Working with clients and contractors safely — guest access and external sharing in Microsoft 365
Microsoft 365 makes it easy to invite outsiders into Teams and share files externally. That's useful. But left on default settings, it can also leave your data wider open than you realise.
Working with people outside your business — clients, contractors, accountants, designers — is just part of running a business. Microsoft 365 makes this easy: you can invite someone into a Teams channel, share a SharePoint folder, or send a OneDrive link in about thirty seconds.
That convenience is genuinely useful. It also comes with settings that, left on defaults, can quietly expose more than you intend.
What 'guest access' actually means
When you invite someone external into Microsoft Teams or SharePoint, Microsoft 365 creates what's called a guest account for them in your directory. They get access to whatever you share — a channel, a folder, a site — and they can participate like a partial team member.
The guest relationship continues until someone removes it. If you brought in a freelance designer for a website project, finished six months ago, and nobody removed their access, they can probably still log into your Teams and see the channels they were in.
Multiply that by every contractor, vendor, and client who's ever been invited, and the picture gets complicated quickly.
The default is: anyone on your team can invite guests
In most Microsoft 365 tenants (a 'tenant' is your business's Microsoft account), any employee can invite an outside guest. They don't need to ask an administrator; they just click 'invite' in Teams or share a folder in SharePoint.
That's convenient when a colleague needs to loop in a vendor at 4pm on a Friday. It's also a risk if an employee account gets compromised — an attacker who takes over that account can quietly invite another external account they control, giving themselves access to your files without needing to break in a second time.
One change worth making: restrict guest invitations to administrators, or at least a small group of trusted people. It adds a light layer of friction that catches careless sharing and gives you a record of who's been invited.
'Anyone with the link' links
Microsoft 365 lets you create sharing links in two broad flavours. One requires the recipient to sign in with a verified account — their own Microsoft account, or a one-time passcode sent to their email. The other — called an 'anyone with the link' link — works for literally anyone who has the URL, no sign-in required.
The 'anyone' link is tempting because it's frictionless: you paste it in an email, the client clicks it, done. The problem is that link doesn't expire by default, and you can't easily revoke it once it's been forwarded. A file you shared with a client in 2024 might still be accessible to anyone who has that URL — and you have no way of knowing who that is.
Practical guardrail: configure your tenant so that sharing links default to requiring sign-in, and set an expiry on links when they're created. You can still create 'anyone' links when you genuinely need to — but it should be a deliberate choice, not the default.
Old guest access that nobody removed
This is the most common problem in small business tenants, and the most overlooked. Guests accumulate. A project ends, the contractor moves on, and the access stays — sometimes for years.
Reviewing and cleaning up guest access is not exciting work, but it's worth doing on a schedule. Quarterly is usually enough for a small team.
The review can be simple: look at the list of external guests in your Microsoft 365 admin centre, check when each one last signed in, and remove anyone who's clearly no longer active. Microsoft 365 does have a feature called access reviews that can automate some of this, depending on your subscription level.
Know what you're actually sharing
Files shared externally can end up being more sensitive than whoever shared them realised. A folder shared with a contractor might contain subfolders they were never meant to see. A 'here's the project folder' link might give read access to the entire SharePoint site.
Before sharing, it's worth spending thirty seconds checking: what exactly is this link giving access to? Just this file, or everything up the tree? Microsoft 365 will tell you — the sharing dialog shows the scope — but it's easy to miss if you're moving quickly.
The bigger picture
External collaboration is not a security problem — it's a business necessity. The goal isn't to lock everything down; it's to make sure the access you've granted is the access you meant to grant, to people who still need it. A light review habit takes care of most of this.
Tenant Strike checks your Microsoft 365 guest access settings and external sharing configuration in read-only mode — who can invite guests, what link types are allowed, how many guests are in your tenant and when they last signed in. A five-minute scan gives you a plain-English picture of what's open and what to tighten up.
AI-researched from public sources. We label AI-assisted writing — see our trust page.
See your own risk
Want this for your own Microsoft cloud?
Tenant Strike runs 100+ read-only checks across Microsoft 365 and Azure and hands you a plain-English fix for every gap. Start a 7-day Pro trial — no credit card.