External users/guests validation by group owners
Include a periodical check if guests are still needed
There is a need to also check the guests periodically (every 30, 60, 90, or 180 Days).
There an owner should decide for every guest if access is still needed or access should be removed automatically.
We are adding a guest review experience for the owners that will go along the external sharing links review.
Jury Baragatti commented
To meet compliance and audit requirements, we should ask the “member validation by group owners” every 6 months. I hope that the function provided for guests could be extended to all members.
Ben Seo commented
Dear SG, For financial sector, this is a "requirement" being asked from compliance team for fulfilling audit requirements for SEC regulation for tracking sensitive communications. Please advise.
in my opinion this is more important than reviewing external sharing links.... I wish it could be prioritised.
guests have access to ALL of the group's content and should be reviewed
It would be helpful to be able to quickly identify Teams that have external guests listed as members - not just Teams that have had a link shared externally. Additionally, extend the emailing capabilities so that we can send the Owners of these teams an email to review/verify this security is still needed. If a Team is stale and hasn't gotten deleted, owners may be more willing to clean up Guest access before the deletion.
This is something we thought it did. Checking external sharing is useful but bringing it up a level to just a simple 'dear owner do you know your Team/Group has guests' is what our Infogov colleagues want. To meet compliance we are required to ask every 3 months about access to systems from guest or sponsored users. Perhaps if it had a check box next to each guest so an owner could tick the ones they are ok with and the remainder would get emailed to IT for action to purge or v.v