Description:

This setting controls what guest users can see in Microsoft Entra ID. When it is set to “Guest user access is restricted to properties and memberships of their own directory objects,” guest users can only see their own information and the groups they belong to. They cannot see other users or any other directory details. This helps protect internal data by limiting what external users can view.

Rationale:

Restricting guest user access helps protect internal information by preventing external users from seeing details about other users or directory objects. This reduces the chance of data exposure and supports the principle of giving users only the access they need. It improves security by limiting what guest users can view inside the directory.

Impact:

This setting increases security by making sure guest users can only see their own information. It prevents them from viewing other users or directory data. While it limits what guests can access, it keeps internal information safe and protected.

Default Value:

By default, Microsoft Entra ID allows guest users to see more directory information. The most restrictive option is not enabled automatically, so an administrator must change the setting to limit what guests can view.

Pre-requisites:

  • You must sign in with either a Global Administrator or Privileged Role Administrator account.

  • Guest user accounts must already exist in the directory.

Test Plan:

  1. Sign in to the Azure portal at https://portal.azure.com 

  2. In the portal, search for Microsoft Entra ID.

  3. Under Manage, select External Identities.

  4. Open External collaboration settings.

  5. Find the option called Guest user access restrictions.

  6. Verify that it is set to “Guest user access is restricted to properties and memberships of their own directory objects (most restrictive).”

  7. If it is not set to this value, follow the Implementation Steps.

Implementation Steps:

  1. Sign in to the Azure portal at https://portal.azure.com 

  2. In the portal, search for Microsoft Entra ID.

  3. Under Manage, select External Identities.

  4. Click External collaboration settings.

  5. Find the Guest user access restrictions section.

  6. Change the setting to “Guest user access is restricted to properties and memberships of their own directory objects (most restrictive).”

  7. Click Save to apply the changes.
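The portal steps in the Test Plan, Implementation Steps and Backout Plan above can also be run as a script, which is useful when the same check has to be repeated across tenants. The following is an added example written for this page, not a script from the original baseline or from Microsoft. It uses the Microsoft Graph PowerShell SDK (`Connect-MgGraph`, `Get-MgPolicyAuthorizationPolicy`, `Update-MgPolicyAuthorizationPolicy`); the setting shown in the portal is stored as the `guestUserRoleId` property of the tenant's authorization policy. The three GUIDs in the table are Microsoft's published role-template ids for the three portal options and are not taken from this page; the `-Remediate` and `-Backout` switch names are this example's own.

```powershell
# Added example: audit the "Guest user access restrictions" setting and,
# optionally, apply the Implementation Steps (-Remediate) or the Backout
# Plan (-Backout) through Microsoft Graph instead of the portal.
# Requires the Microsoft.Graph PowerShell module.
[CmdletBinding()]
param(
    [switch]$Remediate,   # set the most restrictive value (Implementation Steps)
    [switch]$Backout      # restore the limited default (Backout Plan)
)

# Role-template ids published by Microsoft for the three portal options
# (assumption: values as documented, not taken from this baseline page).
$GuestRoleIds = @{
    'a0b1b346-4d3e-4e8b-98f8-753987be4970' = 'Guest users have the same access as members (least restrictive)'
    '10dae51f-2444-4ea3-9466-d6d03297b9a1' = 'Guest users have limited access to properties and memberships of directory objects (default)'
    '2af84b1e-32c8-42b7-82bc-daa82404023b' = 'Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)'
}
$MostRestrictive = '2af84b1e-32c8-42b7-82bc-daa82404023b'
$LimitedDefault  = '10dae51f-2444-4ea3-9466-d6d03297b9a1'

# Reading the policy needs Policy.Read.All; changing it needs
# Policy.ReadWrite.Authorization. Request only what the run requires.
$scopes = if ($Remediate -or $Backout) { 'Policy.ReadWrite.Authorization' } else { 'Policy.Read.All' }
Connect-MgGraph -Scopes $scopes -NoWelcome

# Test Plan steps 5-6: read the current value and map it to its portal label.
$policy  = Get-MgPolicyAuthorizationPolicy
$current = [string]$policy.GuestUserRoleId
$label   = if ($GuestRoleIds.ContainsKey($current)) { $GuestRoleIds[$current] } else { "unknown guestUserRoleId '$current'" }

if ($current -eq $MostRestrictive) {
    Write-Output "PASS: $label"
} else {
    Write-Output "FAIL: $label"
}

# Implementation Steps 6-7: move to the most restrictive option.
if ($Remediate -and $current -ne $MostRestrictive) {
    Update-MgPolicyAuthorizationPolicy -GuestUserRoleId $MostRestrictive
    Write-Output "Remediated: guestUserRoleId set to most restrictive."
}
# Backout Plan steps 6-7: return to the limited default.
elseif ($Backout -and $current -ne $LimitedDefault) {
    Update-MgPolicyAuthorizationPolicy -GuestUserRoleId $LimitedDefault
    Write-Output "Backout: guestUserRoleId set to limited (default)."
}
```

Run it with no switches to produce a PASS/FAIL line for the Test Plan; add `-Remediate` to apply the fix, or `-Backout` to reverse it. The script deliberately writes nothing when the tenant is already in the requested state, so it is safe to schedule as a recurring audit.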

Backout Plan:

  1. Sign in to the Azure portal at https://portal.azure.com 

  2. In the portal, search for Microsoft Entra ID.

  3. Under Manage, select External Identities.

  4. Click External collaboration settings.

  5. Find the Guest user access section.

  6. Change the setting back to a less restrictive option, such as “Guest users have limited access to properties and memberships of directory objects.”

  7. Click Save to apply the change.

Reference: