1.1.17 Ensure that collaboration invitations are sent to allowed domains only

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

Azure Active Directory (Azure AD) B2B collaboration is a feature within External Identities that allows guest users to be invited into an organization.

Ensure that users can only send invitations to the specified domains.

NOTE: This list works independently of the OneDrive for Business and SharePoint Online allow/block lists. To restrict individual file sharing in SharePoint Online, set up an allow or block list for OneDrive for Business and SharePoint Online. For instance, in SharePoint or OneDrive, users can still share with external users from prohibited domains by using Anyone links if those links have not been disabled.

Rationale:

By specifying the domains allowed for collaboration, the external companies that guest users belong to are explicitly identified. This also prevents internal users from inviting unknown external users, such as personal accounts, and giving them access to resources.

Impact:

This could make collaboration harder if the setting is not updated promptly when a new domain is identified as 'allowed'.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To restrict collaboration invitations to the specified domains only:

Navigate to Microsoft Entra admin center https://entra.microsoft.com/.

Click to expand Azure Active Directory > Users, then select User settings.

Under External users, click on Manage external collaboration settings.

Under Collaboration restrictions, select Allow invitations only to the specified domains (most restrictive), check the Target domains setting, and specify the domains allowed to collaborate.

Default Value:

The default value is Allow invitations to be sent to any domain (most inclusive).
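As an added example, not part of the Tenable audit or the CIS benchmark, the following Python evaluates a B2B management policy definition the way this check intends: it reports which of the three collaboration-restriction modes a definition corresponds to, whether that passes the benchmark, and which proposed guest invitations the policy would reject. Assumptions: the JSON key names mirror the documented B2BManagementPolicy definition format, the sample policies and e-mail addresses are constructed, and domain matching is exact and case-insensitive (no wildcard or subdomain matching).

```python
import json

# Constructed sample of an Entra ID / Azure AD B2B management policy definition.
# Assumption: key names mirror the documented B2BManagementPolicy JSON; the
# domains themselves are made-up sample values.
SAMPLE_POLICY = json.dumps({"B2BManagementPolicy": {
    "InvitationsAllowedAndBlockedDomainsPolicy": {
        "AllowedDomains": ["partner.example", "Vendor.example"],
        "BlockedDomains": []}}})

# Definition with no domain lists, i.e. the default "any domain (most inclusive)".
DEFAULT_POLICY = json.dumps({"B2BManagementPolicy": {}})


def domain_lists(definition):
    """Return (allowed, blocked) domain lists from a policy definition, lowercased."""
    policy = json.loads(definition).get("B2BManagementPolicy", {})
    lists = policy.get("InvitationsAllowedAndBlockedDomainsPolicy", {})
    return ([d.lower() for d in lists.get("AllowedDomains", [])],
            [d.lower() for d in lists.get("BlockedDomains", [])])


def collaboration_mode(definition):
    """Map a definition onto the three Entra 'Collaboration restrictions' choices."""
    allowed, blocked = domain_lists(definition)
    if allowed:
        return "allow-list"   # "Allow invitations only to the specified domains"
    if blocked:
        return "block-list"   # invitations denied only for the listed domains
    return "any-domain"       # default, most inclusive


def is_compliant(definition):
    """The benchmark passes only when an explicit allow list is in force."""
    return collaboration_mode(definition) == "allow-list"


def invitation_permitted(definition, invitee_email):
    """Would this guest invitation be accepted under the policy?
    Exact, case-insensitive domain match (assumption: no wildcard/subdomain rules)."""
    allowed, blocked = domain_lists(definition)
    domain = invitee_email.rsplit("@", 1)[-1].lower()
    if allowed:
        return domain in allowed
    return domain not in blocked


def rejected_invitations(definition, invitee_emails):
    """Audit helper: which of the proposed invitations the policy would reject."""
    return [e for e in invitee_emails if not invitation_permitted(definition, e)]
```

Feed the function the Definition string of the tenant's B2BManagementPolicy object to turn this into a quick compliance check of the setting described above.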

See Also

https://workbench.cisecurity.org/benchmarks/10751