I'm managing a Microsoft 365 tenant with multiple domains, one of which is associated with a separate company that is loosely linked to ours. I need to find a way to restrict users from this specific domain so they can only access email and are prohibited from using any other Microsoft 365 resources, particularly our SharePoint intranet, which is currently accessible to everyone except external users. I tried using a Conditional Access policy, but it didn't work as intended. I'm also considering whether I should purchase a separate tenant just for these 10 users, but I'm uncertain if that's the necessary step.
5 Answers
Yes, it's definitely feasible to set up limited access for users on a specific domain within Microsoft 365. Many organizations implement strict access controls, so it shouldn't be too challenging. However, if this is more than just a casual request and might involve legal considerations, you might want to create separate tenants for those companies. Otherwise, planning around permissions can work well.
Exactly! Sometimes keeping them in the same tenant could lead to complications down the road. It's better to separate them out.
If you can justify it, splitting them off into their own tenant is the smartest way forward. If you really need to keep them on the same tenant for some reason, consider just assigning them Exchange Online licenses and removing other access rights, but honestly, separate tenants will make life easier in the long run.
Totally, if they're not all tightly linked to the business, better to separate. It reduces risk and keeps things simple.
I hear you, and it's likely way less hassle to manage them in different tenants if they don't need access to shared resources.
Honestly, the best solution might be to create a new subscription in Azure and move that domain there. Then just purchase the necessary Exchange Mailbox Plan for those users so they only have email access. It's the cleanest approach.
I'd suggest setting them up with only Exchange Online licenses and clearing any other offerings from their Apps list, like from Business Basic. This way, you ensure they have no access to anything outside of email.
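One way to carry out the license trimming described above, as an added example that is not from this thread: the Microsoft Graph PowerShell SDK is used to assign the Business Basic SKU to every user in the partner domain with all non-Exchange service plans disabled, then re-reads each user's license details to confirm nothing else is still provisioned. The domain `partner.example` and the SKU part number `O365_BUSINESS_ESSENTIALS` are placeholders to adjust for your tenant.

```powershell
# Added example (not from the thread). Assumes the Microsoft.Graph PowerShell SDK is installed.
# Placeholders: partner domain and SKU part number; confirm the latter with Get-MgSubscribedSku.
Connect-MgGraph -Scopes "User.ReadWrite.All", "Organization.Read.All"

$PartnerDomain = "partner.example"            # placeholder: the loosely linked company's domain
$SkuPartNumber = "O365_BUSINESS_ESSENTIALS"   # placeholder: Business Basic in most tenants

$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $SkuPartNumber
if (-not $sku) { throw "SKU $SkuPartNumber not found in this tenant" }

# Keep only the Exchange service plans; SharePoint, Teams, Office apps, etc. are disabled.
$disabledPlans = $sku.ServicePlans |
    Where-Object { $_.ServicePlanName -notlike "EXCHANGE*" } |
    Select-Object -ExpandProperty ServicePlanId

# endsWith filters need ConsistencyLevel eventual plus a $count request.
$users = Get-MgUser -Filter "endsWith(userPrincipalName,'@$PartnerDomain')" `
    -ConsistencyLevel eventual -CountVariable count -All -Property Id,UserPrincipalName

foreach ($u in $users) {
    # Direct assignment; if licenses come from a group, change the group's disabled plans instead,
    # otherwise group-based licensing will re-enable the plans on the next evaluation.
    Set-MgUserLicense -UserId $u.Id `
        -AddLicenses @(@{ SkuId = $sku.SkuId; DisabledPlans = $disabledPlans }) `
        -RemoveLicenses @()
    Write-Host "Restricted $($u.UserPrincipalName) to Exchange-only service plans"
}

# Verification pass: warn about any non-Exchange plan still provisioned for a partner user.
foreach ($u in $users) {
    Get-MgUserLicenseDetail -UserId $u.Id |
        ForEach-Object { $_.ServicePlans } |
        Where-Object { $_.ProvisioningStatus -eq "Success" -and $_.ServicePlanName -notlike "EXCHANGE*" } |
        ForEach-Object { Write-Warning "$($u.UserPrincipalName) still has $($_.ServicePlanName)" }
}
```

Disabling the SharePoint service plan blocks the intranet for these users regardless of site permissions, but it does not remove them from any sharing groups, so a later license change would restore access unless those memberships are cleaned up too.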
For real, if you don't have a pressing need to keep those users in the same tenant, splitting them off really sounds like the best move. It keeps everything clean, and you can manage SharePoint access more easily that way.

I completely agree with separating them into different tenants if it's a serious issue. Managing permissions can get tricky; I've tried a Conditional Access policy but found it ineffective too.