When it comes to data protection, we usually throw out all of our security protections when external collaboration and guest users are added to the mix. Guest users can:
  • Download files locally
  • Access sensitive documents on insecure devices
  • Access documents without even proving their identity (by default; setting dependent)
In this article, I am going to share the top policy I configure to secure guest access to my data: it limits guest users to browser-based access only and prevents them from downloading documents locally.

Considerations with other policies

In a previous blog post, I talked about the recommended policies to restrict access to only managed devices within the organization. The key thing to note is that if you do not exclude guest users from those policies, it is highly likely they will be blocked. This depends on a few factors, such as the types of links being shared with them (Anyone vs. New and Existing Guests) and how they are accessing your tenant (are they using a VPN, a Cloud PC/AVD, or their own personal device?). Most likely they are using their own corporate or personal device, which would prevent them from collaborating on documents shared with them, accessing shared Teams/document repositories, etc.

If we exclude them from the required-managed-device policy, I do not want to leave their access wide open, hence the policies we are about to cover.

Requiring Authenticated Guest Access

When users share documents from SharePoint/OneDrive, the default settings in M365 create what is known as an Anyone link: users can share a link to a corporate document that anyone in the world could open without verifying their identity. Imagine someone being able to access a sensitive corporate document from the outside as easily as they can run a Google search.

Within the SharePoint admin center, go to Sharing to see your default policies. Ideally, you swap this to New and existing guests. With this setting in place, external users will have to register as a guest user in your organization before they can access a document shared with them. If this is left at Anyone, our policy to require managed devices would not impact these users, but that is not preferred from a data protection perspective, so the recommendation is to change this setting.

Just a word of caution here: be careful when enabling this setting. In most cases this will be a significant change for end users, and you will want to communicate the change before turning it on.
  • Requires the sharing user to specify the email addresses of who they are sharing with.
  • The external user will need to accept an invitation (they will get an email).

Restricting Access on Guest Device

The policy I am going to show you extends our protections further by restricting the guest user from downloading files shared with them to their local device. This provides data exfiltration protection and ensures our corporate documents are not downloaded to a device that may have been compromised with malware, ransomware, etc.

In the SharePoint Admin Center
In Entra

This setting creates two conditional access policies in Entra:

  1. Restricts mobile app and desktop client access to devices that are marked as compliant or are hybrid joined in Entra.
  2. Restricts browser access to SharePoint Online to use “app enforced restrictions.” This is what is shown in the support article above and is what restricts access on unmanaged devices.
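As an added example (not from the original post or from Microsoft's own tooling), here are the two conditional access policies expressed as Microsoft Graph request bodies for POST /identity/conditionalAccess/policies, plus a small audit that reports which control a guest user would hit for each client app type. The display names, the report-only state and the use of the "GuestsOrExternalUsers" user value are assumptions; the SharePoint Online app id is the well-known first-party id.

```python
"""Constructed Entra conditional access policy bodies (Graph API shape) for
SharePoint Online, and an audit of what a guest user would experience."""

SPO_APP_ID = "00000003-0000-0ff1-ce00-000000000000"  # SharePoint Online first-party app id

# Policy 1: desktop/mobile clients must come from a compliant or hybrid-joined device.
# Guests are included on purpose: on their own devices they cannot use desktop apps.
APPS_REQUIRE_MANAGED_DEVICE = {
    "displayName": "[example] Block apps on unmanaged devices",  # assumed name
    "state": "enabledForReportingButNotEnforced",  # start in report-only, per the caution above
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": [SPO_APP_ID]},
        "clientAppTypes": ["mobileAppsAndDesktopClients"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice", "domainJoinedDevice"]},
}

# Policy 2: browser access is allowed, but SharePoint applies app-enforced restrictions (no download).
BROWSER_APP_ENFORCED = {
    "displayName": "[example] Use app-enforced restrictions for browser access",  # assumed name
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": [SPO_APP_ID]},
        "clientAppTypes": ["browser"],
    },
    "sessionControls": {"applicationEnforcedRestrictions": {"isEnabled": True}},
}


def applies_to_guests(policy):
    """True if the policy's user scope covers guests (All or GuestsOrExternalUsers) and does not exclude them."""
    users = policy["conditions"]["users"]
    included = set(users.get("includeUsers", []))
    excluded = set(users.get("excludeUsers", []))
    return bool(included & {"All", "GuestsOrExternalUsers"}) and "GuestsOrExternalUsers" not in excluded


def guest_outcome(policies):
    """Map each client app type to the control a guest would hit, or 'unrestricted' if no policy covers it."""
    outcome = {"browser": "unrestricted", "mobileAppsAndDesktopClients": "unrestricted"}
    for policy in policies:
        if not applies_to_guests(policy):
            continue  # the guest was excluded, so this policy never evaluates for them
        for app_type in policy["conditions"]["clientAppTypes"]:
            if policy.get("sessionControls", {}).get("applicationEnforcedRestrictions", {}).get("isEnabled"):
                outcome[app_type] = "appEnforcedRestrictions"
            elif policy.get("grantControls"):
                outcome[app_type] = " or ".join(policy["grantControls"]["builtInControls"])
    return outcome


if __name__ == "__main__":
    print(guest_outcome([APPS_REQUIRE_MANAGED_DEVICE, BROWSER_APP_ENFORCED]))
```

Running the audit against a policy that excludes GuestsOrExternalUsers shows the guest falling back to "unrestricted" for that app type, which is the gap the earlier section warns about when you exclude guests from a managed-device policy without adding these two.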

End-User Experience

Guest users will be prevented from opening documents shared with them in their desktop applications, and in the browser they will see a banner message and be prevented from downloading the document locally.


Conclusion

Be very careful turning this setting on and understand the impacts to the organization. This setting is highly restrictive (not just for guests) and needs to be communicated appropriately to the organization and end users before going live.
