Why would SharePoint guest users be locked out daily, temporarily, for indeterminate periods?

Chad Woodward 0 Reputation points
2025-08-12T16:22:50.12+00:00

Every day our guest users get locked out of SharePoint, receiving an access denied error message. After a while, minutes or hours, the problem goes away and they can access normally again. Some weeks it happens at 9am every day, and some it increments by an hour daily (9am, 10am, 11am…) which indicates some kind of scheduled event on the backend. We did find a workaround after the first couple weeks; sending an invite to any existing guest users, with or without email notification, jiggles something loose and restores everyone’s access.

This has been ongoing for weeks, with open MS support tickets sent but no solutions found. Support doesn’t know, the engineers think everything is fine, and I can’t find relevant incidents online. Anyone have any ideas?

Microsoft 365 and Office | SharePoint | For business | Windows

1 answer

  1. Ryan-N 3,015 Reputation points Microsoft External Staff Moderator
    2025-08-12T17:14:05.9133333+00:00

    Hi @Chad Woodward,

    Thank you for sharing the details regarding the issue of guest users being locked out of SharePoint on a daily basis. Based on the symptoms and patterns observed, we would like to propose the following steps to help identify the root cause and resolve the issue effectively:

    Potential Causes

    • Azure AD Identity Protection: Guest accounts may be flagged as “high risk” on a scheduled basis, resulting in temporary access blocks.
    • Conditional Access Policies: Some policies may require conditions that guest users cannot meet (e.g., compliant devices, trusted IPs, or re-authentication every 24 hours).
    • Idle Session Sign-Out: SharePoint may be configured to sign users out at a specific time each day.
    • Automated Scripts or Cleanup Jobs: There may be scripts unintentionally modifying guest access on a schedule.
    • Microsoft Service Issues: There could be an undocumented issue in Microsoft’s guest authentication system.

    Recommended Troubleshooting Steps

    Step 1: Collect Diagnostic Logs

    • Review Azure AD sign-in logs at the time of the lockout.
    • Capture error codes (e.g., 530032) and the SharePoint Correlation ID from the access denied page for deeper analysis.

    Step 2: Adjust Azure AD Identity Protection Policies

    • Create a dynamic group for all guest users using the rule (user.userType -eq "Guest").
    • Exclude this group from the “User Risk Policy” and “Sign-in Risk Policy”.

    Step 3: Review Conditional Access Policies

    • Check for policies targeting “All Users” or “All Guests”.
    • Exclude guest users from restrictive policies or temporarily disable them for testing.

    Step 4: Verify SharePoint Configuration

    • Ensure external sharing is set to “New and existing guests”.
    • Temporarily disable “Idle session sign-out” to rule out session timeout issues.

    Step 5: Use the Temporary Workaround

    • Re-invite one guest user approximately 5 minutes before the usual lockout time (e.g., 8:55 AM) to “refresh” access for all guests.

    Step 6: Communicate with Guest Users

    • Inform guests that the issue is being investigated.
    • If they have internal IT support, ask whether they’ve received any security alerts from Microsoft (e.g., account verification prompts).

    Step 7: Consider Alternative Sharing Options

    • For non-sensitive content, use anonymous sharing links (“Anyone with the link”) to ensure uninterrupted access during troubleshooting.

    After implementing the above adjustments, please monitor the system during the usual lockout window to verify whether the issue persists.

    If the issue continues, I will assist you in escalating the case to Microsoft’s advanced technical support team for deeper investigation. As a moderator, I currently lack the tools to access backend logs or perform in-depth diagnostics within Azure AD.

    Once you raise a support ticket, a Microsoft live agent will contact you and initiate a remote session to examine your tenant and policy configurations in detail. This step is essential to pinpoint the root cause if configuration changes alone do not resolve the issue.

    Please let me know if you need help with any of the steps above or if you’d like assistance opening a support ticket with Microsoft.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". 


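A small triage helper for Step 1 of the answer above, added here as an example and not part of the original thread or of any Microsoft tooling. It reads an exported sign-in log (the field names follow the Microsoft Graph signIn resource, which is an assumption about the export format), keeps only failed guest sign-ins, and reports the UTC hours at which guests failed on more than one day, the error codes seen, how many failures were blocked by Conditional Access or carried a risk level, and the correlation IDs to hand to support. The sample records are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime

def rec(ts, upn, utype, code, ca, risk="none", cid="c-0"):
    """Build one record shaped like a Microsoft Graph signIn object (assumed export format)."""
    return {"createdDateTime": ts, "userPrincipalName": upn, "userType": utype,
            "appDisplayName": "Office 365 SharePoint Online", "correlationId": cid,
            "status": {"errorCode": code}, "conditionalAccessStatus": ca,
            "riskLevelDuringSignIn": risk}

# Constructed sample export, not data from any real tenant. 530032 is the error code the
# answer suggests capturing; 50126 is an ordinary bad-password failure for a member account.
SAMPLE_RECORDS = [
    rec("2025-08-11T09:02:11Z", "ann_partner.example#EXT#@contoso.example", "Guest", 530032, "failure", cid="c-1"),
    rec("2025-08-11T09:05:40Z", "bob_partner.example#EXT#@contoso.example", "Guest", 530032, "failure", cid="c-2"),
    rec("2025-08-11T14:30:00Z", "ann_partner.example#EXT#@contoso.example", "Guest", 0, "success", cid="c-3"),
    rec("2025-08-12T09:01:03Z", "ann_partner.example#EXT#@contoso.example", "Guest", 530032, "failure", cid="c-4"),
    rec("2025-08-12T10:15:00Z", "carol@contoso.example", "Member", 50126, "notApplied", cid="c-5"),
    rec("2025-08-12T10:40:22Z", "bob_partner.example#EXT#@contoso.example", "Guest", 530032, "failure", "medium", "c-6"),
]
SAMPLE_EXPORT = json.dumps(SAMPLE_RECORDS)

def guest_failures(records):
    """Failed sign-ins by guest accounts only; errorCode 0 is a success."""
    return [r for r in records
            if r.get("userType") == "Guest" and r.get("status", {}).get("errorCode", 0) != 0]

def failure_hours(records):
    """Map UTC hour -> set of dates on which at least one guest failure occurred."""
    hours = defaultdict(set)
    for r in guest_failures(records):
        ts = datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00"))
        hours[ts.hour].add(ts.date())
    return hours

def recurring_hours(records, min_days=2):
    """Hours at which guests failed on at least min_days distinct dates:
    the 'same time every day' window the question describes."""
    return sorted(h for h, days in failure_hours(records).items() if len(days) >= min_days)

def triage(export_text):
    """Summarise an exported sign-in log the way Step 1 of the answer asks for."""
    records = json.loads(export_text)
    fails = guest_failures(records)
    return {
        "guest_failures": len(fails),
        "error_codes": sorted({r["status"]["errorCode"] for r in fails}),
        "recurring_hours_utc": recurring_hours(records),
        "blocked_by_conditional_access": sum(r.get("conditionalAccessStatus") == "failure" for r in fails),
        "risk_flagged": sum(r.get("riskLevelDuringSignIn", "none") != "none" for r in fails),
        "correlation_ids": [r.get("correlationId") for r in fails],
    }
```

Run `triage()` over the real export taken around the lockout window; an hour that recurs with a Conditional Access failure or a non-zero risk level points at Steps 2 and 3 of the answer, while a recurring hour with neither points at a scheduled job or a session-timeout setting.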
