May 23 2018 12:17 AM - last edited on Jan 14 2022 04:47 PM by TechCommunityAP
Hi!
Is it possible to restrict our Azure/Office 365 users from using their account/email addresses as Guests in another Azure/Office 365 Tenant? I know that we can block which domains we can send Guest invitations to, but in this case it is the other way around.
May 29 2018 02:02 PM
Just wanted to confirm if I understood correctly.
All the users that exist in your tenant should not be able to accept the request from any other tenant.
Also, at the same time, if anyone from your enterprise tries to add a guest user, he/she should be able to do so?
Sep 18 2018 01:57 AM
Sep 19 2018 01:49 AM
Hi,
the only feature I know is the Tenant Restriction, see: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/tenant-restrictions
But that only works if your users are on the corporate network or need to leverage your on-prem infrastructure (via VPN or similar). I don't think there is a feature to block this when they are on a non-restricted internet connection.
/Peter
Oct 05 2018 06:35 AM
Hi!
No, I haven't come any closer to a solution.
Regards, Henrik
Nov 28 2018 10:34 PM
This is a tad mind-blowing. Tenant restrictions work for networks which enforce proxy or VPN for all corporate devices. But what about mobile devices, for which it's rare to see companies enforce mobile VPN... well... if someone invites a user to their tenant and they accept it, they can connect via Teams on mobile and get around the corporate containerization by uploading OneDrive documents into the "B2B" team!? Yes. This is an unfortunate hole in the security architecture. Also, not to mention this "collaboration" bypasses any retention policies set up by the account owner / tenant. So all in all, it's a bad idea to not give account owners the option to BLOCK third parties from adding their users as guests...
Nov 29 2018 12:35 AM
Hi,
there is no "corporate containerization" in a cloud world, like you have on-premises.
Your new security objects are Identity, Data, and Devices that you can protect, depending on what the use case is.
Taking your example of uploading corporate documents to a Team in a partner organization, even if you could restrict your users from being invited to a foreign tenant, what if they get a "real" user account in that foreign tenant? They could upload the data anyway.
If you want to protect that use case, then protect your data so it cannot leave your company or cannot be read by someone outside even if it is stored outside.
You can do that with Information Protection (RMS) and other features from Microsoft.
One of the advantages of cloud is collaboration with others.
In fact the user gets a new identity object in the other tenant which is only authenticated by your tenant.
Security in a cloud world involves a new way of thinking, so either protect your data if that's the use case or protect your identity. Disallowing users from being invited to another tenant is not a protection of your identity.
/Peter
Jun 28 2020 10:18 PM
I agree with Peter that Microsoft Information Protection with Information Rights Management is a best practices layered security approach and important to protecting your "crown jewels" within your company.
We now also have the ability to block or allow domains. See https://docs.microsoft.com/en-us/microsoftteams/manage-external-access
Dean
Apr 20 2021 06:00 AM
@Henrik Adolfsson
https://agatsoftware.com/microsoft-teams-ethical-wall/
It can prevent users from joining external tenants as guests.
In addition, you can set unlimited rules for communication.
Also available in Microsoft AppSource.
https://youtu.be/BKuGJK6Mtfc
Jan 28 2022 03:38 PM
4 years later I have the same question. Has anyone figured out how to block this?
Jun 29 2022 02:00 PM
Please upvote this recommendation. This feature is still not available after all these years... Uservoice was taken away so it probably lost all its traction.
https://feedbackportal.microsoft.com/feedback/idea/784eb507-eef7-ec11-a81b-000d3a03dba2
Jun 30 2022 03:49 AM
Solution
This feature is in preview now.
Have a look at cross tenant access policies:
Jun 30 2022 06:49 AM
As @Peter Stapf points out, this is now trivial to do using Cross Tenant Access Policies.
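
The cross-tenant access policy setting that matches the original question is outbound B2B collaboration. The following is an added example, not code posted by anyone in this thread: it blocks outbound B2B collaboration by default and allows one partner tenant, using Microsoft Graph through `Invoke-MgGraphRequest`. The helper name `New-OutboundB2BSetting` and the partner tenant ID are placeholders, and the signed-in admin is assumed to be able to consent to `Policy.ReadWrite.CrossTenantAccess`.

```powershell
# Added example (not from the thread). Requires the Microsoft.Graph.Authentication module.
Connect-MgGraph -Scopes 'Policy.ReadWrite.CrossTenantAccess'

# Hypothetical helper: builds a b2bCollaborationOutbound setting that allows or
# blocks all users for all applications.
function New-OutboundB2BSetting {
    param([ValidateSet('allowed', 'blocked')][string]$AccessType)
    @{
        usersAndGroups = @{
            accessType = $AccessType
            targets    = @(@{ target = 'AllUsers'; targetType = 'user' })
        }
        applications   = @{
            accessType = $AccessType
            targets    = @(@{ target = 'AllApplications'; targetType = 'application' })
        }
    }
}

$base = 'https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy'

# 1. Default policy: users of this tenant cannot use B2B collaboration (guest
#    access) in any external tenant that has no partner-specific entry.
$default = @{ b2bCollaborationOutbound = New-OutboundB2BSetting -AccessType blocked }
Invoke-MgGraphRequest -Method PATCH -Uri "$base/default" `
    -ContentType 'application/json' -Body ($default | ConvertTo-Json -Depth 10)

# 2. Partner exception: allow outbound collaboration with one trusted tenant.
#    Placeholder ID; replace with the partner's real tenant ID.
$partnerTenantId = '00000000-0000-0000-0000-000000000000'
$partner = @{
    tenantId                 = $partnerTenantId
    b2bCollaborationOutbound = New-OutboundB2BSetting -AccessType allowed
}
Invoke-MgGraphRequest -Method POST -Uri "$base/partners" `
    -ContentType 'application/json' -Body ($partner | ConvertTo-Json -Depth 10)

# 3. Read back the default to confirm the change was stored.
$current = Invoke-MgGraphRequest -Method GET -Uri "$base/default"
$current.b2bCollaborationOutbound.usersAndGroups.accessType
```

Review existing guest relationships before applying the default block, since users who already collaborate in external tenants without a partner entry lose that access.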
Jun 30 2022 06:52 AM - edited Jun 30 2022 06:53 AM
Interesting, thanks for the info... Microsoft support told me this was not possible in any way just two days ago. Has anyone deployed this - will it even prevent the guest invitations from being sent in the first place? The issue we are having is that there is someone sending Teams guest invites to one of our users with malicious content, and the user is getting spammed with emails and Teams notifications every time one comes through.
Sep 29 2022 07:56 AM