EXT-03 | High | Maximum Security
Restrict Guest Access to Allowlisted Domains
Guest & External Access control for Microsoft 365 and Entra ID
Why This Control Matters
At Level 3, external collaboration is tightly controlled. Only pre-approved partner organizations can access your tenant. This prevents social engineering and limits data exposure to vetted third parties.
Expected State
When this control is compliant, your tenant should meet these criteria:
1. Guest invitations are restricted to an allowlist of trusted domains
2. Cross-tenant access policies block all other external tenants
3. External sharing in SharePoint/OneDrive is restricted to allowed domains
Enforcement
Default Mode: Strict
Zero-tolerance enforcement with immediate remediation
Auto-Remediation: Available
Configures cross-tenant access policy to block B2B direct connect by default. Partner allowlisting requires manual configuration.