diff --git a/.openpublishing.redirection.solutions.json b/.openpublishing.redirection.solutions.json index 41a1762e86e..ae144e907cf 100644 --- a/.openpublishing.redirection.solutions.json +++ b/.openpublishing.redirection.solutions.json @@ -100,6 +100,11 @@ "redirect_url":"/microsoft-365/solutions/groups-teams-access-governance", "redirect_document_id":false }, + { + "source_path":"microsoft-365/solutions/limit-guest-sharing-to-specific-organization.md", + "redirect_url":"/microsoft-365/solutions/trusted-vendor-onboarding", + "redirect_document_id":false + }, { "source_path":"microsoft-365/solutions/information-protection-deploy-monitor-respond.md", "redirect_url":"/microsoft-365/solutions/data-privacy-protection", diff --git a/microsoft-365/media/cross-tenant-access-settings.png b/microsoft-365/media/cross-tenant-access-settings.png new file mode 100644 index 00000000000..e46984408a9 Binary files /dev/null and b/microsoft-365/media/cross-tenant-access-settings.png differ diff --git a/microsoft-365/media/cross-tenant-inbound-allow-application.png b/microsoft-365/media/cross-tenant-inbound-allow-application.png new file mode 100644 index 00000000000..39e1808c032 Binary files /dev/null and b/microsoft-365/media/cross-tenant-inbound-allow-application.png differ diff --git a/microsoft-365/media/cross-tenant-inbound-allow-group.png b/microsoft-365/media/cross-tenant-inbound-allow-group.png new file mode 100644 index 00000000000..d95dfd29640 Binary files /dev/null and b/microsoft-365/media/cross-tenant-inbound-allow-group.png differ diff --git a/microsoft-365/media/entra-guest-invite-settings-limited.png b/microsoft-365/media/entra-guest-invite-settings-limited.png new file mode 100644 index 00000000000..cc5e6c74f69 Binary files /dev/null and b/microsoft-365/media/entra-guest-invite-settings-limited.png differ diff --git a/microsoft-365/media/teams-external-access-allowed-domain.png b/microsoft-365/media/teams-external-access-allowed-domain.png new file mode 100644 index 00000000000..c5e9b7b1d5d Binary files /dev/null and b/microsoft-365/media/teams-external-access-allowed-domain.png differ diff --git a/microsoft-365/solutions/TOC.yml b/microsoft-365/solutions/TOC.yml index 5fb20c9e245..1b3e323a583 100644 --- a/microsoft-365/solutions/TOC.yml +++ b/microsoft-365/solutions/TOC.yml @@ -82,6 +82,8 @@ href: allow-direct-connect-with-all-organizations.md - name: Collaborate across clouds href: collaborate-guests-cross-cloud.md + - name: Onboard trusted vendors + href: trusted-vendor-onboarding.md - name: Create a B2B extranet href: b2b-extranet.md - name: Trust conditional access from other organizations @@ -92,8 +94,6 @@ href: limit-who-can-invite-guests.md - name: Limit who can be invited by an organization href: limit-invitations-from-specific-organization.md - - name: Limit guest sharing to specific organizations - href: limit-guest-sharing-to-specific-organization.md - name: Limit organizations where users can be guests href: limit-organizations-where-users-have-guest-accounts.md - name: Limit accidental exposure diff --git a/microsoft-365/solutions/limit-guest-sharing-to-specific-organization.md b/microsoft-365/solutions/limit-guest-sharing-to-specific-organization.md deleted file mode 100644 index 9f14ac2b001..00000000000 --- a/microsoft-365/solutions/limit-guest-sharing-to-specific-organization.md +++ /dev/null @@ -1,61 +0,0 @@ ---- -title: "Limit guest sharing to specific organizations" -ms.author: mikeplum -author: MikePlumleyMSFT -manager: serdars -ms.date: 12/08/2021 -audience: ITPro -ms.topic: article -ms.service: o365-solutions -ms.collection: -- highpri -- Tier1 -- SPO_Content -- M365-collaboration -- m365solution-securecollab -- m365solution-scenario -- m365initiative-externalcollab -ms.localizationpriority: medium -f1.keywords: NOCSH -recommendations: false -description: Learn how to limit guest sharing to specific Azure AD or Microsoft 365 organizations. ---- - -# Limit guest sharing to specific organizations - -By default, users can invite people outside the organization as guests. This includes adding them to teams in Microsoft Team, SharePoint sites, and sharing individual files and folders with them. - -If you only want to allow guests from specific organizations, you can specify these organizations in the Azure Active Directory external collaboration settings and cross-tenant access settings for [B2B collaboration](/azure/active-directory/external-identities/what-is-b2b). - -> [!NOTE] -> This article assumes that you have [SharePoint and OneDrive integration with Azure AD B2B](/sharepoint/sharepoint-azureb2b-integration) turned on. - -## Configure external collaboration settings - -With Azure AD external collaboration settings, you can specify the domains that you want to allow for external collaboration. Guest invitations to all other domains - including non-Azure AD domains - will be blocked. (Guests from blocked domains that are already in your directory will remain.) - -To allow guest invitations to a specific organization -1. In [Azure Active Directory](https://aad.portal.azure.com), select **External Identities**, and then select **External collaboration settings**. -1. Under **Collaboration restrictions**, choose **Allow invitations only to the specified domains**. -1. Type the domains that you want to allow, and then select **Save**. - -## Cross-tenant access settings - -If your allowed domains are other Azure AD organizations, cross-tenant access settings also affect how guests access your organization. By default, all domains are allowed for B2B collaboration with guest accounts. If you've changed your default settings, check to make sure the domains that you want to collaborate with are allowed. For more information, see [Overview: Cross-tenant access with Azure AD External