5.1.6.1 Ensure that collaboration invitations are sent to allowed domains only

Information

B2B collaboration is a feature within Microsoft Entra External ID that allows for guest invitations to an organization.

Ensure users can only send invitations to specified domains.

NOTE: This list works independently from the OneDrive for Business and SharePoint Online allow/block lists. To restrict individual file sharing in SharePoint Online, set up an allow or block list for OneDrive for Business and SharePoint Online. For instance, in SharePoint or OneDrive, users can still share with external users from prohibited domains by using Anyone links if those links have not been disabled.

Rationale:

By specifying allowed domains for collaboration, the organizations of external users are explicitly identified. This also prevents internal users from inviting unknown external users, such as personal accounts, and granting them access to resources.

Impact:

This could make collaboration harder if the allow list is not updated promptly when a new domain needs to be added as 'allowed'.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To restrict collaboration invitations only to the specified domains:

Navigate to Microsoft Entra admin center https://entra.microsoft.com/.

Click to expand Identity > External Identities and select External collaboration settings.

Under Collaboration restrictions, ensure Allow invitations only to the specified domains (most restrictive) is selected. Then specify the allowed domains under Target domains.

Default Value:

Allow invitations to be sent to any domain (most inclusive)
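As an added example (not part of this benchmark page or of Tenable's plugin), the following Python evaluates an exported B2BManagementPolicy definition against this control and checks whether a given invitee's domain would be permitted. The JSON shape (B2BManagementPolicy / InvitationsAllowedAndBlockedDomainsPolicy with AllowedDomains and BlockedDomains), the exact-match semantics and the sample domains are assumptions constructed for the example; obtain the real definition from your tenant.

```python
import json

# Constructed sample in the assumed shape of an Entra B2BManagementPolicy
# definition with an allow list configured (compliant with 5.1.6.1).
POLICY_ALLOWLIST = json.dumps({
    "B2BManagementPolicy": {
        "InvitationsAllowedAndBlockedDomainsPolicy": {
            "AllowedDomains": ["partner-a.example", "partner-b.example"],
            "BlockedDomains": []
        }
    }
})

# Constructed sample with no domain restriction: the default
# "Allow invitations to be sent to any domain (most inclusive)".
POLICY_DEFAULT = json.dumps({"B2BManagementPolicy": {}})


def domain_policy(definition: str) -> dict:
    """Return the domain allow/block sub-object, or {} if none is set."""
    doc = json.loads(definition)
    return doc.get("B2BManagementPolicy", {}).get(
        "InvitationsAllowedAndBlockedDomainsPolicy", {})


def is_compliant(definition: str) -> bool:
    """Control 5.1.6.1 passes only when a non-empty allow list restricts
    invitations; a block list alone, or no list, is the inclusive mode."""
    pol = domain_policy(definition)
    allowed = [d for d in pol.get("AllowedDomains", []) if d]
    return len(allowed) > 0


def invitation_permitted(definition: str, invitee: str) -> bool:
    """Would an invitation to this address be allowed under the policy?
    Allow-list mode: the domain must match an entry exactly (case-insensitive;
    subdomains are treated as distinct here). Block-list mode: the domain
    must not be listed. No lists: any domain is allowed (the default)."""
    domain = invitee.rsplit("@", 1)[-1].strip().lower()
    pol = domain_policy(definition)
    allowed = {d.lower() for d in pol.get("AllowedDomains", []) if d}
    blocked = {d.lower() for d in pol.get("BlockedDomains", []) if d}
    if allowed:
        return domain in allowed
    if blocked:
        return domain not in blocked
    return True
```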

See Also

https://workbench.cisecurity.org/benchmarks/15279

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

References: 800-53|AC-1, 800-53|AC-2, 800-53|IA-4, 800-53|IA-5, CSCv7|13.1

Plugin: microsoft_azure

Control ID: 86160576d688bd1e2bee77809402156d8196d333e884b59b9b237984eea1cbe6