
The Guest User Problem: Shadow Spend in Microsoft Teams and SharePoint

Microsoft 365 guest users accumulate silently over time. Most organizations have no inventory of who their guests are, what they can access, or whether they should still be there. Here is the cost and security case for cleaning it up.

CostDefender Team


Every time someone invites an external contractor, partner, vendor, or client to a Microsoft Teams channel or SharePoint site, a guest account is created in your Azure Active Directory tenant. The invitation takes seconds. The cleanup rarely happens.

Three years into a Microsoft 365 deployment, most organizations have accumulated hundreds or thousands of guest accounts — former vendor contacts, ex-partners from completed projects, clients from closed deals, contractors from engagements that ended two years ago. These accounts have access to Teams channels, SharePoint sites, and shared documents. In many cases, nobody inside the organization knows they exist.

Guest users are often discussed as a security concern, which they are. But they are also a cost concern, a compliance concern, and an operational hygiene concern. Finance teams who understand the Microsoft licensing model will recognize that guest users are not always free — and even when they are free, the administrative and security overhead they generate has real dollar value.

[Figure: Guest Account Accumulation Over Time. Illustration, no automated cleanup configured. Y-axis: guest accounts (500 to 2,000); X-axis: Year 1 to Year 4. Series: total guest accounts (about 1,900 by Year 4) and stale / should be removed (about 800 by Year 4).]
Without automated cleanup, guest account totals and stale guest populations grow together. The gap represents accounts with tenant access that belong to people no longer engaged with the organization.

The licensing reality for guest users

Microsoft’s licensing rules for guest users are frequently misunderstood. The short version: guests using basic Teams and SharePoint capabilities may qualify for the Microsoft 365 Guest User right — meaning no additional license is required from the host tenant. However, this exemption has specific boundaries that are regularly exceeded in practice.

What the guest right covers: Read and participate in Teams channels, contribute to SharePoint sites, and access shared documents — provided the guest’s home organization also has a qualifying Microsoft 365 subscription.

What the guest right does not cover: Guests who do not have a qualifying license from their home organization, guests accessing premium Microsoft 365 apps, guests using Power BI workspaces, guests in Microsoft Teams Rooms scenarios, and guests consuming Power Platform flows or apps.

For many enterprise deployments — particularly those that share Power Apps, Power BI reports, or premium Microsoft 365 features with external partners — some portion of the guest population is technically unlicensed and represents a compliance exposure, not just a hygiene issue.

The safest posture is to audit guest users against the guest right criteria specifically, rather than assuming all guests are covered.

What guest sprawl costs in practice

Even when guests fall within the licensing exemption, the accumulation of stale guest accounts creates costs in less visible forms.

IT admin time for access reviews. Microsoft Entra ID access reviews for guest accounts are a best practice and increasingly a compliance requirement under frameworks like SOC 2 and ISO 27001. Running quarterly access reviews across a population of 2,000 guests — verifying with sponsors whether each guest still needs access — is a significant administrative burden. Organizations that have let guest populations grow unchecked typically find that quarterly access reviews take 20+ hours of IT and manager time per cycle.

eDiscovery scope expansion. Every guest who has contributed to Teams channels or SharePoint sites has left a data footprint. In the event of litigation or regulatory inquiry, eDiscovery searches may need to cover guest contributions — which means managing data associated with external parties who may not be reachable for clarification. Stale guest accounts expand this surface area unnecessarily.

Security incident blast radius. If a guest user’s home tenant credentials are compromised, the attacker gains access to every Teams channel and SharePoint site that guest was invited to — including anything shared since the original invitation. A guest from a vendor engagement that ended two years ago may still have access to confidential project documents that were current at the time. That access should have been revoked when the engagement ended.

What to audit and how

The starting point for a guest user audit is the Azure Active Directory Users list filtered to userType eq 'Guest'. The Entra admin center makes this straightforward. The Graph API endpoint is /users?$filter=userType eq 'Guest'&$select=id,displayName,mail,signInActivity,createdDateTime.

Key data points to capture for each guest:

Last sign-in date. Available through the signInActivity property in Graph (requires Azure AD P1 or P2, included in E3 and above). Guests who have not signed in for 90+ days are strong candidates for removal.

Created date. Guests created more than 18 months ago deserve scrutiny regardless of their recent sign-in activity. Long-tenured guests may have accumulated access across many sites since their original invitation.

Invited by. The invitedBy metadata links to the internal user who originally invited the guest. This is the sponsor — the person best positioned to determine if the guest relationship is still active.

Access scope. Using Graph, you can enumerate which Teams groups and SharePoint sites a guest account is a member of. Guests with access to many sensitive SharePoint sites who haven’t signed in recently are the highest priority for review.

A practical cleanup process

The most effective guest cleanup processes are not automated removals but sponsor-driven reviews:

  1. Pull the list of guest accounts inactive for 90+ days
  2. Group by inviting internal user (the sponsor)
  3. Send each sponsor a list of their inactive guests with a 14-day response window
  4. Any guest not confirmed as still-needed by the sponsor is removed
  5. Removed guests can be re-invited if needed — re-invitation is a minor operation

This places accountability on the internal relationship owner, not on IT to make access decisions about external relationships they may not understand.

For guests with no identifiable sponsor — common after employee departures — IT should default to removal after a brief holding period and internal circulation.
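The audit fields listed above and the sponsor-driven cleanup steps can be tied together in a small triage script. The following Python is an added example, not code from the original article or from CostDefender. It takes records shaped like the Graph /users?$filter=userType eq 'Guest' response (constructed sample data embedded inline), applies the article's 90-day inactivity and 18-month tenure thresholds, and groups the flagged guests by sponsor for the 14-day review, with sponsorless guests set aside for IT's holding-period default. The invitedBy field on each record, the contoso.example sponsor addresses, the fixed reference date and the helper names are assumptions: Graph does not return the inviter in that $select, so a real run has to resolve it from the invitation or sponsor records first. Guests whose invitation is younger than 90 days are deliberately left unflagged so that pending invitations are not swept up as "never signed in".

```python
"""Triage a Microsoft Graph guest-user export into sponsor-driven review lists.

Added example for the article above; assumes the caller has already resolved
each guest's inviter into an "invitedBy" field (not part of the Graph $select).
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

INACTIVE_AFTER = timedelta(days=90)       # article's "90+ days without sign-in"
LONG_TENURED_AFTER = timedelta(days=548)  # roughly 18 months since createdDateTime

# Fixed reference date so the sample classifies the same way every run (assumption).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample records, shaped like objects returned by
# GET /users?$filter=userType eq 'Guest'&$select=id,displayName,mail,signInActivity,createdDateTime
# "invitedBy" is an assumed, pre-resolved sponsor UPN; None means the sponsor is unknown.
SAMPLE_GUESTS = [
    {"id": "g1", "displayName": "Vendor A", "mail": "a@vendor.example",
     "createdDateTime": "2021-01-15T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2022-03-01T10:00:00Z"},
     "invitedBy": "alice@contoso.example"},
    {"id": "g2", "displayName": "New Partner B", "mail": "b@partner.example",
     "createdDateTime": "2024-04-20T12:00:00Z",          # invited recently, never signed in yet
     "invitedBy": "bob@contoso.example"},
    {"id": "g3", "displayName": "Client C", "mail": "c@client.example",
     "createdDateTime": "2023-11-01T08:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-05-28T15:30:00Z"},
     "invitedBy": "alice@contoso.example"},
    {"id": "g4", "displayName": "Contractor D", "mail": "d@contractor.example",
     "createdDateTime": "2022-06-01T08:00:00Z",          # active but long-tenured
     "signInActivity": {"lastSignInDateTime": "2024-05-20T09:00:00Z"},
     "invitedBy": "bob@contoso.example"},
    {"id": "g5", "displayName": "Vendor E", "mail": "e@vendor.example",
     "createdDateTime": "2023-01-10T08:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2023-09-01T09:00:00Z"},
     "invitedBy": None},                                  # sponsor left the company
    {"id": "g6", "displayName": "Partner F", "mail": "f@partner.example",
     "createdDateTime": "2023-12-01T08:00:00Z",          # old invitation, never accepted
     "invitedBy": "bob@contoso.example"},
]


def parse_ts(value):
    """Parse a Graph ISO-8601 timestamp ("...Z") into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify_guest(guest, now=None):
    """Return the sorted list of audit flags for one guest; [] means no action.

    Guests invited less than INACTIVE_AFTER ago are treated as fresh invitations
    and never flagged, even when they have no sign-in activity yet.
    """
    now = now or datetime.now(timezone.utc)
    created = parse_ts(guest["createdDateTime"])
    if now - created < INACTIVE_AFTER:
        return []
    flags = []
    last = (guest.get("signInActivity") or {}).get("lastSignInDateTime")
    if last is None:
        flags += ["never_signed_in", "inactive_90d"]
    elif now - parse_ts(last) >= INACTIVE_AFTER:
        flags.append("inactive_90d")
    if now - created >= LONG_TENURED_AFTER:
        flags.append("long_tenured_18m")
    return sorted(flags)


def build_sponsor_review(guests, now=None):
    """Group flagged guests by sponsor.

    Returns (by_sponsor, orphaned): by_sponsor maps a sponsor UPN to the guests
    they must confirm within the response window; orphaned lists flagged guests
    with no identifiable sponsor, which default to removal after a holding period.
    """
    by_sponsor = defaultdict(list)
    orphaned = []
    for guest in guests:
        flags = classify_guest(guest, now)
        if not flags:
            continue
        entry = {"id": guest["id"], "mail": guest.get("mail"), "flags": flags}
        sponsor = guest.get("invitedBy")
        if sponsor:
            by_sponsor[sponsor].append(entry)
        else:
            orphaned.append(entry)
    return dict(by_sponsor), orphaned


def sponsor_notice(sponsor, entries, response_days=14):
    """Build the plain-text message sent to one sponsor (step 3 of the process)."""
    lines = [f"To: {sponsor}",
             f"Please confirm within {response_days} days which of these guests still need access;",
             "unconfirmed guests will be removed and can be re-invited later if required."]
    lines += [f"  - {e['mail']} ({', '.join(e['flags'])})" for e in entries]
    return "\n".join(lines)


if __name__ == "__main__":
    grouped, no_sponsor = build_sponsor_review(SAMPLE_GUESTS, NOW)
    for sponsor, entries in grouped.items():
        print(sponsor_notice(sponsor, entries), end="\n\n")
    print("No sponsor (IT holding period):", [e["mail"] for e in no_sponsor])
```

On the sample, alice receives one guest (g1, inactive and long-tenured), bob receives two (g4, flagged only for tenure even though it is active, and g6, an old invitation that was never accepted), g5 lands in the no-sponsor list, and g2 and g3 are left alone. The 18-month tenure flag deliberately fires independently of sign-in activity, matching the article's point that a long-lived active guest can still have accumulated more access than anyone intended.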

The combination of quarterly automated reviews (via Entra ID Access Reviews) and the one-time cleanup of the existing backlog will typically reduce a mature tenant’s guest population by 30 to 50 percent in the first cycle. For organizations approaching external audits or compliance certifications, the reduction in scope is often more valuable than the licensing cost savings.

CostDefender

Defend your cloud budget.

CostDefender gives finance teams read-only cloud cost visibility, verified savings tracking, and closed-loop accountability across AWS, Azure, and GCP.
