Existing Guest Accounts and the Azure B2B Collaboration Policy

What Takes Priority?

As you might know, the Azure B2B Collaboration policy for a tenant can hold a deny (block) list or an allow list. The list is used to stop owners of Office 365 Groups from adding guest users from specific domains, or to restrict them to adding guest users only from specific domains. Tenants use these lists to make sure that group owners don’t add guests from competitors, consumer email domains, and other domains that are deemed objectionable for one reason or another.

Steve Crowe sent me a note to say that he had run into a problem using the B2B collaboration policy with Teams. He had blocked some domains but group owners were still able to add users from those domains as guests.

As it turned out, the reason was that guest accounts for the users being added already existed in Azure Active Directory. Teams doesn’t apply restrictions on guest accounts that are already present in your directory because an assumption is made that an administrator added the guest account, so it’s OK and can be added to other groups.

Guests in Place

The offending guest account was added before the block list was enforced, so that’s why it exists in the directory and why Teams assumes it’s OK to add the account to other groups. Guest accounts are now added by multiple applications, including SharePoint, Planner, and Office 365 Groups, so it’s hard to know where the account might have originated. In this instance, the guest account was added when someone shared a document in a SharePoint library.

You can argue that respecting existing guest accounts is the right approach. Administrators can add guest accounts from any domain they choose through the Azure portal, and if they do, shouldn’t team owners be allowed to include these guests in their teams? On the other hand, administrators might assume that when they impose a block, applications like Teams will respect that block.

The “gap” in the block proves that you should use the Azure B2B collaboration policy to control domains for guest users AND check the guest user membership of groups on a regular basis, just to be sure that unwanted guests don’t slip through.
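One way to run that regular check, as an added example that is not from the original post: a Microsoft Graph PowerShell script that walks every Office 365 Group and reports guest members whose email domain is on your block list. It assumes the Microsoft Graph PowerShell SDK is installed with Group.Read.All and User.Read.All consent; the block-list domains are constructed placeholders to be replaced with the domains from your own B2B policy.

```powershell
# Added example, not the original post's code: find guests in Office 365
# Groups whose domain is on the B2B block list (guests that were created
# before the block, or by SharePoint sharing, slip past the policy).
# Assumes the Microsoft Graph PowerShell SDK and Group.Read.All,
# User.Read.All consent. The block list is a constructed placeholder.
$BlockedDomains = @('competitor.example', 'gmail.com')   # constructed sample

Connect-MgGraph -Scopes 'Group.Read.All', 'User.Read.All' -NoWelcome

# Only Microsoft 365 (Office 365) Groups, i.e. the groups behind Teams.
$Groups = Get-MgGroup -Filter "groupTypes/any(c:c eq 'Unified')" -All

$Findings = foreach ($Group in $Groups) {
    # Ask explicitly for mail and userType; they are not in the default set.
    $Members = Get-MgGroupMember -GroupId $Group.Id -All `
        -Property 'id', 'displayName', 'mail', 'userType'
    foreach ($Member in $Members) {
        $Props = $Member.AdditionalProperties
        # Skip nested groups, devices and anything that is not a guest user.
        if ($Props['@odata.type'] -ne '#microsoft.graph.user') { continue }
        if ($Props['userType'] -ne 'Guest') { continue }

        # Use the mail attribute: a guest UPN is rewritten to the
        # user_domain.com#EXT#@tenant form and hides the real domain.
        $Mail = $Props['mail']
        if (-not $Mail) { continue }
        $Domain = ($Mail -split '@')[-1].ToLower()

        if ($BlockedDomains -contains $Domain) {
            [pscustomobject]@{
                Group  = $Group.DisplayName
                Guest  = $Mail
                Domain = $Domain
            }
        }
    }
}

if ($Findings) {
    $Findings | Sort-Object Group, Guest | Format-Table -AutoSize
} else {
    Write-Host 'No guests from blocked domains found in any group.'
}
```

Every row reported is a guest the B2B policy would have rejected at invitation time but that Teams admitted because the account already existed in the directory; review where each came from before removing it.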

Keep Your Secrets

And if you have very confidential teams, consider blocking guest user access for the underlying Office 365 Groups. That way you’ll know that your organization’s most confidential discussions will never be shared with guests.

All of this is explained in Chapters 13 and 14 of the Office 365 for IT Pros eBook. It’s the kind of practical, straightforward advice we offer to readers…
