Limit who can invite guests
You can limit who in your organization can invite guests. Guest accounts can be used for sharing teams, SharePoint sites, files, and folders with people outside your organization.
If your business processes require that you limit who can invite guests, or if you want users to complete training before they're able to invite guests, you can limit who can invite guests to your organization by using the Guest inviter role in Microsoft Entra ID.
The first step is to create a security group for the users who will be allowed to invite guests. Be sure to configure this group to allow a Microsoft Entra role, and then assign it the Guest inviter role.
To create a security group for guest inviters
Sign in to the Microsoft Entra admin center using a Security Administrator account.
Expand Groups and then select All groups.
Select New group.
Choose Security for the Group type.
Type a Group name.
Optionally, add a description for the group.
For Microsoft Entra roles can be assigned to the group, choose Yes.
Add group owners and members.
Under Roles, select No roles selected.
Search for and select the Guest inviter role, and then choose Select.
Select Create, and confirm that you want a group to which roles can be assigned. Your group is created and ready for you to add members.
Once you've created the security group and added the users who you want to be able to invite guests, the next step is to configure the Microsoft Entra external collaboration settings to only allow users with the Guest inviter role to invite guests.
Note that Global Administrators can always invite guests regardless of this setting.
Note
Changes to cross-tenant access settings may take two hours to take effect.
To configure Microsoft Entra ID to limit guest invites to the Guest inviter role
- In the Microsoft Entra admin center, expand External identities, and then select External collaboration settings.
- Under Guest invite settings, choose Only users assigned to specific admin roles can invite guests.
- Select Save.
Allow only users in specific security groups to share externally in SharePoint and OneDrive