Configuring External Collaboration Settings in Microsoft Entra ID for Guest Access
Overview
External collaboration settings in Microsoft Entra ID (formerly Azure AD) control how users outside your organization can access your resources. These settings help IT admins define the balance between secure access and productivity by managing guest invitations, permissions, and collaboration experiences across Microsoft 365 apps like Teams, SharePoint, and OneDrive.
1. Accessing External Collaboration Settings
Path:
- Go to Microsoft Entra admin center → https://entra.microsoft.com
- Navigate to Identity → External Identities → External collaboration settings
Here, you’ll configure global settings that define how guests are invited, managed, and authenticated.
2. Key Configuration Sections
a. Guest Invite Settings
Control who can invite external users.
| Setting | Description |
|---|---|
| Anyone in the organization can invite guests | All users can invite external users. |
| Member users and users assigned to specific admin roles can invite guests | Restricts invitations to internal members and admins. |
| Only users assigned to specific admin roles can invite guests | Limits invitations to Global Admins and selected roles. |
| No one in the organization can invite guests | Disables all guest invitations. |
Recommendation:
For security, select “Member users and users assigned to specific admin roles can invite guests.”
This ensures invitations are controlled but still practical for collaboration.
b. Guest User Access Restrictions
This controls what guests can do after joining your directory.
| Option | Access Level |
|---|---|
| Most restrictive | Guests can only access their own profile. |
| Restrict access to properties and memberships of directory objects | Guests have limited directory visibility (recommended). |
| Guest users have the same access as members | Guests can see directory data similar to employees. |
Recommendation:
Choose “Restrict access to properties and memberships of directory objects.”
This minimizes data exposure while keeping collaboration functional.
c. Guest Invite Notifications
You can enable notification emails to be sent to admins when a guest user is invited.
This improves visibility and helps monitor guest access activity.
d. Collaboration Restrictions
You can block or allow specific external domains for guest access.
Path:
External Identities → Cross-tenant access settings → Inbound/Outbound access settings
Here you can:
- Allow all domains
- Block all external domains
- Allow or block only specific domains (recommended for regulated industries)
3. Configuring Cross-Tenant Access Settings (Optional)
If you collaborate with partner organizations that also use Microsoft Entra ID, use Cross-tenant access settings for more granular control.
Features include:
- Inbound access – Controls how guests from other tenants access your resources.
- Outbound access – Controls how your users access resources in partner tenants.
- B2B Direct Connect – Enables Teams shared channels or external apps without full guest accounts.
Tip:
Use default settings for most organizations, and create organization-specific settings for trusted partners.
4. Testing and Verifying Guest Access
After configuration:
- Invite a test guest (external email address).
- Accept the invitation and sign in via the guest link.
- Verify access to Teams, SharePoint, or specific apps.
- Check Audit Logs under Monitoring & health → Audit logs for guest invitation events.
5. Best Practices
✅ Limit who can invite guests.
✅ Restrict guest directory visibility.
✅ Monitor guest activity using audit logs and access reviews.
✅ Review cross-tenant settings regularly.
✅ Use Conditional Access for MFA and device compliance checks.
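The first two practices can be checked against the tenant's authorization policy as returned by Microsoft Graph (`GET /v1.0/policies/authorizationPolicy`). The following is an added example, not code from this article or from Microsoft; the baseline constants and the mapping of this page's recommended options to `adminsGuestInvitersAndAllMembers` and the limited guest role are assumptions, and the sample responses are constructed.

```python
import json

# Values of allowInvitesFrom on the Graph authorizationPolicy resource,
# ordered from most to least restrictive.
INVITE_ORDER = ["none", "adminsAndGuestInviters",
                "adminsGuestInvitersAndAllMembers", "everyone"]

# Built-in guestUserRoleId values, ranked from most to least restrictive.
GUEST_ROLES = {
    "2af84b1e-32c8-42b7-82bc-daa82404023b": ("restricted guest", 0),
    "10dae51f-b6af-4016-8d66-8c2a99b929b3": ("limited guest", 1),
    "a0b1b346-4d3e-4e8b-98f8-753987be4970": ("same as member", 2),
}

# Assumed baseline: the two recommendations made on this page.
MAX_INVITE = "adminsGuestInvitersAndAllMembers"
MAX_GUEST_RANK = 1

def audit_policy(raw_json):
    """Return a list of findings; an empty list means the baseline is met."""
    doc = json.loads(raw_json)
    # Some responses wrap the policy in a "value" collection; accept both shapes.
    wrapped = isinstance(doc.get("value"), list) and doc["value"]
    policy = doc["value"][0] if wrapped else doc
    findings = []

    invites = policy.get("allowInvitesFrom")
    if invites not in INVITE_ORDER:
        findings.append(f"allowInvitesFrom has unexpected value {invites!r}")
    elif INVITE_ORDER.index(invites) > INVITE_ORDER.index(MAX_INVITE):
        findings.append(f"allowInvitesFrom={invites}: all users, guests included, can invite")

    role_id = str(policy.get("guestUserRoleId", "")).lower()
    name, rank = GUEST_ROLES.get(role_id, (None, None))
    if name is None:
        findings.append(f"guestUserRoleId {role_id!r} is not a known built-in role")
    elif rank > MAX_GUEST_RANK:
        findings.append(f"guestUserRoleId={name}: guests see the directory like employees")
    return findings

# Constructed sample responses (not taken from a real tenant).
PERMISSIVE = json.dumps({"id": "authorizationPolicy", "allowInvitesFrom": "everyone",
                         "guestUserRoleId": "a0b1b346-4d3e-4e8b-98f8-753987be4970"})
BASELINE = json.dumps({"value": [{"allowInvitesFrom": "adminsGuestInvitersAndAllMembers",
                                  "guestUserRoleId": "10dae51f-b6af-4016-8d66-8c2a99b929b3"}]})

if __name__ == "__main__":
    for label, sample in (("permissive", PERMISSIVE), ("baseline", BASELINE)):
        print(label, audit_policy(sample) or "OK")
```

Running the check on a schedule and alerting on a non-empty result catches drift when someone loosens either setting in the portal.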
Related Topics
- Configuring Teams shared channels for external access
- Using Sensitivity Labels to control guest sharing
- Reviewing Access Reviews for external users

