How to restrict the ability for internal users to invite guests to SharePoint

Microsoft provides the ability for practices to specify which users or user groups are able to invite guest users. If your practice wishes to restrict the ability for users to invite guests please refer to the guidance below.

These instructions refer to the method where a Security Group is used to assign users in SharePoint. If using Assigned Roles via Microsoft External Collaboration Settings, refer to How to restrict the ability for internal users to invite guests to SharePoint (Assigned Roles method).

Note: Changes made to these settings may impact the ability for users to invite guest users to other Microsoft collaboration elements not used by FYI. If you are unsure of how to perform any of these steps please speak to your IT Professional before making any changes.

Microsoft SharePoint has the ability to define its sharing settings to restrict the ability to invite and add guest users to SharePoint sites. Users must be added to a security group, and each user must either be a Microsoft Administrator or assigned the Guest Inviter role.

Assign the Guest Inviter Role to Users

  1. Go to https://entra.microsoft.com/ to open the Microsoft Entra Admin Centre.

  2. Log in using your Microsoft Global Admin Account.
    Note: We recommend creating an independent Microsoft 365 account specifically for the OneDrive Admin User account. If linking to an individual account, additional steps would be required to update permissions if that individual left the practice. Refer to Link your OneDrive Admin Account for New Collaborate.

  3. From the menu on the left, select Users and All users.

  4. Search for and select the user you wish to give Guest Inviter access to. You can do this by clicking on the user name hyperlink.
    3023_Search_for_guest_user_inviter_role.gif

  5. In the Manage section click Assigned Roles and then select Add Assignments.
    3024_Select_guest_user_assigned_role.gif
    The Guest Inviter is a role within Azure that allows the user to create a guest account via the Collaborate invitation. This role needs to be enabled to create the Guest Account. The OneDrive Admin Account will always be used to create guest account invitations when using New Collaborate in FYI.

  6. Tick the role "Guest Inviter".

    Note: The admin roles Global Administrator and User Administrator also have permission to create guest user accounts. For more information refer to the Microsoft help article Configure external collaboration settings.

    Note: If Privileged Identity Management (PIM) is used in Azure, the Assignment Type must be set as "Active". By default, it is set as "Eligible" which will not apply the required role permissions.

  7. Click Add.

Add the Guest Inviter Users to a Microsoft Security Group

FYI Recommends creating a new security group for Guest Inviters to be used with Collaborate.

  1. Go to admin.microsoft.com and login using your Microsoft Global Admin Account.

  2. Select the Teams & Groups from the left-hand menu and select Active teams & groups.

  3. Select the Security Groups tab.
    3024_Active_teams_security_groups_tab.gif

  4. Click Add security group.

  5. Set a Name and Description for the group to make the purpose of the group clear.
    3025_Add_security_group_microsoft.gif

  6. Click Next.

  7. Review the details entered and click Create group.

  8. Your new group will display in the list of Security groups.

  9. Click on the group Name to display the details.

    3026_Display_security_group.gif
  10. Select the Members tab and click View all and manage members.

  11. Click Add members and search for and select the users you wish to add to the group. You can add multiple users to the group. 
    Note: To remove a user, select the user and click the 3 dots... and click the bin icon.

Update SharePoint Sharing Settings to use the Microsoft Security Group to send Guest Invites

  1. Go to admin.microsoft.com and login as the Microsoft or SharePoint Administrator.

  2. Locate SharePoint from the left-hand menu. If it doesn't display, select ... Show all.

  3. From the Policies dropdown select Sharing.

  4. Expand the More external sharing settings section and tick Allow only users in specific security groups to share externally.
     

  5. Click on Manage security groups button to open the the drawer.

  6. Search for and select the security group that contains the users you wish to grant permission to invite guest users.

  7. Click Save.
    3027_Manage_security_groups_select_group.gif

    Refer to the Microsoft article for more information Allow only members in specific security groups to share SharePoint and OneDrive files and folders externally - SharePoint in Microsoft 365 | Microsoft Learn.

Was this article helpful?
0 out of 0 found this helpful