
Control 4.4: Guest and External User Access Controls

Overview

Control ID: 4.4
Control Name: Guest and External User Access Controls
Regulatory Reference: GLBA 501(b), 504(b), SEC Reg S-P, FINRA 4511
Setup Time: 30-45 min


Purpose

Control external and guest user access to SharePoint content that may be used by AI agents. This prevents unauthorized external parties from accessing regulated content and ensures agent knowledge sources are protected from external exposure. Proper guest access controls are critical for financial institutions where AI agents may process nonpublic personal information (NPI) and sensitive financial data.


Key Capabilities

Site-Level External File Sharing

Configure sharing permissions per site.

Navigation: SharePoint Admin Center → Sites → Active sites → Select site → Settings tab

Sharing Options:

| Setting | Description | Use Case |
|---|---|---|
| Anyone | Anonymous sharing links allowed | Personal productivity only (if used) |
| New and existing guests | Guests can be added and access content | Team collaboration with controls |
| Existing guests | Only previously invited guests | Team collaboration (restricted) |
| Only people in your organization | No external sharing | Enterprise managed (regulated/sensitive) |

Organization-Level Sharing Policies

Set default sharing restrictions across the tenant.

Navigation: SharePoint Admin Center → Policies → Sharing

Key Settings:

  • External sharing slider (Most permissive → Least permissive)
  • Guest access expiration
  • Sharing link defaults
  • Link expiration requirements

Data Access Governance Reports

Monitor external sharing activity.

Navigation: SharePoint Admin Center → Reports → Data access governance

Relevant Reports:

| Report | Purpose |
|---|---|
| Sharing links | Monitor new sharing links created |
| Shared with 'Everyone except external users' | Identify oversharing risks |
| Site permissions across your organization | View sites with guest access |

Prerequisites

Primary Owner Admin Role: SharePoint Admin
Supporting Roles: SharePoint Site Collection Admin

Licenses Required

| License | Purpose | Required For |
|---|---|---|
| Microsoft 365 E3/E5 | SharePoint Online and core sharing controls | All governance levels |
| SharePoint Online Plan 2 | Advanced sharing governance features | Level 2+ |
| Microsoft Entra ID P1 | Conditional Access for guests | Level 2+ |
| Microsoft Entra ID P2 | Guest access reviews, risk-based policies | Level 4 |

Permissions Required

| Role | Purpose | Assignment Method |
|---|---|---|
| SharePoint Administrator | Configure tenant and site sharing settings | Microsoft 365 Admin Center |
| Entra ID Administrator | Configure guest access policies | Microsoft Entra Admin Center |
| Global Administrator | Full tenant administration | Microsoft 365 Admin Center (limited use) |
| Site Collection Administrator | Configure site-level sharing | SharePoint Admin Center |

Dependencies

| Dependency | Description | Verification |
|---|---|---|
| SharePoint Online | SharePoint tenant provisioned | Access SharePoint Admin Center |
| Governance classification | Sites classified by sensitivity | Review site metadata |
| Sensitivity labels | Labels configured for content | Purview compliance portal |
| Conditional Access | Policies for guest users | Entra ID portal |

Pre-Setup Checklist

  • [ ] SharePoint Administrator role assigned
  • [ ] Current sharing settings documented
  • [ ] Site inventory with governance classifications available
  • [ ] Guest user inventory completed
  • [ ] Business justification process defined for exceptions
  • [ ] Conditional Access policies for guests reviewed
  • [ ] Emergency access procedures documented

Governance Levels

Baseline (Level 1)

| Requirement | Implementation |
|---|---|
| Restrict external sharing for sensitive sites | Disable external sharing for regulated/sensitive sites |
| Document sharing settings | Inventory current sharing configuration |
| Guest access monitoring | Review sharing links report monthly |

Implementation Steps:

  1. Navigate to SharePoint Admin Center
  2. Go to Sites → Active sites
  3. For each regulated/sensitive site:
     1. Select the site
     2. Open Settings tab
     3. Set "External file sharing" to Only people in your organization
     4. Document configuration for compliance records

| Requirement | Implementation |
|---|---|
| Tier-based sharing policy | Team collaboration: "Existing guests only"; enterprise managed: internal only |
| Guest access expiration | Configure 30-day expiration for guest links |
| Time-limited access | Set link expiration for collaborative sites |
| Sharing activity monitoring | Weekly review of sharing reports |

Additional Steps:

  1. Navigate to Policies → Sharing
  2. Configure organization defaults:
     1. Set external sharing to "Existing guests" or more restrictive
     2. Enable "Guest access expires automatically"
     3. Set expiration to 30 days
  3. Configure link settings:
     1. Default link type: "People in your organization"
     2. Require link expiration: 30 days maximum
  4. Schedule weekly sharing report reviews

Regulated/High-Risk (Level 4)

| Requirement | Implementation |
|---|---|
| No external access to regulated content | Regulated/sensitive sites are internal only |
| Guest access audit trail | All guest activities logged and reviewed |
| Conditional access for external users | MFA required for all guest access |
| Quarterly guest access certification | Review and certify all guest accounts |

Additional Requirements:

  • Configure Conditional Access policies for guest users
  • Implement guest access reviews in Entra ID
  • Block guest access to sensitivity-labeled content
  • Document all approved external sharing exceptions

Setup & Configuration

PowerShell Configuration

Connect to SharePoint Online

```powershell
# Install SharePoint Online Management Shell (if needed)
Install-Module -Name Microsoft.Online.SharePoint.PowerShell -Force

# Connect to SharePoint Online Admin Center
$adminUrl = "https://yourtenant-admin.sharepoint.com"
Connect-SPOService -Url $adminUrl
```

Get Tenant Sharing Settings

```powershell
# Get current tenant-level sharing configuration
Get-SPOTenant | Select-Object `
    SharingCapability, `
    SharingDomainRestrictionMode, `
    SharingAllowedDomainList, `
    SharingBlockedDomainList, `
    DefaultSharingLinkType, `
    DefaultLinkPermission, `
    RequireAnonymousLinksExpireInDays, `
    ExternalUserExpirationRequired, `
    ExternalUserExpireInDays
```

Set Tenant Sharing Settings

```powershell
# Configure restrictive tenant-level sharing for regulated environments
Set-SPOTenant `
    -SharingCapability ExistingExternalUserSharingOnly `
    -DefaultSharingLinkType Internal `
    -DefaultLinkPermission View `
    -RequireAnonymousLinksExpireInDays 30 `
    -ExternalUserExpirationRequired $true `
    -ExternalUserExpireInDays 30 `
    -PreventExternalUsersFromResharing $true

# Optional: Configure domain restrictions for approved partners
# (domains are passed as one space-separated string)
Set-SPOTenant `
    -SharingDomainRestrictionMode AllowList `
    -SharingAllowedDomainList "approvedpartner.com trustedvendor.com"
```

Get Site-Level Sharing Settings

```powershell
# Get sharing settings for a specific site
$siteUrl = "https://yourtenant.sharepoint.com/sites/YourSite"
Get-SPOSite -Identity $siteUrl | Select-Object `
    Url, `
    SharingCapability, `
    DisableSharingForNonOwnersStatus, `
    SharingAllowedDomainList, `
    SharingBlockedDomainList, `
    ExternalUserExpirationInDays

# Get sharing settings for all sites
Get-SPOSite -Limit All | Select-Object Url, SharingCapability | Export-Csv -Path "SiteSharingSettings.csv" -NoTypeInformation
```

Set Site-Level Sharing Settings

```powershell
# Enterprise managed (regulated/sensitive): Disable external sharing completely
Set-SPOSite -Identity "https://yourtenant.sharepoint.com/sites/RegulatedSite" `
    -SharingCapability Disabled

# Team collaboration: Restrict to existing guests only
# Note: DisableSharingForNonOwnersStatus is a read-only property; the switch
# parameter -DisableSharingForNonOwners is what turns non-owner sharing off
Set-SPOSite -Identity "https://yourtenant.sharepoint.com/sites/CollaborationSite" `
    -SharingCapability ExistingExternalUserSharingOnly `
    -DisableSharingForNonOwners `
    -ExternalUserExpirationInDays 30

# Personal productivity: Allow new guests with controls
Set-SPOSite -Identity "https://yourtenant.sharepoint.com/sites/PersonalSite" `
    -SharingCapability ExternalUserSharingOnly `
    -ExternalUserExpirationInDays 90
```

Bulk Configure Regulated/Sensitive Sites

```powershell
# Import regulated/sensitive sites and disable external sharing
# (RegulatedSites.csv is expected to contain a Url column)
$regulatedSites = Import-Csv -Path "RegulatedSites.csv"

foreach ($site in $regulatedSites) {
    Write-Host "Configuring regulated/sensitive site: $($site.Url)" -ForegroundColor Yellow
    Set-SPOSite -Identity $site.Url -SharingCapability Disabled
    Write-Host "External sharing disabled for: $($site.Url)" -ForegroundColor Green
}
```

Export Guest Access Configuration

```powershell
# Export comprehensive guest access audit report
$allSites = Get-SPOSite -Limit All
$guestAccessReport = @()

foreach ($site in $allSites) {
    $guestAccessReport += [PSCustomObject]@{
        SiteUrl                 = $site.Url
        SharingCapability       = $site.SharingCapability
        ExternalUserExpiration  = $site.ExternalUserExpirationInDays
        NonOwnerSharingDisabled = $site.DisableSharingForNonOwnersStatus
        Template                = $site.Template
        Owner                   = $site.Owner
    }
}

$guestAccessReport | Export-Csv -Path "GuestAccessConfiguration_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
Write-Host "Guest access configuration exported successfully" -ForegroundColor Green
```

Audit Guest Access

```powershell
# Get all external users across the tenant (PageSize is capped at 50 per call)
Get-SPOExternalUser -PageSize 50 | Select-Object `
    DisplayName, `
    Email, `
    AcceptedAs, `
    WhenCreated, `
    InvitedBy | Export-Csv -Path "ExternalUsers_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation

# Get external users for a specific site
$siteUrl = "https://yourtenant.sharepoint.com/sites/YourSite"
Get-SPOExternalUser -SiteUrl $siteUrl | Select-Object DisplayName, Email, AcceptedAs, WhenCreated

# Remove expired or unauthorized external users (requires Microsoft Graph PowerShell)
# Note: Remove-SPOExternalUser was deprecated July 2024
Connect-MgGraph -Scopes "User.ReadWrite.All"
$externalUser = Get-MgUser -Filter "userType eq 'Guest' and mail eq 'user@external.com'"
if ($externalUser) {
    Remove-MgUser -UserId $externalUser.Id -Confirm:$false
}
```

Step 1: Inventory Current Sharing State

Assess current external sharing:

  1. Navigate to Reports → Data access governance
  2. View "Site permissions across your organization" report
  3. Identify sites with guest access enabled
  4. Export report for analysis
  5. Cross-reference with governance classification

Step 2: Configure Site-Level Restrictions

For regulated/sensitive sites:

  1. Navigate to Sites → Active sites
  2. Select the site
  3. Open Settings tab
  4. Set "External file sharing" to Only people in your organization
  5. Repeat for all regulated/sensitive sites

For collaborative sites:

  1. Set "External file sharing" to Existing guests at most
  2. Document any approved guest access with business justification

Step 3: Configure Organization Policies

Set organization defaults:

  1. Navigate to Policies → Sharing
  2. Configure external sharing level
  3. Enable guest access expiration (30 days recommended)
  4. Set default link type to internal
  5. Enable link expiration requirements

Step 4: Implement Monitoring

Establish ongoing monitoring:

  1. Schedule weekly review of sharing reports
  2. Configure alerts for new external sharing (if available)
  3. Document all guest access approvals
  4. Review expired guest accounts quarterly
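As an added example (not code from the original control documentation), the guest review in steps 3 and 4 can be turned into a certification worksheet: every external user in the tenant is checked against the tenant's sharing domain allowlist and against an age threshold, and rows needing a decision are marked for review. It assumes an active Connect-SPOService session; the 90-day threshold is an assumed window matching the quarterly certification cycle.

```powershell
# Added example (not part of the original control documentation).
# Assumes an active Connect-SPOService session; the 90-day threshold is an
# assumed review window matching the quarterly certification cycle on this page.

function Get-AllSPOExternalUsers {
    # Get-SPOExternalUser returns at most 50 users per call, so page through with -Position
    $position = 0
    do {
        $batch = @(Get-SPOExternalUser -Position $position -PageSize 50)
        $batch
        $position += 50
    } while ($batch.Count -eq 50)
}

function Get-GuestCertificationReport {
    param([int]$StaleAfterDays = 90)
    $tenant = Get-SPOTenant
    # The allowlist is only enforced when the tenant is in AllowList mode
    $allowed = @()
    if ([string]$tenant.SharingDomainRestrictionMode -eq 'AllowList') {
        $allowed = @($tenant.SharingAllowedDomainList -split '\s+' |
            Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() })
    }
    $cutoff = (Get-Date).AddDays(-$StaleAfterDays)
    foreach ($guest in Get-AllSPOExternalUsers) {
        $domain   = ($guest.Email -split '@')[-1].ToLowerInvariant()
        $findings = @()
        if ($allowed.Count -gt 0 -and $domain -notin $allowed) { $findings += 'DomainNotOnAllowlist' }
        if ($guest.WhenCreated -lt $cutoff) { $findings += "InvitedOver${StaleAfterDays}DaysAgo" }
        $action = if ($findings.Count -gt 0) { 'Review' } else { 'Certify' }
        [PSCustomObject]@{
            DisplayName = $guest.DisplayName
            Email       = $guest.Email
            InvitedBy   = $guest.InvitedBy
            WhenCreated = $guest.WhenCreated
            Findings    = ($findings -join ';')
            Action      = $action
        }
    }
}

# Produce the certification worksheet; rows marked Review need an approval record or removal
Get-GuestCertificationReport | Export-Csv -Path "GuestCertification_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
```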

Step 5: Document Procedures

Create procedures for:

  • Requesting guest access (approval workflow)
  • Reviewing guest access (quarterly certification)
  • Revoking guest access (termination process)
  • Exception handling (documented justification)

Financial Sector Considerations

Regulatory Mapping

| Regulation | Requirement | How This Control Addresses |
|---|---|---|
| GLBA 501(b) | Protect NPI from unauthorized access | Restricts external access to customer data; enterprise managed sites block external sharing |
| SEC Reg S-P | Safeguard customer information | Controls third-party access with expiration and approval workflows |
| FINRA 4511 | Protect books and records | Prevents unauthorized external access to regulated records |
| SOX 302/404 | Internal controls over financial reporting | Audit trails for guest access; certification requirements |
| NYDFS 500 | Third-party service provider policies | Domain restrictions and access reviews for external parties |

Governance Tier External Sharing Requirements

| Governance Tier | Sharing Capability | Guest Expiration | Domain Restrictions | Approval Required |
|---|---|---|---|---|
| Personal Productivity | ExternalUserSharingOnly | 90 days | None | Site owner |
| Team Collaboration | ExistingExternalUserSharingOnly | 30 days | Allowlist only | Manager + Compliance |
| Enterprise Managed | Disabled | N/A | N/A | Not permitted |

FSI Configuration Example

```yaml
# FSI SharePoint Guest Access Configuration
fsi_sharepoint_guest_access:
  tenant_settings:
    sharing_capability: "ExistingExternalUserSharingOnly"
    default_link_type: "Internal"
    require_link_expiration: true
    max_link_expiration_days: 30
    external_user_expiration: true
    external_user_expiration_days: 30
    prevent_external_resharing: true
    domain_restriction_mode: "AllowList"
    allowed_domains:
      - "approvedvendor.com"
      - "regulatoryagency.gov"

  tier_configurations:
    tier_1_personal_productivity:
      sharing_capability: "ExternalUserSharingOnly"
      guest_expiration_days: 90
      approval_workflow: "SiteOwner"

    tier_2_team_collaboration:
      sharing_capability: "ExistingExternalUserSharingOnly"
      guest_expiration_days: 30
      disable_non_owner_sharing: true
      approval_workflow: "ManagerAndCompliance"

    tier_3_enterprise_managed:
      sharing_capability: "Disabled"
      exceptions: "None"
      audit_frequency: "Continuous"

  monitoring:
    guest_access_review_frequency: "Quarterly"
    sharing_report_review: "Weekly"
    alert_on_new_external_sharing: true
    compliance_reporting: "Monthly"
```

Zone-Specific Configuration

Zone 1 (Personal Productivity):

  • Apply a baseline minimum of Guest and External User Access Controls that impacts tenant-wide safety (where applicable), and document any exceptions for personal agents.
  • Avoid expanding scope beyond the user’s own data unless explicitly justified.
  • Rationale: reduces risk from personal use while keeping friction low; legal/compliance can tighten later.

Zone 2 (Team Collaboration):

  • Apply the control for shared agents and shared data sources; require an identified owner and an approval trail.
  • Validate configuration in a pilot environment before broader rollout; retain evidence (screenshots/exports/logs).
  • Rationale: shared agents increase blast radius; controls must be consistently applied and provable.

Zone 3 (Enterprise Managed):

  • Require the strictest configuration for Guest and External User Access Controls and enforce it via policy where possible (not manual-only).
  • Treat changes as controlled (change ticket + documented testing); retain evidence (screenshots/exports/logs).
  • Rationale: enterprise agents handle the most sensitive content and are the highest audit/regulatory risk.

Verification & Testing

Test Procedure

  1. Navigate to SharePoint Admin Center → Sites → Active sites
  2. Select a regulated/sensitive site and check Settings panel
  3. Verify "External file sharing" is set to internal only
  4. Navigate to Policies → Sharing
  5. Verify organization-level sharing settings
  6. Navigate to Reports → Data access governance
  7. Run sharing reports to identify any external sharing

Expected Results:

  • [ ] Regulated/sensitive sites have external sharing disabled
  • [ ] Organization defaults restrict external sharing
  • [ ] Guest access expiration is configured
  • [ ] No unauthorized sharing links exist
  • [ ] Sharing reports accessible for monitoring
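As an added example (not code from the original control documentation), the first three expected results can be checked from PowerShell instead of screenshot by screenshot: the tenant defaults are compared with the Level 2+ targets, and each site's configured sharing capability is compared with the ceiling its governance tier allows, taking into account that a site cannot be more permissive than the tenant. It assumes an active Connect-SPOService session and a constructed SiteInventory.csv with Url and Tier columns.

```powershell
# Added example (not part of the original control documentation).
# Assumes an active Connect-SPOService session and a constructed inventory
# file SiteInventory.csv with columns Url,Tier (Tier = Personal|Team|Enterprise).
# Most permissive SharingCapability each governance tier allows (from the tier table)
$tierCeiling = @{
    'Enterprise' = 'Disabled'
    'Team'       = 'ExistingExternalUserSharingOnly'
    'Personal'   = 'ExternalUserSharingOnly'
}
# Rank capabilities from least to most permissive so settings can be compared
$rank = @{
    'Disabled'                        = 0
    'ExistingExternalUserSharingOnly' = 1
    'ExternalUserSharingOnly'         = 2
    'ExternalUserAndGuestSharing'     = 3
}

function Test-TenantBaseline {
    # Organization defaults checked against the Level 2+ targets on this page
    $t = Get-SPOTenant
    [PSCustomObject]@{
        SharingAtMostExistingGuests = ($rank[[string]$t.SharingCapability] -le 1)
        InternalDefaultLink         = ([string]$t.DefaultSharingLinkType -eq 'Internal')
        GuestExpiryWithin30Days     = ($t.ExternalUserExpirationRequired -and $t.ExternalUserExpireInDays -le 30)
    }
}

function Test-SiteTierCompliance {
    param([string]$InventoryPath = 'SiteInventory.csv')
    $tenantCap = [string](Get-SPOTenant).SharingCapability
    foreach ($row in Import-Csv -Path $InventoryPath) {
        $site    = Get-SPOSite -Identity $row.Url
        $cap     = [string]$site.SharingCapability
        $ceiling = $tierCeiling[$row.Tier]
        # A site cannot be more permissive than the tenant, so report the effective (lower) value
        $effective = if ($rank[$cap] -gt $rank[$tenantCap]) { $tenantCap } else { $cap }
        # An unknown tier is reported as non-compliant instead of silently passing
        $compliant = ($null -ne $ceiling) -and ($rank[$cap] -le $rank[$ceiling])
        [PSCustomObject]@{
            Url        = $row.Url
            Tier       = $row.Tier
            Configured = $cap
            Effective  = $effective
            Compliant  = $compliant
            ExpiryDays = $site.ExternalUserExpirationInDays
        }
    }
}

Test-TenantBaseline | Format-List
Test-SiteTierCompliance | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Sites listed by the last line are candidates for the Set-SPOSite changes in the Setup & Configuration section; the Effective column shows what users actually get when a site setting is capped by the tenant.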

Verification Evidence

| Evidence Type | Location | Retention |
|---|---|---|
| Site sharing settings screenshot | Active sites → Settings | 1 year |
| Organization sharing policy screenshot | Policies → Sharing | 1 year |
| Sharing links report export | Data access governance | 1 year |
| Guest access review records | Governance documentation | 6 years |

Troubleshooting & Validation

Common Issues and Solutions

| Issue | Cause | Solution |
|---|---|---|
| Cannot share with external users | Tenant or site sharing disabled | Verify sharing capability at tenant and site level; check if site inherits from tenant |
| Guest user cannot access content | Conditional Access blocking | Review CA policies for guest users; check named locations and device compliance |
| Sharing option grayed out | Insufficient permissions or policy | Confirm user has owner/member role; check if site allows non-owner sharing |
| External user link expired | Automatic expiration configured | Re-invite guest user; consider extending expiration period if business-justified |
| Domain blocked for sharing | Domain restriction policy | Add domain to allowed list if approved; document business justification |

Additional Troubleshooting Steps

  1. Verify tenant sharing hierarchy: Site sharing cannot be more permissive than tenant settings
  2. Check sensitivity labels: Labels may block external sharing regardless of site settings
  3. Review Conditional Access: Guest-specific policies may require MFA or compliant devices
  4. Audit recent changes: Use SharePoint Admin Center audit logs to identify configuration changes
  5. Test with different user: Confirm issue is not user-specific permission problem

Additional Resources

| Control | Relationship | Priority |
|---|---|---|
| 1.11 Conditional Access and Phishing-Resistant MFA | MFA and device compliance requirements for external users | High |
| 1.5 Data Loss Prevention (DLP) and Sensitivity Labels | DLP policies can block external sharing of labeled content | High |
| 1.6 Microsoft Purview DSPM for AI | Data security posture for external collaboration | High |
| 4.1 SharePoint Information Access Governance (IAG) | Complements access restrictions with content discovery controls | Medium |
| 4.2 Site Access Reviews and Certification | Periodic reviews include guest access verification | Medium |
| 4.3 Site and Document Retention Management | Inactive sites may have stale guest access | Low |
| 2.1 Managed Environments | Environment boundaries for agent knowledge sources | Medium |

Support & Questions

For implementation support or questions about this control, contact:

  • SharePoint Administrator: Sharing configuration
  • Security Administrator: Conditional access policies
  • Compliance Officer: Guest access requirements

Updated: Dec 2025
Version: v1.0 Beta (Dec 2025)
UI Verification Status: ❌ Needs verification