Guest User Access Shall Be Restricted

Description

Ensure that only users holding a specific privileged role can invite guest users to the tenant and that invitations can only be sent to external domains the agency has approved. Ensure that guest users have limited access to Azure AD directory objects and that they are required to use MFA.

Policy

  • Only users assigned the Guest Inviter role should be able to invite guest users.

  • Guest invitations should only be allowed to specific external domains that the agency has authorized for legitimate business purposes.

  • Guest users should have limited access to Azure AD directory objects.

  • Guest users shall use MFA.

  • Guest user access shall be reviewed periodically.

Licensing Considerations

All license models support the guest settings above. Azure AD Premium P1 is required to enforce MFA for guest users via Conditional Access; the license must be held by the host (resource) tenant, because that is where the Conditional Access policy is evaluated for guests. P1 can be purchased standalone or as part of the following bundles:

  • Microsoft 365 Business Premium

  • Enterprise Mobility + Security (EMS) E3 or E5

  • Microsoft 365 E3

  • Microsoft 365 E5

Set Up Instructions

  1. In the Azure portal, open Azure Active Directory > External Identities > External collaboration settings. Under Guest user access, select Guest users have limited access to properties and memberships of directory objects.

  2. Under Guest invite settings, select Only users assigned to specific admin roles can invite guest users. This limits inviting to Global Administrators, User Administrators and users holding the Guest Inviter role.

  3. Under Collaboration restrictions, select Allow invitations only to the specified domains (most restrictive). Select Target domains and enter the names of the external domains that the agency has authorized for guest user access.

  4. Under Azure Active Directory > Security > Conditional Access, create a new policy from the available templates.

  5. Choose the “Require multifactor authentication for guest access” template. Start the policy in report-only mode and switch it to enabled once the report-only results show no unexpected impact.

  6. Use the sign-in logs, together with the list of accounts whose user type is Guest, to review guest user access on a recurring schedule.
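The six steps above applied from PowerShell, as an added example that is not part of the original guidance and is not a Microsoft script. It uses Microsoft Graph PowerShell for the external collaboration settings, the Guest Inviter role assignment and the Conditional Access policy, and the AzureADPreview B2BManagementPolicy cmdlets from the Microsoft doc linked under PowerShell Scripts for the domain allow list. The user principal name, domain names and policy display name are placeholders to replace; the guestUserRoleId GUID is the documented value for the limited-access guest role.

```powershell
# Added example, not part of the original guidance: apply the guest
# restrictions with Microsoft Graph PowerShell plus the AzureADPreview
# B2BManagementPolicy cmdlets for the domain allow list.
# Assumed placeholders: $GuestInviterUpn and $AllowedDomains.
param(
    [string]   $GuestInviterUpn = 'guest.coordinator@agency.example',
    [string[]] $AllowedDomains  = @('partner.example', 'vendor.example')
)

Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization',
                        'RoleManagement.ReadWrite.Directory',
                        'User.Read.All',
                        'Policy.ReadWrite.ConditionalAccess'

# Steps 1 and 2: guest directory access and who may invite.
# 10dae51f-b6af-4016-8d66-8c2a99b929b3 is the documented guestUserRoleId for
# "limited access to properties and memberships of directory objects".
Update-MgPolicyAuthorizationPolicy `
    -GuestUserRoleId  '10dae51f-b6af-4016-8d66-8c2a99b929b3' `
    -AllowInvitesFrom 'adminsAndGuestInviters'

# Grant the Guest Inviter role. Built-in roles only exist in the tenant once
# activated from their template, so activate it on first use.
$role = Get-MgDirectoryRole -Filter "displayName eq 'Guest Inviter'"
if (-not $role) {
    $template = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq 'Guest Inviter'
    $role     = New-MgDirectoryRole -RoleTemplateId $template.Id
}
$user = Get-MgUser -UserId $GuestInviterUpn
New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter @{
    '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)"
}

# Step 3: allow invitations only to the approved domains.
# The allow/deny list lives in the tenant's B2BManagementPolicy; only one of
# AllowedDomains or BlockedDomains may be non-empty.
Connect-AzureAD
$definition = @{
    B2BManagementPolicy = @{
        InvitationsAllowedAndBlockedDomainsPolicy = @{
            AllowedDomains = $AllowedDomains
            BlockedDomains = @()
        }
    }
} | ConvertTo-Json -Depth 5 -Compress
$existing = Get-AzureADPolicy | Where-Object Type -eq 'B2BManagementPolicy'
if ($existing) {
    Set-AzureADPolicy -Id $existing.Id -Definition @($definition)
} else {
    New-AzureADPolicy -DisplayName 'B2BManagementPolicy' -Type 'B2BManagementPolicy' `
        -Definition @($definition) -IsOrganizationDefault $true
}

# Steps 4 and 5: require MFA for every guest or external user on all apps.
# Created in report-only mode; change state to 'enabled' after the
# report-only sign-in results have been reviewed.
$caPolicy = @{
    displayName   = 'Require multifactor authentication for guest access'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @('All') }
        users          = @{ includeUsers = @('GuestsOrExternalUsers') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy
```

Run it once from an account holding Global Administrator, then confirm in the portal that the three External collaboration settings match steps 1 to 3. The Conditional Access policy is deliberately left in report-only mode so that the guest MFA requirement does not lock out an active guest before its effect has been checked in the sign-in logs.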

End-User Impact

Level: Medium

Users without the Guest Inviter role will not be able to invite guest users to the organization. A formal process should be put in place to request guest access for specific organizations or users.

Tips

Use the collaboration restrictions (the domain allow/deny list) for external users who are not in another Azure AD tenant, such as users signing in with a Microsoft account or a one-time passcode.

Use cross-tenant access settings for external users in another Azure AD tenant. For those users, cross-tenant access settings take precedence over the allow/deny list.

PowerShell Scripts

Assign User as Guest Inviter: Enable B2B external collaboration settings - Azure AD - Microsoft Entra | Microsoft Learn

Allow or Block Domains: Allow or block invites to specific organizations - Azure AD - Microsoft Entra | Microsoft Learn
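A read-only check for the policy above and the periodic review called for in step 6, as an added example rather than a script from this page or from Microsoft. It uses Microsoft Graph PowerShell with read-only scopes. The 90-day staleness window is an assumed agency value; the member-equivalent guestUserRoleId GUID is the documented value; signInActivity requires Azure AD P1 and is assumed to be returned when requested on a filtered user listing. The domain allow list is not checked here because it lives in the B2BManagementPolicy read by the AzureADPreview cmdlets in the linked doc.

```powershell
# Added example, not part of the original guidance: read-only compliance
# check for the guest settings above, plus a guest account review listing.
# Assumed value: $StaleDays (agency-specific review window).
param([int] $StaleDays = 90)

Connect-MgGraph -Scopes 'Policy.Read.All', 'User.Read.All', 'AuditLog.Read.All'

$findings = @()

# Steps 1 and 2: guest directory access and invite restriction.
# a0b1b346-4d3e-4e8b-98f8-753987be4970 is the documented guestUserRoleId
# that gives guests the same directory access as members.
$authz = Get-MgPolicyAuthorizationPolicy
if ($authz.GuestUserRoleId -eq 'a0b1b346-4d3e-4e8b-98f8-753987be4970') {
    $findings += 'Guest users have the same directory access as members'
}
if ($authz.AllowInvitesFrom -notin @('adminsAndGuestInviters', 'none')) {
    $findings += "allowInvitesFrom is '$($authz.AllowInvitesFrom)'; expected adminsAndGuestInviters"
}

# Steps 4 and 5: an enabled Conditional Access policy must require MFA for
# guests, whether it targets the GuestsOrExternalUsers user value or the
# newer includeGuestsOrExternalUsers condition that the template uses.
$guestMfa = Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $_.State -eq 'enabled' -and
    $_.GrantControls.BuiltInControls -contains 'mfa' -and
    ($_.Conditions.Users.IncludeUsers -contains 'GuestsOrExternalUsers' -or
     $_.Conditions.Users.IncludeGuestsOrExternalUsers.GuestOrExternalUserTypes)
}
if (-not $guestMfa) {
    $findings += 'No enabled Conditional Access policy requires MFA for guest users'
}

# Step 6 / periodic review: every guest account with its last sign-in.
# signInActivity needs Azure AD P1 and must be requested explicitly.
$cutoff = (Get-Date).AddDays(-$StaleDays)
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property Id, DisplayName, Mail, UserPrincipalName, CreatedDateTime, SignInActivity
$review = foreach ($g in $guests) {
    $address = if ($g.Mail) { $g.Mail } else { $g.UserPrincipalName }
    $last    = $g.SignInActivity.LastSignInDateTime
    [pscustomobject]@{
        Guest      = $address
        Domain     = ($address -split '@')[-1]
        Created    = $g.CreatedDateTime
        LastSignIn = $last
        Stale      = (-not $last) -or ($last -lt $cutoff)   # never signed in, or idle past the window
    }
}
$review | Sort-Object Domain, Guest | Format-Table -AutoSize

$findings | ForEach-Object { Write-Warning $_ }
if ($findings) { exit 1 }   # non-zero exit so a scheduled run can raise an alert
```

Schedule this with the review cadence chosen for the Policy section; rows marked Stale are candidates for removal, and a Domain value outside the approved list indicates a guest invited before the collaboration restrictions were applied.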

Last updated