Option to prevent users from consenting to third-party tenants
Admins can today block users' ability to grant consent to applications. However, this will not block users from consenting to being invited into third-party tenants as guests.
I suggest that Azure AD should get an "external access" feature where Azure AD admins can choose (per user/group) to either:
- Allow users to access all external tenants as guests
- Allow users to access selected external tenants as guests
- Allow users to access selected external tenants and require admin approval for all other external tenants
- Users are not allowed to access external tenants (but admins are allowed to manually allow users to access selected external tenants as guests)
As of now this can only be achieved with tenant restrictions; however, tenant restrictions require you to have a network-level man-in-the-middle with TLS decryption at all possible locations where the user might use their account. Considering that MITM with TLS decryption can be a bit messy, and that all the information required should already be available to Azure AD at the point where a user consents to being invited as a guest, it would be a much simpler option if this could be blocked by Azure AD.
This could possibly be implemented as part of Conditional Access.
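For readers unfamiliar with the workaround the post refers to, the following is an added example (not code from the original post, and not a Microsoft implementation) that models how the header-based tenant restrictions mechanism works. The two header names and the three sign-in hostnames are the documented ones; the proxy logic, the allowed-tenant list, the context tenant ID and the sample requests are constructed for this illustration. It shows the two halves of the mechanism, the TLS-intercepting proxy that injects the headers and the login endpoint that enforces them, and it makes the post's point concrete: a request that never passes through the proxy carries no header and is not restricted at all.

```python
"""
Model of Azure AD tenant restrictions (proxy-injected headers).

Constructed example: a proxy that terminates TLS towards the Azure AD login
endpoints must add two HTTP headers to every such request; the login service
then refuses sign-in to any tenant not on the list. Header names and login
hostnames are the documented ones; everything else here is illustrative.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Sign-in hosts on which the proxy must inject the headers (documented values).
LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.windows.net"}

# Documented header names: the allowed-tenant list and the restricting tenant's directory ID.
RESTRICT_TENANTS_HEADER = "Restrict-Access-To-Tenants"
RESTRICT_CONTEXT_HEADER = "Restrict-Access-Context"

# Constructed policy: tenants staff may sign in to, and the home tenant's directory ID (placeholder GUID).
ALLOWED_TENANTS = ["contoso.com", "partner.example"]
HOME_TENANT_ID = "00000000-0000-0000-0000-000000000001"


@dataclass
class Request:
    """A minimal HTTP request as seen by the proxy (constructed type)."""
    host: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


def inject_tenant_restriction_headers(req: Request, allowed_tenants: List[str],
                                      context_tenant_id: str) -> Request:
    """Proxy side: on login-endpoint traffic, set both headers.

    Any client-supplied copy of the headers is dropped first; otherwise a
    client could present a broader list than the policy allows. Traffic to
    other hosts is passed through untouched.
    """
    if req.host.lower() not in LOGIN_HOSTS:
        return req
    managed = {RESTRICT_TENANTS_HEADER.lower(), RESTRICT_CONTEXT_HEADER.lower()}
    headers = {k: v for k, v in req.headers.items() if k.lower() not in managed}
    headers[RESTRICT_TENANTS_HEADER] = ",".join(allowed_tenants)
    headers[RESTRICT_CONTEXT_HEADER] = context_tenant_id
    return Request(req.host, req.path, headers)


def parse_allowed_tenants(headers: Dict[str, str]) -> Optional[Set[str]]:
    """Return the normalised tenant set from the header, or None if absent."""
    for name, value in headers.items():
        if name.lower() == RESTRICT_TENANTS_HEADER.lower():
            return {t.strip().lower() for t in value.split(",") if t.strip()}
    return None


def is_sign_in_allowed(req: Request, target_tenant: str) -> bool:
    """Service side (modelled): a request carrying the header may only sign in
    to a listed tenant. A request without the header is unrestricted, which
    is exactly the gap the post describes: every path that bypasses the
    intercepting proxy also bypasses the policy."""
    allowed = parse_allowed_tenants(req.headers)
    if allowed is None:
        return True
    return target_tenant.strip().lower() in allowed


def demo() -> Dict[str, bool]:
    """Run the three constructed scenarios and return the outcomes."""
    via_proxy = inject_tenant_restriction_headers(
        Request("login.microsoftonline.com", "/common/oauth2/authorize",
                {"Restrict-Access-To-Tenants": "evil.example"}),  # client tries to widen the list
        ALLOWED_TENANTS, HOME_TENANT_ID)
    direct = Request("login.microsoftonline.com", "/common/oauth2/authorize")  # never saw the proxy
    return {
        "proxied_to_allowed_tenant": is_sign_in_allowed(via_proxy, "Contoso.com"),
        "proxied_to_other_tenant": is_sign_in_allowed(via_proxy, "evil.example"),
        "direct_to_other_tenant": is_sign_in_allowed(direct, "evil.example"),
    }


if __name__ == "__main__":
    for scenario, allowed in demo().items():
        print(f"{scenario}: {'allowed' if allowed else 'blocked'}")
```

The third scenario is the reason the post asks for an identity-side control: the restriction lives in a header the proxy adds, so coverage is only as good as the set of networks whose TLS traffic you can intercept.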
