SOLVED

Disable possibility that our employees get added as guests in other companies

%3CLINGO-SUB%20id%3D%22lingo-sub-1359613%22%20slang%3D%22en-US%22%3EDisable%20possibility%20that%20our%20employees%20get%20added%20as%20guests%20in%20other%20companies%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1359613%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20are%20currently%20rolling%20out%20Teams%20to%20all%20employees%20but%20restrict%20the%20access%20to%20a%20lot%20of%20features.%20But%20unfortunately%20a%20colleague%20got%20invited%20from%20another%20tenant%20as%20a%20guest%20and%20would%20be%20able%20to%20switch%20to%20the%20other%20tenant%20and%20copy%20files%20from%20our%20environment%20to%20theirs...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOneDrive%20for%20Business%2C%20SharePoint%20Online%20is%20disabled%20for%20the%20users%20but%20I%20have%20not%20thought%20about%20this%20possibility.%20Is%20there%20a%20chance%20to%20restrict%20this%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22MicrosoftTeams-image%20(5).png%22%20style%3D%22width%3A%20288px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F188930i2BF2A08DCD997C9A%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22MicrosoftTeams-image%20(5).png%22%20alt%3D%22MicrosoftTeams-image%20(5).png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1359613%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EGuest%20Access%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Etenant%20switch%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1359689%22%20slang%3D%22en-US%22%3ERe%3A%20Disable%20possibility%20that%20our%20employees%20get%20added%20as%20guests%20in%20other%20companies%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1359689%22%20slang%3D%22en-US%22%3EMaybe%20good%20to%20filter%2Fblock%20emails%20when%20the%20have%20the%20following%20in%20the%20body%3A%3CBR%20%2F%3E%3CBR%20%2F%3E%22You%20have%20been%20added%20to%20a%20team%20in%20Microsoft%20Teams%22%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1359739%22%20slang%3D%22en-US%22%3ERe%3A%20Disable%20possibility%20that%20our%20employees%20get%20added%20as%20guests%20in%20other%20companies%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1359739%22%20slang%3D%22en-US%22%3EThere%20is%20a%20uservoice%20open%20for%20this%20here%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fmicrosoftteams.uservoice.com%2Fforums%2F555103-public%2Fsuggestions%2F36352375-prevent-users-from-joining-external-tenants-as-gue%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fmicrosoftteams.uservoice.com%2Fforums%2F555103-public%2Fsuggestions%2F36352375-prevent-users-from-joining-external-tenants-as-gue%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EAnd%20you%20could%20try%20what%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F34256%22%20target%3D%22_blank%22%3E%40Mitchell%20Bakker%3C%2FA%3E%20suggests%20in%20terms%20of%20blocking%20the%20invites%20which%20stops%20the%20join%3CBR%20%2F%3E%3CBR%20%2F%3EHowever%2C%20what%20I%20would%20say%20here%20is%20that%20your%20problem%20is%20not%20prevent%20others%20from%20joining%20other%20tenants%2C%20but%20it%20is%20sharing%20information.%20Security%20by%20impossibility%20has%20been%20shown%20to%20not%20be%20that%20effective%2C%20and%20they%20could%20just%20-%20for%20example%20-%20do%20this%20on%20WhatsApp.%20You%20just%20want%20to%20stop%20them%20copying%20files%2C%20so%20you%20would%3CBR%20%2F%3E%3CBR%20%2F%3E1.)%20Move%20all%20the%20sensitive%20information%20into%20specified%20teams%3CBR%20%2F%3E2.)%20Restrict%20Sharing%20as%20you%20have%20done%20%3CBR%20%2F%3E3.)%20Apply%20sensitivity%20labels%20to%20the%20Teams%20you%20need%3CBR%20%2F%3E4.)%20Apply%20the%20correct%20permissions%20so%20that%20users%20can%20only%20see%20the%20documents%20in%20the%20Teams%20and%20not%20be%20able%20to%20download%20them%20(I.e.%20on%20the%20underlying%20SharePoint%20site)%3CBR%20%2F%3E5.)%20Use%20Azure%20Information%20Protection%20meaning%20if%20someone%20tries%20opening%20that%20file%20it%20is%20encrypted%2C%20it%20doesn't%20even%20matter%20if%20they%20copy%20it%20into%20another%20tenant%3CBR%20%2F%3E%3CBR%20%2F%3ETry%20to%20control%20the%20data%2C%20not%20the%20access%2C%20otherwise%20users%20will%20just%20circumvent%20this%3CBR%20%2F%3E%3CBR%20%2F%3EHope%20that%20answers%20your%20question%3CBR%20%2F%3E%3CBR%20%2F%3EBest%2C%20Chris%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1359772%22%20slang%3D%22en-US%22%3ERe%3A%20Disable%20possibility%20that%20our%20employees%20get%20added%20as%20guests%20in%20other%20companies%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1359772%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F169605%22%20target%3D%22_blank%22%3E%40Christopher%20Hoard%3C%2FA%3E%26nbsp%3BAmen%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1359855%22%20slang%3D%22en-US%22%3ERe%3A%20Disable%20possibility%20that%20our%20employees%20get%20added%20as%20guests%20in%20other%20companies%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1359855%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F169605%22%20target%3D%22_blank%22%3E%40Christopher%20Hoard%3C%2FA%3E%26nbsp%3Bthanks%20for%20your%20elaborate%20answer.