ICYMI: We introduced a new guest permission level in Azure AD that restricts what guests can see about other directory objects in your tenant.
When guest access is restricted, guests can view only their own user profile. They are not permitted to view other users, even when searching by UserPrincipalName or objectId. Restricted access also prevents guest users from seeing the membership of the groups they are in.
Here are some before/after experiences for guests. This is from the My Groups page (accessed from https://aka.ms/myapps). The guest goes from being able to see the names and email addresses of other guests in the group to the Groups view being disabled for them entirely.
Similarly, guests with restricted access are also blocked from seeing the list of groups they are members of.
Finally, PowerShell. By default, guests with limited access can enumerate the members of a group and even traverse up the org chart by looking up managers.
Restricted access blocks these lookups: the same commands fail for the guest instead of returning directory data.
This doc has a neat table summarizing the different access levels: Default user permissions - Azure Active Directory
To learn more about the restricted permission, the supported apps and the configuration details, see Restrict guest user access permissions - Azure Active Directory
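As an added example (not from the original post), here is the PowerShell an admin would use to check which guest permission level a tenant is on and switch it to Restricted, plus the two guest-side lookups discussed above (group members and manager) wrapped so you can confirm that they fail once the restriction is in place. It uses the Microsoft Graph PowerShell SDK; the three guestUserRoleId values are the ones documented in the "Restrict guest user access permissions" article linked above and should be verified against that doc before use. The function names, `$GroupId` and `$UserId` are placeholders for this example.

```powershell
# Added example, not code from the original post.
# Requires the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns,
# Microsoft.Graph.Groups, Microsoft.Graph.Users).
# Role IDs below are assumed to match the linked Microsoft doc; verify before use.

$GuestRoleLevels = @{
    'a0b1b346-4d3e-4e8b-98f8-753987be4970' = 'Same as member users'
    '10dae51f-b6af-4016-8d66-8c2a99b929b3' = 'Limited access (default)'
    '2af84b1e-32c8-42b7-82bc-daa82404023b' = 'Restricted access'
}

function Get-GuestAccessLevel {
    # Reads the tenant authorization policy and maps guestUserRoleId to a friendly name.
    $policy = Get-MgPolicyAuthorizationPolicy
    $id = $policy.GuestUserRoleId
    [pscustomobject]@{
        GuestUserRoleId = $id
        Level           = if ($GuestRoleLevels.ContainsKey($id)) { $GuestRoleLevels[$id] } else { 'Unknown' }
    }
}

function Set-GuestAccessRestricted {
    # Switches the tenant to Restricted access. Needs the Policy.ReadWrite.Authorization scope.
    Update-MgPolicyAuthorizationPolicy -GuestUserRoleId '2af84b1e-32c8-42b7-82bc-daa82404023b'
    Get-GuestAccessLevel
}

function Test-GuestDirectoryVisibility {
    # Run this while signed in AS A GUEST of the host tenant
    # (Connect-MgGraph -TenantId <host tenant id>). Under Limited access both lookups
    # return data; under Restricted access both throw, and the error text is captured.
    param(
        [Parameter(Mandatory)] [string] $GroupId,   # placeholder: a group the guest belongs to
        [Parameter(Mandatory)] [string] $UserId     # placeholder: a member user's objectId/UPN
    )
    $results = [ordered]@{}
    try {
        $members = Get-MgGroupMember -GroupId $GroupId -All
        $results['GroupMemberCount'] = @($members).Count
    } catch {
        $results['GroupMemberCount'] = "Blocked: $($_.Exception.Message)"
    }
    try {
        $manager = Get-MgUserManager -UserId $UserId
        $results['ManagerId'] = $manager.Id
    } catch {
        $results['ManagerId'] = "Blocked: $($_.Exception.Message)"
    }
    [pscustomobject]$results
}

# Admin flow: see where the tenant is today, then restrict.
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization'
Get-GuestAccessLevel
Set-GuestAccessRestricted
```

Run `Test-GuestDirectoryVisibility` from a guest session before and after the change; the "before" output is exactly the enumeration the post warns about, and the "after" output shows the same calls being denied. Note that the policy change affects guests tenant-wide and is not scoped per group or per app.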
If you want to learn how to restrict PowerShell access for guests while staying with ‘Limited access’, that’s a post for another day.
BTW, in Teams:
Limited access = guests can search for any user in the tenant by UPN/email and chat with them.
Restricted access = guests can only search for and chat with users in the team/group(s) they have been invited to. They cannot look up and chat with other users in the tenant.