Identities](/azure/active-directory/external-identities/cross-tenant-access-overview). - -You can use cross-tenant access settings to limit which of your users can be invited to another Azure AD organization. See [Limit who can be invited by an organization](limit-invitations-from-specific-organization.md) for more information. - -You can also limit which organizations where your users can have a guest account. See [Limit organizations where users can have guest accounts](limit-organizations-where-users-have-guest-accounts.md) for more information. - -> [!NOTE] -> Changes to cross-tenant access settings may take two hours to take effect. - -## Related topics - -[B2B direct connect overview](/azure/active-directory/external-identities/b2b-direct-connect-overview) - -[Configure cross-tenant access settings for B2B direct connect](/azure/active-directory/external-identities/cross-tenant-access-settings-b2b-direct-connect) - -[Limit who can be invited by an organization](limit-invitations-from-specific-organization.md) - -[Limit organizations where users can have guest accounts](limit-organizations-where-users-have-guest-accounts.md) diff --git a/microsoft-365/solutions/trusted-vendor-onboarding.md b/microsoft-365/solutions/trusted-vendor-onboarding.md new file mode 100644 index 00000000000..18eacd9e677 --- /dev/null +++ b/microsoft-365/solutions/trusted-vendor-onboarding.md @@ -0,0 +1,147 @@ +--- +title: Onboard trusted vendors to collaborate in Microsoft 365 +ms.author: mikeplum +author: MikePlumleyMSFT +manager: serdars +ms.date: 08/14/2023 +audience: ITPro +ms.topic: article +ms.service: o365-solutions +ms.collection: +- highpri +- Tier1 +- SPO_Content +- M365-collaboration +- m365solution-3tiersprotection +- m365solution-securecollab +- m365initiative-externalcollab +ms.custom: +localization_priority: medium +f1.keywords: NOCSH +recommendations: false +description: Learn how to onboard trusted vendors to collaborate in Microsoft 365. +--- + +# Onboard trusted vendors to collaborate in Microsoft 365 + +If your organization has an approval process for external vendors or other organizations, you can use features in Azure Active Directory and Teams to block access from people in unapproved organizations and add new organizations as they're approved. + +By using domain allowlists, you can block the domains of organizations that haven't been approved through your internal processes. This can help ensure that users in your organization to only collaborate with approved vendors. + +This article describes the features you can use as part of your approval process for onboarding new vendors. + +If you haven't configured guest sharing for your organization, see [Collaborate with guests in a site](collaborate-in-site.md) or [Collaborate with guests in a team (IT Admins)](collaborate-as-team.md). + +#### SharePoint and OneDrive integration with Azure AD B2B + +The procedures in this article assume that you've enabled [SharePoint and OneDrive integration with Azure AD B2B](/sharepoint/sharepoint-azureb2b-integration). If you haven't enabled Azure AD B2B integration for SharePoint and OneDrive, Azure AD B2B domain allowlists and blocklists don't affect file and folder sharing. In this case, use [Restrict sharing of SharePoint and OneDrive content by domain](/sharepoint/restricted-domains-sharing). + +## Allow the vendor's domain in Azure AD external collaboration settings + +With Azure AD external collaboration settings, you can allow or block invites to certain domains. By creating an allowlist, you allow guest invitations only to those domains and all others are blocked. You can use this to allow guest invitations to vendors that you've approved while blocking those to vendors you haven't. + +To allow sharing invitations only from specified domains +1. In Azure Active Directory, under **Identity**, expand **External identities**, and then choose **External collaboration settings**. +1. Under **Collaboration restrictions**, select **Allow invitations only to the specified domains**, and then type the domains that you want to allow. +1. Select **Save**. + + ![Screenshot of collaboration restrictions settings in Azure Active Directory.](../media/azure-ad-allow-only-specified-domains.png) + +For more information about using allowlists or blocklists in Azure AD, see [Allow or block invitations to B2B users from specific organizations](/azure/active-dir.ectory/external-identities/allow-deny-list) + +## Allow domains for other Microsoft 365 organizations + +If your approved vendor also uses Microsoft 365, there are additional settings in Azure AD and Teams that you can configure to manage these domains and create a more integrated experience for your users. + +By adding the vendor organization to Azure AD cross-tenant access settings, you can specify: + +- Which users in the vendor organization can be invited to your organization +- Which users in the vendor organization can participate in shared channels in Microsoft Teams +- Which applications those users have access to in your organization +- Whether your conditional access policies will accept claims from other Azure AD organizations when users from the other organization access your resources. + +By adding the vendor organization to the allowlist for Teams external access: + +- Users in your organization and the vendor organization can chat and meet without the vendor having to log in as a guest. + +#### Allow the vendor's domain in Azure AD cross-tenant access settings + +To specify settings such as who can be invited from the vendor organization and what applications they can use, first add the organization in Azure AD cross-tenant access settings. + +To add an organization +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) as a Global administrator. +1. Expand **Identity**, and then expand **External Identities**. +1. Select **Cross-tenant access settings**. +1. Select **Organizational settings**. +1. Select **Add organization**. +1. On the **Add organization** pane, type the full domain name (or tenant ID) for the organization. +1. Select the organization in the search results, and then select **Add**. + + ![Screenshot of cross-tenant access settings in Azure AD with two external organizations configured.](../media/cross-tenant-access-settings.png) + +To specify who your users can invite as guests from the vendor organization: +1. On the **Organizational settings** tab, select the **Inbound access** link for the organization you want to configure. +1. On the **B2B collaboration** tab, select **Customize settings** +1. On the **External users and groups** tab, choose **Select \ users and groups**, and then select **Add external users and groups**. +1. Add the IDs of the users and groups that you want to include, and then select **Submit**. +1. Select **Save**. + + ![Screenshot of an allowed group in the inbound cross-tenant access settings for an external organization.](../media/cross-tenant-inbound-allow-group.png) + +To specify which applications guests from the vendor organization can use: +1. On the **Organizational settings** tab, select the **Inbound access** link for the organization you want to configure. +1. On the **B2B collaboration** tab, select **Customize settings** +1. On the **Applications** tab, choose **Select applications**, and then select **Add Microsoft applications** or **Add other applications**. +1. Select the applications that you want to allow, and then choose **Select**. +1. Select **Save**. + + ![Screenshot of an allowed application in the inbound cross-tenant access settings for an external organization.](../media/cross-tenant-inbound-allow-application.png) + +For more information about the options available in cross-tenant access settings, including accepting conditional access claims from other organizations, see [Configure cross-tenant access settings for B2B collaboration](/azure/active-directory/external-identities/cross-tenant-access-settings-b2b-collaboration). + +If you plan to use Teams shared channels with the vendor organization, both organizations must set up cross-tenant access settings for Azure AD B2B direct connect. For details, see [Collaborate with external participants in a shared channel](/microsoft-365/solutions/collaborate-teams-direct-connect). + +#### Allow the vendor's domain in Teams external access + +To allow users in your organization and the vendor organization to chat and meet without the vendor having to log in as a guest, allow the domain in Teams external access. + +To allow an organization in Teams external access +1. In the Teams admin center, expand **Users**, and then select **External access**. +1. Under **Choose which domains your users have access to**, choose **Allow only specific external domains**. +1. Select **Allow domains**. +1. In the **Domain** box, type the domain that you want to allow and then select **Done**. +1. If you want to allow another domain, select **Add a domain**. +1. Select **Save**. + + ![Screenshot of Teams external access settings for Teams and Skype for Business users in external organizations with one allowed domain.](../media/teams-external-access-allowed-domain.png) + +The external access settings page in the Teams admin center includes settings for Teams accounts not managed by an organization and Skype users. You can turn these off if these accounts don't meet your organization's requirements for approved vendors. + +For more information about Teams external access options, see [Manage external meetings and chat with people and organizations using Microsoft identities](/microsoftteams/trusted-organizations-external-meetings-chat). + +## Limit who can invite guests + +You can restrict which users in your organization can invite guests from your trusted vendors. This can be useful if guest invites require approval or if you want your users to do a training course before being allowed to invite guests. For information on how to do this, see [Limit who can invite guests](limit-who-can-invite-guests.md). + +## Prevent unauthenticated access + +There are two features that allow someone from outside your organization to access resources in your organization without signing in: + +- Anonymous meeting join +- Unauthenticated file and folder sharing + +If your requirements for trusted vendors require everyone to sign in before accessing your organization's resources, you can turn these options off. + +To prevent people from joining meetings as anonymous participants, you can turn off **Anonymous users can join a meeting** in Teams meeting policies. For more information, see [Manage anonymous participant access to Teams meetings (IT admins)](/microsoftteams/anonymous-users-in-meetings). + +To prevent unauthenticated file and folder sharing, you must prevent the use of *Anyone* sharing links. You can do this for your entire organization or for specific SharePoint sites. For more information, see [Manage sharing settings for SharePoint and OneDrive in Microsoft 365](/sharepoint/turn-external-sharing-on-or-off) and [Change the sharing settings for a site](/sharepoint/change-external-sharing-site). + +## Related topics + +[Microsoft Entra External ID documentation](/azure/active-directory/external-identities/) + +[Use guest access and external access to collaborate with people outside your organization](/microsoftteams/communicate-with-users-from-other-organizations) + +[Azure Active Directory terms of use](/azure/active-directory/conditional-access/terms-of-use) + +[Allow only members in specific security groups to share SharePoint and OneDrive files and folders externally](/sharepoint/manage-security-groups)