If you are a SharePoint site admin, you may need to manage expiring access for the guests that have access to content on your site. If your administrator has set an expiration time for guest access, each guest that you invite to the site or with whom you share individual files and folders will be given access for a certain number of days. If you want them to continue to have access, you must extend their access on a regularly.
As guests approach their expiration date, a banner on the site will notify you. Site collection administrators will receive an e-mail notification once per week informing you about all guests that will expire in the next 2 to 3 weeks.
Notes:
-
This feature is currently available to all tenants.
-
Site collection administrators will receive an e-mail notification once per week informing you about all guests that will expire in the next 2 to 3 weeks.
-
The banner will appear 2 to 3 weeks before the guest expiration date and will only display on the web app. The banner does not display in the mobile app.
How guest expiration policies work
Guest membership applies at the Microsoft 365 group level, therefore guests who have permission to view a SharePoint site or use a sharing link may have also access to a Microsoft Teams team or security group. Therefore, when SharePoint site or sharing link access expires, some guest users may still have access to a Team or security group elsewhere.
The guest expiration policy only applies to guests who use sharing links or guests who have direct permissions to a SharePoint site after the guest policy is enabled. The guest policy does not apply to guest users that have pre-existing permissions or access through a sharing link before the guest expiration policy is applied.
Guest user expiration policy applies to guest users only. Standard user expiration can be set manually on any user in a site collection, and any user with an expiration value will be removed when the expiration passes unless they are site admins, in which case the expiration will be deferred until they are no longer site admins, or expiration value is cleared for them.
Extend access for a guest
When a guest is nearing expiration, you can renew their access. Their access will be extended for the number of days that your administrator has configured.
-
On the site, click Settings, and then select Site permissions.
-
Under Guest Expiration, select Manage.
-
On the Access Expiration page, select the user that you want to extend and select Extend.
-
On the confirmation dialog box, select Yes, extend.
Notes:
-
If the site admin has turned off guest expiration after expiration dates were set, you will see an option to clear the expiration date from your guests, allowing them to have access to the site indefinitely.
-
Extending a guest's access applies to all of their access on a site. If you want a guest to only have access to a subset of the site's resources, you need to remove their access from those items manually before or after extension.
Remove access for a guest
You can remove access from a guest before their access expires.
-
On the site, select Settings, and then select Site permissions.
-
Under Guest Expiration, select Manage.
-
On the Access Expiration page, select the user whose access you want to remove, and then select Remove access.
-
On the confirmation dialog box, select Yes, remove.
Guest expiration FAQs
Q: What happens to sharing links when guest access expires?
A: Guest access is managed on a user level rather than a document or sharing link level. For this reason, sharing links do not ever deactivate, and instead a guest user loses access once their guest credentials expire. To prevent a guest from losing access to a document link previously shared with them, an administrator needs to extend individual guest access.
Q: Is the Azure Active Directory (AAD) altered in any way that requires Multi-Factor Authentication (MFA) setting to be reapplied when guest access expires for a SharePoint site?
A: No, expiring guest access for a SharePoint site does not alter a guests' account in AAD.
Q: What happens when a guest user account gets deleted from Active Directory (AD)?
A: Guest expiration is different from disabling or removing an account in AD. When an account is disabled, a user can no longer sign-in and when its removed the account no longer exists.
Q: Can I share a link with a pre-determined expiration date instead of relying on guest expiration?
A: Please see this article.
Q: Do the guest expiration policies that were updated in July 2021 apply to guest accounts created before July 2021?
A: Expiration is only applied to guest users who are added to the site collection AFTER the admin has turned the policy on (whenever that might have been).
Q: How long will the guest expiration notification banner display on sites?
A: The banner will appear for 2 to 3 weeks prior to the guest access expiration date.