Azure External Identities: how to use Allow List with gmail.com but only allow certain gmails

In Microsoft 365 -> Azure -> External collaboration settings, for the Collaboration Restrictions setting I have it set to "Allow invitations only to the specified domains (most restrictive)".

I now need to add a specific gmail user, (let's say testuser@gmail.com), as a guest to the organization, but in order to do this I need to add "gmail.com" as a whitelisted domain. If I do this, it kind of defeats the purpose of using an allow list since there are millions of gmail.com accounts that exist.

I am wondering if there is a way to specify gmail.com in the allow list, and then create another restriction for all gmail.com emails where the email must be in a list that I specify? So basically I would have a policy that says for all gmail.com users, only allow testuser@gmail.com, otherwise block.

Is this possible via conditional access or other means?

Thanks

2 Replies

Hi, not with that setting... you need to add the domain. But you could allow all domains and change the setting above so that only certain trusted users can invite people, then, as an Admin, invite that one gmail user as a guest.

Or, you could allow sharing with the gmail.com domain, then create an 'Allowed Guest Users' group. Then use a Conditional Access policy:

- apply it to Guest and External Users (not the group), then under Exclude add the 'Allowed Guest Users' group.

- set action to Block

This should prevent any Guest user signing in if they have not been added to the group.

Or, you could create a Dynamic Group with the rule:

(user.mail -contains "gmail")

Then set up conditional access to block that group, excluding the 'Allowed group' with the one user in it.

This should block all gmail users while allowing gmail users you add to the allowed group.

This requires testing, but you should be able to achieve the goal.
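The second and third options from the reply above, as an added example that is not part of the original thread, built with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, that the signed-in account can manage groups and Conditional Access, and that the group names, policy name and the guest address testuser@gmail.com are placeholders. The dynamic rule adds a userType clause to the one the reply gives; that clause is this example's addition, so that licensed members whose mail happens to contain "gmail" are never swept into the block group.

```powershell
# Added example: enforce "only guests in an allow-list group may sign in".
# Not the original poster's or replier's code. Group/policy names are placeholders.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All", `
    "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# 1. Static allow-list group: the only guests permitted to sign in.
$allowed = New-MgGroup -DisplayName "Allowed Guest Users" `
    -MailEnabled:$false -MailNickname "AllowedGuestUsers" -SecurityEnabled

# Add the one Gmail guest once the guest object exists in the directory.
$guest = Get-MgUser -Filter "mail eq 'testuser@gmail.com' and userType eq 'Guest'"
if ($guest) {
    New-MgGroupMember -GroupId $allowed.Id -DirectoryObjectId $guest.Id
}

# 2. Dynamic group (option three in the reply). -contains is a substring match,
# so "gmail" also matches addresses like someone@notgmail.example; the userType
# clause is added here so only guests can ever land in this group.
$gmailGuests = New-MgGroup -DisplayName "All Gmail Guests" `
    -MailEnabled:$false -MailNickname "AllGmailGuests" -SecurityEnabled `
    -GroupTypes "DynamicMembership" `
    -MembershipRule '(user.userType -eq "Guest") and (user.mail -contains "gmail")' `
    -MembershipRuleProcessingState "On"

# 3. Conditional Access policy. Option two: target all guests/external users and
# exclude the allow-list group. Created in report-only mode so the sign-in log
# shows who *would* be blocked; set state = "enabled" after reviewing it.
$usersOptionTwo = @{
    includeGuestsOrExternalUsers = @{
        guestOrExternalUserTypes = "b2bCollaborationGuest,b2bCollaborationMember,internalGuest,otherExternalUser"
        externalTenants = @{
            "@odata.type"  = "#microsoft.graph.conditionalAccessAllExternalTenants"
            membershipKind = "all"
        }
    }
    excludeGroups = @($allowed.Id)
}

# Option three: target only the dynamic Gmail group instead of every guest.
$usersOptionThree = @{
    includeGroups = @($gmailGuests.Id)
    excludeGroups = @($allowed.Id)
}

$policy = @{
    displayName   = "Block guests not in Allowed Guest Users"
    state         = "enabledForReportingButNotEnforced"   # report-only first
    conditions    = @{
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        users          = $usersOptionTwo        # swap for $usersOptionThree if preferred
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Two checks before switching the policy to enabled: confirm in the sign-in logs (report-only tab) that only the expected guest accounts show as "would block", and remember that the dynamic group is evaluated asynchronously, so a freshly invited Gmail guest can sign in for a short window before membership is processed, which is one reason the "all guests except the allow list" form is the tighter of the two.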

Hi @MichaelT630 

A "quick and dirty" solution could be to allow Gmail, generate the invitation, and restrict Gmail again. The restriction applies only at the time the invitation is generated.

Or you can restrict the ability to invite external people to those who have the "Guest Inviter" role:

- These people will be made aware

- Monitoring will let you track whether guests are created for sensitive domains (like Gmail)
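The inviter restriction and the monitoring described in this reply, plus the admin-issued invitation from the reply above, as an added example that is not part of the original thread. It uses the Microsoft Graph PowerShell SDK and assumes the signed-in account can read the audit log and update the tenant authorization policy; the list of "sensitive" consumer domains, the group name and the guest address are placeholders chosen for the example, and the Guest Inviter role itself is assigned in the portal (not shown).

```powershell
# Added example: lock invitations down to admins and Guest Inviters, invite the
# one Gmail user as an admin, then report guests from consumer domains.
# Not the original poster's or repliers' code; domains and names are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "User.Invite.All", `
    "User.Read.All", "GroupMember.Read.All", "AuditLog.Read.All", "Directory.Read.All"

# 1. Only admins and users holding the Guest Inviter role may invite guests.
#    (Other valid values: none, adminsGuestInvitersAndAllMembers, everyone.)
Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId "authorizationPolicy" `
    -AllowInvitesFrom "adminsAndGuestInviters"

# 2. Admin-issued invitation for the single approved Gmail user.
New-MgInvitation -InvitedUserEmailAddress "testuser@gmail.com" `
    -InviteRedirectUrl "https://myapps.microsoft.com" -SendInvitationMessage

# 3. Monitoring: every guest whose address is in a sensitive domain and who is
#    NOT in the allow-list group is a finding to review.
$sensitiveDomains = @("gmail.com", "outlook.com", "yahoo.com")   # constructed list
$allowedGroup = Get-MgGroup -Filter "displayName eq 'Allowed Guest Users'"
$allowedIds   = @()
if ($allowedGroup) {
    $allowedIds = (Get-MgGroupMember -GroupId $allowedGroup.Id -All).Id
}

$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property Id, DisplayName, Mail, UserPrincipalName, CreatedDateTime

$findings = $guests | Where-Object {
    $_.Mail -and
    ($sensitiveDomains -contains $_.Mail.Split('@')[-1].ToLowerInvariant()) -and
    ($allowedIds -notcontains $_.Id)
} | Select-Object DisplayName, Mail, CreatedDateTime

$findings | Format-Table -AutoSize

# 4. Who issued those invitations? Pull the last 7 days of "Invite external user"
#    audit events. The target/initiator field layout below matches what the
#    directory audit log exposes; confirm it against your tenant's entries.
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogDirectoryAudit -All `
    -Filter "activityDisplayName eq 'Invite external user' and activityDateTime ge $since" |
    ForEach-Object {
        [pscustomobject]@{
            When    = $_.ActivityDateTime
            Inviter = $_.InitiatedBy.User.UserPrincipalName
            Invitee = ($_.TargetResources | Select-Object -First 1).UserPrincipalName
            Result  = $_.Result
        }
    } | Format-Table -AutoSize
```

Steps 3 and 4 are the part worth scheduling (for example as an Azure Automation runbook or a Logic App on a daily timer): step 3 catches guests that already exist regardless of how they got in, and step 4 attributes each new consumer-domain guest to the inviter, which is what makes the "Guest Inviter" restriction auditable rather than just a setting.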