
New Expiring Access Policy to Control Guest Access to SharePoint Online Sites


SharePoint Sharing Involved Only – Not Microsoft 365 Groups

Sometimes Microsoft publishes text in message center notifications that is, to be blunt, misleading. Such is the case for MC220791 published August 21, 2020, updated May 7, 2021 (Microsoft 365 Roadmap item 43797). You can see from the dates that this change has been bubbling up for a long time. It is now available in Office 365 tenants, and it’s a good change because it allows organizations to control how long people outside their tenant can access content in SharePoint Online sites and OneDrive for Business accounts after gaining that access. In other words, you can cut off everlasting access.

Explaining the Guest Expiration Policy

Here’s how Microsoft explains the change:

“In order to better manage sharing, tenant admins will be able to create a policy to revoke guest access to SPO sites and individual OneDrives after a defined period of time. With this policy, you can limit guest user access; thus guests who are no longer active partners will not retain indefinite access to documents and files.

  • This policy is not retroactive; it does not apply to guests who already have access to sites, documents and files.
  • The policy applies to a user’s access to a given SPO site or individual OneDrive. When the access period reaches your policy threshold, such as 10 days, then the guest loses access to all content in that site. Guest access expires on a site-by-site basis, determined by when the guest was granted access to each site, whether that is an SPO site or an individual OneDrive.
  • After a guest loses access to a site, any user with the ability to share content externally can re-invite the guest to each document or item as needed.”

The first thing that came into my head after reading MC220791 was “what about guest access to SharePoint Online files gained through membership of Microsoft 365 groups and teams?”

The only documentation I could find said:

“Guest membership applies at the Microsoft 365 group level, therefore guests who have permission to view a SharePoint site or use a sharing link may also have access to a Microsoft Teams team or security group. Therefore, when SharePoint site or sharing link access expires, some guest users may still have access to a Team or security group elsewhere.

The guest expiration policy only applies to guests who use sharing links or guests who have direct permissions to a SharePoint site after the guest policy is enabled. The guest policy does not apply to guest users that have pre-existing permissions or access through a sharing link before the guest expiration policy is applied.

Guest user expiration policy applies to guest users only. Standard user expiration can be set manually on any user in a site collection, and any user with an expiration value will be removed when the expiration passes unless they are site admins, in which case the expiration will be deferred until they are no longer site admins, or expiration value is cleared for them.”

The text isn’t very clear, but it can be read to imply that guest members of group-enabled SharePoint Online sites are affected by the guest expiration policy. Thankfully, the policy is not retrospective, but if guest members of groups and teams are within scope, the implementation of a guest expiration policy for a tenant could have an unexpected side-effect.

No Effect on Microsoft 365 Groups and Teams

I checked with Microsoft, and they confirmed that the guest expiration policy has no effect on guests belonging to Microsoft 365 groups and teams. The policy is directed solely at:

  • Sharing links created to allow guest access to documents, folders, and lists.
  • Changes made to SharePoint group membership for a site (not Microsoft 365 group membership).
  • Direct permission changes made to allow access to content for guest users.

If your usage of SharePoint Online is mainly for document management for Microsoft 365 groups and teams, you probably never update the SharePoint group membership for a site or add a direct permission for a guest, so sharing links might be the only element affected if the tenant implements a guest expiration policy.

Implementing Guest Expiration for SharePoint Online Sites

As is usual for SharePoint Online settings, the guest expiration policy comes as a tenant-wide setting which can be overridden on a site-by-site basis. To create the tenant-wide policy, go to the Policies section of the SharePoint Online admin center, select Sharing, and open More external sharing settings. You’ll then see the option “Guest access to a site or OneDrive will expire automatically after this many days.” To enable the policy, set the checkbox and select an expiration period of between 30 and 730 days.

Figure 1: Configuring the tenant-wide guest expiration policy for SharePoint Online and OneDrive for Business

The new policy applies to any new sharing links, group changes, or direct permissions made afterwards. You can also use PowerShell to control the policy. This command sets the policy for a 60-day period:

Make sure that you download and use the latest version of the SharePoint Online management module from the PowerShell gallery. At the time of writing, the latest version is 16.0.21411.12000, which is what I used for testing.

Site-Specific Expiration Settings

Global and SharePoint administrators can change the policy for an individual site through the SharePoint Online admin center (select the site and update its policy settings as shown in Figure 2). The guest expiration settings only appear if the sharing setting for the site allows external sharing.

Figure 2: Configuring the guest expiration policy for a specific SharePoint Online site

Alternatively, you can use PowerShell to apply a site-specific guest expiration setting. This command updates a site to set the maximum expiration period:

During testing, I noted that the SharePoint admin center and individual site settings sometimes didn’t synchronize after making changes with PowerShell. This is likely to be due to cached data. Things will settle down eventually and all components will agree about the expiration period.
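The tenant-wide command and the site-specific command referred to above did not survive in this copy of the post, so the following is an added example (not the original post’s commands) showing how both settings are applied and read back with the SharePoint Online management module. The admin center URL and the site URL are placeholders for your own tenant; the cmdlets and parameters are the module’s documented ones.

```powershell
# Added example: tenant-wide guest expiration policy, then a per-site override,
# each followed by a read-back so you can confirm what the service actually stored.
# Assumes the SharePoint Online management module is installed and that the two
# URLs below are replaced with your tenant's admin URL and a real site URL.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder admin URL

# Tenant-wide: require guest expiration and set it to 60 days (allowed range is 30-730).
Set-SPOTenant -ExternalUserExpirationRequired $true -ExternalUserExpireInDays 60

# Read the tenant setting back.
Get-SPOTenant | Select-Object ExternalUserExpirationRequired, ExternalUserExpireInDays

# Site-specific: override the tenant policy for one site and use the maximum of 730 days.
$SiteUrl = "https://contoso.sharepoint.com/sites/Projects"           # placeholder site URL
Set-SPOSite -Identity $SiteUrl `
    -OverrideTenantExternalUserExpirationPolicy $true `
    -ExternalUserExpirationInDays 730

# Read the site setting back. As the text notes, the admin center may lag behind
# this value for a while because of cached data.
Get-SPOSite -Identity $SiteUrl -Detailed |
    Select-Object Url, OverrideTenantExternalUserExpirationPolicy, ExternalUserExpirationInDays

# To return the site to the tenant-wide policy, clear the override:
# Set-SPOSite -Identity $SiteUrl -OverrideTenantExternalUserExpirationPolicy $false
```

Run the read-back commands again after a few minutes if the values do not immediately match what you set; the stored setting, not the admin center page, is what governs new sharing links created after the change.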

Changes made to apply guest expiration at the tenant or site levels apply only to new sharing after the policy becomes effective. Sharing expiration never applies to tenant accounts.

What Site Administrators Do

Site administrators cannot change the tenant-wide guest expiration settings and are limited to managing the extension or removal of access for guests, accessed through Site permissions and then Guest expiration. If a previous tenant-wide policy was in place which might have affected guest access, you’ll see a warning to that effect (Figure 3). A site administrator can extend guest access at any time up to the point it expires. Once expiration happens, it happens, and the guest will need a new permission to access whatever content you want to share with them.

Figure 3: Where you manage guest expiration for a site

Value Depends on Your Perspective

If you’re used to traditional SharePoint and operate sites for more than Microsoft 365 groups and teams, you’ll probably find value in the guest expiration policy. It’s certainly something worth considering in a data governance strategy. But if SharePoint Online activity in your tenant is driven by Microsoft 365 groups and teams, then guest access to information remains unaffected by this policy and you can probably ignore it or go ahead and set a long expiration period (like 730 days) for the tenant. Which is what I ended up doing.

Source Practical365

Chioma Ugochukwu