Securing and controlling guest access can be confusing. First, there are the organization-wide settings that control guest access at the tenant level. Below that, Microsoft Teams, SharePoint, and other apps have further controls that determine access at the workspace level. By default, these settings are enabled. Because of this, it might seem sensible to restrict guest invitations to IT for consistent and controlled management, but that approach has its own downsides.
Similar to the issues discussed in our delegated administration post, having only IT admins add new guest users can create a bottleneck. IT is also generally not as close to the business needs, which makes managing the lifecycle of a guest (when they need to be onboarded and offboarded, and whether they still need access to the information they have been granted) challenging at best. On the other hand, keeping the default controls gives Team owners the ability to invite guest users to their team.
This leaves the decision of who can access what information entirely in their hands, which can lead to inconsistent privileges and oversharing. We find ourselves with a double-edged sword: we want Team owners to have control over who can access and collaborate in their workspace, since they know it best, but we also need to ensure a consistent application of rules and policies around guest access to protect our data. As our zero trust architecture (ZTA) standards say: never trust, always verify.