Skip to main content

Default Authorization Settings - User can join the tenant by email validation

Controls whether users can join the tenant by email validation. To join, the user must have an email address in a domain which matches one of the verified domains in the tenant.


Name	allowEmailVerifiedUsersToJoinOrganization
Control	Default Authorization Settings
Description	Manages authorization settings in Entra ID (Azure AD)
Severity	Medium

How to fix

Details of configuration item


Recommendation	Self-service sign up for email-verified users - Microsoft Entra ID - Microsoft Learn
Configuration	policies/authorizationPolicy
Setting	`allowEmailVerifiedUsersToJoinOrganization`
Recommended Value	'false'
Default Value	true
Graph API Docs	authorizationPolicy resource type - Microsoft Graph v1.0 - Microsoft Learn
Graph Explorer	Open in Graph Explorer

MITRE ATT&CK

Tactic	Technique	Mitigation
TA0001 - Initial Access - Initial Access

How to fix
- Details of configuration item
MITRE ATT&CK