Skip to main content

Your Tenant Has Two Doors for Guests. Most Admins Only Watch One.

Nick Ross5 min read

TL;DR

  • Guest users enter a Microsoft 365 tenant two ways: deliberate invitations through Entra or Teams, and automatic identity creation triggered by everyday SharePoint and OneDrive file shares.
  • Default Entra settings let regular members, non-admins, and even existing guests invite new guests without any IT approval.
  • When SharePoint B2B integration is enabled, sharing a file externally silently creates a guest identity in Entra with no admin approval, no owner, and no expiration.
  • As of March 2026 the SharePoint B2B integration setting is not visible in any admin portal and must be checked with PowerShell.
  • In a guest-related incident, the question is rarely whether sharing was enabled; it is why that person still had access years later.

Ask an administrator how guest users get created in their tenant and the answer comes fast: someone sends an invite.

That answer explains maybe half the guest accounts in most Microsoft 365 environments. The other half arrived through a quieter mechanism that IT never directly approved, and the difference between the two paths comes down to a single tenant setting most admins have never checked.

Guest access itself is one of the best collaboration features in Microsoft 365. It lets organizations work with vendors, consultants, customers, and partners without creating full internal accounts. The problem is not that guests exist. The problem is that they do not all arrive with the same level of intent, visibility, or oversight. This post walks through both creation paths, why tenants accumulate hundreds or thousands of guests over time, and the SharePoint B2B integration setting that changes how guest identities get made.

We see this constantly in the field. CloudCapsule automates the discovery, monitoring, and reporting of all guest users and guest settings in a tenant, and a 60-second assessment is usually enough to surprise whoever thought the front door was the only door.

CloudCapsule guest user monitoring and reporting dashboard

The front door: deliberate invitations through Entra

Start with the path everyone expects. Your company engages a managed service provider, a security consultant, or an outsourced accounting firm, and the partner needs more than a single file: a Teams workspace, a SharePoint site, maybe a line-of-business application.

The structured way to grant that is inviting the guest directly into Microsoft Entra. Someone with appropriate permissions adds the external user as a guest, then assigns them to a group, and the group grants access to applications, SharePoint sites, Teams workspaces, or other resources.

This process is deliberate and auditable. Look at the account in Entra and its purpose is obvious: that user represents the accounting vendor, and their presence maps to a specific collaboration. This is the front door, and it works the way governance is supposed to work.

Who can open the door? By default, almost everyone

Before looking at the second path, check who is allowed to use the first one. In many Microsoft 365 tenants, the default configuration is far looser than admins assume.

You can see the configuration in Microsoft Entra under the guest invitation restrictions setting.

Guest invite restriction settings in Microsoft Entra

In many environments the defaults allow:

  • Members to invite guests
  • Non-admins to invite guests
  • Even existing guest users to invite additional guests

Guest creation is not an admin privilege in these tenants. Any regular user can bring in external collaborators without IT approval. Convenient for collaboration, and exactly how tenants end up with guest sprawl.

One more default worth knowing: a guest can enumerate every user in the tenant. That is a serious security concern. Attackers have breached guest accounts and used tools like GraphRunner to enumerate the entire directory, which is reconnaissance for lateral movement.

Watch it happen in Teams

A team owner wants to collaborate with someone outside the organization, so they add the external email address as a member of the team.

Adding an external user as a member of a Microsoft Team

The external user gets an email saying they have been added. When they accept, Microsoft creates a guest account in the tenant directory. The user signs in, completes onboarding (which may include setting up multi-factor authentication for the tenant they are accessing), and a guest identity appears in Microsoft Entra, typically with an invitation type of external Azure AD invitation.

Guest identity created in Microsoft Entra after a Teams invitation

No administrator approved anything. The team owner created a directory identity by inviting someone to a team, and in many environments those identities stay active long after the original collaboration ends.

