π‘οΈπ§βπΌππβοΈGroup - Multi tenant Teams Allowed users
What this group is for π―β
This is the exception group linked to:
- βοΈπͺπ§βπΌCP - Teams - Block other tenant sign-in
- βοΈπͺπ§βπΌπCP - Teams - Allow other tenant sign-in
Members of this group are explicitly allowed to sign into Microsoft Teams with accounts from other tenants.
When to use it (and when not to) π§β
Legitimate use cases include:
- Mergers & acquisitions β joint Teams collaboration before a full migration
- Cross-tenant migrations β staged moves where users need temporary access to both tenants
- Partner or supplier projects β close collaboration in a shared environment
π« Not a use case:
- βI just want to check my old work accountβ
- βI have a friend in another company and itβs easier this wayβ
- Anything that sounds like βjust for nowβ without a documented plan
Governance Notes πβ
This group should:
- Have written customer approval for each member
- Be reviewed regularly to remove stale access
- Be empty by default in most tenants
Think of it like a secure keycard β if youβre not actively walking through that door, you shouldnβt be holding one.
π‘ SuperVision Tipβ
SuperVision can:
- Keep this groupβs name consistent across all tenants
- Let you manage membership centrally without editing the Intune policy
- Automatically remove users when a project or migration ends
Final Thoughts πβ
Exception groups are like sharp tools β theyβre great in the right hands, but dangerous if left lying around.
Use them:
- With purpose
- With documentation
- And with a healthy dose of skepticism