New guest expiry policy for SharePoint and OneDrive

Date: March 10, 2022
To:
SharePoint and OneDrive owners
From:
EASI Communications
Re: New guest expiry policy for SharePoint and OneDrive

 

To SharePoint and OneDrive owners,

Effective April 2, EASI will launch a new guest expiry policy that will improve security by:

  • Requiring that guests using sharing links re-authenticate with a new verification code every 90 days (this will happen automatically).
  • Prompting SharePoint site administrators and OneDrive owners to review and renew guest access after 180 days or else revoke access.

Who does this policy apply to? 

These policies will only apply to new guests invited after April 2. A guest is an external person (non-U of T email). The guest policy does not apply retroactively to guest users that have pre-existing permissions or access through a sharing link before the guest expiration policy was applied. The expiring access policy does not apply to guest accounts who access content through their membership of a Team.

What should I expect?

Once the policy is enabled, primary SharePoint site collection administrators/OneDrive for Business owners will receive e-mail notifications 2-3 weeks ahead of time informing them about any guests that are set to expire. In addition, a yellow banner will appear on the web versions of OneDrive or SharePoint. As owners/administrators you will be able to:

  • Let access expire automatically on the scheduled date
  • Forcibly remove access immediately
  • Extend access for another 180 days

These email notifications are not spam. Emails will be sent from “SharePoint Online” (no-reply@sharepointonline.com). If you ignore and do not extend access, the guest will lose access on the specified date and a new sharing invitation would need to be issued.

For more details on what to expect, see the following knowledge articles:

Managing Guest Expiry in SharePoint

Managing Guest Expiry in OneDrive for Business

Exceptions 

Exceptions to the policy may be requested only for SharePoint sites with external sharing enabled. Site administrators may request a custom guest expiry window of up to 365 days for their specific site. To request an exception for an existing SharePoint site, please submit a ticket at https://uoft.me/sharepoint-gethelp.

What do I need to do to prepare? 

Review the Enterprise Service Centre knowledge articles above so you know what to expect. If your SharePoint site has external sharing enabled, ensure the primary site admin details are always up to date so that the proper person receives the notifications.