Teams Real Simple with Pictures: You want to block your own users from being guests in other tenants? Well, now you can, with Cross Tenant Access Settings

This series on Teams has been running for a while now - about two and a half years. During that time I've returned periodically to the subject of guests: enabling/disabling Guest Access in the TAC, purging guests from Azure AD, self-service removal, Sensitivity Labels, Entitlement Management. In the last few months I have covered Terms of Use, the B2B Management Policy to block guest invitations, and regulating guests with PIM and RBAC. But the perennial question - the elephant in the room, as it were - has always been this: "I now have the tools to control adding guests to my tenant, but how can I - as an administrator - prevent my own users from joining other tenants as guests?" How can I control that? Block that? Up until this point we would typically say one of two things. One - it's the responsibility of the destination tenant to control guest invitations, even though we know from our own field experience that many orgs are anything but active when it comes to guest management. Two - it's by design, and if we simply turn off guest access lock, stock and barrel then we shoot ourselves in the foot collaboratively. But reaching for that security and compliance hat, as I have so often done of late, there are legitimate reasons why we may want to stop our own users being guests in other tenants. What if a competitor invites one of our users into their tenant to collaborate on something they aren't supposed to? What if our users were spending most of their time as guests in tenants that have nothing to do with our business? What if I, as an admin, want to limit certain users who are prone to accidental data leakage, or what if we just want to limit overall sprawl? So it should please administrators that we now have Cross Tenant Access Settings (CTAS) in preview, which can do exactly what we need.
CTAS is defined as giving granular control over how external Azure AD organizations collaborate with you (inbound access) and how your users collaborate with external Azure AD organizations (outbound access). We'll focus on outbound access in this one. To note right off the bat, this is designed to work with other Azure AD organizations - if, for example, you are working with organisations that are not on Azure AD, or with people using personal accounts, you'll still need the Azure AD B2B management policy covered earlier. You'll need the Global Administrator or Security Administrator role to configure it, and Azure AD Premium P1 licensing if you want to go granular with specific users or groups rather than applying the setting to everyone. Bear in mind that the default settings apply to every external tenant you haven't listed individually, and organisation-specific settings override the default for that one tenant - so the usual pattern is to block outbound by default and then carve out the partners you trust.
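The same outbound block, expressed as a script rather than portal clicks. This is an added example and not part of the original post or Microsoft's documentation; it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns module) is installed and that you sign in as a Global or Security Administrator. The group object ID and partner tenant ID are placeholders, not real values.

```powershell
# Added example (not from the original post): manage CTAS outbound B2B collaboration
# with Microsoft Graph PowerShell. Assumes the Microsoft.Graph modules are installed
# and the signed-in account holds Global Administrator or Security Administrator.
# Policy.ReadWrite.CrossTenantAccess is the Graph permission that covers these objects.
Connect-MgGraph -Scopes 'Policy.ReadWrite.CrossTenantAccess'

# 1. Look before you change anything: IsServiceDefault tells you whether the tenant
#    is still on Microsoft's out-of-the-box (allow everything) defaults.
$default = Get-MgPolicyCrossTenantAccessPolicyDefault
'Still on service defaults: {0}' -f $default.IsServiceDefault
$default.B2BCollaborationOutbound.UsersAndGroups | Format-List AccessType, Targets

# 2. Tenant-wide: block all of our users from being guests anywhere not listed as a
#    partner. 'AllUsers' and 'AllApplications' are the literal target values Graph uses.
$blockAllOutbound = @{
    b2bCollaborationOutbound = @{
        usersAndGroups = @{
            accessType = 'blocked'
            targets    = @(@{ target = 'AllUsers'; targetType = 'user' })
        }
        applications = @{
            accessType = 'blocked'
            targets    = @(@{ target = 'AllApplications'; targetType = 'application' })
        }
    }
}
Update-MgPolicyCrossTenantAccessPolicyDefault -BodyParameter $blockAllOutbound

# 3. Granular alternative (needs Azure AD P1): block only members of one group, for
#    example the users prone to accidental data leakage, and leave everyone else alone.
#    Commented out because it would replace the tenant-wide block from step 2.
$leakProneGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder group object ID
$blockGroupOutbound = @{
    b2bCollaborationOutbound = @{
        usersAndGroups = @{
            accessType = 'blocked'
            targets    = @(@{ target = $leakProneGroupId; targetType = 'group' })
        }
        applications = @{
            accessType = 'allowed'
            targets    = @(@{ target = 'AllApplications'; targetType = 'application' })
        }
    }
}
# Update-MgPolicyCrossTenantAccessPolicyDefault -BodyParameter $blockGroupOutbound

# 4. Carve out one trusted partner. Organisation-specific settings override the
#    default, so our users can still be guests in this tenant only.
$partnerTenantId = '11111111-1111-1111-1111-111111111111'     # placeholder tenant ID
$partner = @{
    tenantId = $partnerTenantId
    b2bCollaborationOutbound = @{
        usersAndGroups = @{
            accessType = 'allowed'
            targets    = @(@{ target = 'AllUsers'; targetType = 'user' })
        }
        applications = @{
            accessType = 'allowed'
            targets    = @(@{ target = 'AllApplications'; targetType = 'application' })
        }
    }
}
New-MgPolicyCrossTenantAccessPolicyPartner -BodyParameter $partner

# 5. Verify the end state: default should read 'blocked', the partner 'allowed'.
(Get-MgPolicyCrossTenantAccessPolicyDefault).B2BCollaborationOutbound.UsersAndGroups.AccessType
Get-MgPolicyCrossTenantAccessPolicyPartner |
    Where-Object TenantId -eq $partnerTenantId |
    Select-Object TenantId, @{ n = 'OutboundUsers'; e = { $_.B2BCollaborationOutbound.UsersAndGroups.AccessType } }
```

Run step 1 on its own first and keep the output; it is your record of what the tenant looked like before the change, and a blocked default is easy to roll back by re-applying an `allowed` body for `AllUsers` and `AllApplications`. Step 2 and step 3 are alternatives, not a sequence: the default policy is a single object, so whichever `Update-MgPolicyCrossTenantAccessPolicyDefault` runs last wins.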