1.1.13 Ensure that collaboration invitations are sent to allowed domains only

Information

Users should be able to send collaboration invitations to allowed domains only.

Rationale:

By specifying allowed domains for collaborations, external users companies are explicitly identified. Also, this prevents internal users from inviting unknown external users such as personal accounts and give them access to resources.

Impact:

This could make harder collaboration if the setting is not quickly updated when a new domain is identified as 'allowed'.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

From the Azure portal:

Go to Azure Active Directory

Go to Users

Go to User settings

Under External users, click on Manage external collaboration settings

Under Collaboration restrictions, select Allow invitations only to the specified domains (most restrictive), check the Target domains setting, and specify the domains allowed to collaborate.

Default Value:

Default value is Allow invitations to be sent to any domain (most inclusive) and thus no domain is specified.

See Also

https://workbench.cisecurity.org/files/3729

Item Details

Category: ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, MEDIA PROTECTION, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|AU-11, 800-53|MP-2, 800-53|SI-12, CSCv7|13.1

Plugin: microsoft_azure

Control ID: fb682bf265a77ea9734c2605e56e4b48a70cfc94b3da5d04e4965d816890c9ca