Detailed Rule Settings

Rule settings vary by rule. The following sections currently provide detailed information for approximately 20 of the most commonly used rules, covering both service-level and tenant-level policies. Documentation for additional rules will be added in future updates.

Ghost Guest User Detection

Use this rule to detect guest users who do not have permissions to any SharePoint site and are not members of any Microsoft 365 Group, Team, security group, or distribution list.

Refer to the following information for detailed rule settings:

  1. Select the rule settings that you want to use:

    • Monitor user permissions for sites and site content – When this setting is selected, guest users who lack effective permissions on SharePoint sites will be identified as ghost guest users. Effective permissions include those directly assigned to the guest user or inherited through a SharePoint group; permissions inherited through Entra ID security groups are not considered. Note that a guest user will be identified as ghost guest user even if they are a member of a SharePoint group that has no permissions granted.

    • Skip any user access granted by membership in security groups – When this setting is selected, guest users will be identified as ghost guest users when they are not members of any Microsoft 365 Group, Team, or distribution list, ignoring permissions inherited from security group membership.

    • Skip guest users who have never logged in – When this setting is selected, guest users who have never logged in will not be monitored by this rule.

    • Do not monitor the following users – This setting allows you to define the users to be excluded from monitoring. If selected, the specified users will be excluded from ghost guest user detection.

    • Do not monitor users/groups in the following Defined Group – This setting allows you to exclude all users of a specified Defined Group from monitoring.

    • Only monitor the following users – This setting allows you to restrict the detection only to the specified users. If selected, only the specified users will be monitored for ghost guest user detection.

    • Only monitor users in the following Defined Group – This setting allows you to restrict detection to only the members of a specified Defined Group.

    Note that if a user exists both in the excluded users fields and the target users fields, the excluded users fields will take precedence, so that the user will not be monitored.

  2. If violations are identified, take the following action to automatically fix the violations – This rule supports auto-fix, which enables automatic correction of out-of-policy settings when violations are identified.

    • Manage guest users in Microsoft Entra ID – Enable this option to automatically manage guest users once they are identified as ghost guest users. Then choose how these guest users should be managed:

      • Delete guest users from Microsoft Entra ID

      • Block guest users from signing in

  3. Send email notifications of the violations to the following users – Specify whether to send email notifications to admins or end users when violations are identified. After enabling this setting, designate the recipients and select the appropriate email templates. For detailed instructions on email templates, refer to Email Templates.

  4. Independent scan interval – Independent scan interval is supported for this rule, allowing you to set an independent scan interval for the Enforce policy job. When enabled, this rule-specific scan interval takes precedence over the general schedule set at the policy level.

    For policies containing this rule, the Enforce policy job may require considerable time to complete, particularly in larger Microsoft 365 environments. To help optimize performance, we recommend that you set a lower frequency for this rule.

    • Scan interval – Enter a positive integer and select a time unit (Hours, Days, Weeks, or Months). Policies for Microsoft 365 will start Enforce policy jobs to scan your Microsoft 365 environment according to the configured interval.

    • Scan start time – When the scan interval is set to DaysWeeks, or Months, the Scan start time setting will appear below for you to specify the exact timing of job executions.

      • For daily scans, you need to set a specific time. The job will start daily at the defined time.

      • For weekly scans, you need to select a weekday (Monday to Sunday) and set a specific time. The job will start weekly at the defined date and time.

      • For monthly scans, you need to select a calendar date and time. The job will start monthly at the defined date and time.

Inactive Guest User Detection

Use this rule to detect guest users who do not have any activities in SharePoint sites, Groups, and Teams for a defined period of time.

Prerequisite: To use this rule, ensure you have a Microsoft Entra ID P1 or P2 license.

Refer to the following information for detailed rule settings:

  1. Configure the rule settings:

    • Detect guest users who do not have any activities for _ days – Enter a number. Guest users with no activities for the specified number of days will be identified as inactive guest users.

      In addition, choose whether to Send a warning notification after _ days of inactivity.

    • Detect guest users who do not accept the invitation for _ days – Enter a number. Guest users who do not accept their invitations for the specified number of days will be identified as inactive guest users.

      In addition, choose whether to Send a warning notification if the invitation is not accepted after _ days.

    • Skip guest users who have never logged in – When this setting is selected, guest users who have never logged in will not be monitored by this rule.

    • Do not monitor the following users – This setting allows you to define the users to be excluded from monitoring.

    • Do not monitor users/groups in the following Defined Group – This setting allows you to exclude all users of a specified Defined Group from monitoring.

  2. If violations are identified, take the following action to automatically fix the violations – This rule supports auto-fix, which enables automatic correction of out-of-policy settings when violations are identified.

    • Manage guest users in Microsoft Entra ID – Enable this option to automatically manage guest users once they are identified as inactive guest users. Then choose how these guest users should be managed:

      • Delete guest users from Microsoft Entra ID

      • Block guest users from signing in

  3. Send email notifications of the violations to the following users – Specify whether to send email notifications to admins or end users when violations are identified. After enabling this setting, designate the recipients and select the appropriate email templates. For detailed instructions on email templates, refer to Email Templates.

  4. Independent scan interval – Independent scan interval is supported for this rule, allowing you to set an independent scan interval for the Enforce policy job. When enabled, this rule-specific scan interval takes precedence over the general schedule set at the policy level.

    For policies containing this rule, the Enforce policy job may require considerable time to complete, particularly in larger Microsoft 365 environments. To help optimize performance, we recommend that you set a lower frequency for this rule.

    • Scan interval – Enter a positive integer and select a time unit (Hours, Days, Weeks, or Months). Policies for Microsoft 365 will start Enforce policy jobs to scan your Microsoft 365 environment according to the configured interval.

    • Scan start time – When the scan interval is set to DaysWeeks, or Months, the Scan start time setting will appear below for you to specify the exact timing of job executions.

      • For daily scans, you need to set a specific time. The job will start daily at the defined time.

      • For weekly scans, you need to select a weekday (Monday to Sunday) and set a specific time. The job will start weekly at the defined date and time.

      • For monthly scans, you need to select a calendar date and time. The job will start monthly at the defined date and time.