EXT-01: Restrict Guest Invitation Permissions

Overview

Controlling who can invite guests into your Microsoft 365 tenant is a foundational governance control. Unrestricted guest invitations allow any user to bring external identities into your tenant. This creates uncontrolled access paths and potential data exposure. Limiting invitations to authorized personnel ensures oversight.

The expected state for this control is:

  • Only admins and users explicitly assigned to the Guest Inviter role can invite guests.
  • Member users cannot invite guests.
  • Guests cannot invite other guests.

TrueConfig can configure External collaboration settings to enforce these restrictions with one click. No additional license beyond any Entra ID tier is required.

Prerequisites

Required Roles

  • Global Administrator - Full access to all settings
  • External Identity Provider Administrator - Can manage external collaboration settings

Required Licenses

  • None -- any Entra ID tier (including Free) supports the Guest invite settings described in this guide.

Time Estimate

  • Configuration: 5-10 minutes

Step-by-Step Instructions

Step 1: Review Current Guest Invite Settings

  1. Navigate to Microsoft Entra admin center (https://entra.microsoft.com).
  2. Go to Identity > External Identities > External collaboration settings.
  3. Under Guest invite settings, note the current selection.

The four available options are:

Setting | Who can invite | Security level
No one in the organization can invite guests | No one | Highest
Only users assigned to specific admin roles can invite guest users including admins with guest inviter role | Admins and Guest Inviter role | Recommended
Member users and users assigned to specific admin roles can invite guest users | Members and admins | Lower
Anyone in the organization can invite guest users including guests and non-admins | Anyone, including guests | Not recommended

Step 2: Set the Recommended Configuration

Select Only users assigned to specific admin roles can invite guest users including admins with guest inviter role.

This single setting satisfies all three expected states:

  • Only admins and users in the Guest Inviter role can invite.
  • Member users cannot invite guests.
  • Guests cannot invite other guests.

Click Save.

TrueConfig one-click enforcement: TrueConfig detects when this setting deviates from the expected state and can configure it to the recommended value with a single click from the control detail page.

Step 3: Review Guest Inviter Role Assignments

With the invite setting restricted, the Guest Inviter role becomes the primary delegation path. Verify it is assigned only to personnel with a legitimate business need:

  1. Navigate to Identity > Roles and administrators.
  2. Search for and open Guest Inviter.
  3. Review current assignees and remove any that no longer require invitation rights.

Check via PowerShell

Connect-MgGraph -Scopes "RoleManagement.Read.Directory"

# Get the Guest Inviter role. Get-MgDirectoryRole returns only roles that have
# been activated in the tenant, so $role is null if nobody has ever been assigned it.
$role = Get-MgDirectoryRole | Where-Object { $_.DisplayName -eq "Guest Inviter" }

if (-not $role) {
    Write-Output "Guest Inviter role has not been activated in this tenant; it currently has no assignees."
    return
}

# List current members. Identity details live in AdditionalProperties, so project
# them into readable columns rather than dumping the raw hashtable.
Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id |
    ForEach-Object {
        [pscustomobject]@{
            DisplayName       = $_.AdditionalProperties['displayName']
            UserPrincipalName = $_.AdditionalProperties['userPrincipalName']
            ObjectType        = $_.AdditionalProperties['@odata.type']
        }
    }

Step 4: Verify Guest User Access Restrictions

While invite permissions are the primary scope of this control, confirm that guests already in your tenant cannot enumerate the directory:

  1. In External collaboration settings, under Guest user access, select Guest user access is restricted to properties and memberships of their own directory objects.
  2. Click Save.

This prevents existing guest accounts from viewing all users or group memberships in your tenant.

Verification Checklist

After applying these restrictions:

  • Guest invite settings are set to admins and Guest Inviter role only.
  • Member users cannot invite guests (confirmed in portal or via a test member account).
  • Guest Inviter role membership is reviewed and limited to necessary personnel.
  • Guest user access is restricted to their own directory objects.
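The first and last checklist items can be verified from the tenant's authorization policy instead of the portal. The script below is an added example, not part of the original guide or of TrueConfig; it assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in account holds the Policy.Read.All permission. The guest access GUIDs are the role template IDs Microsoft documents for the three "Guest user access" options.

```powershell
# Added verification script for EXT-01 (not from the original guide or TrueConfig).
# Assumes Microsoft.Graph SDK and Policy.Read.All on the signed-in account.
Connect-MgGraph -Scopes "Policy.Read.All"

# Graph enum value behind the recommended "Guest invite settings" radio button
$ExpectedInviteSetting = 'adminsAndGuestInviters'

# guestUserRoleId values for the three "Guest user access" options
$GuestAccessLevels = @{
    'a0b1b346-4d3e-4e8b-98f8-753987be4970' = 'Same as member users (least restrictive)'
    '10dae51f-b6af-4016-8d66-8c2a99b929b3' = 'Limited access (default)'
    '2af84b1e-32c8-42b7-82bc-daa82404023b' = 'Restricted to own directory objects (most restrictive)'
}
$RestrictedGuestRoleId = '2af84b1e-32c8-42b7-82bc-daa82404023b'

# There is exactly one authorization policy per tenant
$policy = Get-MgPolicyAuthorizationPolicy
$guestRoleId = [string]$policy.GuestUserRoleId   # normalise Guid/string for hashtable lookup

$findings = @(
    [pscustomobject]@{
        Check    = 'Guest invite settings'
        Actual   = $policy.AllowInvitesFrom
        Expected = $ExpectedInviteSetting
        Pass     = ($policy.AllowInvitesFrom -eq $ExpectedInviteSetting)
    }
    [pscustomobject]@{
        Check    = 'Guest user access'
        Actual   = if ($GuestAccessLevels.ContainsKey($guestRoleId)) { $GuestAccessLevels[$guestRoleId] } else { "Unknown role id $guestRoleId" }
        Expected = $GuestAccessLevels[$RestrictedGuestRoleId]
        Pass     = ($guestRoleId -eq $RestrictedGuestRoleId)
    }
)

$findings | Format-Table -AutoSize

# Non-zero exit lets a scheduled job or CI pipeline flag drift from the expected state
if ($findings.Pass -contains $false) {
    Write-Warning "EXT-01 drift detected: one or more checks failed."
    exit 1
}
```

Remediation of a failed invite check is the same change the portal makes in Step 2: Update-MgPolicyAuthorizationPolicy with -AllowInvitesFrom adminsAndGuestInviters, which additionally requires Policy.ReadWrite.Authorization.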

Troubleshooting

Issue: Legitimate partner cannot be invited

Cause: The responsible person does not hold the Guest Inviter role or an admin role.

Solution:

  1. Assign the Guest Inviter role to the designated contact in your organization.
  2. Document the business justification for the assignment.
  3. Do not loosen the tenant-wide invite setting; use role assignment instead.

Issue: Guest can see all users in the directory

Cause: Guest user access is not restricted (a separate setting from invite permissions).

Solution:

  1. Navigate to External collaboration settings.
  2. Set Guest user access to the most restrictive option.
  3. Note: Changes may take up to 24 hours to fully propagate.

Issue: Guest cannot access shared resources after being invited

Cause: Conditional Access policies, group membership, or resource-level permissions may be blocking access.

Solution:

  1. Check Conditional Access sign-in logs for the guest account.
  2. Verify the guest is a member of the appropriate groups or has been granted direct permissions.
  3. Confirm the guest account is enabled in Identity > Users > All users.


Last updated: January 2025