Guest Users (B2B)

External collaboration settings

External collaboration settings (click here)

Guest user access

• Guest user access restrictions
• Minimum: Guest users have limited access to properties and memberships of directory objects
• Recommended: Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)

Guest invite settings

• Guest invite restrictions

• Minimum: Member users and users assigned to specific admin roles can invite guest users including guests with member permissions

• Recommended: No one in the organization can invite guest users including admins (most restrictive)

• Enable guest self-service sign up via user flows: No

Collaboration restrictions

• Minimal: Deny invitations to the specified domains
• Target domains: gmail.com, outlook.com, hotmail.com, msn.com, aol.com, ymail.com, yahoo.com, facebook.com
• Recommended: Allow invitations only to the specified domains (most restrictive)

External Identities | All identity providers

External Identities | All identity providers (Click Here)

Configured identity providers

• Email one-time passcode: Yes

External Identities | Cross-tenant access settings

No Guidance Yet

Guest Maintenance

• Should not be members of Azure Directory Roles
• Membership to Azure roles should be limited
• Unaccepted guest users should be deleted after 30 days
• Guest with no sign-ins after 90 days should be deleted.

Click here to review Guest Maintenance and Automation Task

Restrict access to Enterprise Applications

• All enterprise applications should require assignments. Use the following script to find applications not configured

Consider the following conditional access policies.

• Cross-tenant sign-in activity PowerShell script