Detailed Rule Settings

Rule settings vary by specific rule. Currently, we provide detailed information on the 20 most frequently used rules, covering both service-level and tenant-level policies. Documentation for additional rules will be added in future updates.

Ghost Guest User Detection

Use this rule to detect guest users who do not have permissions to any SharePoint site and are not members of any Microsoft 365 Group, Team, security group, or distribution list.

Refer to the following information for the detailed rule settings:

  1. Select the rule settings that you want to use:

    • Monitor user permissions for sites and site content – When this setting is selected, guest users who lack effective permissions on SharePoint sites will be identified as ghost guest users. Effective permissions include those directly assigned to the guest user or inherited through a SharePoint group; permissions inherited through Entra ID security groups are not considered. Note that a guest user will still be identified as a ghost guest user if they are a member of a SharePoint group that has no permissions granted.

    • Skip any user access granted by membership in security groups – When this setting is selected, guest users will be identified as ghost guest users when they are not members of any Microsoft 365 Group, Team, or distribution list, ignoring permissions inherited from security group membership.

    • Skip guest users who have never logged in – When this setting is selected, guest users who have never logged in will not be monitored by this rule.

    • Do not monitor the following users – This setting allows you to define the users to be excluded from monitoring. If selected, the specified users will be excluded from ghost guest user detection.

    • Do not monitor users/groups in the following Defined Group – This setting allows you to exclude all users of a specified Defined Group from monitoring.

    • Only monitor the following users – This setting allows you to restrict the detection only to the specified users. If selected, only the specified users will be monitored for ghost guest user detection.

    • Select a Defined Group – This setting allows you to restrict detection to only the members of a specified Defined Group.

  2. If violations are identified, take the following action to automatically fix the violations – Auto-fix violations is supported by this rule, enabling automatic correction of out-of-policy settings when violations are identified.

    • Manage guest users in Microsoft Entra ID – Select this checkbox and then define how to manage guest users once they are identified as ghost guest users, either Delete guest users from Microsoft Entra ID or Block guest users from signing in.

  3. Send email notifications of the violations to the following users – Choose whether to send email notifications to admins/end users when violations are identified. After enabling the setting, you need to designate recipients and select the appropriate email templates.

  4. Independent scan interval – Independent scan interval is supported for this rule, allowing you to set an independent scan interval for the Enforce policy job. When enabled, this rule-specific scan interval takes precedence over the general schedule set at the policy level.

    For policies containing this rule, the Enforce policy job may require considerable time to complete, particularly in larger Microsoft 365 environments. To help optimize performance, we recommend that you set a lower frequency for this rule.

    • Scan interval – Enter a positive integer and select a time unit (Hours, Days, Weeks, or Months). Policies for Microsoft 365 will start Enforce policy jobs to scan your Microsoft 365 environment according to the configured interval.

    • Scan start time – When the scan interval is set to Days, Weeks, or Months, the Scan start time setting will appear below for you to specify the exact timing of job executions.

      • For daily scans, you need to set a specific time. The job will start daily at the defined time.

      • For weekly scans, you need to select a weekday (Monday to Sunday) and set a specific time. The job will start weekly at the defined date and time.

      • For monthly scans, you need to select a calendar date and time. The job will start monthly at the defined date and time.
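To make the rule's definition concrete, here is an added Python model (not the product's code) that classifies constructed guest records the way the settings above describe: effective site permissions come from direct assignment or SharePoint groups only, an empty SharePoint group does not count, and the skip options and user lists narrow the scope. The field names, sample accounts and sites are assumptions, as is the behaviour when site monitoring is unchecked (membership alone then decides).

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

@dataclass
class Guest:
    upn: str
    signed_in: bool
    direct_sites: Set[str] = field(default_factory=set)            # sites with directly assigned permissions
    sp_groups: Dict[str, Set[str]] = field(default_factory=dict)   # SharePoint group -> sites it is granted
    memberships: Dict[str, Set[str]] = field(default_factory=dict) # kind -> names; kinds: m365, team, security, dl

@dataclass
class GhostRule:
    monitor_site_permissions: bool = True
    skip_security_group_access: bool = False
    skip_never_logged_in: bool = False
    excluded: Set[str] = field(default_factory=set)   # "Do not monitor the following users"
    only: Optional[Set[str]] = None                   # "Only monitor the following users"

def effective_sites(g: Guest) -> Set[str]:
    """Direct permissions plus permissions inherited via SharePoint groups. An empty
    SharePoint group adds nothing; access via Entra ID security groups is never counted."""
    sites = set(g.direct_sites)
    for granted in g.sp_groups.values():
        sites |= granted
    return sites

def is_ghost_guest(g: Guest, rule: GhostRule) -> bool:
    # Scope filters first: exclusion list, explicit inclusion list, never-signed-in skip
    if g.upn in rule.excluded or (rule.only is not None and g.upn not in rule.only):
        return False
    if rule.skip_never_logged_in and not g.signed_in:
        return False
    if rule.monitor_site_permissions and effective_sites(g):
        return False
    # Membership check; with the skip option, a security group no longer rescues a guest
    kinds = {"m365", "team", "dl"} | (set() if rule.skip_security_group_access else {"security"})
    return not any(g.memberships.get(k) for k in kinds)

def find_ghost_guests(guests, rule: GhostRule):
    return sorted(g.upn for g in guests if is_ghost_guest(g, rule))

# Constructed sample tenant; none of these accounts, groups or sites are real
SAMPLE = [
    Guest("a@ext.example", True),                                          # no access at all
    Guest("b@ext.example", True, sp_groups={"Members": set()}),            # SP group granting nothing
    Guest("c@ext.example", True, sp_groups={"Visitors": {"sites/hr"}}),    # real site access
    Guest("d@ext.example", False, memberships={"security": {"sg-vendors"}}),  # security group only
    Guest("e@ext.example", True, memberships={"team": {"Vendor Onboarding"}}),
]
```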

Remove Inactive Guest Users

Use this rule to remove guest users who do not have any activities in SharePoint sites, Groups, and Teams for a defined period of time.

Prerequisite: To use this rule, ensure you have a Microsoft Entra ID P1 or P2 license.

Refer to the following information for the detailed rule settings:

  1. Configure rule settings:

    • Remove guest users that do not have any activities for _ days – Enter a number. Guest users with no activities for the specified number of days will be identified as inactive guest users.

      In addition, choose whether to Send a warning notification after _ days of inactivity.

    • Remove guest users that do not accept the invitation for _ days – Enter a number. Guest users who do not accept their invitations for the specified number of days will be identified as inactive guest users.

      In addition, choose whether to Send a warning notification if the invitation is not accepted after _ days.

    • Skip guest users who have never logged in – When this setting is selected, guest users who have never logged in will not be monitored by this rule.

    • Do not monitor the following users – This setting allows you to define the users to be excluded from monitoring.

    • Do not monitor users/groups in the following Defined Group – This setting allows you to exclude all users of a specified Defined Group from monitoring.

  2. If violations are identified, take the following action to automatically fix the violations – Auto-fix violations is supported by this rule, enabling automatic correction of out-of-policy settings when violations are identified.

    • Manage guest users in Microsoft Entra ID – Select this checkbox and then define how to manage guest users once they are identified as inactive guest users, either Delete guest users from Microsoft Entra ID or Block guest users from signing in.

  3. Send email notifications of the violations to the following users – Choose whether to send email notifications to admins/end users when violations are identified. After enabling the setting, you need to designate recipients and select the appropriate email templates.

  4. Independent scan interval – Independent scan interval is supported for this rule, allowing you to set an independent scan interval for the Enforce policy job. When enabled, this rule-specific scan interval takes precedence over the general schedule set at the policy level.

    For policies containing this rule, the Enforce policy job may require considerable time to complete, particularly in larger Microsoft 365 environments. To help optimize performance, we recommend that you set a lower frequency for this rule.

    • Scan interval – Enter a positive integer and select a time unit (Hours, Days, Weeks, or Months). Policies for Microsoft 365 will start Enforce policy jobs to scan your Microsoft 365 environment according to the configured interval.

    • Scan start time – When the scan interval is set to Days, Weeks, or Months, the Scan start time setting will appear below for you to specify the exact timing of job executions.

      • For daily scans, you need to set a specific time. The job will start daily at the defined time.

      • For weekly scans, you need to select a weekday (Monday to Sunday) and set a specific time. The job will start weekly at the defined date and time.

      • For monthly scans, you need to select a calendar date and time. The job will start monthly at the defined date and time.
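As an added illustration of how the two inactivity thresholds and their warning windows interact (example code, not the product's own), the model below evaluates constructed guest records against the settings in step 1: a pending invitation is judged against the invitation threshold, an accepted guest against the activity threshold, and never-signed-in or excluded guests fall outside the rule. The day counts, dates and accounts are made up, and measuring a guest with no recorded activity from the invitation date is an assumption.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Set

@dataclass
class InactiveRule:
    inactive_days: int                 # remove after this many days without activity
    inactive_warn_days: Optional[int]  # warn after this many days of inactivity (None = no warning)
    invite_days: int                   # remove if the invitation is still unaccepted after this many days
    invite_warn_days: Optional[int]    # warn if the invitation is still unaccepted after this many days
    skip_never_logged_in: bool = False
    excluded: Set[str] = frozenset()   # "Do not monitor the following users"

@dataclass
class GuestState:
    upn: str
    invited_on: date
    invite_accepted: bool
    signed_in: bool
    last_activity: Optional[date]      # latest activity across sites, Groups and Teams; None if none

def _tier(elapsed: int, remove_after: int, warn_after: Optional[int]) -> str:
    if elapsed >= remove_after:
        return "remove"
    if warn_after is not None and elapsed >= warn_after:
        return "warn"
    return "ok"

def evaluate_guest(g: GuestState, rule: InactiveRule, today: date) -> str:
    """Return 'remove', 'warn' or 'ok' for one guest as of `today`."""
    if g.upn in rule.excluded or (rule.skip_never_logged_in and not g.signed_in):
        return "ok"   # out of scope for this rule
    if not g.invite_accepted:
        return _tier((today - g.invited_on).days, rule.invite_days, rule.invite_warn_days)
    since = g.last_activity or g.invited_on   # assumption: no activity recorded -> count from invitation
    return _tier((today - since).days, rule.inactive_days, rule.inactive_warn_days)

def plan_actions(guests, rule: InactiveRule, today: date):
    return {g.upn: evaluate_guest(g, rule, today) for g in guests}

RULE = InactiveRule(inactive_days=90, inactive_warn_days=60, invite_days=30, invite_warn_days=14)
TODAY = date(2024, 6, 30)   # constructed evaluation date
SAMPLE = [   # constructed accounts, not real guests
    GuestState("p@ext.example", date(2024, 1, 10), True, True, date(2024, 6, 20)),  # 10 idle days
    GuestState("q@ext.example", date(2024, 1, 10), True, True, date(2024, 4, 20)),  # 71 idle days
    GuestState("r@ext.example", date(2024, 1, 10), True, True, date(2024, 3, 1)),   # 121 idle days
    GuestState("s@ext.example", date(2024, 6, 10), False, False, None),             # invite pending 20 days
    GuestState("t@ext.example", date(2024, 5, 1), False, False, None),              # invite pending 60 days
]
```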