GOV-11LowRecommended Secure
Disable Self-Service Sign-Up
Governance & Hygiene control for Microsoft 365 and Entra ID
Why This Control Matters
Self-service sign-up lets external users join the tenant on their own, creating ungoverned external identities without admin oversight. Disabling it ensures every external identity enters through a controlled, reviewable path.
Expected State
When this control is compliant, your tenant should meet these criteria:
- 1External users cannot join the organization via self-service sign-up
- 2authorizationPolicy.allowEmailVerifiedUsersToJoinOrganization is false
- 3authorizationPolicy.allowedToSignUpEmailBasedSubscriptions is false
Enforcement
Default Mode
Advisory
Alerts on deviations but does not make changes
Auto-Remediation
Manual Only
Detect-only. Disable self-service sign-up in Entra admin center > User settings unless explicitly required.
Ready to implement this control?
TrueConfig continuously monitors your Microsoft 365 tenant for compliance with this and 50+ other security controls.