Default Settings Are Dangerous: What Microsoft Doesn’t Tell You

Let me ask you something.

If you invited a guest into your office, would you let them browse your employee directory, peek into your filing cabinet, and read your internal memos?

No?

Well, guess what—if you’re using Microsoft 365 with default settings, that’s exactly what’s happening.

🧩 The Problem with “Default”

Microsoft 365 is built for collaboration. That’s a good thing—until it’s not.

When you spin up a new tenant (that’s your company’s Microsoft 365 environment), Microsoft assumes you want to share everything. With everyone. Including guests.

And unless someone goes in and changes those settings, your business is operating with collaboration-first defaults—not security-first.

🕵️‍♂️ Real-World Scenario: The Guest Who Saw Too Much

Imagine we are invited to help a company review their Microsoft 365 setup, and we find that they had invited a contractor to collaborate on a project in Teams.

Totally normal, right?

But here’s what they likely didn’t realize:

That contractor—just by being added as a guest—could see:

  • The full employee directory
  • Internal group memberships
  • Descriptions of roles and departments
  • Conditional access policies
  • And in some cases… sensitive SharePoint sites

All because Microsoft’s default guest permissions are way too generous.

🔍 What’s Actually Happening?

When you invite a guest into Microsoft 365, they’re added to your Azure Active Directory (now called Entra ID). By default, guests can:

  • View all users in the directory
  • See group memberships
  • Access shared Teams and SharePoint content
  • Sometimes even enumerate your environment using tools like GraphRunner

It’s like handing someone a visitor badge and then accidentally letting them wander anywhere they want and open your filing cabinets and drawers. Gives you the chills, doesn’t it?

🛡️ What You Can Do (Without Being a Tech Expert)

You don’t need to be an IT admin to fix this. You just need to ask the right questions.

Start here:

“Can guests see our employee directory or internal settings?”

If your IT team says “yes” or “I’m not sure,” it’s time to take action.

✅ Quick Fixes You Can Ask For:

  1. Restrict guest access to the directory
     • Disable “Guests can view all users” in Entra ID settings.
  2. Limit external sharing in Teams and SharePoint
     • Set sharing policies to “Only people in your organization” or “Specific people.”
  3. Review guest access regularly
     • Audit who’s been invited and what they can see.
  4. Use Conditional Access to control guest sessions
     • Require MFA and compliant devices—even for guests.
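If your IT team wants to check items 1 and 3 of the list above rather than guess, here is an added, read-only audit script (not part of the original post) using the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, that the signed-in admin can consent to the read scopes listed, and that the tenant is licensed for sign-in activity data; the 90-day staleness threshold is an assumed value.

```powershell
# Added example (not from the original post): audit guest directory access and
# guest accounts with the Microsoft Graph PowerShell SDK. Read-only; changes nothing.
# Assumes Microsoft.Graph is installed and the account can consent to these scopes.
Connect-MgGraph -Scopes "Policy.Read.All", "User.Read.All", "AuditLog.Read.All" -NoWelcome

# Checklist item 1: what can guests see in the directory?
# GuestUserRoleId holds Microsoft's documented GUID for the chosen restriction level.
$guestRoleNames = @{
    "a0b1b346-4d3e-4e8b-98f8-753987be4970" = "Same access as members (most permissive)"
    "10dae51f-b6af-4016-8d66-8c2a99b929b3" = "Limited access to directory objects (default)"
    "2af84b1e-32c8-42b7-82bc-daa82404023b" = "Restricted to their own objects (most restrictive)"
}
$policy = Get-MgPolicyAuthorizationPolicy
$level  = $guestRoleNames[$policy.GuestUserRoleId]
if (-not $level) { $level = "Unknown ($($policy.GuestUserRoleId))" }
Write-Host "Guest directory access : $level"
Write-Host "Who may invite guests  : $($policy.AllowInvitesFrom)"
if ($policy.GuestUserRoleId -ne "2af84b1e-32c8-42b7-82bc-daa82404023b") {
    Write-Warning "Guests can browse directory objects beyond their own; review whether that is intended."
}

# Checklist item 3: who has been invited, and which guests look stale?
$staleAfterDays = 90                      # assumed review threshold; adjust to your policy
$cutoff = (Get-Date).AddDays(-$staleAfterDays)
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property Id, DisplayName, Mail, CreatedDateTime, ExternalUserState, SignInActivity

$report = foreach ($g in $guests) {
    $lastSignIn = $g.SignInActivity.LastSignInDateTime
    [pscustomobject]@{
        Guest       = $g.Mail
        Invited     = $g.CreatedDateTime
        InviteState = $g.ExternalUserState    # PendingAcceptance = invitation never redeemed
        LastSignIn  = $lastSignIn
        Stale       = (-not $lastSignIn) -or ($lastSignIn -lt $cutoff)
    }
}
$report | Sort-Object LastSignIn | Format-Table -AutoSize
$staleCount = @($report | Where-Object Stale).Count
Write-Host ("{0} guests total, {1} with no sign-in in the last {2} days" -f @($report).Count, $staleCount, $staleAfterDays)
```

Guests flagged as stale are the ones to raise with the project owner before removing; the script itself does not remove anyone.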

🧠 Analogy Time: Default Settings = Open Office Cabinets

Think of your Microsoft 365 environment like an office.
Default settings are like leaving every cabinet unlocked, every drawer open, and every document visible to anyone who walks in.

It’s not malicious—it’s just careless.

And in today’s threat landscape, carelessness is costly.

🚀 Coming Up Next…

In the next post, we’ll tackle the MFA myth—why having multi-factor authentication isn’t enough unless it’s configured correctly. (Spoiler: SMS codes aren’t cutting it anymore.)

👣 Your Action Step Today

✅ Ask your IT team:
“Have we reviewed our guest access settings in Microsoft 365?”

If they haven’t, don’t worry. You’re ahead of the curve just by asking.

Want help reviewing your Microsoft 365 defaults?
We’ll walk through it with you—no jargon, no judgment, just clarity.