Prevent Users from Joining External Tenants as Guest
In Skype for Business we had the ability to block our users from communicating with external users. We would like the ability to block our users from joining external tenants as guests to prevent data leaks.
Estudios Katz commented
It can prevent users from joining external tenants as guests.
In addition, it can set unlimited rules for communication.
It is also available in Microsoft AppSource.
This needs to be sorted out please, as students are using this to attempt data leaks.
We've faced the same issue, and the only option we found was to implement tenant restriction on our infra (a proxy setting that prevents connections to non-whitelisted tenants; a very tricky setting, as lots of collaboration settings are impacted). For mobile devices, we disabled the sharing outside managed apps.
Currently, Mr Pedo can invite students from our tenant to an external Team.
He can then allow them to show video, upload voice, upload photos on his tenant, even though all these are disabled on our EDU tenant.
This is also a child safety matter - please investigate it urgently.
Like cclements states, from a corporate device, a user could easily switch to a different, unauthorized tenant and upload data that O365 DLP will not monitor.
The OneDrive app has a GPO that prevents syncing with unauthorized tenants; there should be similar controls available for Teams to an organization around the actions of their users as guests on other tenants or to which tenants they can be guests of.
This is very important for our organization as well. Being unable to easily block guest invitations from other tenants will cause us to discontinue our Teams deployment. The main problem is that users are able to upload files to the other tenant where they have guest access.
Igor Matic commented
If the user is added as a guest in another Teams organization, even if he did not accept the invitation, he can still see the additional account in the Teams app from the organization to which he was invited.
Please fix this; we need to have an option to simply decline the invitation from other Teams organizations/external tenants.
Just wondering if there could be a virtual IP assigned to a tenant connection; that way the restriction can be set on the customer side instead of having Microsoft set up/change something on their systems.