Control what external guests can do inside our organization

I want to make some security improvements in our Teams organization, and I want to control what external guests may or may not do.

I've already made some improvements, but I need help with 4 of them.

First, I want to add some reliable domains;
Second, if it's possible, I want to block all external guests from searching for people in the Teams search box and opening a message chat with someone from our organization;

Third, I want to allow file sharing only from a reliable domain and only in the groups that they are members of.

Fourth, I want to prevent file sharing in an internal user <-> external user chat conversation, but as an administrator, I could approve that an external user can share files with a specific internal user.

Is that possible?

3 Replies
1. Allow specific domains - Allow or block invites to specific organizations - Azure AD - Microsoft Entra | Microsoft Learn


2. By default, guests can only find members of the teams where they are guests; however, you can change this setting - Restrict guest user access permissions - Azure Active Directory - Microsoft Entra | Microsoft Learn


3. I'm not sure I understand this; if you have done 1, then your members will only be from allowed domains.


4. I'm not quite sure I understand the direction you are referring to. Remember Teams does not have any ability to share a file; all it's doing is presenting links to files stored in OneDrive or SharePoint. There is a difference between a guest (from your allow list in 1) and a chat with an external person. SharePoint and OneDrive sharing permissions are defined as per Manage sharing settings - SharePoint in Microsoft 365 | Microsoft Learn

Hello @Steven Collier, thanks in advance for your help; I only have time today to check the post.

I already added the specific domains and changed the guest access permissions; that works well.

On the third point, I want to block guest users from sending files in "private" conversations with members of the organization but allow it in the groups that they are members of.

On the fourth point, I want to block file sharing from all internal users to all external users in "private" conversations, but in some cases I need to allow a specific internal user to share with a specific external user.

3. Teams doesn't share files; for internal chats it allows your staff to share a link to a file stored in your organisation's OneDrive. As guest accounts don't have a OneDrive in your tenant, there is no option for them to send a file as you describe; the attach file button doesn't even show. Try it :)


4. This would be controlled by the Sharing Policy in SharePoint; move the sliders to the bottom,

but I would suggest that what you are asking for is rather odd. What's to stop your company data being copied/pasted into a message if file sharing is banned? You should be controlling whether guests are allowed rather than specifically controlling file sharing. Use modern capabilities like DLP and Sensitivity labels to protect sensitive data; they apply just as well to Teams/OneDrive as they do to email, and I suspect you don't ban email attachments.
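The SharePoint sharing policy the reply points to can also be set from the SharePoint Online Management Shell, which makes the "allowed team sites plus one exempted user" shape of points 3 and 4 explicit. This is an added example, not code from the thread or from Microsoft's documentation; the tenant name `contoso`, the domain `partner.example`, the site URL and the user `alice` are placeholders, and it assumes the `Microsoft.Online.SharePoint.PowerShell` module is installed and you hold the SharePoint administrator role.

```powershell
# Added example, not from the thread. Placeholders: contoso (tenant),
# partner.example (trusted domain), the team site URL, and the OneDrive
# URL of the single internal user who is allowed to share externally.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Point 1 of the thread: sharing invitations anywhere in the tenant can
# only go to the allow-listed domain.
Set-SPOTenant -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList "partner.example"

# A site can never be more permissive than the tenant, so the tenant level
# must stay at the most permissive setting any single site needs:
# authenticated guests only, no anonymous "Anyone" links.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly

# Sites that keep external sharing: the team sites the guests belong to
# (point 3) and the OneDrive of the one exempted internal user (point 4).
$allowedSites = @(
    "https://contoso.sharepoint.com/sites/PartnerProject",
    "https://contoso-my.sharepoint.com/personal/alice_contoso_onmicrosoft_com"
)

# "Sliders to the bottom" for everything else: every other site and every
# other user's OneDrive gets external sharing disabled, so a file link
# pasted into a 1:1 chat with an external person will not open for them.
$sites = Get-SPOSite -IncludePersonalSite $true -Limit All
foreach ($site in $sites) {
    $target = if ($allowedSites -contains $site.Url) {
        "ExternalUserSharingOnly"
    } else {
        "Disabled"
    }
    if ("$($site.SharingCapability)" -ne $target) {
        Set-SPOSite -Identity $site.Url -SharingCapability $target
    }
}

# Verify: list every site that still allows any external sharing; only the
# entries in $allowedSites should appear.
Get-SPOSite -IncludePersonalSite $true -Limit All |
    Where-Object { "$($_.SharingCapability)" -ne "Disabled" } |
    Select-Object Url, SharingCapability
```

Newly created team sites and OneDrives inherit the tenant-level setting, not "Disabled", so the loop has to be re-run (or scheduled) after sites are provisioned, and the closing remark in the reply still stands: this blocks links, not copy/paste, which is what DLP and sensitivity labels address.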