Limit guest sharing to specific organizations

By default, users can invite people outside the organization as guests. This includes inviting them to teams in Microsoft Team, SharePoint sites, and sharing individual files and folders with them.

If you only want your users to invite guests from specific organizations, you can specify these organizations in the Azure Active Directory cross-tenant access settings for B2B collaboration.

Configure cross-tenant access settings

The first step in limiting guest sharing is to change the default settings in the Azure AD cross-tenant access settings to block inviting guests by default. Then you can allow guest invitations for specific organizations.

Note

Changes to cross-tenant access settings may take two hours to take effect.

Set the default B2B collaboration settings to block inviting guests

Because inviting guests is enabled by default, limiting guest invitations to certain organizations requires blocking inbound B2B collaboration by default.

To block inbound B2B collaboration by default

  1. Sign in to Azure Active Directory using a Global administrator or Security administrator account.
  2. Select External Identities, and then select Cross-tenant access settings (preview).
  3. Select the Default settings tab.
  4. Under Inbound access settings, select Edit inbound defaults.
  5. Select the B2B collaboration tab and the Users and groups tab.
  6. Under Access status, choose Block access.
  7. Select the External access tab.
  8. Under Access status, choose Block access.
  9. Select Save.
  10. Close the Default settings blade.

Add the organization where you want to allow guest invitations

Next, add the organizations where you want to allow your users to invite guests to the Azure AD cross-tenant access list.

To add an organization

  1. In Azure Active Directory, select External Identities, and then select Cross-tenant access settings (preview).
  2. Select Organizational settings.
  3. Select Add organization.
  4. On the Add organization pane, type the full domain name (or tenant ID) for the organization.
  5. Select the organization in the search results, and then select Add.
  6. The organization appears in the Organizational settings list.

At this point, all access settings for this organization are inherited from your default settings.

Configure inbound settings for the organization to allow all users

Once you have added the organization, you need to update the organization's inbound settings to allow B2B collaboration users to be invited as guests. Do this for each organization where you want to allow your users to be able to invite guests.

  1. In Azure Active Directory, select External Identities, and then select Cross-tenant access settings (preview).
  2. Select the inbound access link for the organization that you want to modify.
  3. On the B2B collaboration tab, choose Customize settings.
  4. Under Access status, choose Allow access.
  5. Under Target, choose to allow all users.
  6. Select Save and close the Outbound access settings blade.

Turn off one-time passcode authentication

Even after you've limited B2B collaboration to certain organizations, people can still share files and folders with people in other organizations - they just won't be given a guest account in your directory.

If you wish to prevent sharing entirely with other organizations, you have to disable the one-time passcode feature in Azure AD. This will prevent people outside your organization from being sent a one-time passcode for authentication to shared files or folders.

To disable the email one-time passcode feature

  1. Sign in to the Azure portal as an Azure AD global administrator.
  2. In the navigation pane, select Azure Active Directory.
  3. Select External Identities > All identity providers.
  4. Select Email one-time passcode, and then under Email one-time passcode for guests, select Disable email one-time passcode for guests (or No if the feature was previously enabled, disabled, or opted into during preview).
  5. Select Save.

B2B direct connect overview

Configure cross-tenant access settings for B2B direct connect

Limit who can be invited by an organization

Limit organizations where users can have guest accounts