cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Disable possibility that our employees get added as guests in other companies

%3CLINGO-SUB%20id%3D%22lingo-sub-1359613%22%20slang%3D%22en-US%22%3EDisable%20possibility%20that%20our%20employees%20get%20added%20as%20guests%20in%20other%20companies%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1359613%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20are%20currently%20rolling%20out%20Teams%20to%20all%20employees%20but%20restrict%20the%20access%20to%20a%20lot%20of%20features.%20But%20unfortunately%20a%20colleague%20got%20invited%20from%20another%20tenant%20as%20a%20guest%20and%20would%20be%20able%20to%20switch%20to%20the%20other%20tenant%20and%20copy%20files%20from%20our%20environment%20to%20theirs...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOneDrive%20for%20Business%2C%20SharePoint%20Online%20is%20disabled%20for%20the%20users%20but%20I%20have%20not%20thought%20about%20this%20possibility.%20Is%20there%20a%20chance%20to%20restrict%20this%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22MicrosoftTeams-image%20(5).png%22%20style%3D%22width%3A%20288px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F188930i2BF2A08DCD997C9A%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22MicrosoftTeams-image%20(5).png%22%20alt%3D%22MicrosoftTeams-image%20(5).png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1359613%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EGuest%20Access%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Etenant%20switch%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1359689%22%20slang%3D%22en-US%22%3ERe%3A%20Disable%20possibility%20that%20our%20employees%20get%20added%20as%20guests%20in%20other%20companies%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1359689%22%20slang%3D%22en-US%22%3EMaybe%20good%20to%20filter%2Fblock%20emails%20when%20the%20have%20the%20following%20in%20the%20body%3A%3CBR%20%2F%3E%3CBR%20%2F%3E%22You%20have%20been%20added%20to%20a%20team%20in%20Microsoft%20Teams%22%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1359739%22%20slang%3D%22en-US%22%3ERe%3A%20Disable%20possibility%20that%20our%20employees%20get%20added%20as%20guests%20in%20other%20companies%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1359739%22%20slang%3D%22en-US%22%3EThere%20is%20a%20uservoice%20open%20for%20this%20here%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fmicrosoftteams.uservoice.com%2Fforums%2F555103-public%2Fsuggestions%2F36352375-prevent-users-from-joining-external-tenants-as-gue%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fmicrosoftteams.uservoice.com%2Fforums%2F555103-public%2Fsuggestions%2F36352375-prevent-users-from-joining-external-tenants-as-gue%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EAnd%20you%20could%20try%20what%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F34256%22%20target%3D%22_blank%22%3E%40Mitchell%20Bakker%3C%2FA%3E%20suggests%20in%20terms%20of%20blocking%20the%20invites%20which%20stops%20the%20join%3CBR%20%2F%3E%3CBR%20%2F%3EHowever%2C%20what%20I%20would%20say%20here%20is%20that%20your%20problem%20is%20not%20prevent%20others%20from%20joining%20other%20tenants%2C%20but%20it%20is%20sharing%20information.%20Security%20by%20impossibility%20has%20been%20shown%20to%20not%20be%20that%20effective%2C%20and%20they%20could%20just%20-%20for%20example%20-%20do%20this%20on%20WhatsApp.%20You%20just%20want%20to%20stop%20them%20copying%20files%2C%20so%20you%20would%3CBR%20%2F%3E%3CBR%20%2F%3E1.)%20Move%20all%20the%20sensitive%20information%20into%20specified%20teams%3CBR%20%2F%3E2.)%20Restrict%20Sharing%20as%20you%20have%20done%20%3CBR%20%2F%3E3.)%20Apply%20sensitivity%20labels%20to%20the%20Teams%20you%20need%3CBR%20%2F%3E4.)%20Apply%20the%20correct%20permissions%20so%20that%20users%20can%20only%20see%20the%20documents%20in%20the%20Teams%20and%20not%20be%20able%20to%20download%20them%20(I.e.%20on%20the%20underlying%20SharePoint%20site)%3CBR%20%2F%3E5.)%20Use%20Azure%20Information%20Protection%20meaning%20if%20someone%20tries%20opening%20that%20file%20it%20is%20encrypted%2C%20it%20doesn't%20even%20matter%20if%20they%20copy%20it%20into%20another%20tenant%3CBR%20%2F%3E%3CBR%20%2F%3ETry%20to%20control%20the%20data%2C%20not%20the%20access%2C%20otherwise%20users%20will%20just%20circumvent%20this%3CBR%20%2F%3E%3CBR%20%2F%3EHope%20that%20answers%20your%20question%3CBR%20%2F%3E%3CBR%20%2F%3EBest%2C%20Chris%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1359772%22%20slang%3D%22en-US%22%3ERe%3A%20Disable%20possibility%20that%20our%20employees%20get%20added%20as%20guests%20in%20other%20companies%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1359772%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F169605%22%20target%3D%22_blank%22%3E%40Christopher%20Hoard%3C%2FA%3E%26nbsp%3BAmen%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1359855%22%20slang%3D%22en-US%22%3ERe%3A%20Disable%20possibility%20that%20our%20employees%20get%20added%20as%20guests%20in%20other%20companies%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1359855%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F169605%22%20target%3D%22_blank%22%3E%40Christopher%20Hoard%3C%2FA%3E%26nbsp%3Bthanks%20for%20your%20elaborate%20answer.%20That's%20definitely%20the%20end%20goal%20for%20our%20Teams%20usage.