On Day 3 of Cybersecurity Awareness Month, learn to disable guest user invitations in Entra ID to strengthen your Microsoft 365 security while also facilitating external collaboration. Stay tuned for more security insights, tips, and tricks in the M365 Cybersecurity blog series.

In the realm of corporate enterprises, the need for external collaboration is a constant reality. Embracing guest users as part of this collaboration is not just essential but also an inevitable requirement. Thus, Microsoft offers a variety of options for organizations to facilitate the inclusion of guest users. However, what adds a layer of complexity is that by default, Microsoft Entra ID allows anyone to invite guest users into your organization. But this open door can swiftly transform into a chilling nightmare.

The weakest link in the security chain is the human element.

– Kevin Mitnick

Imagine unauthorized users slipping through this digital crack, gaining access to your most sensitive data and prized resources, all without your knowledge or consent. This isn’t just a hypothetical scenario; it’s a real threat lurking in the shadows of the cyber realm. Guest user invitations can be exploited by malicious actors for phishing and social engineering attacks. They may utilize these invitations to impersonate genuine users, attempting to infiltrate your organization’s valuable resources.

But fear not, this blog will guide you through the steps to restrict guest user invitations in Microsoft Entra, helping you stay proactive against potential cyber threats.


External Collaboration Settings in Entra ID

To begin managing guest user access restrictions in Microsoft Entra, it’s crucial to establish a solid foundational grasp of external collaboration settings.

Within Entra ID, administrators can utilize external collaboration settings to define guest user permissions and control guest invitations. Furthermore, they can add self-service sign-up via user flows and allow or block invitations from specific domains within this area. These Entra ID settings are pivotal in overseeing and governing the external collaboration activities within your organization.


Permissions Required to Restrict Guest User Invitations in Microsoft Entra

To configure guest invite settings in Microsoft Entra, you need the global administrator role, and there is no need for any additional special licenses.


How to Restrict Guest User Invitations in Microsoft Entra?

Microsoft Entra offers a range of features, including Conditional Access policy templates, to help organizations find the right balance between security and collaboration with external users. Therefore, it is crucial to thoroughly evaluate your organization’s requirements before configuring guest user permissions in Microsoft Entra.

However, for heightened security measures, it is advisable to consider restricting guest user invitations in Microsoft Entra. To achieve this, let’s explore how to disable guest user invitations in Entra ID.

  1. Navigate through the path below to restrict guest user invitations in Microsoft Entra.

Microsoft Entra admin center 🡢 Identity 🡢 External Identities 🡢 External collaboration settings

  2. Assign the “Guest invite settings” for your organization from the following options.
    • Anyone in the organization can invite guest users including guests and non-admins:
      By default this permission is enabled in Microsoft Entra. This permission allows anyone in the organization, including guest users, to invite other guests who aren’t members of the organization.

    • Member users and users assigned to specific admin roles can invite guest users including guests with member permissions:
      With this option enabled, both member users and users assigned to specific admin roles, including those with guest permissions, can invite guest users into your Microsoft 365 environment.

    • Only users assigned to specific admin roles can invite guest users:
      Choose this alternative to limit guest invitations in Entra ID exclusively to users with administrator roles. That includes Global Administrator, User Administrator, and Guest Inviter.

    • No one in the organization can invite guest users including admins:
      This represents the most restricted level of permission. It prohibits anyone within the organization, including those with administrator roles, from inviting guest users. Therefore, exercise caution when applying this restriction.

POINT TO REMEMBER: To prevent guest users, including non-admins, from inviting other guests into your Microsoft 365 environment, make sure you haven’t chosen the option that allows “Anyone in the organization can invite guest users including guests and non-admins”.

  3. Click “Save” after configuring the guest invite settings for your Microsoft 365 environment.

Guest accounts serve as a means to share teams, sites, files, and folders with external parties. By restricting guest invitations, you enhance the security of the sensitive data stored within these collaborative platforms.


Restrict Guest User Invitations Using MS Graph PowerShell

You can also restrict guest user invitations in Microsoft Entra using MS Graph PowerShell with ease. Make sure you connect to Microsoft Graph PowerShell module and install Microsoft Graph Beta before running the cmdlets.

Install Microsoft Graph Beta Module

Run the following cmdlets to install the Microsoft Graph Beta Module for restricting guest user invitations in Entra ID via PowerShell.

Pre-requisites

To restrict guest user invitations using Microsoft Graph PowerShell, you’ll need to assign specific permissions. Execute the following command to set up these necessary permissions.

Now, execute the “Update-MgBetaPolicyAuthorizationPolicy” cmdlet to disable the guest user invitations in Microsoft Entra (Azure AD). The example below limits the ability to invite guest users only to admins and guest inviters.


The following are the acceptable values for the -AllowInvitesFrom parameter. Thus, you can specify the values based on your organizational requirements.

  • None
  • adminsAndGuestInviters
  • adminsGuestInvitersAndAllMembers
  • everyone

The default guest user invite setting in Microsoft Entra is everyone. Ensure you replace it with one of the other values, depending upon your organizational setup, to restrict guest user invitations in Microsoft Entra.
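
The PowerShell procedure in this section, written out as an added example (it is not code from the original post). It goes one step further than the text by only tightening the setting, never loosening it, and by reading the value back afterwards. The module name `Microsoft.Graph.Beta.Identity.SignIns`, the `Policy.ReadWrite.Authorization` scope, the `Get-MgBetaPolicyAuthorizationPolicy` cmdlet and the `authorizationPolicy` id do not appear on this page; the target level is an assumption to adjust for your tenant.

```powershell
# Added example (not from the original post): tighten the tenant's guest invite
# setting only if it is currently more permissive than the target value.

# Install the beta module once; it provides the *-MgBetaPolicyAuthorizationPolicy cmdlets.
if (-not (Get-Module -ListAvailable -Name Microsoft.Graph.Beta.Identity.SignIns)) {
    Install-Module Microsoft.Graph.Beta -Scope CurrentUser
}

# Delegated permission needed to read and update the authorization policy.
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization'

# The four -AllowInvitesFrom values listed above, ranked strictest (0) to loosest (3).
# PowerShell hashtable keys are case-insensitive, so 'None' and 'none' both match.
$rank = @{
    none                             = 0
    adminsAndGuestInviters           = 1
    adminsGuestInvitersAndAllMembers = 2
    everyone                         = 3
}

$target   = 'adminsAndGuestInviters'   # assumption: the level this tenant should enforce
$policyId = 'authorizationPolicy'      # fixed id of the tenant's single authorization policy

$current = (Get-MgBetaPolicyAuthorizationPolicy -AuthorizationPolicyId $policyId).AllowInvitesFrom
if (-not $rank.ContainsKey("$current")) {
    throw "Unexpected AllowInvitesFrom value '$current'; review the policy manually."
}

if ($rank["$current"] -le $rank[$target]) {
    # Already as strict as (or stricter than) the target: do not loosen it.
    Write-Output "No change: AllowInvitesFrom is '$current'."
}
else {
    Update-MgBetaPolicyAuthorizationPolicy -AuthorizationPolicyId $policyId -AllowInvitesFrom $target

    # Read the value back so the change is confirmed rather than assumed.
    $after = (Get-MgBetaPolicyAuthorizationPolicy -AuthorizationPolicyId $policyId).AllowInvitesFrom
    if ("$after" -ne $target) {
        throw "Update did not take effect: AllowInvitesFrom is still '$after'."
    }
    Write-Output "AllowInvitesFrom changed from '$current' to '$after'."
}
```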


Effect on Users After Guest User Restrictions in Microsoft Entra

After implementing guest invite restrictions in your organization, users with insufficient privileges to invite others will encounter a message stating, “Guest invitations not allowed for your company. Contact your company administrator for more details.”



Closing Thoughts

In a nutshell, prioritizing security in your Microsoft Entra environment is paramount to safeguarding against social engineering and phishing attacks. Disabling guest user invitations in Azure AD is a crucial step in fortifying your defenses. However, it’s essential not to stop there. To ensure elevated security in your organization, explore and enable the array of other security features in Microsoft Entra and use the pre-built script to generate a guest user report for monitoring your guest user accounts.

Remember, security is an ongoing commitment, and keeping all your “doors” locked properly is imperative in today’s digital landscape. We hope this blog has provided you with valuable insights into the process of restricting guest user invites in Azure AD. Please feel free to share your thoughts and experiences in the comments below. Together, we can contribute to a safer online environment.