EXT-03 | High | Maximum Security

Restrict Guest Access to Allowlisted Domains

Guest & External Access control for Microsoft 365 and Entra ID

Why This Control Matters

At Level 3, external collaboration is tightly controlled. Only pre-approved partner organizations can access your tenant. This prevents social engineering and limits data exposure to vetted third parties.

Expected State

When this control is compliant, your tenant should meet these criteria:

  1. Guest invitations are restricted to an allowlist of trusted domains
  2. Cross-tenant access policies block all other external tenants
  3. External sharing in SharePoint/OneDrive is restricted to allowed domains
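
One way to evaluate the three criteria above against exported tenant settings. This is an added example, not TrueConfig's code. It assumes the exports use the field names of the Entra B2B management policy, the Microsoft Graph cross-tenant access default policy and `Get-SPOTenant`, and it assumes that "allowed domains" in criterion 3 means the guest invitation allowlist; the sample data and the `check_ext03` name are constructed for illustration.

```python
import json

# Constructed sample exports (not from a real tenant). Field names follow the
# Entra B2B management policy, the Graph cross-tenant access default policy and
# Get-SPOTenant output; treat the exact shapes as assumptions.
B2B_POLICY = json.loads('{"B2BManagementPolicy": {"InvitationsAllowedAndBlockedDomainsPolicy":'
                        ' {"AllowedDomains": ["partner.example", "vendor.example"]}}}')
XTAP_DEFAULT = {"b2bCollaborationInbound": {
    "usersAndGroups": {"accessType": "blocked"},
    "applications": {"accessType": "blocked"}}}
SPO_TENANT = {"SharingDomainRestrictionMode": "AllowList",
              "SharingAllowedDomainList": "partner.example vendor.example"}


def norm(domains):
    """Lower-case and de-duplicate domain names, dropping empty entries."""
    return {d.strip().lower() for d in domains if d.strip()}


def check_ext03(b2b, xtap, spo):
    """Return a list of findings; an empty list means all three criteria hold."""
    findings = []
    inv = b2b.get("B2BManagementPolicy", {}).get("InvitationsAllowedAndBlockedDomainsPolicy", {})
    allowed = norm(inv.get("AllowedDomains", []))
    # Criterion 1: an allowlist must exist; a blocklist-only policy admits every other domain.
    if not allowed:
        findings.append("1: guest invitations are not restricted to an allowlist")
    # Criterion 2: the default policy (all tenants without their own entry) must block inbound B2B.
    inbound = xtap.get("b2bCollaborationInbound") or {}
    for part in ("usersAndGroups", "applications"):
        if (inbound.get(part) or {}).get("accessType") != "blocked":
            findings.append(f"2: default inbound {part} is not blocked")
    # Criterion 3: SharePoint/OneDrive must be in AllowList mode and must not
    # list a domain that the guest allowlist does not also contain.
    if spo.get("SharingDomainRestrictionMode") != "AllowList":
        findings.append("3: SharePoint sharing is not in AllowList mode")
    else:
        extra = norm((spo.get("SharingAllowedDomainList") or "").split()) - allowed
        if extra:
            findings.append("3: SharePoint allows unlisted domains: " + ", ".join(sorted(extra)))
    return findings
```

An empty result means the exported settings match the expected state; each finding is prefixed with the number of the criterion it violates.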

Enforcement

Default Mode
Strict

Zero-tolerance enforcement with immediate remediation

Auto-Remediation
Manual Only

Remediation is manual: no domain-allowlist action exists, so there is no safe auto-fix yet. TrueConfig provides a step-by-step script/guide to configure the guest domain allowlist and cross-tenant access policies.