The side door: a file share that mints an identity

Now the path that surprises organizations. Picture three ordinary moments:

  • HR works with a recruiter.
  • Legal reviews a contract with an external attorney.
  • Finance sends a spreadsheet to an external auditor.

In each one, a user clicks Share in SharePoint, Teams, or OneDrive and types an external email address.

Sharing a document externally from SharePoint

The recipient gets the link and signs in to open the document. Behind the scenes, something bigger may have happened: a guest identity may have been created automatically in Microsoft Entra. That person is now part of your tenant's identity inventory, and IT never invited them.

This is the moment organizations ask "how did that person get access?" and "why do we have so many external users?" The answer is usually SharePoint B2B integration.

The setting that decides: SharePoint B2B integration

SharePoint does more than share files. It can talk directly to Microsoft Entra and create identities when external sharing occurs, and whether it does depends on the tenant-level SharePoint B2B integration setting.

When the integration is enabled, SharePoint automatically creates guest users in Entra as part of the sharing experience. No admin approval, no group membership, nothing. Excellent for collaboration, but it means guest accounts can exist with:

  • No clear owner
  • No group assignment
  • No expiration policy

Over time, that is how tenants accumulate hundreds or thousands of guests created by everyday work. Microsoft documents the sharing behavior in Secure external sharing in SharePoint (opens in new tab).

Check the setting with PowerShell

As of March 2026 this setting is not visible in any graphical admin portal. You have to check it from the SharePoint Online Management Shell, per Microsoft's documentation on Entra B2B integration for SharePoint and OneDrive (opens in new tab):

powershell
Connect-SPOService -Url https://yourtenant-admin.sharepoint.com
Get-SPOTenant | Select-Object EnableAzureADB2BIntegration

# To change it:
Set-SPOTenant -EnableAzureADB2BIntegration $false   # or $true

The value determines which experience external recipients get:

  • False: SharePoint uses a verification code flow for external users, and no guest identity is created in Entra.
  • True: SharePoint creates a guest user in Microsoft Entra when external sharing occurs.

What the code flow looks like (B2B disabled, no guest created)

External recipient receiving a one-time verification code
Entering the verification code to access the shared document

What the sign-in flow looks like (B2B enabled, guest created in Entra)

External recipient signing in with their own identity
Guest account created in Entra through the B2B sign-in flow

Once the sign-in flow completes, the user exists in your directory and can be granted access to additional resources. It is the same type of identity that a direct Teams invitation would have created, just minted by a file share.

The questions that matter more than the settings

None of this argues for killing guest collaboration. External collaboration is essential for modern businesses. It argues for being able to answer three questions:

  1. Who is allowed to create guest users?
  2. Which Microsoft 365 services can create them automatically?
  3. Are guest accounts reviewed and removed when they are no longer needed?

When a security incident involves a guest account, the question is rarely whether external sharing was enabled. It is why that person still had access years later. Regular access reviews and guest lifecycle management are what keep external collaboration secure.

Frequently asked questions

Should we disable guest access entirely?

No. External collaboration is essential for modern businesses. The goal is knowing who can create guests, which services create them automatically, and whether stale guests get reviewed and removed.

What is the difference between the code flow and the sign-in flow for external sharing?

With SharePoint B2B integration set to False, external recipients use a one-time verification code and no guest identity is created in Entra. Set to True, SharePoint creates a real guest user in the directory as part of the sharing experience.

Why are dormant guest accounts dangerous?

By default a guest can enumerate every user in the tenant. Attackers who compromise a guest account have used tools like GraphRunner to do exactly that, mapping the directory for lateral movement.

Find every guest you never invited

CloudCapsule automatically discovers, monitors, and reports on guest users and guest settings across every tenant you manage. One 60-second assessment shows you the accounts, the settings that created them, and the drift since last quarter.

Run a free scan
Nick Ross

Written by

Nick Ross

CEO · Microsoft MVP · Founder, T-Minus 365

Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.

Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.

Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.

Keep reading