Forum Discussion
Thomsch
May 05, 2020, Iron Contributor
Disable possibility that our employees get added as guests in other companies
We are currently rolling out Teams to all employees but restrict access to a lot of features. Unfortunately, a colleague got invited by another tenant as a guest and would be able to switch to the other tenant and copy files from our environment to theirs...
OneDrive for Business and SharePoint Online are disabled for the users, but I had not thought about this possibility. Is there a chance to restrict this?
- There is a UserVoice request open for this here:
https://microsoftteams.uservoice.com/forums/555103-public/suggestions/36352375-prevent-users-from-joining-external-tenants-as-gue
And you could try what Mitchell Bakker suggests in terms of blocking the invites which stops the join
However, what I would say here is that your problem is not preventing others from joining other tenants, but sharing information. Security by impossibility has been shown to not be that effective, and they could just, for example, do this on WhatsApp. You just want to stop them copying files, so you would:
1.) Move all the sensitive information into specified teams
2.) Restrict Sharing as you have done
3.) Apply sensitivity labels to the Teams you need
4.) Apply the correct permissions so that users can only see the documents in the Teams and not be able to download them (i.e. on the underlying SharePoint site)
5.) Use Azure Information Protection meaning if someone tries opening that file it is encrypted, it doesn't even matter if they copy it into another tenant
Try to control the data, not the access; otherwise users will just circumvent this.
Hope that answers your question.
Best, Chris
10 Replies
- Lewis-H, Iron Contributor: Before you get into the nitty gritty of what guests can and can't do, you need to think about how they'll be invited into your tenant in the first place.
The guest access experience in Teams is managed at the highest level through your Azure Active Directory.
Global admins can configure settings for external users across your entire organization in the Organizational relationships settings (Azure Active Directory > Organizational relationships > Settings).
- Thomsch, Iron Contributor
ChrisHoardMVP thanks for your elaborate answer. That's definitely the end goal for our Teams usage. Unfortunately we are not that far and have to work with some special requirements.
- Thomsch, Iron Contributor
Is it possible to get an alert or any other kind of information, via for example the Graph API, if a user works in another tenant and not ours?
- ChristianBergstrom, Silver Contributor
ChrisHoardMVP Amen 🙂
- Mitchell Bakker, Steel Contributor: Maybe good to filter/block emails when they have the following in the body:
"You have been added to a team in Microsoft Teams"
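As an added illustration of Mitchell Bakker's suggestion (example code written for this page, not something posted in the thread), here is how that mail filter looks as an Exchange Online mail flow rule. The rule name, the admin mailbox address, and the decision to delete rather than quarantine are assumptions; the matched phrase is the one quoted above. The rule is created in audit mode first so you can confirm it only catches the invitation notifications before it starts deleting anything.

```powershell
# Added example, not from the thread: Exchange Online mail flow (transport) rule
# that catches Teams guest-invitation notifications by the body text quoted above.
# Requires the ExchangeOnlineManagement module and an Exchange admin role.
Connect-ExchangeOnline

$ruleName = "Block Teams guest invitations from external tenants"   # assumed name
$phrase   = "You have been added to a team in Microsoft Teams"       # phrase from the thread

# 1) Create the rule in Audit mode: matches are logged in the rule report but the
#    delete action is NOT applied yet. -FromScope NotInOrganization keeps it from
#    touching notifications generated inside your own tenant.
New-TransportRule -Name $ruleName `
    -FromScope NotInOrganization `
    -SubjectOrBodyContainsWords $phrase `
    -DeleteMessage $true `
    -Mode Audit `
    -Comments "Stops employees receiving guest invitations to other tenants (thread suggestion)"

# 2) Review what the rule would have matched (Mode/State show up in the rule object;
#    hit details are in the mail flow rule report in the Security & Compliance portal).
Get-TransportRule -Identity $ruleName | Format-List Name, State, Mode, Priority, FromScope

# 3) Once you are satisfied it only hits invitation mail, switch it to enforcement.
Set-TransportRule -Identity $ruleName -Mode Enforce

# To put the mail in quarantine for an admin to inspect instead of deleting it,
# use -Quarantine $true in place of -DeleteMessage $true.
```

Usage note: this only removes the notification email. The invitation itself is redeemed through Azure AD B2B, so a user who receives the link by another channel, or who is added directly while already signed in to the other tenant, still ends up as a guest. Treat the rule as a speed bump that reduces accidental joins, and pair it with the data-centric controls Chris lists above (sensitivity labels, download restrictions, Azure Information Protection), which keep working even after a file has been copied elsewhere.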