BCSEC3004: Monitoring Guest Accounts


Through BetterCloud, automating onboarding for full-time, part-time, or contracted employees is made easy. However, when it comes to guest access, things can get trickier, and shadow IT begins to creep in. Generally, IT keeps all employees under lock and key; but with the rise of SaaS collaboration apps, it has become easy for employees to add external users without anyone's knowledge. Thankfully, through BetterCloud, there are ways to monitor these additions, even putting in place an approval processes for guest lifecycle management.

By the end of this video, you'll be able to:

  • Create Alerts that will help you identify guests in your SaaS apps
  • Set up an approval process for granting guests access to your organization

Creating Alerts and Building Workflows for Guest Access

Removing Guests from G Suite and 365

The above video goes into detail on how organizations can ensure guest users are properly being added to the organization. However, there are also ways to ensure guests are properly removed from the organization. Leveraging the Last Login workflow for G Suite and 365, you have the ability to create a workflow that could potentially be useful in reminding IT, Security, or Project Managers to remove a guest's access. They could be built as follows:

  • Step One: Create a Last Login Alert
    • There will need to be an AND condition, where Email CONTAINS the guest organization's email extension


  • Step Two: Add the Alerts to a Workflow so that...
    • WHEN Guest User Hasn't Logged in for XX days (this is the Alert from Step 1)

      THEN: (1) Wait for Approval, asking Security, IT, or a specific PM if you'd like to disable and delete the account (2) Disable the Account and (3) Delete the Account.

      NOTE - If you'd like to have the Wait for Approval go to a specific PM, you may want to build individual workflows based on the project and domain of the guests.

This Wait for Approval will ensure there is oversight into guest access, and guests cannot be forgotten within the organization. Optionally, this same process can be done after 60/90 days as well, giving a decision maker the ability to decline the first approval email, but approve the second.

What's Next?

Taking a deeper look at security issues, what happens if someone were to share an asset from a specific path that is for internal use only? Or if sensitive data is found in a location it doesn't belong? Our next module, titled Using Path Conditions, will walk you through how to ensure users aren't improperly sharing contents from specific paths. To view this module, please click here.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request