EXT-01: Restrict Guest Invitation Permissions
Overview
Controlling who can invite guests into your Microsoft 365 tenant is a foundational governance control. Unrestricted guest invitations allow any user to bring external identities into your tenant. This creates uncontrolled access paths and potential data exposure. Limiting invitations to authorized personnel ensures oversight.
The expected state for this control is:
- Only admins and users explicitly assigned to the Guest Inviter role can invite guests.
- Member users cannot invite guests.
- Guests cannot invite other guests.
TrueConfig can configure External collaboration settings to enforce these restrictions with one click. No additional license beyond any Entra ID tier is required.
Prerequisites
Required Roles
- Global Administrator - Full access to all settings
- External Identity Provider Administrator - Can manage external collaboration settings
Required Licenses
- None -- any Entra ID tier (including Free) supports the Guest invite settings described in this guide.
Time Estimate
- Configuration: 5-10 minutes
Step-by-Step Instructions
Step 1: Review Current Guest Invite Settings
- Navigate to Microsoft Entra admin center (https://entra.microsoft.com).
- Go to Identity > External Identities > External collaboration settings.
- Under Guest invite settings, note the current selection.
The four available options are:
| Setting | Who can invite | Security level |
|---|---|---|
| No one in the organization can invite guests | No one | Highest |
| Only users assigned to specific admin roles can invite guest users including admins with guest inviter role | Admins and Guest Inviter role | Recommended |
| Member users and users assigned to specific admin roles can invite guest users | Members and admins | Lower |
| Anyone in the organization can invite guest users including guests and non-admins | Anyone, including guests | Not recommended |
Step 2: Set the Recommended Configuration
Select Only users assigned to specific admin roles can invite guest users including admins with guest inviter role.
This single setting satisfies all three expected states:
- Only admins and users in the Guest Inviter role can invite.
- Member users cannot invite guests.
- Guests cannot invite other guests.
Click Save.
TrueConfig one-click enforcement: TrueConfig detects when this setting deviates from the expected state and can configure it to the recommended value with a single click from the control detail page.
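The same setting is exposed through Microsoft Graph as the `allowInvitesFrom` property of the tenant's authorization policy, which makes it easy to check for drift from a script. The following PowerShell is an added example, not TrueConfig's own code or part of the original guide; it uses the Microsoft Graph PowerShell SDK cmdlets `Get-MgPolicyAuthorizationPolicy` and `Update-MgPolicyAuthorizationPolicy`, and the value `adminsAndGuestInviters` corresponds to the recommended portal option.

```powershell
# Added example: read the tenant-wide guest invite setting and enforce the
# recommended value through Microsoft Graph. Reading needs Policy.Read.All;
# writing needs Policy.ReadWrite.Authorization.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"

# allowInvitesFrom values map to the four portal options:
#   none                             -> No one in the organization can invite guests
#   adminsAndGuestInviters           -> Only users assigned to specific admin roles ... (recommended)
#   adminsGuestInvitersAndAllMembers -> Member users and users assigned to specific admin roles ...
#   everyone                         -> Anyone in the organization can invite guest users ...
$Expected = "adminsAndGuestInviters"

$policy = Get-MgPolicyAuthorizationPolicy
Write-Output "Current allowInvitesFrom: $($policy.AllowInvitesFrom)"

if ($policy.AllowInvitesFrom -eq $Expected) {
    Write-Output "Compliant: guest invitations are limited to admins and the Guest Inviter role."
}
elseif ($policy.AllowInvitesFrom -eq "none") {
    Write-Output "Stricter than expected: no one can invite guests. Leave as-is unless invitations are needed."
}
else {
    Write-Warning "Drift detected: '$($policy.AllowInvitesFrom)' is less restrictive than '$Expected'."
    # -WhatIf only reports what would change; remove it to apply the fix.
    Update-MgPolicyAuthorizationPolicy -AllowInvitesFrom $Expected -WhatIf
    # Re-read to confirm (meaningful only after applying without -WhatIf)
    Write-Output "After update: $((Get-MgPolicyAuthorizationPolicy).AllowInvitesFrom)"
}
```

Run it with the `-WhatIf` in place first to confirm which tenants are out of compliance; the portal option text in the table above is the authoritative mapping for each value.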
Step 3: Review Guest Inviter Role Assignments
With the invite setting restricted, the Guest Inviter role becomes the primary delegation path. Verify it is assigned only to personnel with a legitimate business need:
- Navigate to Identity > Roles and administrators.
- Search for and open Guest Inviter.
- Review current assignees and remove any that no longer require invitation rights.
Check via PowerShell

```powershell
Connect-MgGraph -Scopes "RoleManagement.Read.Directory"
# Get the Guest Inviter role. Get-MgDirectoryRole only returns roles that have
# been activated in the tenant, so an empty result means the role has never
# been assigned to anyone.
$role = Get-MgDirectoryRole | Where-Object { $_.DisplayName -eq "Guest Inviter" }
if (-not $role) {
    Write-Output "Guest Inviter role has no assignments (role not activated)."
    return
}
# List current members by display name and UPN (member details live in
# AdditionalProperties because the cmdlet returns generic directory objects)
Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id |
    ForEach-Object {
        [pscustomobject]@{
            DisplayName       = $_.AdditionalProperties['displayName']
            UserPrincipalName = $_.AdditionalProperties['userPrincipalName']
        }
    }
```
Step 4: Verify Guest User Access Restrictions
While invite permissions are the primary scope of this control, confirm that guests already in your tenant cannot enumerate the directory:
- In External collaboration settings, under Guest user access, select Guest user access is restricted to properties and memberships of their own directory objects.
- Click Save.
This prevents existing guest accounts from viewing all users or group memberships in your tenant.
Verification Checklist
After applying these restrictions:
- Guest invite settings are set to admins and Guest Inviter role only.
- Member users cannot invite guests (confirmed in portal or via a test member account).
- Guest Inviter role membership is reviewed and limited to necessary personnel.
- Guest user access is restricted to their own directory objects.
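The checklist can be evaluated read-only in one pass through Microsoft Graph. The script below is an added example, not part of the original guide or TrueConfig's code; it reads the authorization policy (`allowInvitesFrom` and `guestUserRoleId`) and the Guest Inviter role membership. The `guestUserRoleId` GUIDs are the well-known role IDs Microsoft documents for the three guest access levels; the `$MaxInviters` threshold is an assumption you should set to the number of approved inviters in your organization.

```powershell
# Added example: read-only verification of the checklist items via Microsoft Graph.
Connect-MgGraph -Scopes "Policy.Read.All","RoleManagement.Read.Directory"

# Well-known guestUserRoleId values (documented by Microsoft):
$RestrictedGuest = "2af84b1e-32c8-42b7-82bc-daa82404023b"  # restricted to own directory objects (expected)
$LimitedGuest    = "10dae51f-b6af-4016-8d66-8c2a99b929b3"  # default: limited directory read
$MemberLevel     = "a0b1b346-4d3e-4e8b-98f8-753987be4970"  # same access as member users

$policy  = Get-MgPolicyAuthorizationPolicy
$results = @()

# Checklist item 1 and 2: invite setting (none is stricter and also passes)
$results += [pscustomobject]@{
    Check  = "Guest invites limited to admins and Guest Inviter role"
    Actual = $policy.AllowInvitesFrom
    Pass   = $policy.AllowInvitesFrom -in @("adminsAndGuestInviters", "none")
}

# Checklist item 4: guest directory access level
$accessLabel = switch ($policy.GuestUserRoleId) {
    $RestrictedGuest { "restricted to own objects" }
    $LimitedGuest    { "limited directory read (default)" }
    $MemberLevel     { "same as members" }
    default          { "unknown ($($policy.GuestUserRoleId))" }
}
$results += [pscustomobject]@{
    Check  = "Guest user access restricted to own directory objects"
    Actual = $accessLabel
    Pass   = $policy.GuestUserRoleId -eq $RestrictedGuest
}

# Checklist item 3: Guest Inviter membership. The role is only listed once it
# has been activated; no role means no assignments.
$MaxInviters = 5   # assumed threshold; set to your approved number of inviters
$role    = Get-MgDirectoryRole | Where-Object { $_.DisplayName -eq "Guest Inviter" }
$members = if ($role) { @(Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id) } else { @() }
$results += [pscustomobject]@{
    Check  = "Guest Inviter role membership reviewed and limited"
    Actual = "$($members.Count) member(s)"
    Pass   = $members.Count -le $MaxInviters
}

$results | Format-Table -AutoSize
```

The member-count check is only a guardrail; it does not replace the manual review in Step 3 of who holds the role and why.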
Troubleshooting
Issue: Legitimate partner cannot be invited
Cause: The responsible person does not hold the Guest Inviter role or an admin role.
Solution:
- Assign the Guest Inviter role to the designated contact in your organization.
- Document the business justification for the assignment.
- Do not loosen the tenant-wide invite setting; use role assignment instead.
Issue: Guest can see all users in the directory
Cause: Guest user access is not restricted (a separate setting from invite permissions).
Solution:
- Navigate to External collaboration settings.
- Set Guest user access to the most restrictive option.
- Note: Changes may take up to 24 hours to fully propagate.
Issue: Guest cannot access shared resources after being invited
Cause: Conditional Access policies, group membership, or resource-level permissions may be blocking access.
Solution:
- Check Conditional Access sign-in logs for the guest account.
- Verify the guest is a member of the appropriate groups or has been granted direct permissions.
- Confirm the guest account is enabled in Identity > Users > All users.
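The three checks in this solution can be gathered for one guest account in a single script. The following PowerShell is an added example, not part of the original guide; the guest's e-mail address is a constructed placeholder, and the sign-in log query assumes the tenant has an Entra ID P1 or P2 license (required to read sign-in logs through Graph).

```powershell
# Added example: triage a guest who cannot reach a shared resource.
Connect-MgGraph -Scopes "User.Read.All","GroupMember.Read.All","AuditLog.Read.All"

# Constructed placeholder: the guest's external address as stored in the mail attribute.
# Filtering on mail avoids the '#EXT#' characters in guest UPNs, which need URL-encoding.
$guestMail = "partner@example.com"

$guest = Get-MgUser -Filter "userType eq 'Guest' and mail eq '$guestMail'" `
    -Property Id,DisplayName,UserPrincipalName,AccountEnabled,ExternalUserState
if (-not $guest) { Write-Warning "No guest account found for $guestMail"; return }

# 1. Account state: a disabled account or an unredeemed invitation both block access
[pscustomobject]@{
    DisplayName       = $guest.DisplayName
    UserPrincipalName = $guest.UserPrincipalName
    AccountEnabled    = $guest.AccountEnabled
    ExternalUserState = $guest.ExternalUserState   # 'PendingAcceptance' = invite never redeemed
} | Format-List

# 2. Group membership: compare against the group that grants the shared resource
Write-Output "Group memberships:"
Get-MgUserMemberOf -UserId $guest.Id -All |
    ForEach-Object { "  " + $_.AdditionalProperties['displayName'] }

# 3. Recent sign-ins with the Conditional Access outcome and any failing policies
Write-Output "Recent sign-ins:"
Get-MgAuditLogSignIn -Filter "userId eq '$($guest.Id)'" -Top 10 |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.CreatedDateTime
            App       = $_.AppDisplayName
            ErrorCode = $_.Status.ErrorCode          # 0 = success
            CAStatus  = $_.ConditionalAccessStatus   # success / failure / notApplied
            FailedCA  = ($_.AppliedConditionalAccessPolicies |
                            Where-Object { $_.Result -eq 'failure' } |
                            ForEach-Object { $_.DisplayName }) -join ', '
        }
    } | Format-Table -AutoSize
```

A non-zero `ErrorCode` with `CAStatus` of `failure` and a named policy in `FailedCA` points to Conditional Access; a clean sign-in with no relevant group membership points to a permissions gap on the resource itself.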
Related Resources
Last updated: January 2025