Guests have full member access
External guest users are assigned the built-in "User" role, which grants full directory enumeration and member-level access.
How to fix it
Change the guestUserRoleId to the default "Guest" role or, for high-security tenants, the "Restricted Guest" role.
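The check and the fix described above, as an added example that is not EntraAnalyzer's own code: it classifies guestUserRoleId from a Microsoft Graph authorizationPolicy response and builds the PATCH request that corrects it. The function name, the high_security flag, the fail-closed handling of unrecognised IDs and the sample response are assumptions made for illustration; the role IDs are the built-in values Microsoft documents for this property.

```python
import json

GRAPH_URL = "https://graph.microsoft.com/v1.0/policies/authorizationPolicy"

# Built-in guestUserRoleId values documented for the Graph authorizationPolicy resource.
ROLES = {
    "a0b1b346-4d3e-4e8b-98f8-753987be4970": "User",
    "10dae51f-b6af-4016-8d66-8c2a99b929b3": "Guest",
    "2af84b1e-32c8-42b7-82bc-daa82404023b": "Restricted Guest",
}
ROLE_IDS = {name: rid for rid, name in ROLES.items()}


def evaluate_guest_role(policy_json, high_security=False):
    """Return a finding dict for a Graph authorizationPolicy response body."""
    doc = json.loads(policy_json)
    # The beta endpoint wraps the policy in a "value" collection; v1.0 returns it bare.
    if isinstance(doc.get("value"), list):
        if not doc["value"]:
            raise ValueError("empty authorizationPolicy collection")
        doc = doc["value"][0]
    raw = doc.get("guestUserRoleId")
    if not raw:
        raise ValueError("guestUserRoleId missing from policy response")
    # GUIDs compare case-insensitively; normalise before the lookup.
    role = ROLES.get(raw.strip().lower(), "Unknown")
    # Assumption: an unrecognised id fails closed so that it gets reviewed.
    compliant = role in ("Guest", "Restricted Guest")
    finding = {"current_role": role, "compliant": compliant, "fix": None}
    if not compliant:
        # Hypothetical flag: pick the stricter target for high-security tenants.
        target = "Restricted Guest" if high_security else "Guest"
        finding["fix"] = {"method": "PATCH", "url": GRAPH_URL,
                          "body": {"guestUserRoleId": ROLE_IDS[target]}}
    return finding


# Constructed sample response (not captured from a real tenant).
SAMPLE = json.dumps({
    "id": "authorizationPolicy",
    "allowInvitesFrom": "everyone",
    "guestUserRoleId": "A0B1B346-4D3E-4E8B-98F8-753987BE4970",
})

if __name__ == "__main__":
    print(json.dumps(evaluate_guest_role(SAMPLE), indent=2))
```

Sending the generated PATCH needs a write permission such as Policy.ReadWrite.Authorization, which is separate from the read-only permission the scan uses.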
Required Microsoft Graph permissions
EntraAnalyzer needs the following read-only Graph permissions to evaluate this rule:
Policy.Read.All
Run this check on your tenant
EntraAnalyzer evaluates this rule automatically on every scan and emails you the results.