
Guest Users: The Silent Lateral Movement Risk Most MSPs Miss

January 22, 2026 by Jaspreet Singh



Guest Users: The Overlooked Lateral Movement Risk for MSPs

Why This Matters for MSPs

Guest users are intended to facilitate collaboration.

For MSPs, guest users have become one of the most common and least detected lateral movement paths within Microsoft 365 tenants. (Eliminate identity lateral movement – Zero Trust, 2024)

In practice, attackers rarely begin with Global Admin accounts. Instead, they exploit trusted access that is often overlooked, making guest users a prime target. (Eliminate identity lateral movement (Secure Future Initiative), 2024)

If your security measures do not explicitly manage guest identities, your environment is already at risk.

The MSP Blind Spot

Most MSP security standards focus on:

  • MFA for employees
  • Privileged role protection
  • Secure admin workstations (Securing privileged access accounts, 2024)

However, guest users are often:

  • Excluded from Conditional Access
  • Exempt from MFA
  • Left with indefinite access
  • Trusted simply because “Microsoft invited them.”

From a liability perspective, guest users hold access to your client’s data, and that access is your responsibility.

How Guest Users Become a Lateral Movement Path

Scenario MSPs See in the Real World

  1. A vendor’s Microsoft account is compromised
  2. That account already exists as a guest in your client’s tenant
  3. No MFA is enforced for guests
  4. The attacker accesses:

    • Teams conversations
    • SharePoint document libraries
    • Internal files and credentials
  5. The breach is discovered weeks later rather than within days (Shah et al., 2020)

There is no malware.

No admin role.

No alert.

Only trusted access is used.
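A detection check for the scenario above, added here as an example and not part of the original post: it lists guest sign-ins in a client tenant that succeeded without any Conditional Access policy being applied, which is exactly the "no alert" path described. It uses the Microsoft Graph PowerShell SDK; the 30-day window, the granted scopes and the `#EXT#` guest UPN convention are assumptions about the tenant.

```powershell
# Added example (not from the original post). Assumes the Microsoft Graph PowerShell SDK
# is installed and the signed-in account can be granted AuditLog.Read.All and Directory.Read.All.
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All" -NoWelcome

$days  = 30   # assumed review window; keep within your sign-in log retention
$since = (Get-Date).ToUniversalTime().AddDays(-$days).ToString("yyyy-MM-ddTHH:mm:ssZ")

# Filter on time server-side; the remaining conditions are evaluated locally.
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

$uncovered = @($signIns | Where-Object {
    $_.UserPrincipalName -like "*#EXT#*" -and       # guest UPN convention in the resource tenant
    $_.Status.ErrorCode -eq 0 -and                  # the sign-in succeeded
    $_.ConditionalAccessStatus -eq "notApplied"     # no Conditional Access policy evaluated it
})

$uncovered |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, IpAddress,
                  @{ n = "Country"; e = { $_.Location.CountryOrRegion } } |
    Sort-Object CreatedDateTime -Descending |
    Format-Table -AutoSize

"{0} successful guest sign-ins in the last {1} days were outside every Conditional Access policy." -f $uncovered.Count, $days
```

A non-zero count here means guests are operating outside the baseline; each row is a session that relied purely on the vendor's home-tenant security.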

Why This Bypasses Traditional MSP Controls

1. Conditional Access Gaps

Many MSP templates:

  • Use “All Users” policies
  • Exclude guests for business continuity reasons
  • Assume the home tenant enforces security (Bymsp4msps, 2024)

Result: guests operate outside your established security baseline.

2. Cross-Tenant Trust Is Too Permissive by Default

By default:

  • External tenants are trusted
  • MFA claims are not enforced
  • Device security posture is not considered (Zero Trust identity and device access policies, n.d.)

This allows attackers to:

  • Authenticate in a weaker tenant
  • Access a stronger client tenant
  • Bypass your client’s MFA requirements

This is supply-chain risk, not user error.

3. Guest Access Grows Over Time

What MSPs often inherit:

  • Guest users added years ago
  • No expiry configured
  • Group memberships reused
  • Application access expanded silently

Guest access does not remain static; it gradually increases over time. (How small Microsoft 365 setup gaps create security risks, 2025)

The Business Risk for MSPs

From an MSP owner’s perspective, guest user abuse can result in:

  • Undetected data exposure
  • Contractual risk (security obligations not met)
  • Incident response costs
  • Loss of client trust
  • Challenges during contract renewals (Protecting Against Cyber Threats to Managed Service Providers and their Customers, 2022)

Clients expect you to have secured Microsoft 365 appropriately.

What MSPs Should Be Doing Instead

1. Treat Guest Users as High-Risk Identities

Guests are:

  • External
  • Unmanaged
  • Outside your control

Your security posture should account for these risks.

Minimum standard:

  • MFA required
  • Session limits enforced
  • Legacy auth blocked
  • No persistent browser sessions

2. Separate Guest Conditional Access Policies

Do not rely solely on 'All Users' policies.

Create guest-specific policies that:

  • Require MFA
  • Restrict locations
  • Limit session duration
  • Block unknown devices

Implementing these measures will address most lateral movement risks. (Critical Windows Server Update Services (WSUS) RCE Vulnerability (CVE-2025-59287) Under Active Exploitation, 2024)
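One way to implement the guest-specific policy described above, added here as an example and not part of the original post: it creates a Conditional Access policy that targets only guests and external users, requires MFA, enforces a sign-in frequency and disables persistent browser sessions, using the Microsoft Graph PowerShell SDK. The policy name, the 8-hour frequency and report-only starting state are assumptions.

```powershell
# Added example (not from the original post). Assumes the Microsoft Graph PowerShell SDK
# and an account that can consent to Policy.ReadWrite.ConditionalAccess and Application.Read.All.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Application.Read.All" -NoWelcome

$policy = @{
    displayName = "GUEST - Require MFA, 8h sign-in frequency, no persistent browser"   # assumed name
    state       = "enabledForReportingButNotEnforced"   # review the report-only results, then set "enabled"
    conditions  = @{
        # Scope: guests and external users only, from every external tenant.
        users = @{
            includeGuestsOrExternalUsers = @{
                guestOrExternalUserTypes = "b2bCollaborationGuest,b2bCollaborationMember,internalGuest"
                externalTenants = @{
                    "@odata.type"  = "#microsoft.graph.conditionalAccessAllExternalTenants"
                    membershipKind = "all"
                }
            }
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    # Grant: MFA is mandatory for every guest session.
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
    # Session: re-authenticate every 8 hours (assumed value) and never persist the browser session.
    sessionControls = @{
        signInFrequency   = @{ value = 8; type = "hours"; isEnabled = $true }
        persistentBrowser = @{ mode = "never"; isEnabled = $true }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State
```

Location restrictions, device-based blocking and the legacy-authentication block belong in their own policies with the same guest scope, so that a failure in one control does not weaken the others.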

3. Lock Down Cross-Tenant Access

For every client:

  • Remove default inbound trust
  • Require MFA claims
  • Block high-risk external tenants
  • Review trusted organizations quarterly

This approach prevents abuse from weaker tenants accessing stronger client environments.
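A quarterly review script for the cross-tenant settings listed above, added here as an example and not part of the original post: it reports the tenant-wide default inbound trust (whether MFA and device claims from external tenants are accepted, and whether inbound B2B collaboration is allowed) and then every partner-specific override, using the Microsoft Graph PowerShell SDK. The Policy.Read.All scope is an assumption about what the reviewing account is granted.

```powershell
# Added example (not from the original post). Assumes the Microsoft Graph PowerShell SDK
# and an account that can consent to Policy.Read.All.
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome

# Helper that flattens one cross-tenant configuration (default or partner) into a review row.
function ConvertTo-TrustRow {
    param($Config, [string]$Scope)
    [pscustomobject]@{
        Scope                    = $Scope
        InboundB2BCollaboration  = $Config.B2BCollaborationInbound.UsersAndGroups.AccessType   # "allowed" / "blocked"
        TrustsExternalMfa        = $Config.InboundTrust.IsMfaAccepted
        TrustsCompliantDevice    = $Config.InboundTrust.IsCompliantDeviceAccepted
        TrustsHybridJoinedDevice = $Config.InboundTrust.IsHybridAzureAdJoinedDeviceAccepted
    }
}

# Tenant-wide defaults: these apply to every external tenant that has no entry of its own.
$default = Get-MgPolicyCrossTenantAccessPolicyDefault
$rows = @(ConvertTo-TrustRow -Config $default -Scope "DEFAULT (all external tenants)")

# Per-partner overrides: each one is an explicit trust decision that should be justified and dated.
$rows += Get-MgPolicyCrossTenantAccessPolicyPartner -All |
    ForEach-Object { ConvertTo-TrustRow -Config $_ -Scope $_.TenantId }

$rows | Format-Table -AutoSize

# Anything still on the service defaults has never been reviewed for this client.
if ($default.IsServiceDefault) { "Cross-tenant defaults are untouched service defaults; review before trusting them." }
```

Treat every row where inbound collaboration is allowed and external MFA is trusted as a tenant whose security posture you are inheriting, and record who approved it.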

4. Implement Guest Access Expiry

Every guest should:

  • Expire automatically
  • Require re-approval
  • Be reviewed regularly

If continued access is required, re-invite the guest user.
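A guest inventory and staleness check that supports both the expiry step above and the "Guest access inventory" deliverable later in this post, added here as an example and not part of the original post: it lists every guest, flags invitations never accepted and guests with no sign-in inside the review window, and writes the result to CSV using the Microsoft Graph PowerShell SDK. The 90-day window, the output path and the granted scopes are assumptions.

```powershell
# Added example (not from the original post). Assumes the Microsoft Graph PowerShell SDK
# and an account that can consent to User.Read.All and AuditLog.Read.All (needed for sign-in activity).
Connect-MgGraph -Scopes "User.Read.All","AuditLog.Read.All" -NoWelcome

$reviewDays = 90                                     # assumed policy: no sign-in for 90 days => stale
$cutoff     = (Get-Date).ToUniversalTime().AddDays(-$reviewDays)

$guests = Get-MgUser -All -Filter "userType eq 'Guest'" `
    -Property Id,DisplayName,UserPrincipalName,Mail,CreatedDateTime,ExternalUserState,SignInActivity

$inventory = foreach ($g in $guests) {
    $last   = $g.SignInActivity.LastSignInDateTime   # $null when the guest has never signed in
    $reason = if ($g.ExternalUserState -eq "PendingAcceptance")          { "Invitation never accepted" }
              elseif (-not $last -and $g.CreatedDateTime -lt $cutoff)     { "Never signed in" }
              elseif ($last -and $last -lt $cutoff)                       { "No sign-in since $($last.ToString('yyyy-MM-dd'))" }
              else                                                        { $null }
    [pscustomobject]@{
        DisplayName       = $g.DisplayName
        UserPrincipalName = $g.UserPrincipalName
        HomeDomain        = ($g.Mail -split "@")[-1]   # which external organisation this guest belongs to
        Created           = $g.CreatedDateTime
        LastSignIn        = $last
        State             = $g.ExternalUserState
        Stale             = [bool]$reason
        Reason            = $reason
    }
}

# Deliverable: full inventory as CSV (assumed path), plus the action list on screen.
$inventory | Export-Csv -Path ".\guest-inventory.csv" -NoTypeInformation
$inventory | Where-Object Stale | Sort-Object LastSignIn | Format-Table -AutoSize

$staleCount = @($inventory | Where-Object Stale).Count
"{0} guests total, {1} flagged as stale (review window {2} days)." -f @($inventory).Count, $staleCount, $reviewDays
```

Flagged guests are candidates for removal; anyone who still needs access is re-invited, which restarts the expiry clock with a fresh approval on record.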

How This Becomes an MSP Service Offering

This is not only a security measure; it also creates an opportunity for recurring revenue.

Position it as:

  • “External Access Risk Review”
  • “Guest User Security Hardening”
  • “Cross-Tenant Trust Assessment”

Deliverables:

  • Guest access inventory
  • Risk findings
  • Conditional Access fixes
  • Documentation for compliance

These services are straightforward to standardize and scale.

Final MSP Takeaway

Guest users are no longer just a collaboration feature.

They represent external identities within your client’s tenant.

If you don’t control them, attackers will — and your client will hold you accountable.


Jaspreet Singh — Author at MSPinsights.ca | Founder & CEO, Accelerate IT Services Inc.


References

Eliminate identity lateral movement – Zero Trust. (2024). Microsoft Learn. https://learn.microsoft.com/en-us/security/zero-trust/sfi/eliminate-identity-lateral-movement

Eliminate identity lateral movement (Secure Future Initiative). (2024). Microsoft Learn. https://learn.microsoft.com/en-us/security/zero-trust/sfi/eliminate-identity-lateral-movement

Securing privileged access accounts. (2024). Microsoft Learn. https://learn.microsoft.com/en-us/security/privileged-access-workstations/privileged-access-accounts

Shah, N., Ho, G., Schweighauser, M., Afifi, M. H., Cidon, A. & Wagner, D. (2020). A Large-Scale Analysis of Attacker Activity in Compromised Enterprise Accounts. arXiv preprint arXiv:2007.14030. https://doi.org/10.48550/arXiv.2007.14030

Bymsp4msps. (2024). Data Protection with Guest Users in Microsoft 365. Tminus365.com. https://tminus365.com/data-protection-with-guest-users-in-microsoft-365-secure-device-access/

Zero Trust identity and device access policies. (n.d.). Microsoft. https://download.microsoft.com/download/e/d/0/ed03381c-16ce-453e-9c89-c13967819cea/zero-trust-identity-and-device-access-policies.pdf

How small Microsoft 365 setup gaps create security risks. (2025). Simple Business IT. https://simplebusinessit.com/small-microsoft-365-setup-gaps-security-risks/

Protecting Against Cyber Threats to Managed Service Providers and their Customers. (2022, May 10). CISA. https://www.cisa.gov/news-events/alerts/2022/05/11/protecting-against-cyber-threats-managed-service-providers-and-their-customers

Critical Windows Server Update Services (WSUS) RCE Vulnerability (CVE-2025-59287) Under Active Exploitation. (2024, October 17). Rankiteo. https://www.rankiteo.com/company/nuance-dragon-desktop-software
