π‘οΈπ§βπΌππβοΈGroup - Multi tenant OneDrive Allowed users
What this group does π§ͺβ
Being in this group means one thing:
βI'm trusted (or at least important enough) to sign into OneDrive using another tenant.β
Thatβs right. While the default policy
βοΈπͺπ§βπΌCP - OneDrive - Block other tenant signin says βnope, stick to your own tenantβ,
this group β combined with the
βοΈπͺπ§βπΌπCP - OneDrive - Allow other tenant signin policy β says:
π§ βOkay, fine. But only for you.β
π οΈ Group Configurationβ
| Setting | Value |
|---|---|
| Group name | π‘οΈπ§βπΌππGroup - Multi tenant OneDrive Allowed users |
| Group description | Users in this group are explicitly allowed to sync OneDrive accounts from other tenants. This overrides the block policy. Membership requires documented customer approval. |
| Group type | Security |
| Membership type | Assigned |
π‘ SuperVision Tipβ
This group is manually assigned β but that doesnβt mean it has to be a mess.
SuperVision supports user management across tenants, so you can assign this group consistently via:
- dynamic views
- rule-based grouping
- and automation across environments
All while using a recognizable naming standard (π‘οΈ, π, π) for clear intent.
βοΈ Still, make sure the customer signs off. Not just verbally β we mean actual documentation.
π― Purposeβ
Used as an exception mechanism for users in:
- Mergers & acquisitions (ππ)
- Multi-tenant collaboration environments (π)
- Situations where βjust block everythingβ doesn't quite work
This group is assigned to users who need access β not just want access.
β οΈ Governance mattersβ
If you add someone to this group:
- You should know why
- The customer should know why
- And you should have a signed piece of paper somewhere that proves it
If you canβt explain whoβs in this group during an audit... maybe donβt add them in the first place.
π Related Policiesβ
- βοΈπͺπ§βπΌCP - OneDrive - Block other tenant signin
- βοΈπͺπ§βπΌπCP - OneDrive - Allow other tenant signin
π·οΈ With great tenant access comes great compliance risk.