Consider this scenario:
We allocate subcontractors an Office 365 Enterprise E3 license with only Exchange Online enabled. Subcontractors are granted access to content on an an-needed basis and are not considered employees. Subcontractors Azure AD identities are assigned the "Guest" UserType.
The subcontractor successfully authenticates to Office 365 by visiting https://portal.office.com and then visits https://web.microsoftstream.com by typing the URL into the browser's address bar. A Stream Trial License is then automatically assigned outside of Enterprise E3 license and the service is provisioned to give access to the subcontractor. After a few minutes, the subcontractor is able to see all internal video content that is not meant for a "Guest" UserType. This circumvents guest controls which to my understanding is currently not possible (https://techcommunity.microsoft.com/t5/Office-365/Microsoft-stream-external-sharing/td-p/143411).
We have been using Stream with the understanding that Guest Users are not able to get access and that the appropriate controls to limit access will be introduced when anonymous/guest access is made available.
Can you comment on this? How do you limit "Even though as an admin you might have removed Microsoft Stream license from a user, they have the option to sign-up via a free trial and get access to your organization's stream portal." to UserType "Members" and not "UserType "Guests"?
https://docs.microsoft.com/en-us/stream/disable-user-organization