%20That's%20definitely%20the%20end%20goal%20for%20our%20Teams%20usage.%20Unfortunately%20we%20are%20not%20that%20far%20and%20have%20to%20work%20with%26nbsp%3Bsome%20special%20requirements.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1388398%22%20slang%3D%22en-US%22%3ERe%3A%20Disable%20possibility%20that%20our%20employees%20get%20added%20as%20guests%20in%20other%20companies%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1388398%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F169605%22%20target%3D%22_blank%22%3E%40Christopher%20Hoard%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20it%20possible%20to%20get%20an%20alert%20or%20any%20other%20kind%20of%20information%20via%20for%20example%20Graph%20API%20if%20a%20user%20works%20on%20another%20tenant%20and%20not%20ours%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1428775%22%20slang%3D%22en-US%22%3ERe%3A%20Disable%20possibility%20that%20our%20employees%20get%20added%20as%20guests%20in%20other%20companies%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1428775%22%20slang%3D%22en-US%22%3EHmm%2C%20Graph%20or%20Sentinel%20may%20capture%20it.%20I%20am%20not%20aware%20of%20anything%20specifically%20that%20can%20report%20back%20on%20whether%20they%20have%20access%20to%20other%20tenants%3CBR%20%2F%3E%3CBR%20%2F%3EA%20way%20I%20have%20just%20thought%20of%20is%20that%20every%20client%20who%20gets%20guest%20access%20to%20another%20tenant%20gets%20an%20email%20to%20join%20the%20other%20tenant.%20You%20could%20always%20look%20to%20setup%20a%20rule%20in%20exchange%20online%20which%20captures%20those%20emails%20to%20be%20approved%20by%20the%20administrator.%20At%20least%20then%20you%20would%20have%20some%20oversight%20and%20map%20it%3CBR%20%2F%3E%3CBR%20%2F%3EBest%2C%20Chris%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1430433%22%20slang%3D%22en-US%22%3ERe%3A%20Disable%20possibility%20that%20our%20employees%20get%20added%20as%20guests%20in%20other%20companies%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1430433%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F169605%22%20target%3D%22_blank%22%3E%40Christopher%20Hoard%3C%2FA%3E%26nbsp%3BAGAT%20software%20actually%20have%20a%20great%20solution%20for%20this.%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fagatsoftware.com%2Fmicrosoft-teams-ethical-wall%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fagatsoftware.com%2Fmicrosoft-teams-ethical-wall%2F%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1535735%22%20slang%3D%22en-US%22%3ERe%3A%20Disable%20possibility%20that%20our%20employees%20get%20added%20as%20guests%20in%20other%20companies%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1535735%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F440189%22%20target%3D%22_blank%22%3E%40Reuvain%3C%2FA%3E%26nbsp%3Bactually%20their%20software%26nbsp%3Balso%20cannot%20prevent%20you%20from%20changing%20the%20tenant.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1535742%22%20slang%3D%22en-US%22%3ERe%3A%20Disable%20possibility%20that%20our%20employees%20get%20added%20as%20guests%20in%20other%20companies%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1535742%22%20slang%3D%22en-US%22%3EBefore%20you%20get%20into%20the%20nitty%20gritty%20of%20what%20guests%20can%20and%20can't%20do%2C%20you%20need%20to%20think%20about%20how%20they'll%20be%20invited%20into%20your%20tenant%20in%20the%20first%20place.%3CBR%20%2F%3E%3CBR%20%2F%3EThe%20guest%20access%20experience%20in%20Teams%20is%20managed%20at%20the%20highest%20level%20through%20your%20Azure%20Active%20Directory.%3CBR%20%2F%3E%3CBR%20%2F%3EGlobal%20admins%20can%20configure%20settings%20for%20external%20users%20across%20your%20entire%20organization%20in%20the%20Organizational%20relationships%20settings%20(Azure%20Active%20Directory%20%26gt%3B%20Organizational%20relationships%20%26gt%3B%20Settings).%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1535997%22%20slang%3D%22en-US%22%3ERe%3A%20Disable%20possibility%20that%20our%20employees%20get%20added%20as%20guests%20in%20other%20companies%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1535997%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F169605%22%20target%3D%22_blank%22%3E%40Christopher%20Hoard%3C%2FA%3E%26nbsp%3BI%20created%20a%20user%20voice%20item.%20It%20would%20be%20great%20if%20you%20guys%20could%20vote%20for%20it.%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fmicrosoftteams.uservoice.com%2Fforums%2F555103-public%2Fsuggestions%2F40957945-option-to-disable-the-possibility-to-switch-tenant%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fmicrosoftteams.uservoice.com%2Fforums%2F555103-public%2Fsuggestions%2F40957945-option-to-disable-the-possibility-to-switch-tenant%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20think%20it's%20a%20pretty%20necessary%20feature%20that%20should%20be%20added%20to%20Teams.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Frequent Contributor

