HenrikAdolfsson
Copper Contributor
May 23, 2018

Block users from becoming Guest in another Office 365 Tenant

Hi!
Is it possible to restrict our Azure/Office 365 users from using their account/email addresses as Guests in another Azure/Office 365 Tenant? I know that we can block which domains we can send Guest invitations to, but in this case it is the other way around.

    •
      mauricebollag1000
      Copper Contributor
      I would like to revive the discussion above, as there are new features with cross-tenant access and ENTRA which seem to give more options. BUT: how do you now prevent users from becoming a guest in another M365 Tenant? How can you allow specific domains? How do you get visibility of all Guest Accounts on foreign tenants, from which you want to have those disabled? etc.
      Example: a user left Company A and their guest account with the company email is still on the foreign tenant of Company B. Can ENTRA now show those? They have been created with the master AAD account from Company A, so I want to control, or at least have visibility of, those....
  • Just wanted to confirm, if I understood correctly.

    All the users that exist in your tenant should not be able to accept the request from any other tenant.

    Also, at the same time, if anyone from your enterprise tries to add a guest user, he/she should be able to do so??

  • Hello, I have the same question. Did you find out how to solve it? Many thanks. Regards, Alex
    •
      HenrikAdolfsson
      Copper Contributor

      Hi!
      No, I haven't come any closer to a solution.
      Regards, Henrik

  •
    dblockie
    Copper Contributor

    This is a tad mind blowing. Tenant restrictions work for networks which enforce proxy or VPN for all corporate devices. But what about mobile devices, where it's rare to see companies enforce mobile VPN.....well....if someone invites a user to their tenant and they accept it, they can connect via Teams on mobile and get around the corporate containerization by uploading OneDrive documents into the "B2B" team!??! Yes. This is an unfortunate hole in the security architecture. Also, not to mention this "collaboration" bypasses any retention policies set up by the account owner / tenant. So all in all, it's a bad idea to not give account owners the option to BLOCK third parties from adding their users as guests....

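    The tenant restrictions mechanism referred to in the post above works by having the corporate proxy stamp two headers onto traffic bound for the Microsoft sign-in endpoints, so that the identity service only completes sign-ins to the listed tenants. The following is an added example, not code from the thread or from Microsoft: the header names and sign-in hostnames are the documented ones for tenant restrictions v1, but the proxy-side and identity-provider-side logic is a simplified model written for illustration, and the tenant names and directory ID are constructed placeholders. It also shows why the mobile case is a gap: a request that never traverses the proxy carries no header, so nothing restricts it.

```python
"""Simplified model of Azure AD tenant restrictions (v1) enforcement.

Added example. Assumptions: a proxy sees all corporate authentication
traffic; header names and login hosts are those documented for tenant
restrictions v1; the identity-provider side is a simplified model, not
Microsoft's implementation. All tenant values below are constructed.
"""
from urllib.parse import urlsplit

# Sign-in endpoints on which the proxy must insert the headers.
LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.windows.net"}
RESTRICT_HEADER = "Restrict-Access-To-Tenants"
CONTEXT_HEADER = "Restrict-Access-Context"


def inject_tenant_restrictions(url, headers, allowed_tenants, context_tenant_id):
    """Proxy side: copy the request headers and, only for requests to a sign-in
    host, add the allow-list header and the directory ID of the enforcing tenant."""
    host = (urlsplit(url).hostname or "").lower()
    out = dict(headers)
    if host in LOGIN_HOSTS:
        out[RESTRICT_HEADER] = ",".join(allowed_tenants)
        out[CONTEXT_HEADER] = context_tenant_id
    return out


def evaluate_sign_in(headers, requested_tenant):
    """Identity-provider side (simplified): if the allow-list header is present,
    only sign-ins to a listed tenant succeed; with no header there is no restriction."""
    allow = headers.get(RESTRICT_HEADER)
    if allow is None:
        # Request did not pass through the proxy (e.g. a mobile device on
        # cellular data): the service has nothing to restrict on.
        return True
    allowed = {t.strip().lower() for t in allow.split(",") if t.strip()}
    return requested_tenant.lower() in allowed


def demo():
    """Walk through the three cases discussed in the thread; returns a dict of results."""
    # Constructed values: the home tenant and its (placeholder) directory ID.
    home_tenant = "companya.onmicrosoft.com"
    home_tenant_id = "00000000-0000-0000-0000-000000000000"  # placeholder GUID
    foreign_tenant = "companyb.onmicrosoft.com"

    # 1. Corporate device: traffic goes through the proxy, headers are added.
    proxied = inject_tenant_restrictions(
        "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
        {"User-Agent": "corp-browser"}, [home_tenant], home_tenant_id)

    # 2. A non-sign-in request must not be touched by the proxy.
    untouched = inject_tenant_restrictions(
        "https://graph.microsoft.com/v1.0/me", {"User-Agent": "corp-browser"},
        [home_tenant], home_tenant_id)

    # 3. Mobile device off the corporate network: no proxy, no headers.
    unproxied = {"User-Agent": "teams-mobile"}

    return {
        "proxied_has_headers": RESTRICT_HEADER in proxied and CONTEXT_HEADER in proxied,
        "graph_request_untouched": RESTRICT_HEADER not in untouched,
        "corp_device_home_tenant": evaluate_sign_in(proxied, home_tenant),
        "corp_device_foreign_tenant": evaluate_sign_in(proxied, foreign_tenant),
        "mobile_foreign_tenant": evaluate_sign_in(unproxied, foreign_tenant),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

    The last result is the point of the post: sign-in to the foreign tenant is blocked only when the request carries the proxy's header, so a device that authenticates from outside the proxied network is not subject to the restriction at all.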
    •
      Peter Stapf
      Brass Contributor

      Hi,

      There is no "corporate containerization" in a cloud world like you have on-premises.

      Your new security objects are Identity, Data, and Devices, which you can protect depending on what the use case is.

      Taking your example of uploading corporate documents to a Team in a partner organization: even if you could restrict your users from being invited to a foreign tenant, what if they get a "real" user account in that foreign tenant? They could upload the data anyway.

      If you want to protect that use case, then protect your data so it cannot leave your company or cannot be read by someone outside, even if it is stored outside.

      You can do that with Information Protection (RMS) and other features from Microsoft.


      One of the advantages of cloud is collaboration with others.

      In fact the user gets a new identity object in the other tenant which is only authenticated by your tenant.

      Security in a cloud world involves a new way of thinking, so either protect your data if that's the use case, or protect your identity. Disallowing users from being invited to another tenant is not a protection of your identity.

      /Peter

  •
    brink668
    Brass Contributor

    4 years later I have the same question. Has anyone figured out how to block this?