Frontrow Technology

Free tool · 5 minutes · Microsoft Teams

Teams Guest Access Risk Check

Score your Microsoft Teams external sharing posture across guest invitation, sharing links, lifecycle and sensitivity controls. Aligned to Microsoft's secure-collaboration guidance, the CIS M365 Benchmark and ASD's Information Security Manual.

9 questions · 4 domains

Pick the option closest to your tenant's current configuration.

Domain 1

Guest invitation governance

Who in the organisation can invite guests, what they can invite them to, and how that is gated.

  • Who in your organisation can invite guests to Microsoft 365 and Teams?

    Source: Microsoft Learn: Configure guest invite settings; Entra ID external collaboration settings.

  • Which apps can guests be invited into?

    Source: Microsoft Learn: External identities Conditional Access; Entitlement management.

Domain 2

External sharing links

Anonymous sharing links, link defaults, expiry on links, and the external sharing setting per SharePoint site.

  • Is anonymous (Anyone) sharing enabled tenant-wide?

    Source: Microsoft Learn: SharePoint and OneDrive external sharing; CIS Microsoft 365 Foundations Benchmark.

  • Is external sharing controlled per SharePoint site?

    Source: Microsoft Learn: SharePoint Advanced Management; Site-level sharing controls.

Domain 3

Guest lifecycle and review

Access reviews on guest users, time-limited access via entitlement management, and monitoring of guest activity.

  • Are guest user access reviews configured?

    Source: Microsoft Learn: Entra ID access reviews for guests.

  • Is guest access time-limited via entitlement management?

    Source: Microsoft Learn: Entra ID entitlement management; Access packages.

  • Is guest activity monitored?

    Source: Microsoft Learn: Defender for Cloud Apps activity policies; Microsoft Sentinel.

Domain 4

Sensitivity labels and DLP for external sharing

Sensitivity labels on Teams and sites, DLP policies on external sharing, and cross-tenant access settings.

  • Are sensitivity labels applied to Teams and the underlying SharePoint sites?

    Source: Microsoft Learn: Sensitivity labels for Microsoft 365 Groups, Teams and SharePoint sites.

  • Are cross-tenant access settings configured for inbound and outbound collaboration?

    Source: Microsoft Learn: Cross-tenant access settings overview.

Indicative self-assessment only. For verified results Frontrow Technology runs an in-tenant Teams external sharing audit against the customer's configuration.

What the check covers

Four domains. One external sharing posture.

Domain 1

Guest invitation governance

Microsoft's default lets any user invite a guest. ASD's ISM and Microsoft's secure-collaboration guidance both recommend gating invitation to a defined population, requiring approval workflows, and restricting which apps and Teams a guest can be invited into.

Domain 2

External sharing links

Anonymous (Anyone) links bypass identity checks and frequently end up indexed or forwarded. The recommended baseline restricts sharing to specific people by default, sets link expiry, and uses site-level external sharing controls to block sharing where it isn't needed.

Domain 3

Guest lifecycle and review

Most tenants Frontrow audits have guests who joined years ago and never had access reviewed. Entra ID access reviews and entitlement management provide the lifecycle controls. Without them the guest population grows monotonically and becomes a soft attack surface.
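The lifecycle gap described above can be measured from a guest export. The following is an added example, not Frontrow's tooling or code from the original page: it assumes records shaped like Microsoft Graph user objects (`userType`, `createdDateTime`, `externalUserState`, `signInActivity.lastSignInDateTime`), and the sample users and the 90-day and 30-day thresholds are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample shaped like Microsoft Graph user objects (not real data).
SAMPLE_USERS = [
    {"userPrincipalName": "alice_partner.example#EXT#@contoso.example", "userType": "Guest",
     "createdDateTime": "2021-03-02T01:00:00Z", "externalUserState": "Accepted",
     "signInActivity": {"lastSignInDateTime": "2021-06-10T04:12:00Z"}},
    {"userPrincipalName": "bob_vendor.example#EXT#@contoso.example", "userType": "Guest",
     "createdDateTime": "2024-01-15T00:00:00Z", "externalUserState": "PendingAcceptance",
     "signInActivity": None},
    {"userPrincipalName": "carol_client.example#EXT#@contoso.example", "userType": "Guest",
     "createdDateTime": "2023-11-01T00:00:00Z", "externalUserState": "Accepted",
     "signInActivity": {"lastSignInDateTime": "2024-05-28T09:30:00Z"}},
    {"userPrincipalName": "dave@contoso.example", "userType": "Member",
     "createdDateTime": "2019-01-01T00:00:00Z", "signInActivity": None},
    {"userPrincipalName": "erin_agency.example#EXT#@contoso.example", "userType": "Guest",
     "createdDateTime": "2022-08-20T00:00:00Z", "externalUserState": "Accepted"},
]

def _ts(value):
    """Parse a Graph-style ISO 8601 UTC timestamp; None stays None."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def stale_guests(users, now, inactive_days=90, pending_days=30):
    """Return (upn, reason, age_days) for guests that need a lifecycle decision.
    Thresholds are illustrative assumptions, not values from any benchmark."""
    findings = []
    for u in users:
        if u.get("userType") != "Guest":
            continue  # members are out of scope for a guest review
        created = _ts(u.get("createdDateTime"))
        last = _ts((u.get("signInActivity") or {}).get("lastSignInDateTime"))
        if created is None:
            continue  # cannot age a record without a creation date
        if u.get("externalUserState") == "PendingAcceptance":
            age, reason, limit = (now - created).days, "invitation never redeemed", pending_days
        elif last is None:
            age, reason, limit = (now - created).days, "accepted but never signed in", inactive_days
        else:
            age, reason, limit = (now - last).days, "no recent sign-in", inactive_days
        if age > limit:
            findings.append((u["userPrincipalName"], reason, age))
    return sorted(findings, key=lambda f: f[2], reverse=True)  # longest-stale first

if __name__ == "__main__":
    for upn, reason, age in stale_guests(SAMPLE_USERS, datetime(2024, 6, 1, tzinfo=timezone.utc)):
        print(f"{age:>5}d  {reason:<30} {upn}")
```

A missing `signInActivity` is treated here as "never signed in"; confirm the export actually requested that property before acting on the result.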

Domain 4

Sensitivity labels and DLP for external sharing

Sensitivity labels can restrict the highest-classified Teams and sites from being shared externally at all. DLP policies can prevent specific data types from being shared. Cross-tenant access settings control how Microsoft Entra ID treats sign-ins from partner tenants. Together these are the second-layer controls when invitation and link controls are not enough.

Frequently asked questions

What Australian IT and security teams ask.

What is a guest user in Microsoft 365?

A guest user is an external identity (often someone from a partner organisation, contractor, or customer) who has been invited into the tenant via Entra ID B2B collaboration. Guest users have a presence in the tenant directory but authenticate against their home identity provider. Guests can be added to Teams, SharePoint sites, Microsoft 365 Groups and individual files.

Why is guest access a risk?

Three reasons. First, guests accumulate over time without lifecycle review. Frontrow audits routinely surface guest accounts that joined years ago and are still active. Second, guests can be invited by any member user under default settings, which means access to confidential content can be granted without the data owner's knowledge. Third, guests are often outside the organisation's own MFA and Conditional Access controls unless those policies are explicitly scoped to include them.

What is an anonymous (Anyone) link in SharePoint?

An anonymous link gives access to a file or folder to anyone who has the URL, with no identity check. They are convenient for one-off sharing but bypass identity controls and frequently end up forwarded, indexed or saved beyond the original recipient. The CIS Microsoft 365 Foundations Benchmark and Microsoft's secure-by-default guidance both recommend disabling anonymous links tenant-wide and using specific-people links instead.

What is the cross-tenant access setting?

Cross-tenant access settings in Microsoft Entra ID control how the tenant treats sign-ins from external Entra ID tenants (B2B collaboration). Defaults allow any tenant. Tightening this to an allow-list of partner tenants reduces the risk of unintended external collaboration. The same settings can also configure trust for MFA and compliant device claims from partner tenants.

What does Entra ID entitlement management do?

Entitlement management lets an organisation define access packages — bundles of resources (Teams, sites, apps, groups) that internal or external users can request, with approval workflows, expiry, and access reviews built in. For guest collaboration it provides the lifecycle that ad-hoc invitation does not.

What does ASD say about external sharing?

ASD's Information Security Manual (information sharing controls) requires that information sharing arrangements are documented, reviewed and aligned to the sensitivity of the data. Microsoft's tools (sensitivity labels, site-level external sharing, entitlement management) provide the technical controls. The gap is usually configuration, not capability.

How is this self-assessment validated?

Every scoring threshold cites a primary source: Microsoft Learn for Teams external access, SharePoint sharing, cross-tenant settings and entitlement management; CIS Microsoft 365 Foundations Benchmark; ASD Information Security Manual. Methodology authored by Daniel Brown (5x Microsoft MVP), Graeme Lodge (Managing Director), and Sam Williams (Investor & Executive Consultant).

What does Frontrow's verified Teams guest-access audit include?

A direct review of guest users, sharing links, cross-tenant settings and sensitivity labels via Microsoft Graph (rather than self-reported answers), inventory of high-risk external collaborations, and a remediation plan covering invitation policy, link defaults, lifecycle workflows and sensitivity labelling. Indicative pricing on request.