Assign sponsors to existing guests
Implementation Effort: Medium – IT administrators must audit existing guest accounts, identify appropriate internal sponsors, and update guest user profiles accordingly.
User Impact: Low – This administrative task does not require direct involvement from guest users unless subsequent access changes are implemented.
Overview
Assigning sponsors to existing guest accounts in Microsoft Entra ID enhances accountability and governance over external user access. A sponsor, typically an internal user, is responsible for overseeing the guest's access and ensuring it aligns with organizational policies. While new guest invitations often automatically assign the inviter as the sponsor, many existing guest accounts may lack this association, especially if they were created before this feature was implemented.
To address this, administrators should audit current guest accounts to identify those without assigned sponsors. Utilizing tools like the Microsoft Graph, administrators can retrieve and update the 'sponsors' property for these accounts . Assigning sponsors facilitates better management of guest accounts, particularly during access reviews or when evaluating the necessity of continued access.
This practice aligns with the Zero Trust principle of "Verify explicitly" by ensuring that each guest account has a designated internal point of contact responsible for validating and managing access. It also supports "Assume breach" by maintaining oversight of external accounts, thereby reducing potential security risks associated with unmanaged guest access.