Azure B2B collaboration makes it remarkably easy to invite an external partner, contractor or client into your tenant with a few clicks, granting them access to specific resources without the overhead of creating a full internal account. That ease of use is exactly why guest accounts accumulate quietly over time, often long after the original reason for the invitation has expired, and long after anyone has thought to check what that account can still see or touch.
Convenient to grant, easy to forget
A guest account gets created for a three-month contractor engagement, a joint project with a partner organisation, or a consultant brought in for a single piece of work. The project ends, the contractor moves on, and the guest account remains active in the tenant indefinitely, because removing it was never anyone’s specific responsibility and nothing in most organisations’ processes forces a review. Multiply that across years of partnerships and contractor relationships, and many tenants end up with dozens of guest accounts nobody can confidently account for or explain.
A thorough Azure pen testing examines exactly this accumulation, mapping every guest account against what it can actually access and asking whether that access still has a legitimate business justification. It is a common finding that guest accounts retain access to SharePoint sites, Teams channels and shared resources well beyond anything the original engagement required, sometimes years after the fact.

Guest accounts, same risk as any other identity
An external guest account is subject to the security practices of whatever organisation or personal setup that individual is using, which your own security team has no visibility into and no control over. If that guest’s own account gets compromised through a phishing attack entirely unrelated to your business, the attacker inherits whatever access your tenant granted them, potentially including internal documents, communication channels and resources well beyond the original scope of collaboration, all through a route your own defences never anticipated.
William Fieldhouse treats guest account review as one of the more revealing parts of an Azure assessment.
“We reviewed a client’s guest account list and found forty-one active external accounts, and the client themselves could confidently explain the current business need for around a dozen of them. The rest were relationships that had ended a year or more earlier. One of those dormant guest accounts still had edit access to a SharePoint site containing unreleased financial results.”
— William Fieldhouse, Director of Aardwolf Security Ltd
An unreleased financial results document sitting reachable by a forgotten guest account from an expired partnership is exactly the kind of exposure that never shows up in a casual review, because nothing about the tenant looks obviously broken. Access controls were technically applied correctly at the point they were granted; the failure was simply that nobody ever revisited the decision once circumstances changed, which is precisely how this sort of exposure survives so long undetected.
Review guest access as a recurring discipline, not a one-off
Treat every guest account as an ongoing trust decision that needs periodic renewal, not a one-time grant that persists by default. Set a recurring review cycle, tie guest accounts to specific expiry dates tied to contract length wherever possible, and pair that internal process with external network pen testing to catch what the internal review missed. Contact Aardwolf Security to have your Azure guest access reviewed properly.
