Users should be able to send collaboration invitations to allowed domains only.

Rationale: By specifying allowed domains for collaboration, the companies that external users belong to are explicitly identified. This also prevents internal users from inviting unknown external users, such as personal accounts, and giving them access to resources.

Impact: This could make collaboration harder if the setting is not quickly updated when a new domain is identified as 'allowed'.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
From the Azure portal:

1. Go to Azure Active Directory
2. Go to Users
3. Go to User settings
4. Under External users, click on Manage external collaboration settings
5. Under Collaboration restrictions, select Allow invitations only to the specified domains (most restrictive), check the Target domains setting, and specify the domains allowed to collaborate.

Default Value: The default value is Allow invitations to be sent to any domain (most inclusive), and thus no domain is specified.
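
Because the check above is manual, the following added example (not part of the benchmark or of the Nessus audit) evaluates an exported B2B policy definition against this recommendation. It assumes the JSON shape Microsoft documents for the B2BManagementPolicy definition (InvitationsAllowedAndBlockedDomainsPolicy with AllowedDomains and BlockedDomains); the function name, the approved-domain set, the personal-domain list and the sample definitions are constructed for illustration.

```python
import json

# Assumed list of consumer mail domains standing in for "personal accounts".
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}

# Constructed sample policy definitions (not taken from a real tenant).
SAMPLE_ALLOWLIST = json.dumps({"B2BManagementPolicy": {
    "InvitationsAllowedAndBlockedDomainsPolicy": {
        "AllowedDomains": ["partner.example", "Gmail.com", "vendor.example"]}}})
SAMPLE_DENYLIST = json.dumps({"B2BManagementPolicy": {
    "InvitationsAllowedAndBlockedDomainsPolicy": {
        "BlockedDomains": ["competitor.example"]}}})
SAMPLE_DEFAULT = json.dumps({"B2BManagementPolicy": {}})


def evaluate_b2b_policy(definition, approved):
    """Return findings for one policy definition; an empty list means compliant."""
    try:
        doc = json.loads(definition)
    except (TypeError, ValueError) as exc:
        return [f"definition is not valid JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["definition is not a JSON object"]
    policy = (doc.get("B2BManagementPolicy") or {}).get(
        "InvitationsAllowedAndBlockedDomainsPolicy") or {}
    allowed = policy.get("AllowedDomains") or []
    if not allowed:
        if policy.get("BlockedDomains"):
            return ["deny list in use: any domain not listed can still be invited"]
        return ["no allow list: invitations can be sent to any domain (default)"]
    approved = {d.strip().lower() for d in approved}
    findings = []
    # Domains are compared case-insensitively and reported in sorted order.
    for domain in sorted({d.strip().lower() for d in allowed}):
        if domain in PERSONAL_DOMAINS:
            findings.append(f"personal mail domain allowed: {domain}")
        elif domain not in approved:
            findings.append(f"domain not on the approved list: {domain}")
    return findings


if __name__ == "__main__":
    approved = {"partner.example"}
    for name, sample in [("allow list", SAMPLE_ALLOWLIST),
                         ("deny list", SAMPLE_DENYLIST),
                         ("default", SAMPLE_DEFAULT)]:
        print(name, "->", evaluate_b2b_policy(sample, approved) or "compliant")
```

Running the check on a schedule against the organization's approved-domain list also surfaces the drift named under Impact, where the tenant setting and the list of approved partners fall out of step.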