Limit who can be invited by an organization

If you collaborate with another organization and want to limit who can be invited to that organization as a guest or a shared channel member in Teams, you can specify who can be invited in the cross-tenant access settings in Azure Active Directory.

Note

Changes to cross-tenant access settings may take six hours to take effect.

Create a security group

The easiest way to specify who can be invited to another organization is to use a security group. You can use a security group with a defined membership or a dynamic security group. You can use an existing security group or create a new one for this purpose.

To create a security group

  1. Sign in to Azure Active Directory using a Global administrator or Security administrator account.
  2. On the Active Directory page, select Groups and then select New group.
  3. Choose Security for the Group type.
  4. Type a Group name.
  5. Optionally, add a description for the group.
  6. For Azure AD roles can be assigned to the group, choose No.
  7. Select a pre-defined Membership type (required).
  8. Add group owners and members or a dynamic query if you're using dynamic user membership.
  9. Select Create. Your group is created and ready for you to add members.

Add an organization

To define collaboration rules with another organization, you have to add that organization to the Azure AD cross-tenant access settings. If you haven't already added the organization, follow this procedure to add it.

To add an organization

  1. In Azure Active Directory, select External Identities, and then select Cross-tenant access settings (preview).
  2. Select Organizational settings.
  3. Select Add organization.
  4. On the Add organization pane, type the full domain name (or tenant ID) for the organization.
  5. Select the organization in the search results, and then select Add.
  6. The organization appears in the Organizational settings list. At this point, all access settings for this organization are inherited from your default settings.

Choose who can be invited by an organization

There are two options for limiting who can be invited to an organization:

  • Limit who can be invited as a guest. This prevents users who aren't in the security group from being added to the other organization's Azure AD as a guest. It prevents sharing of files, folders, sites, teams, and Microsoft 365 groups with people who aren't in the security group.
  • Limit who can be added to an external shared channel. This prevents people who aren't in the security group from being added to shared channels in the other organization.

In Azure Active Directory, select External Identities, and then select Cross-tenant access settings (preview).

To limit who can be invited as a guest

  1. Select the outbound access link for the organization that you want to modify.
  2. On the B2B collaboration tab, choose Customize settings.
  3. Under Access status, choose Allow access.
  4. Under Target, choose Select external users and groups.
  5. Select the link to add users and groups.
  6. Search for and select the security group that you want to use.
  7. Choose Select.
  8. Select Save and close the Outbound access settings blade.

To limit who can be invited as a shared channel participant

  1. Select the outbound access link for the organization that you want to modify.
  2. On the B2B direct connect tab, choose Customize settings.
  3. Under Access status, choose Allow access.
  4. Under Target, choose Select external users and groups.
  5. Select the link to add users and groups.
  6. Search for and select the security group that you want to use.
  7. Choose Select.
  8. Select Save and close the Outbound access settings blade.
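
To check the result of the two procedures above, the following added example (not part of the original page and not Microsoft's own code) audits one partner entry exported from the Microsoft Graph cross-tenant access policy and reports any outbound setting that is not limited to the chosen security group. The function name, the placeholder IDs, and the sample data are assumptions constructed for illustration.

```python
# Added example: audit one partner entry of the cross-tenant access policy.
# Assumption: `partner` is the JSON object Microsoft Graph returns for
# /policies/crossTenantAccessPolicy/partners/{tenantId}, loaded into a dict.

def audit_outbound(partner, allowed_group_id):
    """Return a list of findings; an empty list means both outbound
    settings are limited to the given security group."""
    findings = []
    for key, label in (("b2bCollaborationOutbound", "guest invitations"),
                       ("b2bDirectConnectOutbound", "shared channels")):
        setting = partner.get(key)
        if setting is None:
            # Not customized: the organization inherits the default settings.
            findings.append(f"{label}: inherited from default settings")
            continue
        scope = setting.get("usersAndGroups") or {}
        if scope.get("accessType") != "allowed":
            findings.append(f"{label}: access status is {scope.get('accessType')!r}")
            continue
        targets = scope.get("targets") or []
        if not targets:
            findings.append(f"{label}: no users or groups selected")
        for t in targets:
            pair = (t.get("targetType"), t.get("target"))
            if pair != ("group", allowed_group_id):
                findings.append(f"{label}: unexpected target {pair[1]} ({pair[0]})")
    return findings

# Constructed sample data (placeholder IDs, not real tenants or groups).
GROUP_ID = "11111111-1111-1111-1111-111111111111"
SAMPLE_PARTNER = {
    "tenantId": "22222222-2222-2222-2222-222222222222",
    "b2bCollaborationOutbound": {"usersAndGroups": {
        "accessType": "allowed",
        "targets": [{"target": GROUP_ID, "targetType": "group"}]}},
    "b2bDirectConnectOutbound": {"usersAndGroups": {
        "accessType": "allowed",
        "targets": [{"target": "AllUsers", "targetType": "user"}]}},
}

if __name__ == "__main__":
    for finding in audit_outbound(SAMPLE_PARTNER, GROUP_ID):
        print(finding)
```

In the sample, guest invitations are limited to the group but shared channels still target all users, so only the shared channel setting is reported.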
