| Microsoft Entra External ID | Guest directory permissions, who can invite, Guest Inviter assignments, self-service sign-up, external leave, privacy contact, and domain allow/block restrictions. | Teams or SharePoint owners can invite more broadly than governance expects, or domains differ across Entra and SharePoint. | Portal/Graph export, inviter tests, allowed/blocked domain tests, guest properties, redemption, and leave/removal path. |
| Cross-tenant access | Default and partner inbound/outbound B2B collaboration, direct connect, trust claims, synchronization, and tenant restrictions. | A partner-specific allowance or trusted device/MFA claim broadens access beyond the general guest policy. | Tenant IDs, user/group/app scope, allowed/blocked identities, claim results, sync logs, and default inheritance. |
| Microsoft 365 Groups | Whether owners can add guests, guest members can access group content, owner coverage, naming/classification, expiration, and restoration. | A guest in the group reaches Teams and SharePoint even when a service-only review appears restrictive. | Group/team/site mapping, members/owners, guest settings, sensitivity, activity, expiration, and removal. |
| Microsoft Teams | External access domains/users, guest access, meeting policies, shared channels, app permissions, messaging/calling capabilities, owners, and lifecycle. | External chat, guest membership, meeting access, anonymous participation, and shared channels are treated as one switch. | Policy assignments, test conversations/meetings, guest team, shared channel, app tab, recording, and channel-site access. |
| SharePoint and OneDrive | Organization sharing levels, security-group restrictions, default link type/permission, link expiration, guest expiration, site/OneDrive overrides, domains, sync, and unmanaged devices. | A permissive organization default or site exception enables links that bypass guest-centric controls and reviews. | Tenant/site/user exports, sharing reports, link inventory, direct permissions, site sensitivity, recipient tests, and revoke tests. |
| Conditional Access and Purview | Guest/external user policies, authentication strength, device claim trust, session/download restrictions, sensitivity labels, DLP, retention, and audit. | Identity access is allowed but sensitive content, unmanaged download, copy, retention, or legal-hold requirements are not enforced. | Sign-in/CA results, label/site settings, DLP incidents, unmanaged-device experience, downloads, sharing, retention, and eDiscovery impact. |