Forum Discussion
Block users from becoming Guest in another Office 365 Tenant
This feature is in preview now.
Have a look at cross tenant access policies:
This is a tad mind blowing. Tenant restrictions works for networks which enforce proxy or VPN for all corporate devices. But what about mobile devices, which it's rare to see companies enforce mobile VPN.....well....if someone invites a user to their tenant and they accept it, they can connect via Teams on mobile and get around the corporate containerization by uploading OneDrive documents into the "B2B" team!??! Yes. This is an unfortunate hole in the security architecture. Also, not to mention this "collaboration" bypasses any retention policies setup by the account owner / tenant. So all in all, it's a bad idea to not give account owners the option to BLOCK third parties from adding their users as guests....
Hi,
there is no "corporate containerization" in a cloud world, like you have on-Premises.
You new security objects are Identity, Data, and Devices that you can protect, depending on what the use case is.
Taking you example of upload corporate documents to a Team in a partner organization, even if you could restrict your users not being invited to a foreign tenant, what if they get an "real" user account in that foreign tenant ? They could upload the data anyway.
If you want to protect that use case, then protect your data so it can not leave your company or can not be read by someone outside even it is stored outsside.
You can do that with Information Protection (RMS) and other features from Microsoft.
One of the advantages of cloud is collaboration with others.
In fact the users gets an new identity object in the other tenant which is only authenticated by your tenant.
Security in a cloud world involves a new thinking, so either protect your data if thats the use case or protect your identity. Disallow users to be invited to another tenant is not a protection of your identity.
/Peter
I agree with Peter that Microsoft Information Protection with Information Rights Management is a best practices layered security approach and important to protecting your "crown jewels" within your company.
We now also have the ability to block or allow domains. See https://docs.microsoft.com/en-us/microsoftteams/manage-external-access
Dean
