| Zone 3 (Enterprise) | Sharing Disabled; no exceptions; continuous audit | Highest risk; enterprise agents handle sensitive content |
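The following script is an added example, not code from the original page or from the playbooks it references. It applies the Key Configuration Points (tenant-level sharing, default link type and permission, link and guest expiration, domain allowlist) and then the per-zone site settings from the Zone-Specific Requirements table, using the SharePoint Online Management Shell. The tenant name, site URLs, zone assignments and partner domains are constructed placeholders; the site-to-zone inventory would normally come from the organization's site register.

```powershell
# Added example (not from the original page or the framework it describes).
# Applies the Control 4.4 tenant baseline, then per-zone site settings.
# Requires Microsoft.Online.SharePoint.PowerShell and a SharePoint Administrator.
# Tenant URL, site URLs, zone assignments and domains are constructed placeholders.

Import-Module Microsoft.Online.SharePoint.PowerShell -ErrorAction Stop
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder tenant

# --- Tenant-level baseline: "Existing guests" or more restrictive ---
$tenantSettings = @{
    SharingCapability                 = 'ExistingExternalUserSharingOnly' # "Existing guests"
    DefaultSharingLinkType            = 'Internal'   # default link: people in your organization
    DefaultLinkPermission             = 'View'       # default link: view-only
    RequireAnonymousLinksExpireInDays = 30           # any Anyone-links that ever exist expire in 30 days
    ExternalUserExpirationRequired    = $true        # guest access expires by default
    ExternalUserExpireInDays          = 30           # tenant default; Zone 1 relaxes to 90 per site below
    SharingDomainRestrictionMode      = 'AllowList'  # only approved partner domains may receive shares
    SharingAllowedDomainList          = 'auditor.example regulator.example'  # placeholders, space-separated
}
Set-SPOTenant @tenantSettings

# --- Zone policy taken from the Zone-Specific Requirements table ---
$zonePolicy = @{
    Zone1 = @{ SharingCapability = 'ExternalUserSharingOnly';         ExpireInDays = 90 }
    Zone2 = @{ SharingCapability = 'ExistingExternalUserSharingOnly'; ExpireInDays = 30 }
    Zone3 = @{ SharingCapability = 'Disabled';                        ExpireInDays = $null }
}

# Permissiveness ranking of the SharingCapability values (least to most permissive)
$rank = @{ Disabled = 0; ExistingExternalUserSharingOnly = 1; ExternalUserSharingOnly = 2; ExternalUserAndGuestSharing = 3 }

# Site-to-zone inventory (constructed; read from the site register in practice)
$siteInventory = @(
    @{ Url = 'https://contoso.sharepoint.com/sites/personal-notes-agent'; Zone = 'Zone1' }
    @{ Url = 'https://contoso.sharepoint.com/sites/wealth-team-kb';       Zone = 'Zone2' }
    @{ Url = 'https://contoso.sharepoint.com/sites/enterprise-policies';  Zone = 'Zone3' }
)

$tenant = Get-SPOTenant
foreach ($site in $siteInventory) {
    $policy = $zonePolicy[$site.Zone]

    # A site can never be more permissive than the tenant. With the tenant at
    # ExistingExternalUserSharingOnly, the Zone 1 value ExternalUserSharingOnly is
    # capped at the tenant level, so surface that instead of silently accepting it.
    if ($rank[$policy.SharingCapability] -gt $rank[[string]$tenant.SharingCapability]) {
        Write-Warning "$($site.Url): zone policy $($policy.SharingCapability) exceeds tenant setting $($tenant.SharingCapability); effective value is the tenant setting"
    }

    Set-SPOSite -Identity $site.Url -SharingCapability $policy.SharingCapability

    if ($null -ne $policy.ExpireInDays) {
        # Site-level guest expiration overrides the tenant default for this zone
        Set-SPOSite -Identity $site.Url `
            -OverrideTenantExternalUserExpirationPolicy $true `
            -ExternalUserExpirationInDays $policy.ExpireInDays
    }
}
```

Run this from a change window after reviewing the external user inventory, as the Entra B2B section above recommends: lowering the tenant-level SharingCapability immediately caps every site, and the warning branch shows which zone assignments are no longer achievable under the new tenant ceiling.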
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| SharePoint Admin | Configure tenant and site sharing settings |
| Entra Global Admin | Configure guest access policies in Entra ID |
| Entra Security Admin | Configure Conditional Access for guest users |
| Compliance Officer | Approve guest access and review requirements |
Related Controls
| Control | Relationship |
|---|---|
| 1.11 - Conditional Access | MFA and device compliance for external users |
| 1.5 - DLP and Sensitivity Labels | DLP can block external sharing of labeled content |
| 4.1 - Information Access Governance | Complements access restrictions with content discovery controls |
| 4.2 - Site Access Reviews | Periodic reviews include guest access verification |
Implementation Playbooks
Step-by-Step Implementation
This control has detailed playbooks for implementation, automation, testing, and troubleshooting:
- Portal Walkthrough — Step-by-step portal configuration
- PowerShell Setup — Automation scripts
- Verification & Testing — Test cases and evidence collection
- Troubleshooting — Common issues and resolutions
Verification Criteria
Confirm control effectiveness by verifying:
- Zone 3 sites have external sharing set to "Disabled"
- Zone 2 sites are restricted to "Existing guests only" or more restrictive
- Guest access expiration is enabled at 30 days for regulated sites
- Default link type is set to "Internal" at organization level
- No unauthorized sharing links exist in Data access governance reports
- Domain allowlist/blocklist configuration restricts sharing to approved domains
- External sharing links have a maximum expiration set (30-day maximum recommended)
- B2B cross-tenant access policies are configured for approved partner organizations
- Guest access audit logging is enabled and captures sharing events
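As an added example (not part of the original page or its Verification & Testing playbook), the script below collects evidence for the criteria above from the live tenant: it reads the tenant sharing settings with Get-SPOTenant, checks each inventoried site's sharing capability against its zone, confirms that Zone 3 sites have no external users at all, and writes PASS/FAIL findings to a CSV. The tenant URL, site URLs and zone assignments are constructed placeholders.

```powershell
# Added example (not from the original page or its playbooks).
# Evidence collection for the Control 4.4 Verification Criteria.
# Requires Microsoft.Online.SharePoint.PowerShell and a SharePoint Administrator.
# Tenant URL, site URLs and zone assignments are constructed placeholders.

Import-Module Microsoft.Online.SharePoint.PowerShell -ErrorAction Stop
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder tenant

$findings = New-Object 'System.Collections.Generic.List[object]'
function Add-Finding([string]$Scope, [string]$Check, [bool]$Pass, [string]$Observed) {
    $findings.Add([pscustomobject]@{
        Scope    = $Scope
        Check    = $Check
        Result   = if ($Pass) { 'PASS' } else { 'FAIL' }
        Observed = $Observed
    })
}

# --- Tenant-level criteria ---
$t = Get-SPOTenant
$cap = [string]$t.SharingCapability
Add-Finding 'Tenant' 'Sharing is "Existing guests" or more restrictive' `
    (@('Disabled', 'ExistingExternalUserSharingOnly') -contains $cap) $cap
Add-Finding 'Tenant' 'Default link type is Internal' `
    ([string]$t.DefaultSharingLinkType -eq 'Internal') ([string]$t.DefaultSharingLinkType)
Add-Finding 'Tenant' 'Default link permission is View' `
    ([string]$t.DefaultLinkPermission -eq 'View') ([string]$t.DefaultLinkPermission)
Add-Finding 'Tenant' 'Guest expiration required and at most 30 days' `
    ($t.ExternalUserExpirationRequired -and $t.ExternalUserExpireInDays -le 30) `
    "required=$($t.ExternalUserExpirationRequired) days=$($t.ExternalUserExpireInDays)"
# 0 or a negative value means anonymous links never expire, so require 1..30
Add-Finding 'Tenant' 'Anonymous links expire within 30 days' `
    ($t.RequireAnonymousLinksExpireInDays -gt 0 -and $t.RequireAnonymousLinksExpireInDays -le 30) `
    ([string]$t.RequireAnonymousLinksExpireInDays)
Add-Finding 'Tenant' 'Domain restriction mode is AllowList' `
    ([string]$t.SharingDomainRestrictionMode -eq 'AllowList') `
    "$($t.SharingDomainRestrictionMode): $($t.SharingAllowedDomainList)"

# --- Site-level criteria for regulated zones (constructed inventory) ---
$zoneAllowed = @{
    Zone2 = @('Disabled', 'ExistingExternalUserSharingOnly')   # "Existing guests" or stricter
    Zone3 = @('Disabled')                                      # no exceptions
}
$siteInventory = @(
    @{ Url = 'https://contoso.sharepoint.com/sites/wealth-team-kb';      Zone = 'Zone2' }
    @{ Url = 'https://contoso.sharepoint.com/sites/enterprise-policies'; Zone = 'Zone3' }
)
foreach ($s in $siteInventory) {
    $site    = Get-SPOSite -Identity $s.Url
    $siteCap = [string]$site.SharingCapability
    Add-Finding $s.Url "$($s.Zone) sharing capability" ($zoneAllowed[$s.Zone] -contains $siteCap) $siteCap

    if ($s.Zone -eq 'Zone3') {
        # A Zone 3 site must have no guests at all; any external user is a finding
        $guests = @(Get-SPOExternalUser -SiteUrl $s.Url -PageSize 50)
        Add-Finding $s.Url 'No external users present' ($guests.Count -eq 0) "$($guests.Count) external user(s)"
    }
}

$findings | Format-Table -AutoSize
$evidencePath = ".\control-4.4-evidence-$(Get-Date -Format 'yyyyMMdd').csv"
$findings | Export-Csv -Path $evidencePath -NoTypeInformation
$failures = @($findings | Where-Object { $_.Result -eq 'FAIL' })
exit $failures.Count   # non-zero exit makes the run fail in a scheduled job
```

The CSV is the evidence artifact; a non-zero exit code lets a scheduled job or pipeline flag drift between review cycles. Cross-tenant access policies and unified audit logging live outside the SharePoint module (Entra ID and the Exchange Online audit configuration respectively), so those two criteria still need their own checks.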
Additional Resources
- Manage sharing settings in SharePoint
- External sharing overview
- Guest access expiration
- Data access governance reports
Updated: April 2026 | Version: v1.4.0 | UI Verification Status: Current