Default Authorization Settings - User can join the tenant by email validation

Controls whether users can join the tenant by email validation. To join, the user must have an email address in a domain which matches one of the verified domains in the tenant.

Name	allowEmailVerifiedUsersToJoinOrganization
Control	Default Authorization Settings
Description	Manages authorization settings in Azure AD
Severity	Medium

How to fix

Details of configuration item

Recommendation	Self-service sign up for email-verified users - Microsoft Entra ID - Microsoft Learn
Configuration	policies/authorizationPolicy
Setting	allowEmailVerifiedUsersToJoinOrganization
Recommended Value	'false'
Default Value	true
Graph API Docs	authorizationPolicy resource type - Microsoft Graph v1.0 - Microsoft Learn
Graph Explorer	Open in Graph Explorer

MITRE ATT&CK

Tactic	Technique	Mitigation
TA0001 - Initial Access - Initial Access