GOV-11: Disable Self-Service Sign-Up
Frequently asked questions about implementing and managing the GOV-11 security control in Microsoft 365 and Entra ID.
Free baseline scan · No credit card · 5 minute setup
QWhat is GOV-11 (Disable Self-Service Sign-Up)?▼
GOV-11 is a security control that self-service sign-up lets external users join the tenant on their own, creating ungoverned external identities without admin oversight. disabling it ensures every external identity enters through a controlled, reviewable path. It requires that external users cannot join the organization via self-service sign-up and authorizationpolicy.allowemailverifieduserstojoinorganization is false, authorizationpolicy.allowedtosignupemailbasedsubscriptions is false.
QWhy is Disable Self-Service Sign-Up important for Microsoft 365 security?▼
Self-service sign-up lets external users join the tenant on their own, creating ungoverned external identities without admin oversight. Disabling it ensures every external identity enters through a controlled, reviewable path.
QHow do I implement GOV-11 in my tenant?▼
GOV-11 requires manual implementation. Detect-only. Disable self-service sign-up in Entra admin center > User settings unless explicitly required.
QWhat license do I need for GOV-11?▼
This control can be implemented with any Microsoft 365 subscription, including free Azure AD.
QWhich security baseline includes GOV-11?▼
GOV-11 is included in the TrueConfig Recommended Secure baseline (Level 1). This is the foundation level suitable for most organizations.
5
Questions
1
Related Controls
—
Categorized
Related Resources
Still have questions?
Our security experts are here to help. Start a free trial and get personalized guidance for your Microsoft 365 environment.
Start Free Trial