Enabling external access to your environment through guest accounts should be carefully considered. If you do decide to allow it, you should also decide which security controls to enforce while still ensuring staff can be productive.
In this tutorial, I will show you how to restrict a guest user’s ability to invite further guest users to your tenant.
The default guest user invite settings in Microsoft Entra
By default in Microsoft Entra, anyone can invite guest users to your tenant, registering them as a user in Microsoft Entra ID. This permission is not limited to regular members: it applies to guest users too. This means that if you invite an external user to your tenant as a guest, perhaps to collaborate with you on a project, they can then invite further external users without your input.
By default, this level of trust in your guest users is too high. Access to your tenant, and hence the sensitive data it contains, should be carefully controlled, reviewed and approved before being given out.
A further risk of leaving this option enabled is that it makes it easier for your staff to be manipulated into granting a user access to more information than they should have, because that user has already been invited to the organisation by someone ‘trusted’. This is a form of social engineering, whereby a legitimate feature of Microsoft Entra is abused.
The rest of this post shows how to restrict the guest user invite settings and prevent this feature from being abused in its default state.
How to restrict guest user invites in Microsoft Entra
To prevent guest users from inviting further guest users in Microsoft Entra, follow the below steps.
2. Expand Identity > External Identities then select External collaboration settings.
3. Under Guest invite settings ensure the option Anyone in the organization can invite guest users including guests and non-admins (most inclusive) is not selected.
Restrict guest user invites using Microsoft Graph PowerShell
The same result can also be achieved using Microsoft Graph PowerShell and the beta endpoint. For this, you need to ensure you have the latest Microsoft Graph PowerShell module installed, check out my guide on how to install the module here.
Start by connecting to Microsoft Graph with the Policy.ReadWrite.Authorization permission. This will ensure you are able to modify the settings relating to external identities in Microsoft Entra.
Connect-MgGraph -Scopes Policy.ReadWrite.Authorization
You can then use the Update-MgBetaPolicyAuthorizationPolicy cmdlet to modify your settings.
Update-MgBetaPolicyAuthorizationPolicy -AuthorizationPolicyId authorizationPolicy `
-AllowInvitesFrom adminsAndGuestInviters
The available values for the -AllowInvitesFrom parameter include:
- none
- adminsAndGuestInviters
- adminsGuestInvitersAndAllMembers
- everyone
The default setting is everyone.
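The cmdlet above applies the restriction blindly. The following script is an added example (not part of the original post) that first reads the current value with Get-MgBetaPolicyAuthorizationPolicy, only tightens the setting if it is still at the permissive default, and then reads the policy back to confirm the change. It assumes the Microsoft.Graph.Beta.Identity.SignIns module is installed and that the signed-in account is allowed to edit the authorization policy.

```powershell
# Added example (not from the original post): audit, remediate and verify the
# guest invite setting in the Microsoft Entra authorization policy.
# Assumes the Microsoft.Graph.Beta.Identity.SignIns module is installed.

Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization'

# In the beta endpoint the authorization policy is a collection with a single
# well-known id, "authorizationPolicy".
$policyId = 'authorizationPolicy'
$desired  = 'adminsAndGuestInviters'

# Values that still let guests invite other guests: only 'everyone'.
$guestsCanInvite = @('everyone')

$policy = Get-MgBetaPolicyAuthorizationPolicy -AuthorizationPolicyId $policyId
Write-Host "Current allowInvitesFrom: $($policy.AllowInvitesFrom)"

if ($policy.AllowInvitesFrom -in $guestsCanInvite) {
    Write-Warning 'Guests can currently invite other guests; tightening the setting.'
    Update-MgBetaPolicyAuthorizationPolicy -AuthorizationPolicyId $policyId `
        -AllowInvitesFrom $desired
} else {
    # 'none', 'adminsAndGuestInviters' and 'adminsGuestInvitersAndAllMembers'
    # all block guests from inviting, so there is nothing to change.
    Write-Host "Setting '$($policy.AllowInvitesFrom)' already blocks guest invitations."
}

# Verify by reading the policy back rather than trusting the update call.
$after = Get-MgBetaPolicyAuthorizationPolicy -AuthorizationPolicyId $policyId
if ($after.AllowInvitesFrom -in $guestsCanInvite) {
    Write-Error "Policy still permits guest invitations: $($after.AllowInvitesFrom)"
} else {
    Write-Host "OK: guests can no longer invite (allowInvitesFrom = $($after.AllowInvitesFrom))."
}
```

Reading the policy back is deliberate: if the account lacks the Policy.ReadWrite.Authorization scope or the directory role to edit the policy, the update may fail without leaving the setting in the state you expect, and the final read is what tells you.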
If you are looking to use Microsoft Graph without being dependent on the PowerShell modules, you can make the following HTTP request for the same result.
- URL: https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy
- Method: PATCH
- Payload: {
"guestUserRoleId": "10dae51f-b6af-4016-8d66-8c2a99b929b3",
"allowInvitesFrom": "adminsAndGuestInviters"
}
User impact of restricting guest user invites
Once the guest invite settings have been restricted in Microsoft Entra, any existing guest user who attempts to invite further guest users into your organisation will receive the error: User Invitation Failed.
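Before applying the restriction, it is worth knowing which guests have actually been inviting people, so you can warn the project owners who rely on them; afterwards, the same query shows the failed attempts described above. The script below is an added example (not part of the original post) that pulls the last 30 days of directory audit events and keeps only invitations initiated by guest accounts. It assumes the Microsoft.Graph.Reports module is installed, that the audit activity is recorded as 'Invite external user', and that guest accounts carry the '#EXT#' marker in their user principal name; confirm both against your own tenant's audit log before relying on the filter.

```powershell
# Added example (not from the original post): list recent external-user
# invitations initiated by guest accounts.
# Assumptions: Microsoft.Graph.Reports module installed; audit activity name
# 'Invite external user'; guest UPNs contain '#EXT#'.

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

# Graph expects an ISO 8601 UTC timestamp in the filter.
$since  = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter = "activityDisplayName eq 'Invite external user' and activityDateTime ge $since"

$events = Get-MgAuditLogDirectoryAudit -Filter $filter -All

$byGuests = foreach ($e in $events) {
    $initiator = $e.InitiatedBy.User.UserPrincipalName
    # Guest (B2B) accounts carry the #EXT# marker in their UPN.
    if ($initiator -and $initiator -like '*#EXT#*') {
        [pscustomobject]@{
            When      = $e.ActivityDateTime
            Initiator = $initiator
            Invited   = ($e.TargetResources | Select-Object -First 1).UserPrincipalName
            Result    = $e.Result   # 'success' before the change, 'failure' after it
        }
    }
}

if (-not $byGuests) {
    Write-Host 'No guest-initiated invitations in the last 30 days.'
} else {
    $byGuests | Sort-Object When -Descending | Format-Table -AutoSize
}
```

Run it once before changing the policy to see who will be affected, and again a few days afterwards: a run of 'failure' results from the same guest is the User Invitation Failed error above, and a good prompt to route that guest's requests through a member or a designated guest inviter instead.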