We are currently rolling out Teams to all employees but restrict the access to a lot of features. But unfortunately a colleague got invited from another tenant as a guest and would be able to switch to the other tenant and copy files from our environment to theirs...

 

OneDrive for Business, SharePoint Online is disabled for the users but I have not thought about this possibility. Is there a chance to restrict this?

 

MicrosoftTeams-image (5).png

10 Replies
Highlighted
Maybe good to filter/block emails when the have the following in the body:

"You have been added to a team in Microsoft Teams"
Highlighted
Best Response confirmed by adam deltinger (MVP)
Solution
There is a uservoice open for this here

https://microsoftteams.uservoice.com/forums/555103-public/suggestions/36352375-prevent-users-from-jo...

And you could try what @Mitchell Bakker suggests in terms of blocking the invites which stops the join

However, what I would say here is that your problem is not prevent others from joining other tenants, but it is sharing information. Security by impossibility has been shown to not be that effective, and they could just - for example - do this on WhatsApp. You just want to stop them copying files, so you would

1.) Move all the sensitive information into specified teams
2.) Restrict Sharing as you have done
3.) Apply sensitivity labels to the Teams you need
4.) Apply the correct permissions so that users can only see the documents in the Teams and not be able to download them (I.e. on the underlying SharePoint site)
5.) Use Azure Information Protection meaning if someone tries opening that file it is encrypted, it doesn't even matter if they copy it into another tenant

Try to control the data, not the access, otherwise users will just circumvent this

Hope that answers your question

Best, Chris
Highlighted
Highlighted

@Christopher Hoard thanks for your elaborate answer. That's definitely the end goal for our Teams usage. Unfortunately we are not that far and have to work with some special requirements.

Highlighted

@Christopher Hoard 

Is it possible to get an alert or any other kind of information via for example Graph API if a user works on another tenant and not ours?

Highlighted
Hmm, Graph or Sentinel may capture it. I am not aware of anything specifically that can report back on whether they have access to other tenants

A way I have just thought of is that every client who gets guest access to another tenant gets an email to join the other tenant. You could always look to setup a rule in exchange online which captures those emails to be approved by the administrator. At least then you would have some oversight and map it

Best, Chris
Highlighted
Highlighted

@Reuvain actually their software also cannot prevent you from changing the tenant.

Highlighted
Before you get into the nitty gritty of what guests can and can't do, you need to think about how they'll be invited into your tenant in the first place.

The guest access experience in Teams is managed at the highest level through your Azure Active Directory.

Global admins can configure settings for external users across your entire organization in the Organizational relationships settings (Azure Active Directory > Organizational relationships > Settings).

Highlighted

@Christopher Hoard I created a user voice item. It would be great if you guys could vote for it.

https://microsoftteams.uservoice.com/forums/555103-public/suggestions/40957945-option-to-disable-the...

 

I think it's a pretty necessary feature that should be added to Teams.