%20Unfortunately%20we%20are%20not%20that%20far%20and%20have%20to%20work%20with%26nbsp%3Bsome%20special%20requirements.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1388398%22%20slang%3D%22en-US%22%3ERe%3A%20Disable%20possibility%20that%20our%20employees%20get%20added%20as%20guests%20in%20other%20companies%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1388398%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F169605%22%20target%3D%22_blank%22%3E%40Christopher%20Hoard%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20it%20possible%20to%20get%20an%20alert%20or%20any%20other%20kind%20of%20information%20via%20for%20example%20Graph%20API%20if%20a%20user%20works%20on%20another%20tenant%20and%20not%20ours%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1428775%22%20slang%3D%22en-US%22%3ERe%3A%20Disable%20possibility%20that%20our%20employees%20get%20added%20as%20guests%20in%20other%20companies%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1428775%22%20slang%3D%22en-US%22%3EHmm%2C%20Graph%20or%20Sentinel%20may%20capture%20it.%20I%20am%20not%20aware%20of%20anything%20specifically%20that%20can%20report%20back%20on%20whether%20they%20have%20access%20to%20other%20tenants%3CBR%20%2F%3E%3CBR%20%2F%3EA%20way%20I%20have%20just%20thought%20of%20is%20that%20every%20client%20who%20gets%20guest%20access%20to%20another%20tenant%20gets%20an%20email%20to%20join%20the%20other%20tenant.%20You%20could%20always%20look%20to%20setup%20a%20rule%20in%20exchange%20online%20which%20captures%20those%20emails%20to%20be%20approved%20by%20the%20administrator.%20At%20least%20then%20you%20would%20have%20some%20oversight%20and%20map%20it%3CBR%20%2F%3E%3CBR%20%2F%3EBest%2C%20Chris%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1430433%22%20slang%3D%22en-US%22%3ERe%3A%20Disable%20possibility%20that%20our%20employees%20get%20added%20as%20guests%20in%20other%20companies%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1430433%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F169605%22%20target%3D%22_blank%22%3E%40Christopher%20Hoard%3C%2FA%3E%26nbsp%3BAGAT%20software%20actually%20have%20a%20great%20solution%20for%20this.%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fagatsoftware.com%2Fmicrosoft-teams-ethical-wall%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fagatsoftware.com%2Fmicrosoft-teams-ethical-wall%2F%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1535735%22%20slang%3D%22en-US%22%3ERe%3A%20Disable%20possibility%20that%20our%20employees%20get%20added%20as%20guests%20in%20other%20companies%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1535735%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F440189%22%20target%3D%22_blank%22%3E%40Reuvain%3C%2FA%3E%26nbsp%3Bactually%20their%20software%26nbsp%3Balso%20cannot%20prevent%20you%20from%20changing%20the%20tenant.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1535742%22%20slang%3D%22en-US%22%3ERe%3A%20Disable%20possibility%20that%20our%20employees%20get%20added%20as%20guests%20in%20other%20companies%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1535742%22%20slang%3D%22en-US%22%3EBefore%20you%20get%20into%20the%20nitty%20gritty%20of%20what%20guests%20can%20and%20can't%20do%2C%20you%20need%20to%20think%20about%20how%20they'll%20be%20invited%20into%20your%20tenant%20in%20the%20first%20place.%3CBR%20%2F%3E%3CBR%20%2F%3EThe%20guest%20access%20experience%20in%20Teams%20is%20managed%20at%20the%20highest%20level%20through%20your%20Azure%20Active%20Directory.%3CBR%20%2F%3E%3CBR%20%2F%3EGlobal%20admins%20can%20configure%20settings%20for%20external%20users%20across%20your%20entire%20organization%20in%20the%20Organizational%20relationships%20settings%20(Azure%20Active%20Directory%20%26gt%3B%20Organizational%20relationships%20%26gt%3B%20Settings).%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1535997%22%20slang%3D%22en-US%22%3ERe%3A%20Disable%20possibility%20that%20our%20employees%20get%20added%20as%20guests%20in%20other%20companies%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1535997%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F169605%22%20target%3D%22_blank%22%3E%40Christopher%20Hoard%3C%2FA%3E%26nbsp%3BI%20created%20a%20user%20voice%20item.%20It%20would%20be%20great%20if%20you%20guys%20could%20vote%20for%20it.%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fmicrosoftteams.uservoice.com%2Fforums%2F555103-public%2Fsuggestions%2F40957945-option-to-disable-the-possibility-to-switch-tenant%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fmicrosoftteams.uservoice.com%2Fforums%2F555103-public%2Fsuggestions%2F40957945-option-to-disable-the-possibility-to-switch-tenant%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20think%20it's%20a%20pretty%20necessary%20feature%20that%20should%20be%20added%20to%20Teams.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Thomsch
Frequent Contributor

‎05-05-2020 03:07 AM

‎05-05-2020 03:07 AM

Disable possibility that our employees get added as guests in other companies

We are currently rolling out Teams to all employees but restrict the access to a lot of features. But unfortunately a colleague got invited from another tenant as a guest and would be able to switch to the other tenant and copy files from our environment to theirs...

