How to restrict guest access permissions in Microsoft Entra ID (formerly Azure Active Directory)

For security reasons, administrators will want to restrict what guest users can see in their organization's Microsoft Entra ID. While the member users get a full set of user permissions, guest users are set to a limited permission level by default. You can also use the guest user permissions level in your Microsoft Entra's external collaboration settings for even more restricted access. Guest access user levels are:

Guests can only view their profile when the guest access is restricted. Even if the guest searches for other users using their User Principal Name or object ID, they still cannot view other users.

Steps to update guest user access permissions in Microsoft Entra ID:

1. Sign in to Microsoft Entra ID as at least Global Administrator.
2. Select Users > All Users > External Users. Now, select Manage external collaboration settings.
3. Select Guest user access is restricted to properties and memberships of their own directory objects options.
4. Select Save. The changes might take up to 15 minutes to take effect.

You can also use Microsoft Graph API to configure guest permissions. The below API calls will help you assign permission levels. The guestUserRoleId value shows the permission setting (refer table above).

To configure it for the first time:

POST https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy
        {
          "guestUserRoleId": "2af84b1e-32c8-42b7-82bc-daa82404023b"
        }
        

To update the existing value:

PATCH https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy
        {
          "guestUserRoleId": "2af84b1e-32c8-42b7-82bc-daa82404023b"
        }
        

To view the current value:

GET https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy
        

You can also use PowerShell to configure the restricted permissions.

Get command: Get-MgPolicyAuthorizationPolicy

Get-MgPolicyAuthorizationPolicy | Format-List
        

Update command: Update-MgPolicyAuthorizationPolicy

Update-MgPolicyAuthorizationPolicy -GuestUserRoleId '2af84b1e-32c8-42b7-82bc-daa82404023b'

Microsoft 365 services that support guest restriction setting:

• Teams
• Outlook (OWA)
• SharePoint
• Planner in Teams
• Planner mobile app
• Planner web app
• Project for the web
• Project Operations

About M365 Manager Plus

ManageEngine M365 Manager Plus is a Microsoft 365 reporting, auditing, management and monitoring tool. With M365 Manager Plus, you can:

• Enhance your comprehension of Microsoft services using user-friendly reports, easily scheduled, exported, and emailed from a unified console.
• Track all user and admin activities within your Microsoft 365 environment through detailed audit reports.
• Efficiently manage tasks such as bulk user creation, deletion, and password resets, and automate them for time and labor savings.
• Empower technicians with delegated tasks without requiring elevated native privileges.
• Ensure constant monitoring of your organization's health and performance around the clock.
• Reduce the administrator workload by delegating custom roles to help desk technicians.