π‘οΈπ§βπΌππβοΈGroup - Multi tenant Teams Allowed users
What this group is for π―β
This is the exception group linked to:
- βοΈπͺπ§βπΌCP - Teams - Block other tenant signin
- βοΈπͺπ§βπΌπCP - Teams - Allow other tenant signin
Members of this group are explicitly allowed to sign into Microsoft Teams with accounts from other tenants.
When to use it (and when not to) π§β
Legitimate use cases include:
- Mergers & acquisitions β joint Teams collaboration before a full migration
- Cross-tenant migrations β staged moves where users need temporary access to both tenants
- Partner or supplier projects β close collaboration in a shared environment
π« Not a use case:
- βI just want to check my old work accountβ
- βI have a friend in another company and itβs easier this wayβ
- Anything that sounds like βjust for nowβ without a documented plan
Governance Notes πβ
This group should:
- Have written customer approval for each member
- Be reviewed regularly to remove stale access
- Be empty by default in most tenants
Think of it like a secure keycard β if youβre not actively walking through that door, you shouldnβt be holding one.
π‘ SuperVision Tipβ
SuperVision can:
- Keep this groupβs name consistent across all tenants
- Let you manage membership centrally without editing the Intune policy
- Automatically remove users when a project or migration ends
Final Thoughts πβ
Exception groups are like sharp tools β theyβre great in the right hands, but dangerous if left lying around.
Use them:
- With purpose
- With documentation
- And with a healthy dose of skepticism