CP - Teams - Block other tenant sign-in
What this policy is about
We love Microsoft Teams.
We don't love when users suddenly log in with an account from some completely unrelated tenant "because it was convenient."
This policy says:
"If you're not one of us, you're not logging in."
The result: no random tenants in your Teams client, no unexplained chats with unmanaged environments, and no "accidental" data leaks.
Why?
Cross-tenant logins might look harmless, but:
- You don't know who manages that other tenant (if anyone)
- You can't enforce compliance or logging
- You lose all visibility into where your data ends up
Unless you're in the middle of a merger, acquisition, or cross-tenant migration, there's simply no reason to keep this door open.
Configuration
Type: Settings Catalog
| Setting | State | Details |
|---|---|---|
| Microsoft Teams - Restrict sign in to Teams to accounts in specific tenants (User) | Enabled | Tenant IDs (User): ${SUPERVISION_TENANTID} |
Only our own tenant ID is allowed. Period.
SuperVision Tip
Never hardcode a tenant ID.
With ${SUPERVISION_TENANTID}, SuperVision will automatically inject the correct value for each customer environment.
That makes your blueprint instantly multi-tenant ready and prevents awkward "oops, wrong tenant" moments.
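A pre-deployment check for this setting, as an added example (not SuperVision's or Microsoft's own code): it lints the unrendered `Tenant IDs (User)` value for hardcoded GUIDs and verifies that the rendered value contains only your own tenant. Substitution via `string.Template`, the comma-separated list format, the function names, and the sample tenant IDs are assumptions made for illustration.

```python
import re
import uuid
from string import Template

PLACEHOLDER = "${SUPERVISION_TENANTID}"  # placeholder named on this page
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

def lint_template(value: str) -> list[str]:
    """Findings for the unrendered 'Tenant IDs (User)' value in a blueprint."""
    findings = []
    if GUID_RE.search(value):
        findings.append("hardcoded tenant ID")
    if PLACEHOLDER not in value:
        findings.append("placeholder missing")
    if "," in value:  # assumption: multiple tenants are comma-separated
        findings.append("more than one tenant entry")
    return findings

def render_and_check(value: str, own_tenant_id: str) -> str:
    """Substitute the placeholder, then require exactly our own tenant ID."""
    own = str(uuid.UUID(own_tenant_id))  # raises ValueError if malformed
    # Assumption: injection behaves like ${NAME} substitution.
    # An unknown placeholder raises KeyError instead of shipping unresolved.
    rendered = Template(value).substitute(SUPERVISION_TENANTID=own)
    entries = [e.strip().lower() for e in rendered.split(",") if e.strip()]
    if entries != [own]:
        raise ValueError(f"allow-list is not limited to own tenant: {entries}")
    return rendered

# Constructed sample tenant IDs, not real tenants.
CUSTOMER_A = "11111111-2222-3333-4444-555555555555"
OTHER = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

if __name__ == "__main__":
    for candidate in (PLACEHOLDER, CUSTOMER_A, f"{PLACEHOLDER},{OTHER}"):
        print(repr(candidate), "->", lint_template(candidate) or "ok")
    print(render_and_check(PLACEHOLDER, CUSTOMER_A))
```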
Group Assignments
Included:
All Users
Excluded:
Related
Need to temporarily allow someone to log into another tenant?
Use the CP - Teams - Allow other tenant sign-in policy.
With approval. And a good reason. And probably a raised eyebrow.
Governance Check
Shadow IT is like mold: it grows in the dark, and when you notice it, it's usually too late.
Document your exceptions, get them approved, and remove them when theyβre no longer needed.