Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
SOLVED

Block users from becoming Guest in another Office 365 Tenant

Copper Contributor

Hi!
Is it possible to restrict our Azure/Office 365 users from using their account/email-addresses as Guests in another Azure/Office 365 Tenant. I know that we can block which domains that we can send Guest  invitations to, but in this case it is the other way around.

15 Replies

Just wanted to confirm ,if I understood correctly.

All the users that exists in your tenant should not be able to accept the request from any other tenant.

 

Also, at the same time if anyone from your enterprise tries to add a guest user he/should be able to do so.??

Hello, I have the same question. Did you find out how to solve it? Many thanks Regards Alex

Hi,

the only feature I know is the Tenant Restriction, see: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/tenant-restrictions

 

But that only works I your users are on the corporate network or need to leverage your onPrem infrastructure (via VPN or similar). I don't think there is a feature to block this when they are on a non-restricted internet connection.

 

/Peter

Hi!
No, I haven't come any closer to a solution.
Regards, Henrik

This is a tad mind blowing.  Tenant restrictions works for networks which enforce proxy or VPN for all corporate devices.  But what about mobile devices, which it's rare to see companies enforce mobile VPN.....well....if someone invites a user to their tenant and they accept it, they can connect via Teams on mobile and get around the corporate containerization by uploading OneDrive documents into the "B2B" team!??!  Yes.  This is an unfortunate hole in the security architecture.  Also, not to mention this "collaboration" bypasses any retention policies setup by the account owner / tenant.  So all in all, it's a bad idea to not give account owners the option to BLOCK third parties from adding their users as guests....

Hi,

there is no "corporate containerization" in a cloud world, like you have on-Premises.

You new security objects are Identity, Data, and Devices that you can protect, depending on what the use case is.

Taking you example of upload corporate documents to a Team in a partner organization, even if you could restrict your users not being invited to a foreign tenant, what if they get an "real" user account in that foreign tenant ? They could upload the data anyway.

 

If you want to protect that use case, then protect your data so it can not leave your company or can not be read by someone outside even it is stored outsside.

You can do that with Information Protection (RMS) and other features from Microsoft.

 

One of the advantages of cloud is collaboration with others.

In fact the users gets an new identity object in the other tenant which is only authenticated by your tenant.

 

Security in a cloud world involves a new thinking, so either protect your data if thats the use case or protect your identity. Disallow users to be invited to another tenant is not a protection of your identity.

 

/Peter

@Peter Stapf 

 

I agree with Peter that Microsoft Information Protection with Information Rights Management is a best practices layered security approach and important to protecting your "crown jewels" within your company.

 

We now also have the ability to block or allow domains. See https://docs.microsoft.com/en-us/microsoftteams/manage-external-access

 

Dean

@Henrik Adolfsson 

https://agatsoftware.com/microsoft-teams-ethical-wall/ :white_heavy_check_mark::white_heavy_check_mark::white_heavy_check_mark:
It can prevent users from joining external tenants as guests.
In addition, can set unlimited rules for communication
Also available in Microsoft Appsource
https://youtu.be/BKuGJK6Mtfc

4 years later I have the same question. Has anyone figured out how to block this? 

Please upvote this recommendation. This feature is still not available after all these years... Uservoice was taken away so it probably lost all its traction.

 

https://feedbackportal.microsoft.com/feedback/idea/784eb507-eef7-ec11-a81b-000d3a03dba2

best response confirmed by Henrik Adolfsson (Copper Contributor)

As @Peter Stapf points out, this is now trivial to do using Cross Tenant Access Policies.

Interesting, thanks for the info... Microsoft support told me this was not possible in any way just two days ago. Has anyone deployed this - will it even prevent the guest invitations from being sent in the first place? The issue we are having is that there is someone sending Teams guest invites to one of our users with malicious content, and the user is getting spammed with emails and Teams notifications every time one comes through.

I would like to revive the discussion above as there a new features with cross-tenant and ENTRA which seems to give more options. BUT: how do now prevent users from becoming guest in another M365 Tenant? How can you allow specific domains? How do you get the visibility of all Guest Accounts on foreign tenants, from which you want to have those disabled? etc.
Example: User left Company A and guest email company still on foreign tenant from Company B. Can ENTRA now show those? they have been created with the master AAD account from Company A, so I want to control or at least have the visibility on those....
1 best response

Accepted Solutions
best response confirmed by Henrik Adolfsson (Copper Contributor)