
Are Your Microsoft 365 Guest Policies Really Enforced? Check Your Tenant to Avoid Security Gaps


🛡️ Ensuring Guest Policies Are Enforced in Microsoft 365


  1. Many orgs enable Azure AD Conditional Access for guests—MFA, limited access by location, terms-of-use acceptance, and access reviews—to secure all external users.
  2. However, in tenants created before June 2023 (or where Entra B2B integration hasn’t been enabled), sharing a document directly with an external user via SharePoint may bypass these policies. That’s because the user isn’t added to Azure AD as a true guest—they become a SharePoint-only guest authenticated via OTP, not subject to MFA or Conditional Access (cloudprotect.ninja, identity-man.eu).
  3. To check this, run the following in PowerShell:
# Connect to SharePoint Online (requires the SharePoint Online Management Shell module and a SharePoint admin account)
Connect-SPOService -Url https://<tenant>-admin.sharepoint.com

# Check B2B integration status
Get-SPOTenant | Select-Object EnableAzureADB2BIntegration

If False, your SharePoint-only guest links are bypassing your guest policies.

  4. Microsoft recommends enabling SharePoint/OneDrive + Azure AD B2B integration, ideally alongside Azure AD OTP for guests, so that, as the Microsoft doc puts it:

    “When using Microsoft Entra B2B integration, Microsoft Entra external collaboration settings … apply.” (learn.microsoft.com)

  5. Upon enabling:
    • Legacy SharePoint-only guests are automatically converted upon sign-in.
    • New SharePoint shares create Azure AD B2B guest accounts.
    • Conditional Access, Access Reviews, MFA—everything works as expected (cloudprotect.ninja).

✅ Recommended action

  • Check your tenant:
    Get-SPOTenant | Select EnableAzureADB2BIntegration
    
  • If False, run:
    Set-SPOTenant -EnableAzureADB2BIntegration $true
    
  • Ensure Email one-time passcode is enabled under Azure AD → External Identities (identity-man.eu, cloudprotect.ninja).
  • Optionally, run a script (e.g., from CloudProtectNinja) to report SharePoint-only guests across sites (cloudprotect.ninja).
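As an added example (not the original post's code and not the CloudProtectNinja script mentioned above), the following PowerShell audits the tenant flag and then lists external users that SharePoint knows about but that have no matching Entra ID guest object, which is the population that sidesteps Conditional Access. It assumes the SharePoint Online Management Shell and Microsoft.Graph modules are installed, that you hold SharePoint admin rights plus the User.Read.All Graph scope, and that Entra guest objects have their Mail attribute populated (matching is done on e-mail, so any guest without Mail will be reported as SharePoint-only).

```powershell
# Added example: report SharePoint-only guests by comparing SharePoint's external
# user list against Entra ID guest objects. Assumes SPO Management Shell and
# Microsoft.Graph modules; replace $TenantName with your tenant prefix.
param(
    [Parameter(Mandatory)] [string] $TenantName   # e.g. "contoso" for contoso-admin.sharepoint.com
)

Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"
Connect-MgGraph -Scopes "User.Read.All" -NoWelcome

# 1. Tenant-level check: is B2B integration on at all?
$tenant = Get-SPOTenant
if (-not $tenant.EnableAzureADB2BIntegration) {
    Write-Warning "EnableAzureADB2BIntegration is False: new SharePoint shares create SharePoint-only guests."
}

# 2. Collect every external user SharePoint knows about (paged, max 50 per call)
$spoExternal = @()
$position = 0
do {
    $page = Get-SPOExternalUser -Position $position -PageSize 50
    $spoExternal += $page
    $position += 50
} while ($page.Count -eq 50)

# 3. Index Entra guest objects by e-mail (assumption: Mail is populated on guests)
$entraGuests = Get-MgUser -Filter "userType eq 'Guest'" -All -Property Mail,UserPrincipalName
$guestMail = @{}
foreach ($g in $entraGuests) {
    if ($g.Mail) { $guestMail[$g.Mail.ToLowerInvariant()] = $true }
}

# 4. External users present in SharePoint but absent from Entra = SharePoint-only guests
$spoOnly = $spoExternal | Where-Object {
    $_.Email -and -not $guestMail.ContainsKey($_.Email.ToLowerInvariant())
}

"$($spoExternal.Count) external users in SharePoint, $($spoOnly.Count) without an Entra guest object:"
$spoOnly | Select-Object Email, DisplayName, AcceptedAs, WhenCreated | Format-Table -AutoSize
```

Once EnableAzureADB2BIntegration is set to $true, re-running the report after affected users sign in again should show the SharePoint-only count falling as they are converted to B2B guests.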

📖 Useful references

  • Microsoft Docs – Azure AD B2B integration for SharePoint & OneDrive (learn.microsoft.com)
  • Entra External Identities overview – guest management & integration (learn.microsoft.com)
  • CloudProtectNinja – script to report SharePoint-only guests (cloudprotect.ninja)
  • Identity-Man blog – deep dive on enabling integration + OTP flow (identity-man.eu)
