Configuring Guest Access and Sharing in the Microsoft Entra Admin Center
Overview
The Microsoft Entra admin center provides centralized control for managing guest access and external collaboration across your Microsoft 365 environment. It defines how external users are invited, what information they can see, and how they interact with Teams, SharePoint, and other resources. Properly configuring guest access is critical to maintaining both collaboration efficiency and data security within an organization.
In this section, you’ll learn how to manage guest access in Microsoft Entra, limit who can invite guests, apply sensitivity labels for granular control, and remove guest users when they’re no longer needed.
1. Configuring Guest Access in the Microsoft Entra Admin Center
To manage guest access at the directory level:
- Go to the Microsoft Entra admin center → https://entra.microsoft.com.
- Navigate to Users → User settings.
- Under Guest user access, you’ll find three levels of access permissions:

| Option | Description |
| --- | --- |
| Guest users have the same access as members (most inclusive) | Guests can view most directory information and access resources similar to internal users. |
| Guest users have limited access to properties and memberships of directory objects | Restricts guests from viewing certain directory details, such as group memberships or user profiles. |
| Guest users access only their own directory objects (most restrictive) | Guests can access only their own account details; they cannot browse directory information. |
Recommendation:
Select “Guest users have limited access to properties and memberships of directory objects”. This setting maintains collaboration while preventing guests from seeing sensitive organizational data.
Note: Changing this setting automatically updates the External collaboration settings under Identity → External Identities.
2. Limiting Who Can Invite Guests
To prevent “guest sprawl” — an uncontrolled increase in external accounts — you can limit who has permission to invite guests. This ensures that only authorized individuals, such as trained administrators or project leads, can extend invitations.
Creating a Guest Inviter Group
- In the Microsoft Entra admin center, go to Groups → All groups → New group.
- Keep the Group type as Security.
- Provide a Name (e.g., Guest Inviters) and a clear Description (e.g., Individuals who may invite guests to groups in our organization).
- Under Microsoft Entra roles can be assigned to the group, select Yes.
- Add appropriate Owners and Members.
- Under Roles, choose Guest inviter, then select Add role → Select.
- Once done, select Create.
This group now contains the users who are authorized to invite external guests. Once the guest invite setting in the next step is applied, all other users will be blocked from doing so.
Adjusting External Collaboration Settings
Next, link this group to your guest invitation policy:
- Go to Identity → External Identities → External collaboration settings.
- In the Guest invite settings section, choose Only users assigned to specific admin roles can invite guest users.
- Save the changes.
Important: Global Administrators can always invite guests, even if they aren’t members of the Guest Inviters group.
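The two directory-level choices from sections 1 and 2 are stored in the tenant's authorization policy, so they can be checked from a script instead of the portal. The following is an added example, not part of the original page: the function name Test-GuestPosture and the sample object are hypothetical, while the guestUserRoleId and allowInvitesFrom values are the ones Microsoft Graph defines for these settings.

```powershell
# Added example: compare an authorization policy with this page's recommendations.
# Live input (assumes the Microsoft.Graph.Identity.SignIns module is installed):
#   Connect-MgGraph -Scopes "Policy.Read.All"
#   $policy = Get-MgPolicyAuthorizationPolicy

# guestUserRoleId values Microsoft Graph uses for the three "Guest user access" options
$GuestRoleNames = @{
    "a0b1b346-4d3e-4e8b-98f8-753987be4970" = "Same access as members (most inclusive)"
    "10dae51f-b6af-4016-8d66-8c2a99b929b3" = "Limited access to directory objects"
    "2af84b1e-32c8-42b7-82bc-daa82404023b" = "Own directory objects only (most restrictive)"
}

function Test-GuestPosture {
    param([Parameter(Mandatory)] $Policy)

    $findings = @()
    $roleId = "$($Policy.GuestUserRoleId)".ToLower()

    if ($roleId -eq "a0b1b346-4d3e-4e8b-98f8-753987be4970") {
        $findings += "Guest user access: guests have the same access as members."
    } elseif (-not $GuestRoleNames.ContainsKey($roleId)) {
        $findings += "Guest user access: unrecognized guestUserRoleId '$roleId'."
    }

    # 'adminsAndGuestInviters' is the portal option "Only users assigned to specific
    # admin roles can invite guest users"; 'none' is stricter still.
    if ($Policy.AllowInvitesFrom -notin @("adminsAndGuestInviters", "none")) {
        $findings += "Guest invite settings: '$($Policy.AllowInvitesFrom)' lets users " +
                     "outside the Guest Inviter role invite guests."
    }

    [pscustomobject]@{
        GuestAccess      = $GuestRoleNames[$roleId]
        AllowInvitesFrom = $Policy.AllowInvitesFrom
        Compliant        = ($findings.Count -eq 0)
        Findings         = $findings
    }
}

# Constructed sample input (not real tenant data): most inclusive guest access, open invitations
$sample = [pscustomobject]@{
    GuestUserRoleId  = "a0b1b346-4d3e-4e8b-98f8-753987be4970"
    AllowInvitesFrom = "everyone"
}
Test-GuestPosture -Policy $sample | Format-List
```

Run against the constructed sample, the result has Compliant set to False and two findings, one for each setting.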

3. Restricting Guest Access for Specific Teams Using Microsoft Graph PowerShell
Some organizations may need to restrict guest access for specific Microsoft Teams groups. You can use Microsoft Graph Beta PowerShell to disable or enable guest access at the group level.
Steps:
- Open PowerShell as an administrator.
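- Run the following commands, replacing <TeamGroupName> with your team’s name:

```powershell
# Sign in with permission to write directory (group) settings
Connect-MgGraph -Scopes "Directory.ReadWrite.All"

$GroupName = "<TeamGroupName>"

# Look up the settings template that controls guest membership for Microsoft 365 groups
$templateId = (Get-MgBetaDirectorySettingTemplate | Where-Object { $_.DisplayName -eq "group.unified.guest" }).Id
$groupID = (Get-MgBetaGroup -Filter "DisplayName eq '$GroupName'").Id

# AllowToAddGuests = "false" blocks adding guests to this group
$params = @{
    templateId = "$templateId"
    values = @(
        @{
            name = "AllowToAddGuests"
            value = "false"
        }
    )
}

New-MgBetaGroupSetting -GroupId $groupID -BodyParameter $params
```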
To re-enable guest access, change false to true.
Why this matters:
This approach gives administrators fine-grained control over which Teams can include guests — ideal for highly confidential projects or regulated environments.
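A repeatable version of the commands above, as an added example that is not part of the original page. It covers two cases the one-off commands do not: a display name that matches zero or several groups, and a group that already has a group.unified.guest setting, which has to be updated rather than created a second time. The function name Set-GroupGuestAccess is hypothetical; the example assumes the Microsoft.Graph.Beta.Groups and Microsoft.Graph.Beta.Identity.DirectoryManagement modules are installed.

```powershell
# Added example: set AllowToAddGuests on one group, whether or not a setting already exists.
function Set-GroupGuestAccess {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [bool]   $AllowGuests
    )

    # Double any single quote so the name cannot break the OData filter
    $escaped = $GroupName -replace "'", "''"
    $groups = @(Get-MgBetaGroup -Filter "displayName eq '$escaped'")
    if ($groups.Count -ne 1) {
        throw "Expected exactly one group named '$GroupName', found $($groups.Count)."
    }
    $groupId = $groups[0].Id

    $templateId = (Get-MgBetaDirectorySettingTemplate |
        Where-Object { $_.DisplayName -eq "group.unified.guest" }).Id
    if (-not $templateId) { throw "Template 'group.unified.guest' not found." }

    $values = @(@{ name = "AllowToAddGuests"; value = "$AllowGuests".ToLower() })

    # New-MgBetaGroupSetting fails if the group already has a setting from this
    # template, so update the existing object when there is one.
    $existing = Get-MgBetaGroupSetting -GroupId $groupId |
        Where-Object { $_.TemplateId -eq $templateId }
    if ($existing) {
        Update-MgBetaGroupSetting -GroupId $groupId -DirectorySettingId $existing.Id `
            -BodyParameter @{ values = $values }
    } else {
        New-MgBetaGroupSetting -GroupId $groupId `
            -BodyParameter @{ templateId = "$templateId"; values = $values }
    }

    # Read the value back so the change is confirmed rather than assumed
    (Get-MgBetaGroupSetting -GroupId $groupId |
        Where-Object { $_.TemplateId -eq $templateId }).Values |
        Where-Object { $_.Name -eq "AllowToAddGuests" }
}

Connect-MgGraph -Scopes "Directory.ReadWrite.All"
Set-GroupGuestAccess -GroupName "<TeamGroupName>" -AllowGuests $false
```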
4. Using Sensitivity Labels to Control Guest Access
Sensitivity labels (created in Microsoft Purview) allow administrators to automatically enforce guest access policies based on the classification of a team or group. For instance, teams labeled “Confidential” can automatically block guest access, while “Public” teams can allow it.
Steps to Create and Apply a Sensitivity Label:
- Go to Microsoft Purview → https://purview.microsoft.com.
- Select Information protection → Sensitivity labels → Create a label.
- Enter a name (e.g., Restricted) and a description explaining the label’s purpose (e.g., Applies guest user restrictions for groups).
- Set the scope to Groups & sites only.
- Under Groups & sites settings, you can configure:
  - Privacy and external user access: Choose whether group owners can add guests.
  - External sharing and Conditional Access: Define if and how content can be shared externally.
  - Private Teams & shared channel settings: Control discoverability and sharing limitations.
- Configure the following based on your requirements:
  - Privacy: Choose between Public or Private teams.
  - External user access: Uncheck this option to block guests.
  - External sharing: Limit sharing to internal users only.
  - Conditional Access: Apply policies to enforce MFA or device compliance.
  - Shared channel settings: Allow internal collaboration only.
- Review your configuration and select Create label.
- Publish the label as part of a label policy in Microsoft Purview.
Once published, users can select this label when creating new teams or groups in Microsoft Teams. The assigned label will automatically apply the configured guest access rules.
Example:
A “Confidential” label might block external sharing entirely, while a “Project Collaboration” label might allow limited guest access with MFA enforced.
5. Removing Guest Users from Teams and Microsoft Entra ID
Over time, guest users may need to be removed due to project completion or access review policies.
Removing a Guest from a Team
- In Microsoft Teams, open the desired team.
- Select the ellipsis (⋯) → Manage team.
- Under Members, expand Members and guests.
- Locate the guest user and select X to remove them.
This removes the user’s access to that team immediately.
Note: Removing a guest from a team does not delete their account from Entra ID.
Removing a Guest from Microsoft Entra ID
- Go to the Microsoft Entra admin center → Users → All users.
- Filter by User type: Guest to see all external accounts.
- Select the guest you want to remove.
- Click Delete → OK to confirm.
Removing a guest from Entra ID revokes access to all Teams, SharePoint, and other shared resources across Microsoft 365.
6. Best Practices for Managing Guest Access
✅ Use Entra ID as the control hub. Manage all external collaboration policies here for consistency.
✅ Restrict invitations. Assign the Guest Inviter role only to trained personnel.
✅ Apply sensitivity labels. Automate restrictions and enforce compliance through Microsoft Purview.
✅ Monitor guest activity. Regularly review access through Access Reviews in Entra ID or Microsoft 365 Audit Logs.
✅ Remove inactive guests. Apply lifecycle policies or scheduled reviews to clean up unused accounts.
✅ Combine with Conditional Access. Enforce MFA and compliant device requirements for all guests.
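To support the "Filter by User type: Guest" step in section 5 and the "Remove inactive guests" practice above, the following added example (not part of the original page) builds a review list of guests whose last sign-in, or invitation date if they never signed in, is older than a cutoff. The function name Get-StaleGuest, the 90-day default and the sample accounts are assumptions made for the example; it only reports and deletes nothing.

```powershell
# Added example: list guest accounts that look inactive, for review before removal.
# Live input (assumes Microsoft.Graph.Users; signInActivity needs AuditLog.Read.All):
#   Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All"
#   $users = Get-MgUser -All -Filter "userType eq 'Guest'" `
#       -Property "displayName,userPrincipalName,userType,createdDateTime,signInActivity"

function Get-StaleGuest {
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        [int]      $InactiveDays = 90,          # assumed review threshold
        [datetime] $Now = (Get-Date)
    )
    $cutoff = $Now.AddDays(-$InactiveDays)

    foreach ($u in $Users | Where-Object { $_.UserType -eq "Guest" }) {
        $last = $u.SignInActivity.LastSignInDateTime
        # Never signed in: measure from creation so fresh invitations are not flagged
        $reference = if ($last) { $last } else { $u.CreatedDateTime }
        if ($reference -ge $cutoff) { continue }

        $reason = if ($last) { "No sign-in for more than $InactiveDays days" }
                  else       { "Invitation never used" }
        [pscustomobject]@{
            DisplayName       = $u.DisplayName
            UserPrincipalName = $u.UserPrincipalName
            LastSignIn        = $last
            Reason            = $reason
        }
    }
}

# Constructed sample accounts (not real tenant data)
$now = [datetime]"2025-06-01"
$sampleUsers = @(
    [pscustomobject]@{ DisplayName = "Active Guest"; UserPrincipalName = "active_example.com#EXT#@contoso.example"
        UserType = "Guest"; CreatedDateTime = [datetime]"2024-01-10"
        SignInActivity = [pscustomobject]@{ LastSignInDateTime = [datetime]"2025-05-20" } }
    [pscustomobject]@{ DisplayName = "Dormant Guest"; UserPrincipalName = "dormant_example.com#EXT#@contoso.example"
        UserType = "Guest"; CreatedDateTime = [datetime]"2023-03-01"
        SignInActivity = [pscustomobject]@{ LastSignInDateTime = [datetime]"2024-11-02" } }
    [pscustomobject]@{ DisplayName = "Unused Invite"; UserPrincipalName = "unused_example.com#EXT#@contoso.example"
        UserType = "Guest"; CreatedDateTime = [datetime]"2024-12-15"; SignInActivity = $null }
    [pscustomobject]@{ DisplayName = "Internal User"; UserPrincipalName = "member@contoso.example"
        UserType = "Member"; CreatedDateTime = [datetime]"2020-01-01"; SignInActivity = $null }
)
Get-StaleGuest -Users $sampleUsers -Now $now | Format-Table -AutoSize
```

With the constructed sample and the fixed date, the output lists Dormant Guest and Unused Invite; the active guest and the internal member are left out.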
Summary
Configuring guest access in the Microsoft Entra admin center allows organizations to securely collaborate with external users while maintaining control over their data. From defining directory-level permissions and restricting invitations to applying sensitivity labels and automating reviews, Entra ID provides all the tools necessary to protect information in a modern collaborative environment.
By combining Entra ID, Microsoft Teams, SharePoint, and Purview sensitivity labels, administrators can create a unified security model that balances accessibility with compliance — ensuring that every guest’s access aligns with your organization’s data protection policies.

