Account/Authentication - Azure Active Directory - Ensure that Collaboration Invitations are Sent to Allowed Domains Only
Summary
Users should be able to send collaboration invitations to allowed domains only.
Reason
If the allowed domains for collaborations are specified, external companies can be explicitly identified. Additionally, this prevents internal users from inviting unknown external users like personal accounts and give them access to resources.
What If?
This could make harder collaboration if the setting is not quickly updated when a new domain is identified as "allowed".
How to?
From the Azure portal:
- Go to Azure Active Directory.
- Go to Users.
- Go to User Settings.
- Under External users, click on Manage external collaboration settings.
- Under Collaboration restrictions, choose allow invitations only to the specified domains (most restrictive), check the Target domains setting, and specify the domains allowed to collaborate.
Default Value: It is Allow invitations to be sent to any domain (most inclusive) and thus no domain is specified.
Monitor:
From the Azure portal:
- Go to Azure Active Directory.
- Go to Users.
- Go to User Settings.
- Under External users, click on Manage external collaboration settings.
- Under Collaboration restrictions, make sure that Allow invitations only to the specified domains (most restrictive) is selected. After this, ensure that Target domains is checked and that allowed domains are specified.
Comments
Post a Comment