Limit who can invite guests

You can limit who in your organization can invite guests. Guest accounts can be used for sharing teams, SharePoint sites, files, and folders with people outside your organization.

If your business processes require that you limit who can share with guests, or if you want users to complete training before they're able to share with guests, you can limit who can share by using the Guest inviter role in Azure Active Directory.

Create a security group for people allowed to invite guests

The first step is to create a security group for the users who will be allowed to invite guests. Be sure to configure this group to allow an Azure AD role, and then assign it the Guest inviter role.

To create a security group for guest inviters

  1. Sign in to Azure Active Directory using a Global administrator or Security administrator account.
  2. On the Active Directory page, select Groups and then select New group.
  3. Choose Security for the Group type.
  4. Type a Group name.
  5. Optionally, add a description for the group.
  6. For Azure AD roles can be assigned to the group, choose Yes.
  7. Add group owners and members.
  8. Under Roles, select No roles selected.
  9. Search for and select the Guest inviter role, and then choose Select.
  10. Select Create, and confirm that you want a group to which roles can be assigned. Your group is created and ready for you to add members.

Configure external collaboration settings

Once you've created the security group and added the users who you want to be able to invite guests, the next step is to configure the Azure AD external collaboration settings to only allow users with the Guest inviter role to invite guests.

Note that global administrators can always invite guests regardless of this setting.


Changes to cross-tenant access settings may take two hours to take effect.

To configure Azure AD to limit guest invites to the Guest inviter role

  1. In Azure Active Directory, select External identities.
  2. Select External collaboration settings.
  3. Under Guest invite settings, choose Only users assigned to specific admin roles can invite guests.
  4. Select Save.

Allow only users in specific security groups to share externally in SharePoint and OneDrive

Enable B2B external collaboration and manage who can invite guests