If any user in your organization decides to start using azure he/she by default can log in at https://portal.azure.com and view the entire AAD catalog with object details. The user can also start to spin up resources and invite guest users.

First to hide the portal resources for your organization:

Now you can have hidden your org resources from all other users in the azure portal.

Next you may want to review the guest invitation permissions so users can not invite external users into your organization.

Review the settings here. Don’t be too strict.