diff --git a/app/main/views/manage_users.py b/app/main/views/manage_users.py
index f624f3f10..c61b312d9 100644
--- a/app/main/views/manage_users.py
+++ b/app/main/views/manage_users.py
@@ -70,6 +70,10 @@ def invite_user(service_id, user_id=None):
                 'views/user-already-invited.html',
                 user_to_invite=user_to_invite,
             )
+        if not user_to_invite.default_organisation:
+            abort(403)
+        if user_to_invite.default_organisation.id != current_service.organisation_id:
+            abort(403)
         form.email_address.data = user_to_invite.email_address
     else:
         user_to_invite = None
diff --git a/tests/app/main/views/test_manage_users.py b/tests/app/main/views/test_manage_users.py
index f56b4b273..2b25ec340 100644
--- a/tests/app/main/views/test_manage_users.py
+++ b/tests/app/main/views/test_manage_users.py
@@ -7,6 +7,8 @@ from flask import url_for
 import app
 from app.utils import is_gov_user
 from tests.conftest import (
+    ORGANISATION_ID,
+    ORGANISATION_TWO_ID,
     SERVICE_ONE_ID,
     USER_ONE_ID,
     create_active_user_empty_permissions,
@@ -807,13 +809,16 @@ def test_should_show_page_for_inviting_user(
 
 
 def test_should_show_page_for_inviting_user_with_email_prefilled(
-    mocker,
     client_request,
+    mocker,
+    service_one,
     mock_get_template_folders,
     fake_uuid,
     active_user_with_permissions,
     active_user_with_permission_to_other_service,
+    mock_get_organisation_by_domain,
 ):
+    service_one['organisation'] = ORGANISATION_ID
     mocker.patch('app.models.user.user_api_client.get_user', side_effect=[
         # First call is to get the current user
         active_user_with_permissions,
@@ -876,6 +881,56 @@ def test_should_show_page_if_prefilled_user_is_already_a_team_member(
     assert not page.select("form")
 
 
+def test_should_403_if_trying_to_prefill_email_address_for_user_with_no_organisation(
+    mocker,
+    client_request,
+    service_one,
+    mock_get_template_folders,
+    fake_uuid,
+    active_user_with_permissions,
+    active_user_with_permission_to_other_service,
+    mock_get_no_organisation_by_domain,
+):
+    service_one['organisation'] = ORGANISATION_ID
+    mocker.patch('app.models.user.user_api_client.get_user', side_effect=[
+        # First call is to get the current user
+        active_user_with_permissions,
+        # Second call gets the user to invite
+        active_user_with_permission_to_other_service,
+    ])
+    client_request.get(
+        'main.invite_user',
+        service_id=SERVICE_ONE_ID,
+        user_id=fake_uuid,
+        _expected_status=403,
+    )
+
+
+def test_should_403_if_trying_to_prefill_email_address_for_user_from_other_organisation(
+    mocker,
+    client_request,
+    service_one,
+    mock_get_template_folders,
+    fake_uuid,
+    active_user_with_permissions,
+    active_user_with_permission_to_other_service,
+    mock_get_organisation_by_domain,
+):
+    service_one['organisation'] = ORGANISATION_TWO_ID
+    mocker.patch('app.models.user.user_api_client.get_user', side_effect=[
+        # First call is to get the current user
+        active_user_with_permissions,
+        # Second call gets the user to invite
+        active_user_with_permission_to_other_service,
+    ])
+    client_request.get(
+        'main.invite_user',
+        service_id=SERVICE_ONE_ID,
+        user_id=fake_uuid,
+        _expected_status=403,
+    )
+
+
 def test_should_show_folder_permission_form_if_service_has_folder_permissions_enabled(
     client_request,
     mocker,
@@ -949,13 +1004,16 @@ def test_invite_user(
 
 def test_invite_user_when_email_address_is_prefilled(
     client_request,
+    service_one,
     active_user_with_permissions,
     active_user_with_permission_to_other_service,
     fake_uuid,
     mocker,
     sample_invite,
     mock_get_template_folders,
+    mock_get_organisation_by_domain,
 ):
+    service_one['organisation'] = ORGANISATION_ID
     mocker.patch('app.models.user.user_api_client.get_user', side_effect=[
         # First call is to get the current user
         active_user_with_permissions,
diff --git a/tests/conftest.py b/tests/conftest.py
index a7339c876..0ce2ad7fc 100644
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -3417,8 +3417,8 @@ def mock_get_organisation(mocker):
 
 @pytest.fixture(scope='function')
 def mock_get_organisation_by_domain(mocker):
-    def _get_organisation_by_domain(org_id):
-        return organisation_json(org_id)
+    def _get_organisation_by_domain(domain):
+        return organisation_json(ORGANISATION_ID)
 
     return mocker.patch(
         'app.organisations_client.get_organisation_by_domain',