EXT-03: Restrict Guest Access to Allowlisted Domains

Overview

At Level 3, external collaboration is tightly controlled. Only pre-approved partner organizations can access your tenant. This limits the scope for invitation-based social engineering and confines data exposure to vetted third parties.

This control requires that guest invitations are restricted to an explicit allowlist of trusted domains, that cross-tenant access policies block B2B collaboration from all non-allowlisted tenants, and that SharePoint and OneDrive external sharing is restricted to the same allowed domains.

TrueConfig can apply the blocking baseline (block-by-default cross-tenant access) with one click. Adding specific partner domains to the allowlist requires manual configuration, as partner relationships are organization-specific.

Severity: High | Minimum Level: 3 | Mode: Strict (one-click enable, auto-remediation allowed) | License Required: Entra ID P1

Prerequisites

Required Roles

  • Global Administrator - Required to configure cross-tenant access defaults and External Identities settings
  • SharePoint Administrator - Required to restrict SharePoint and OneDrive sharing by domain

Required Licenses

  • Microsoft Entra ID P1 (or a bundle that includes it, such as Microsoft 365 E3/E5 or Business Premium) is required for cross-tenant access policy configuration

Time Estimate

  • Configure cross-tenant block defaults: 20 minutes
  • Add partner allowlist entries: 15 minutes per partner
  • Configure SharePoint domain restriction: 15 minutes
  • Testing and validation: 30 minutes

Step-by-Step Instructions

Step 1: Configure Cross-Tenant Access to Block All by Default

The first step is to set a deny-all default for inbound B2B collaboration. This blocks guests from any tenant that is not explicitly allowlisted.

  1. Navigate to Microsoft Entra admin center (https://entra.microsoft.com)
  2. Go to External Identities > Cross-tenant access settings
  3. Open the Default settings tab
  4. Click Edit inbound defaults
  5. Under B2B collaboration > External users and groups, select Block access
  6. Under B2B direct connect > External users and groups, select Block access
  7. Click Save

TrueConfig performs steps 1-7 automatically when you click "Enable" on EXT-03.

PowerShell

Connect-MgGraph -Scopes "Policy.ReadWrite.CrossTenantAccess"

# Set default inbound to block all B2B collaboration and direct connect
$params = @{
    b2bCollaborationInbound = @{
        usersAndGroups = @{
            accessType = "blocked"
            targets = @(
                @{
                    target = "AllUsers"
                    targetType = "user"
                }
            )
        }
        applications = @{
            accessType = "blocked"
            targets = @(
                @{
                    target = "AllApplications"
                    targetType = "application"
                }
            )
        }
    }
    b2bDirectConnectInbound = @{
        usersAndGroups = @{
            accessType = "blocked"
            targets = @(
                @{
                    target = "AllUsers"
                    targetType = "user"
                }
            )
        }
        applications = @{
            accessType = "blocked"
            targets = @(
                @{
                    target = "AllApplications"
                    targetType = "application"
                }
            )
        }
    }
}

Update-MgPolicyCrossTenantAccessPolicyDefault -BodyParameter $params

Step 2: Restrict Guest Invitations to Allowed Domains

Configure the External Identities invitation settings to allow invitations only to specific domains.

  1. Navigate to External Identities > External collaboration settings
  2. Under Guest invite settings, set Guest invite restrictions to Admins and users in the guest inviter role can invite (or more restrictive)
  3. Under Collaboration restrictions, select Allow invitations only to the specified domains (most restrictive)
  4. Enter each approved partner domain, one per line (for example, partner.com)
  5. Click Save

PowerShell

Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"

# Invitation settings live on the authorization policy: who may invite guests and
# which role a guest receives. (allowedToInviteExternalUsers and allowedExternalDomains
# are not authorizationPolicy properties, so they are not set here.)
$params = @{
    allowInvitesFrom = "adminsAndGuestInviters"
    guestUserRoleId  = "10dae51f-b6af-4016-8d66-8c2a99b929b7" # Guest User role
}
Update-MgPolicyAuthorizationPolicy -BodyParameter $params

# The allowed-domain list is stored in the B2BManagementPolicy legacy policy object.
# Assumption: the beta legacy/policies endpoint used by the Entra portal is available
# to your account; it may require a broader scope such as Directory.ReadWrite.All.
$definition = @{
    B2BManagementPolicy = @{
        InvitationsAllowedAndBlockedDomainsPolicy = @{
            AllowedDomains = @("partner.com", "vetted-supplier.org")
            BlockedDomains = @()
        }
    }
} | ConvertTo-Json -Depth 5 -Compress

$policies = (Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/legacy/policies").value
$b2bPolicy = $policies | Where-Object { $_.type -eq "B2BManagementPolicy" }
$body = @{ definition = @($definition); isOrganizationDefault = $true }
if ($b2bPolicy) {
    Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/beta/legacy/policies/$($b2bPolicy.id)" -Body $body
} else {
    $body.displayName = "B2BManagementPolicy"
    $body.type = "B2BManagementPolicy"
    Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/legacy/policies" -Body $body
}

Step 3: Add Approved Partners to the Cross-Tenant Allowlist

For each approved partner organization, create a cross-tenant access policy entry that explicitly allows inbound B2B collaboration.

  1. In Cross-tenant access settings, open the Organizational settings tab
  2. Click + Add organization
  3. Enter the partner's Tenant ID or primary domain name
  4. Click Add
  5. Click on the new partner entry to configure it
  6. Click Edit under Inbound access
  7. Under B2B collaboration, select Customize settings
  8. Under External users and groups, select Allow access > All external users and groups (or specific groups if known)
  9. Under Applications, select Allow access > All applications (or scope to specific apps)
  10. Click Save

Repeat for each approved partner organization.

Note: You must know the partner's Entra tenant ID or domain name before adding them. To look up a tenant ID from a domain, fetch the OpenID configuration endpoint https://login.microsoftonline.com/<domain>/.well-known/openid-configuration and read the issuer field; the tenant ID is the GUID embedded in that URL.

PowerShell

Connect-MgGraph -Scopes "Policy.ReadWrite.CrossTenantAccess"

$partnerTenantId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"  # Replace with actual tenant ID

$params = @{
    tenantId = $partnerTenantId
    b2bCollaborationInbound = @{
        usersAndGroups = @{
            accessType = "allowed"
            targets = @(
                @{
                    target = "AllUsers"
                    targetType = "user"
                }
            )
        }
        applications = @{
            accessType = "allowed"
            targets = @(
                @{
                    target = "AllApplications"
                    targetType = "application"
                }
            )
        }
    }
}

New-MgPolicyCrossTenantAccessPolicyPartner -BodyParameter $params

Step 4: Restrict SharePoint and OneDrive External Sharing to Allowed Domains

The allowlist must also apply to SharePoint and OneDrive to prevent file sharing with non-approved domains.

  1. Navigate to the SharePoint admin center (https://admin.microsoft.com/sharepoint)
  2. Go to Policies > Sharing
  3. Under External sharing, set SharePoint to New and existing guests or Existing guests (do not use "Anyone")
  4. Under More external sharing settings, enable Limit external sharing by domain
  5. Select Add domains that are allowed
  6. Enter the same approved partner domains
  7. Click Save

PowerShell

Connect-SPOService -Url "https://yourtenant-admin.sharepoint.com"

# Restrict sharing to specific domains
Set-SPOTenant `
    -SharingCapability ExternalUserSharingOnly `
    -SharingDomainRestrictionMode AllowList `
    -SharingAllowedDomainList "partner.com vetted-supplier.org"

Replace partner.com vetted-supplier.org with a space-separated list of your approved domains.

Step 5: Audit the Current State

Before and after applying changes, audit what is currently allowed.

PowerShell

Connect-MgGraph -Scopes "Policy.Read.All"

# Check default inbound settings
$default = Get-MgPolicyCrossTenantAccessPolicyDefault
Write-Host "Default B2B inbound access type:"
$default.B2BCollaborationInbound.UsersAndGroups.AccessType

# List all organizational (partner) entries
$partners = Get-MgPolicyCrossTenantAccessPolicyPartner
Write-Host "`nAllowlisted partner tenants:"
$partners | Select-Object TenantId | Format-Table

# Verify SharePoint domain restrictions
Connect-SPOService -Url "https://yourtenant-admin.sharepoint.com"
$tenant = Get-SPOTenant
Write-Host "`nSPO sharing domain restriction mode: $($tenant.SharingDomainRestrictionMode)"
Write-Host "Allowed domains: $($tenant.SharingAllowedDomainList)"

Verification Checklist

After configuring EXT-03:

  • Cross-tenant access default settings block inbound B2B collaboration from all tenants
  • Cross-tenant access default settings block inbound B2B direct connect from all tenants
  • Each approved partner organization has an explicit allowlist entry in Organizational settings
  • External Identities invitation settings restrict invitations to allowed domains only
  • SharePoint external sharing is set to "New and existing guests" or more restrictive (not "Anyone")
  • SharePoint domain restriction is set to "Allow list" with the approved domains listed
  • OneDrive sharing is equal or more restrictive than SharePoint
  • A test with a non-allowlisted external user confirms they are blocked
  • A test with an allowlisted partner confirms they can be invited and can access resources
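The Step 5 audit prints the raw settings; the checklist above is what those settings have to satisfy. The following function, an added example rather than TrueConfig's own code, turns the checklist into pass/fail results by reading the same objects Step 5 reads and comparing them with the domains and tenant IDs you intended to allow. It assumes an existing Connect-MgGraph session with Policy.Read.All and an existing Connect-SPOService session; the function name, parameter names and the ranking of SharePoint sharing levels are this example's own.

```powershell
# Added example (not TrueConfig's code). Assumes an existing Connect-MgGraph session
# with Policy.Read.All and a Connect-SPOService session, as in Step 5.
function Test-Ext03Compliance {
    [CmdletBinding()]
    param(
        # Partner e-mail domains entered in Steps 2 and 4
        [Parameter(Mandatory)] [string[]]$ApprovedDomains,
        # Partner tenant IDs allowlisted in Step 3
        [Parameter(Mandatory)] [string[]]$ApprovedTenantIds
    )

    $results = [System.Collections.Generic.List[object]]::new()
    function Add-Result([string]$Check, [bool]$Pass, $Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = "$Detail" })
    }

    # 1. Default inbound settings must block both B2B collaboration and direct connect
    $default = Get-MgPolicyCrossTenantAccessPolicyDefault
    $collab  = $default.B2BCollaborationInbound.UsersAndGroups.AccessType
    $direct  = $default.B2BDirectConnectInbound.UsersAndGroups.AccessType
    Add-Result 'Default inbound B2B collaboration blocked' ($collab -eq 'blocked') $collab
    Add-Result 'Default inbound B2B direct connect blocked' ($direct -eq 'blocked') $direct

    # 2. Every approved tenant has an explicit allow entry, and nothing else does.
    #    Partner entries with no inbound override inherit the (blocking) default.
    $allowed = Get-MgPolicyCrossTenantAccessPolicyPartner -All | Where-Object {
        $_.B2BCollaborationInbound.UsersAndGroups.AccessType -eq 'allowed'
    }
    foreach ($tid in $ApprovedTenantIds) {
        $present = $allowed.TenantId -contains $tid
        Add-Result "Partner $tid explicitly allowed" $present ($(if ($present) { 'present' } else { 'missing' }))
    }
    $unexpected = @($allowed | Where-Object { $_.TenantId -notin $ApprovedTenantIds })
    Add-Result 'No unexpected partner allow entries' ($unexpected.Count -eq 0) ($unexpected.TenantId -join ', ')

    # 3. Invitation settings: only admins and guest inviters (or nobody) may invite
    $authz = Get-MgPolicyAuthorizationPolicy
    Add-Result 'Guest invites limited to admins and guest inviters' `
        ($authz.AllowInvitesFrom -in 'adminsAndGuestInviters', 'none') $authz.AllowInvitesFrom

    # 4. SharePoint and OneDrive: no "Anyone" links, allow-list mode, exact domain match.
    #    SharingCapabilities enum values are not ordered by strictness, so rank them here.
    $rank = @{ Disabled = 0; ExistingExternalUserSharingOnly = 1; ExternalUserSharingOnly = 2; ExternalUserAndGuestSharing = 3 }
    $spo  = Get-SPOTenant
    Add-Result 'SPO sharing is not "Anyone"' ($rank["$($spo.SharingCapability)"] -le 2) $spo.SharingCapability
    Add-Result 'SPO domain restriction mode is AllowList' ("$($spo.SharingDomainRestrictionMode)" -eq 'AllowList') $spo.SharingDomainRestrictionMode
    Add-Result 'OneDrive no more permissive than SharePoint' `
        ($rank["$($spo.OneDriveSharingCapability)"] -le $rank["$($spo.SharingCapability)"]) $spo.OneDriveSharingCapability
    # The list is a single space-separated string; -contains is case-insensitive but
    # does not treat a subdomain or a trailing dot as a match, which is the behaviour we want.
    $spoDomains = @("$($spo.SharingAllowedDomainList)" -split '\s+' | Where-Object { $_ })
    foreach ($domain in $ApprovedDomains) {
        Add-Result "SPO allows $domain" ($spoDomains -contains $domain) ($spoDomains -join ' ')
    }

    return $results
}

# Usage:
# $report = Test-Ext03Compliance -ApprovedDomains 'partner.com','vetted-supplier.org' `
#                                -ApprovedTenantIds 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
# $report | Format-Table Check, Pass, Detail -AutoSize
# if ($report.Pass -contains $false) { Write-Warning 'EXT-03 is not fully applied' }
```

Run it once before Step 1 to record the starting state and again after propagation (see Troubleshooting for timing). A partner entry that exists but has no inbound override shows up as "missing" here, because it inherits the blocking default; that is exactly the case the first Troubleshooting item describes.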

Troubleshooting

Issue: Approved partner cannot be invited

Cause: The partner domain is not in the invitation allowlist, or the cross-tenant access policy entry is missing.

Solution:

  1. Confirm the partner domain appears under External collaboration settings > Collaboration restrictions allowlist
  2. Confirm a partner entry exists in Cross-tenant access settings > Organizational settings with inbound B2B collaboration set to Allow
  3. Verify the partner's tenant ID or domain is correct

Issue: Non-allowlisted user receives an invitation

Cause: The invitation restriction may not be set to the most restrictive option, or an admin sent the invitation directly.

Solution:

  1. Review External collaboration settings > Guest invite restrictions: confirm it is set to "Admins and users in the guest inviter role" (not "Anyone")
  2. Confirm the domain restriction mode is "Allow list", not "Block list"
  3. Check audit logs in Entra ID > Audit logs for "Invite external user" operations to identify who sent the invitation

Issue: SharePoint sharing with approved partners fails after domain restriction

Cause: The domain entered in SharePoint may not match the partner's email domain exactly, or the policy has not propagated.

Solution:

  1. Verify the partner's email domain (not tenant domain) is listed in the SharePoint allowed domain list
  2. Policy changes in SharePoint can take up to 24 hours to propagate
  3. Confirm the restriction mode is "Allow list" (AllowList) not "Block list"

Issue: B2B direct connect (Teams shared channels) is blocked for an approved partner

Cause: The default settings block B2B direct connect, and no partner-specific override has been added.

Solution:

  1. In the partner's organizational settings, click Edit under Inbound access
  2. Open the B2B direct connect tab and set it to Allow for the appropriate users and applications
  3. Both your tenant and the partner tenant must allow B2B direct connect for it to work

Issue: Cannot find the partner's tenant ID

Cause: Tenant ID is not always publicly visible.

Solution:

  1. Request the tenant ID directly from the partner's IT team
  2. Alternatively, fetch the OpenID configuration: https://login.microsoftonline.com/<partner-domain>/.well-known/openid-configuration and read the tid or issuer value
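The Step 3 note and the item above both describe the same lookup: fetch the partner domain's OpenID configuration document and pull the tenant ID out of the issuer. The function below, added here as an example and not part of TrueConfig, does that lookup and validates the result so the GUID can be dropped straight into the Step 3 script. The function and parameter names are this example's own; the endpoint URL is the one given in the text.

```powershell
# Added example (not TrueConfig's code). Resolves an Entra tenant ID from a domain
# using the public OpenID configuration document referenced in Step 3.
function Get-PartnerTenantId {
    [CmdletBinding()]
    param(
        # Partner's primary or e-mail domain, e.g. partner.com
        [Parameter(Mandatory)]
        [ValidatePattern('^[A-Za-z0-9.-]+\.[A-Za-z]{2,}$')]
        [string]$Domain
    )

    $uri = "https://login.microsoftonline.com/$Domain/.well-known/openid-configuration"
    try {
        $config = Invoke-RestMethod -Uri $uri -Method Get -ErrorAction Stop
    }
    catch {
        # A domain not registered with any Entra tenant returns HTTP 400 (tenant not found)
        throw "No Entra tenant found for domain '$Domain': $($_.Exception.Message)"
    }

    # The issuer embeds the tenant ID: https://sts.windows.net/<tid>/ for this document,
    # https://login.microsoftonline.com/<tid>/v2.0 for the v2.0 variant. Either way,
    # the GUID is the only part we need.
    $guid = '([0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12})'
    if ("$($config.issuer)" -notmatch $guid) {
        throw "Issuer '$($config.issuer)' for '$Domain' does not contain a tenant ID"
    }

    [pscustomobject]@{
        Domain   = $Domain
        TenantId = $Matches[1]
        Issuer   = $config.issuer
    }
}

# Usage: resolve the ID, then confirm it against what the partner's IT team told you
# before using it as $partnerTenantId in Step 3.
# $partner = Get-PartnerTenantId -Domain 'partner.com'
# if ($partner.TenantId -ne $tenantIdFromPartner) { Write-Warning 'Tenant ID mismatch; do not add this entry' }
```

Because the lookup only proves that a domain is registered to some tenant, treat the returned GUID as a value to cross-check with the partner, not as authorization on its own; adding the wrong tenant to the allowlist opens inbound collaboration to an organization you never vetted.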

Issue: Cross-tenant policy changes take too long

Cause: Entra ID policy changes can take 1 to 4 hours to propagate globally.

Solution:

  1. Wait for propagation before concluding the policy is not working
  2. Have users sign out and sign in again to force a fresh token
  3. Use incognito or private browsing to avoid cached credentials

Last updated: January 2025