Introduction
The management of guests in Microsoft Entra is an essential feature that enables secure collaboration with external users. However, allowing guests to invite other users themselves can introduce security risks and complicate access management.
In this article, you will learn how to adjust external collaboration settings to prevent this practice while strengthening control over your Azure AD environment.
Good to know
Changing external collaboration settings affects only future guests and not existing accounts in your tenant.
Why limit invitations by guests?
Leaving guests able to invite other users by default can lead to:
- Uncontrolled proliferation of guests: Rapid expansion of unverified external users in your system.
- Bypassing standard invitation workflows: This weakens your control and onboarding processes.
- Increased security risks: Greater exposure to unauthorized access to your internal resources.
By correctly configuring these settings, you establish clear boundaries and improve overall security through better identity management.
Steps to configure permissions
Here's how to adjust external collaboration settings in Microsoft Entra to block invitations by guests.
Access the Microsoft Entra portal
Sign in to the Microsoft Entra portal with global administrator or identity management privileges.
Navigate to external collaboration settings
In the main menu, select Settings > External collaboration.
Modify guest rights
Disable the option that allows guests to invite other users by modifying the Guest permissions field.
```json
{
  "guestUserPermissions": {
    "canInviteGuests": false
  }
}
```
Save changes
Validate your changes by clicking Save and ensure the settings are applied to your tenant.
Caution
Be sure to inform affected users of these restrictions to avoid potential misunderstandings when using the system.
Comparison of default and restricted permissions
To help you better understand the impact of this change, here is a comparison table of default and restricted permissions for guests:
| Category | Default permissions | Restricted permissions |
|---|---|---|
| Users & Contacts | Read their own properties, change their password | Read their own properties, manage their mobile number only |
| Groups | Read properties of non-hidden groups, search for groups | Read object ID of joined groups only |
| Applications | Read properties of registered applications | Same as default permissions |
| Organization | Read organization display name and domains | Same as default permissions |
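
One way to confirm the result after saving, shown as an added example that is not part of the original article: the script audits a tenant's Microsoft Graph `authorizationPolicy` document offline and reports whether guests can still invite and which column of the table above applies. The property names `allowInvitesFrom` and `guestUserRoleId` and their values come from Microsoft Graph rather than from the article; `audit_policy`, the sample documents and the choice of remediation value are assumptions made for illustration.

```python
# Added example: offline audit of a Microsoft Graph authorizationPolicy document.
# Retrieving it (GET /policies/authorizationPolicy) is assumed to happen elsewhere.

# guestUserRoleId values defined by Microsoft Graph
GUEST_ROLES = {
    "a0b1b346-4d3e-4e8b-98f8-753987be4970": "member",      # same access as members
    "10dae51f-b6af-4016-8d66-8c2a99b929b3": "default",     # "Default permissions" column
    "2af84b1e-32c8-42b7-82bc-daa82404023b": "restricted",  # "Restricted permissions" column
}
# allowInvitesFrom values under which ordinary guest accounts cannot send invitations;
# the remaining documented value, "everyone", includes guests.
SAFE_INVITERS = {"none", "adminsAndGuestInviters", "adminsGuestInvitersAndAllMembers"}


def audit_policy(policy):
    """Report the invitation setting, the guest access level and a PATCH body if needed."""
    inviters = policy.get("allowInvitesFrom")
    role_id = str(policy.get("guestUserRoleId", "")).lower()  # GUIDs compare case-insensitively
    report = {
        # Fail closed: a missing or unrecognised value is reported as unsafe.
        "guests_can_invite": inviters not in SAFE_INVITERS,
        "guest_access": GUEST_ROLES.get(role_id, "unknown"),
        "patch": {},
    }
    if report["guests_can_invite"]:
        # Assumption: smallest change that blocks guests while members can still invite.
        report["patch"]["allowInvitesFrom"] = "adminsGuestInvitersAndAllMembers"
    return report


# Constructed sample documents (not captured from a real tenant)
BEFORE = {"allowInvitesFrom": "everyone",
          "guestUserRoleId": "10dae51f-b6af-4016-8d66-8c2a99b929b3"}
AFTER = {"allowInvitesFrom": "adminsGuestInvitersAndAllMembers",
         "guestUserRoleId": "2AF84B1E-32C8-42B7-82BC-DAA82404023B"}

if __name__ == "__main__":
    for name, doc in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_policy(doc))
```

A non-empty `patch` is the body to send back to the same policy resource; an empty one means the invitation setting already excludes guests.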
Additional recommendations
To maximize the effectiveness of restrictions:
- Perform regular audits of external access through identity reviews.
- Implement an onboarding process for guests that includes rigorous authentication controls.
- Use Azure AD reports to monitor guest activities.
Tip
Combine these settings with robust access governance to create a secure and well-managed collaborative environment.
Conclusion
Preventing guests from inviting other users in Microsoft Entra is a simple yet effective measure to strengthen your tenant's security. By applying these settings in conjunction with other identity management best practices, you ensure optimal control over external access and protect your internal resources.
Feel free to explore additional approaches to Azure governance for even greater security.