 

OneDrive for Business, SharePoint Online is disabled for the users but I have not thought about this possibility. Is there a chance to restrict this?

 

MicrosoftTeams-image (5).png

Labels:
526 Views
2 Likes
10 Replies
Reply
10 Replies
Mitchell Bakker

‎05-05-2020 03:38 AM

‎05-05-2020 03:38 AM

Re: Disable possibility that our employees get added as guests in other companies

Maybe good to filter/block emails when the have the following in the body:

"You have been added to a team in Microsoft Teams"
2 Likes
Reply
Best Response confirmed by adam deltinger (MVP)
Christopher Hoard

‎05-05-2020 04:04 AM

‎05-05-2020 04:04 AM

Solution

Re: Disable possibility that our employees get added as guests in other companies

There is a uservoice open for this here

https://microsoftteams.uservoice.com/forums/555103-public/suggestions/36352375-prevent-users-from-jo...

And you could try what @Mitchell Bakker suggests in terms of blocking the invites which stops the join

However, what I would say here is that your problem is not prevent others from joining other tenants, but it is sharing information. Security by impossibility has been shown to not be that effective, and they could just - for example - do this on WhatsApp. You just want to stop them copying files, so you would

1.) Move all the sensitive information into specified teams
2.) Restrict Sharing as you have done
3.) Apply sensitivity labels to the Teams you need
4.) Apply the correct permissions so that users can only see the documents in the Teams and not be able to download them (I.e. on the underlying SharePoint site)
5.) Use Azure Information Protection meaning if someone tries opening that file it is encrypted, it doesn't even matter if they copy it into another tenant

Try to control the data, not the access, otherwise users will just circumvent this

Hope that answers your question

Best, Chris
6 Likes
Reply
Thomsch

‎05-05-2020 05:06 AM

‎05-05-2020 05:06 AM

Re: Disable possibility that our employees get added as guests in other companies

@Christopher Hoard thanks for your elaborate answer. That's definitely the end goal for our Teams usage. Unfortunately we are not that far and have to work with some special requirements.

2 Likes
Reply
Thomsch

‎05-13-2020 11:43 PM

‎05-13-2020 11:43 PM

Re: Disable possibility that our employees get added as guests in other companies

@Christopher Hoard 

Is it possible to get an alert or any other kind of information via for example Graph API if a user works on another tenant and not ours?

1 Like
Reply
Christopher Hoard

‎05-30-2020 09:48 AM

‎05-30-2020 09:48 AM

Re: Disable possibility that our employees get added as guests in other companies

Hmm, Graph or Sentinel may capture it. I am not aware of anything specifically that can report back on whether they have access to other tenants

A way I have just thought of is that every client who gets guest access to another tenant gets an email to join the other tenant. You could always look to setup a rule in exchange online which captures those emails to be approved by the administrator. At least then you would have some oversight and map it

Best, Chris
3 Likes
Reply
Reuvain

‎06-01-2020 12:10 AM

‎06-01-2020 12:10 AM

Re: Disable possibility that our employees get added as guests in other companies

@Christopher Hoard AGAT software actually have a great solution for this. 

https://agatsoftware.com/microsoft-teams-ethical-wall/

2 Likes
Reply
Thomsch

‎07-21-2020 06:50 AM

‎07-21-2020 06:50 AM

Re: Disable possibility that our employees get added as guests in other companies

@Reuvain actually their software also cannot prevent you from changing the tenant.

1 Like
Reply
Lewis-H

‎07-21-2020 06:52 AM

‎07-21-2020 06:52 AM

Re: Disable possibility that our employees get added as guests in other companies

Before you get into the nitty gritty of what guests can and can't do, you need to think about how they'll be invited into your tenant in the first place.

The guest access experience in Teams is managed at the highest level through your Azure Active Directory.

Global admins can configure settings for external users across your entire organization in the Organizational relationships settings (Azure Active Directory > Organizational relationships > Settings).

1 Like
Reply
Thomsch

‎07-21-2020 08:01 AM

‎07-21-2020 08:01 AM

Re: Disable possibility that our employees get added as guests in other companies

@Christopher Hoard I created a user voice item. It would be great if you guys could vote for it.

https://microsoftteams.uservoice.com/forums/555103-public/suggestions/40957945-option-to-disable-the...

 

I think it's a pretty necessary feature that should be added to Teams.

2 Likes
Reply