
Microsoft 365 Guide To Zero Trust External Collaboration

Microsoft 365 makes it easy to collaborate with external users without needing an extra subscription. However, the standard settings may not be enough to protect your organisation. See how you can enable Zero Trust external collaboration to enhance your data security and integrity. 

Productivity tools like Microsoft 365 enable organisations to improve efficiency by streamlining how they store, share and consume data while collaborating with external users. Since threat actors have enhanced their attacks, organisations must implement Zero Trust external collaboration to protect their cloud. 

Data integrity, security and availability are essential for maintaining a competitive edge and keeping up with regulations. Therefore, organisations must stop relying on standard security policies and start customising them to suit their business needs. Security features like Zero Trust external collaboration and MFA add an additional security layer that verifies users before granting access. 

If your organisation lacks the expertise, you can contact our Microsoft 365 consultants to set up Zero Trust to secure external collaboration. 

How to Have Safe External Collaboration 

Organisations that use Microsoft 365 to increase productivity can collaborate with people outside their organisation without purchasing a separate subscription. Even though Microsoft includes standard security policies, you still need Zero Trust external collaboration to keep your cloud safe. 

Guest users do not have the same access privileges to your organisation’s resources as regular users unless you allow them. Let’s see the two safe external collaboration options you can consider. 

External Sharing 

You can allow your guest users to share content with others who may or may not be part of your organisation. The external sharing feature permits users to share individual files or complete libraries. External sharing is the better fit when you are working on a one-off project and do not need to maintain ongoing communication through chat. 

Guest users can share content either as anonymous guest links or as links that require sign-in. Microsoft enables external sharing by default, but administrators can disable it from the admin centre under service settings. 

External Access

You can allow guest users to find, contact and plan meetings with your regular users to work on different projects. External access is the right choice when you only want to communicate with external users, without granting them access to your content or your Microsoft 365 subscription. 

Microsoft also enables external access by default, but you can allow or block domains from the admin centre. Allowing specific external domains blocks all others, and blocking specific domains allows all others. External access is not controlled at the individual user level; you restrict it only by allowing or blocking domains. 

Policy Considerations for External Collaboration in Microsoft 365 

Even though Microsoft offers extensive security services and allows organisations to add guest users to their Microsoft 365 subscription, organisations still need to design a stringent security policy to protect themselves. Many aspects need to be considered when designing a security policy; here are some of the most critical. 

Who Should Be Invited as a Guest? 

Start by assessing the agility, regulatory requirements and data sensitivity of your users’ work environment. Once you work with your users daily, build a whitelist or blacklist of familiar collaborators. You can then implement a “no one except” policy for users on the whitelist and an “everyone except” policy for users on the blacklist. 

Should the Guests have Access to the Organisational Directory? 

Ideally, guest users should not have access to the organisational directory, because they could look up sensitive information without needing authorisation from the administrators. Limiting their access to a particular team is therefore the best option for ensuring data security and integrity. 

Who Should Have the Right to Add New Guests?

Organisations need a formal process for adding guests to a Microsoft 365 workspace. Under Zero Trust external collaboration, only a team member with the native Microsoft 365 permissions to do so can add external users, and that team member needs to be an IT admin or an owner of the team. 

Is It Essential to Implement MFA for Guest Users?

Multi-factor authentication adds an additional security layer to your organisation’s network: the guest user must present another authentication factor before they are allowed on the network. An MFA policy commonly includes a code sent to the guest user’s email address or registered mobile number. 

How to Offboard Guest Users? 

After an organisation concludes its arrangement with a guest user, it should offboard them immediately. The admin needs to remove them from Azure AD, because stale guest accounts can introduce vulnerabilities into your cloud infrastructure. Offboarding guests is a manual task, as Microsoft 365 does not give users an automated method to offboard guests. 
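The review step that precedes offboarding can be scripted. The following is an added example, not code from the original article: it uses the Microsoft Graph PowerShell SDK to list guest accounts that have not signed in (or, if they never signed in, were not invited) within a configurable number of days, and disables them only when the -Disable switch is given. It assumes the Microsoft.Graph module is installed, that the signed-in admin holds the listed scopes, and that the tenant is licensed for sign-in activity reporting.

```powershell
# Added example: find stale guest accounts for offboarding review (report-only unless -Disable is passed).
# Assumes Microsoft.Graph PowerShell SDK v2 and an admin who can consent to the scopes below.
param(
    [int]$StaleDays = 90,
    [switch]$Disable
)

Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All", "User.ReadWrite.All" -NoWelcome

$cutoff = (Get-Date).ToUniversalTime().AddDays(-$StaleDays)

# Pull every guest with the properties needed to judge staleness.
$guests = Get-MgUser -All -Filter "userType eq 'Guest'" `
    -Property "id,displayName,mail,createdDateTime,externalUserState,accountEnabled,signInActivity"

$stale = foreach ($g in $guests) {
    $lastSignIn = $g.SignInActivity.LastSignInDateTime
    # A guest that never signed in is judged by its invitation date instead.
    $lastSeen = if ($lastSignIn) { $lastSignIn } else { $g.CreatedDateTime }
    if ($lastSeen -lt $cutoff) {
        [pscustomobject]@{
            DisplayName = $g.DisplayName
            Mail        = $g.Mail
            State       = $g.ExternalUserState   # PendingAcceptance = invited but never redeemed
            LastSeenUtc = $lastSeen
            Enabled     = $g.AccountEnabled
            Id          = $g.Id
        }
    }
}

# Hand the list to the team owners for confirmation before anything is removed.
$stale | Sort-Object LastSeenUtc | Format-Table -AutoSize

if ($Disable) {
    foreach ($s in $stale | Where-Object Enabled) {
        # Disable first; delete with Remove-MgUser only after the owner confirms the account is no longer needed.
        Update-MgUser -UserId $s.Id -AccountEnabled:$false
        Write-Host "Disabled stale guest $($s.Mail)"
    }
}
```

Run it without -Disable on a schedule to produce the review list, and with -Disable only after the owners have confirmed it.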

What Is Zero Trust External Collaboration 

Zero Trust is a collection of guidelines you can use to secure your IT infrastructure and cloud services. It rests on three main principles: verify explicitly, use least privilege access, and assume breach. A Zero Trust external collaboration framework applies these principles to guide you towards a safer cloud experience. 

To deploy Zero Trust infrastructure, you need to: 

  • Define your organisation’s information protection features. 
  • Map these features into your project’s timeline. 
  • Review Microsoft’s product roadmap to align these features with your protection policies. 

Zero Trust external collaboration uses six pillars to create a secure service on Microsoft 365 solutions, which are: 

  1. Identity
    Identity is how Microsoft 365 establishes who is asking: every user or bot is authenticated against its directory before the system trusts it as a secure entity that can use the service. If you add users from outside your organisation, you should enforce security policies like Multi-Factor Authentication.
    Even if the access request comes from within the organisation, you should explicitly verify the user and the device before granting access. Apply the least privilege access principle to limit access to other teams within the organisation, and run access reviews to remove people who no longer need to be in a team.
  2. Device
    Identifying devices is essential to provide fully native client access to Microsoft 365. If the employee uses an unmanaged device, the system should not allow them to access the services to their full extent. Using device IDs to restrict user access reduces the risk of data leaks and allows better data management. 
  3. Applications
    Microsoft 365 services are used through native clients and browser-based clients. You need a managed device to use a native Microsoft client. The browser-based client can be used more freely and is as capable as a native application. 
  4. Infrastructure
    Microsoft 365 services like Teams leverage Exchange Online, SharePoint, and Planner to build a centralised infrastructure. Therefore, you should consider every aspect of the infrastructure when hardening your security for Microsoft 365 services. 
  5. Networking
    Since most Microsoft 365 services are SaaS applications, users and devices reach the cloud from home and office networks alike, so every access must be verified. The always-verify stance of Zero Trust recognises that a compromised device can sit on the office network even when that network is assumed to be safe.
  6. Data
    Another critical element to consider while increasing your Microsoft 365 security is data. If you classify data according to its sensitivity, you can manage it easily as operations scale. For example, you can organise Teams workspaces accordingly while collaborating on Microsoft Teams.

Microsoft Sensitivity Labels and Zero Trust External Collaboration

Using Microsoft sensitivity labels and Zero Trust, you can protect your data and comply with regulators. Start by creating a data protection strategy that restricts, classifies, labels and encrypts data. Here are the three core elements of an effective data protection strategy: 

  1. Knowing your data
    Adequately protecting data without in-depth knowledge is difficult. Therefore, you need to identify data across your organisation and classify it with a security label. 
  2. Protecting your data and preventing data loss
    You must implement data protection policies to label and encrypt sensitive data stored in the cloud. Policies ensure the cloud only grants access to authorised users, even if the link travels outside the organisation. 
  3. Monitoring and remediating threats
    Your IT team should monitor sensitive data usage to detect policy violations and unusual user behaviour. Early detection makes it easier to revoke access, block users, and improve protection policies. 

With proper understanding, labelling, and classification of sensitive data, organisations can improve their security posture by: 

  • Informing and enforcing policies to block emails, attachments, and documents. 
  • Encrypting files with a sensitivity label on every endpoint. 
  • Classifying content according to labels through policies and machine learning. 
  • Tracking and monitoring sensitive data using security policies and sensitivity labels as users share it with others. 

Tips for Safe Zero Trust External Collaboration 

Microsoft 365 services have numerous features with default settings to provide users with a minimum security posture. However, you can change these settings to personalise your cloud’s security. Here are some tips you can follow for safe Zero Trust external collaboration with your Microsoft cloud. 

Turning External Sharing ON

External sharing is turned off by default, but you can turn it on to allow your team members to share documents daily. Configure external sharing to suit your specific business needs, bearing in mind that any shared resource may reach external guests. 

You can turn on external sharing for your entire SharePoint instance and its integrated services at once. However, you should discuss the state of external sharing with your support team to improve security and decide how to make the most of it. 

Turning Anonymous Sharing Off 

Anonymous users can cause damage to an organisation’s cloud. With anonymous sharing, anyone can gain access to sensitive documents. They can view, edit, and share files with people outside of the organisation with no way to trace the user.

If you turn off anonymous sharing, you maintain the integrity of your data and can track changes to your sensitive files. Without anonymous sharing, users cannot share files with people outside your organisation. You can still direct your support team to allow access for authenticated external users by implementing Zero Trust external sharing. 
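The tenant-level switch behind the External Sharing and anonymous-sharing advice above can be audited and set from the SharePoint Online Management Shell. This is an added example, not code from the original article; it assumes the Microsoft.Online.SharePoint.PowerShell module and a SharePoint administrator account, and "contoso" and "partner.example" are placeholders for your tenant name and an approved partner domain.

```powershell
# Added example: audit SharePoint Online tenant sharing settings, then remove anonymous (Anyone) links
# while keeping authenticated external sharing limited to approved domains.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Record the current state so the change can be reviewed and reverted if needed.
$before = Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    RequireAnonymousLinksExpireInDays, SharingDomainRestrictionMode, SharingAllowedDomainList
$before | Format-List

# Weak setting: ExternalUserAndGuestSharing permits Anyone links that cannot be traced to a user.
if ($before.SharingCapability -eq "ExternalUserAndGuestSharing") {
    Write-Warning "Anonymous (Anyone) links are currently allowed at tenant level."
}

# Hardened settings, applied in one call via splatting.
$hardened = @{
    SharingCapability            = "ExternalUserSharingOnly"  # authenticated external users only, no Anyone links
    DefaultSharingLinkType       = "Direct"                   # new links target specific people by default
    SharingDomainRestrictionMode = "AllowList"                # only listed partner domains can be invited
    SharingAllowedDomainList     = "partner.example"          # space-separated list of approved domains
}
Set-SPOTenant @hardened

# Sites can never be more permissive than the tenant, but sites whose own setting still names Anyone
# links should be aligned so the intent is explicit. List them for the site owners.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" } |
    Select-Object Url, SharingCapability
```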

Educating Users Regarding Safe Sharing 

Training is an ongoing process that may frustrate management, but it is necessary to stay protected in today’s ever-evolving technology landscape. Your team members should be lifelong learners, because the organisation will need to educate them continually on the latest external sharing practices. 

Start by teaching practical habits such as sharing a document with specific users instead of using the “Anyone with the link” option. These small steps reduce your organisation’s overall risk exposure, as your team will avoid facilitating unauthorised access to sensitive data. 

Checking Every Authorised Permission Request

Global admins and SharePoint site owners can share their sites with users outside your organisation. Regardless of their intentions, their communications can be intercepted or forwarded incorrectly, and when that happens, unauthorised individuals can access your sensitive data. 

Since you cannot anticipate every potential threat, start by checking permissions before sharing any document with people inside or outside your organisation. Reviewing every permission request is essential for protecting data; you can task a member of your IT team with double-checking permissions to ensure data security. 

Monitoring the Network for Suspicious Activity 

Zero Trust external collaboration makes it easier for support teams to monitor users as they use cloud resources from the organisation’s network. A Zero Trust solution runs constantly in the background and authorises users as they send requests to access the network. 

A Zero Trust solution can detect abnormal behaviour, contain the threat and then notify the administrators. Because Zero Trust external collaboration does not assume trust, it continuously validates every request before allowing access to cloud resources. 


Organisations struggle with data security when they add numerous guest users to their Microsoft 365 subscription without the appropriate security policies. Zero Trust external collaboration makes adding and monitoring guest users easier as they use the cloud to communicate with regular users: you continuously authenticate and authorise guest user requests before granting access to your sensitive data. 

Still not sure how to implement Zero Trust? Get in touch with our Microsoft 365 Business experts to get started.
