Limit organizations where users can have guest accounts
By default, other Microsoft 365 and Azure Active Directory organizations can invite your users to participate in their organization as guests. This includes inviting them to teams in Microsoft Teams and to SharePoint sites, and sharing individual files and folders with them.
If you only want your users to participate as guests with specific organizations, you can specify these organizations in the Azure Active Directory cross-tenant access settings for B2B collaboration.
Note
Changes to cross-tenant access settings may take two hours to take effect.
Set the default B2B collaboration settings to block users from being guests
Because participating as guests is enabled by default, limiting guest participation to certain organizations requires blocking outbound B2B collaboration by default.
To block outbound B2B collaboration by default
- Sign in to Azure Active Directory using a Global administrator or Security administrator account.
- Select External Identities, and then select Cross-tenant access settings (preview).
- Select the Default settings tab.
- Under Outbound access settings, select Edit outbound defaults.
- Select the B2B collaboration tab and the Users and groups tab.
- Under Access status, choose Block access.
- Select the External access tab.
- Under Access status, choose Block access.
- Select Save.
- Close the Default settings blade.
Add an organization
Next, add the organizations where you want to allow your users to collaborate as guests to the Azure AD cross-tenant access list.
To add an organization
- In Azure Active Directory, select External Identities, and then select Cross-tenant access settings (preview).
- Select Organizational settings.
- Select Add organization.
- On the Add organization pane, type the full domain name (or tenant ID) for the organization.
- Select the organization in the search results, and then select Add.
- The organization appears in the Organizational settings list.
At this point, all access settings for this organization are inherited from your default settings.
Configure the organization's outbound setting to allow all users
Once you have added the organization, you need to update the organization's outbound settings to allow B2B collaboration users to be added as guests. Do this for each organization where you want to allow your users to be added as guests.
To allow users to be B2B collaboration guests in an organization
- In Azure Active Directory, select External Identities, and then select Cross-tenant access settings (preview).
- Select the outbound access link for the organization that you want to modify.
- On the B2B collaboration tab, choose Customize settings.
- Under Access status, choose Allow access.
- Under Target, choose to allow all users.
- Select Save and close the Outbound access settings blade.
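The three procedures above can be verified after the fact by auditing an export of the settings. The following is an added example, not code from the original page or from Microsoft. It assumes the export follows the Microsoft Graph crossTenantAccessPolicy JSON shape (a default object plus a list of partner objects, where a partner's b2bCollaborationOutbound is null while it inherits the defaults); the function names, finding texts, and tenant IDs are constructed for illustration.

```python
# Added example: audit exported cross-tenant access settings offline.
# Assumption: field names follow the Microsoft Graph crossTenantAccessPolicy
# JSON shape. All sample data and tenant IDs below are constructed.

def access_type(outbound, section):
    """Return 'allowed' or 'blocked' for one section, or None when unset."""
    return ((outbound or {}).get(section) or {}).get("accessType")

def allows_all_users(outbound):
    """True when the users-and-groups target list contains AllUsers."""
    targets = ((outbound or {}).get("usersAndGroups") or {}).get("targets") or []
    return any(t.get("target") == "AllUsers" for t in targets)

def audit(default, partners):
    """Return (scope, finding) tuples for outbound B2B collaboration."""
    findings = []
    d_out = default.get("b2bCollaborationOutbound")
    # Both tabs of the default outbound settings must be set to Block access.
    for section in ("usersAndGroups", "applications"):
        if access_type(d_out, section) != "blocked":
            findings.append(("default", f"{section} outbound is not blocked"))
    for p in partners:
        p_out = p.get("b2bCollaborationOutbound")
        if p_out is None:
            # Organization added but never customized: still blocked by default.
            findings.append((p["tenantId"], "inherits default outbound settings"))
        elif access_type(p_out, "usersAndGroups") != "allowed":
            findings.append((p["tenantId"], "users and groups not allowed"))
        elif not allows_all_users(p_out):
            findings.append((p["tenantId"], "allowed for a subset of users only"))
    return findings

ALL_USERS = [{"target": "AllUsers", "targetType": "user"}]
ALL_APPS = [{"target": "AllApplications", "targetType": "application"}]
BLOCK_ALL = {"usersAndGroups": {"accessType": "blocked", "targets": ALL_USERS},
             "applications": {"accessType": "blocked", "targets": ALL_APPS}}
ALLOW_ALL_USERS = {"usersAndGroups": {"accessType": "allowed", "targets": ALL_USERS}}

SAMPLE_DEFAULT = {"b2bCollaborationOutbound": BLOCK_ALL}
SAMPLE_PARTNERS = [  # constructed tenant IDs
    {"tenantId": "11111111-1111-1111-1111-111111111111",
     "b2bCollaborationOutbound": ALLOW_ALL_USERS},
    {"tenantId": "22222222-2222-2222-2222-222222222222",
     "b2bCollaborationOutbound": None},
]

if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_DEFAULT, SAMPLE_PARTNERS):
        print(f"{scope}: {finding}")
```

An empty result means the default blocks outbound B2B collaboration and every listed organization explicitly allows all users.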
Related topics
Configure cross-tenant access settings for B2B direct connect