Tom Talks Microsoft Teams and Microsoft 365 news and opinions

Controlling Microsoft Teams Guest Access on a per team basis

Microsoft Teams allows people external to the tenant, “guests” to be added to the team. This is called “guest access”.

Guest access is different from “external access” (previously called federation), where a user on tenant A can have a 1:1 chat, voice or video call to a user in tenant B.

By default, guest access is turned off on Office 365 tenants.

Enabling Guest Access in Microsoft Teams and dependency services

An Office 365 admin must turn on guest access for Teams before the admin or team owners can add guests to teams.

Microsoft Teams teams are actually Microsoft 365 groups (previously called Office 365 groups).

The guest access experience depends on guest access being enabled across multiple services.

  • Azure Active Directory: Guest access in Microsoft Teams relies on the Azure AD business-to-business (B2B) platform. This authorization level controls the guest experience at the directory, tenant, and application level.
    Azure AD determines whether external collaborators can be invited into your tenant as guests, and in what ways.
  • Microsoft Teams: Controls the guest experience in Microsoft Teams only.
  • Microsoft 365 Groups: Controls the guest experience in Microsoft 365 Groups and Microsoft Teams.
  • SharePoint Online and OneDrive for Business: Controls the guest experience in SharePoint Online, OneDrive for Business, Microsoft 365 Groups, and Microsoft Teams.

Azure AD guest access control

  • Guest user permissions are limited:
    • Yes: guests don’t have permission for certain directory tasks, such as enumerating users, groups, or other directory resources.
    • No: guests have the same access to directory data that regular users have in your directory.
  • Admins and users in the guest inviter role can invite:
    • Yes: admins and users in the guest inviter role can invite guests to the tenant.
    • No: admins and users can’t invite guests to the tenant.
  • Members can invite:
    • Yes: non-admin members of your directory can invite guests.
    • No: only admins can add guests. No limits the guest experience for non-admin team owners; they can only add guests to a team if the admin has already added that guest in Azure AD.
  • Guests can invite:
    • Yes means that guests in your directory can invite other guests to collaborate on resources secured by your Azure AD, such as SharePoint sites or Azure resources.
    • No means that guests can’t invite other guests to collaborate with your organization. This is not supported in Microsoft Teams.

Microsoft Teams guest access control

You can control this globally in the Teams Admin Center


You also have very granular control on what guests can and can’t do

  • Make private calls – Turn this setting On to allow guests to make peer-to-peer calls.
  • Allow IP video – Turn this setting On to allow guests to use video in their calls and meetings.
  • Screen sharing mode – This setting controls the availability of screen sharing for guest users.
    • Turn this setting to Disabled to remove the ability for guests to share their screens in Teams.
    • Turn this setting to Single application to allow sharing of individual applications.
    • Turn this setting to Entire screen to allow complete screen sharing.
  • Allow Meet Now – Turn this setting On to allow guests to use the Meet Now feature in Microsoft Teams.
  • Edit sent messages – Turn this setting On to allow guests to edit messages they previously sent.
  • Guests can delete sent messages – Turn this setting On to allow guests to delete messages they previously sent.
  • Chat – Turn this setting On to give guests the ability to use chat in Teams.
  • Use Giphys in conversations – Turn this setting On to allow guests to use Giphys in conversations. Giphy is an online database and search engine that allows users to search for and share animated GIF files. Each Giphy is assigned a content rating.
  • Giphy content rating – Select a rating from the drop-down list:
    • Allow all content – Guests will be able to insert all Giphys in chats, regardless of the content rating.
    • Moderate – Guests will be able to insert Giphys in chats, but will be moderately restricted from adult content.
    • Strict – Guests will be able to insert Giphys in chats, but will be restricted from inserting adult content.
  • Use memes in conversations – Turn this setting On to allow guests to use memes in conversations.
  • Use Stickers in conversations – Turn this setting On to allow guests to use stickers in conversations.

Microsoft 365 Groups Guest Access Control

These settings apply at the tenant level and control the guest experience in Microsoft 365 Groups and Teams.


SharePoint Online and OneDrive for Business

For the full Teams guest access experience, Office 365 admins need to configure the following settings:

These settings apply at the tenant level and control the guest experience in SharePoint Online, OneDrive for Business, Microsoft 365 Groups, and Teams.

You can manage SharePoint Online external user settings for the team sites connected to Teams. To learn more, see Manage your SharePoint team site settings.


Can I disable Microsoft Teams team guest access by default, but selectively enable specific Microsoft Teams teams to allow guest access?

Microsoft’s default expectation is to allow guest users for groups/teams and selectively block guest access for specific groups that hold confidential information.

If guest access is turned off at the Microsoft Teams tenant level, guests are blocked from all Microsoft Teams teams.

If guest access is allowed at the Microsoft Teams tenant level, every Microsoft Teams team that is created inherits guest access being enabled by default.

There are three options to work around this:

Leverage Sensitivity Levels to Policy Control Guest Access

In addition to using sensitivity labels to classify and protect documents and emails, you can also use sensitivity labels to protect content in the following containers: Microsoft Teams sites, Microsoft 365 groups, and SharePoint sites. For this container-level classification and protection, use the following label settings:

  • Privacy (public or private) of Microsoft 365 group-connected teams sites
  • External users access
  • Access from unmanaged devices
  • Block office 365 users creating groups and have an admin or process create teams/groups with guest access disabled by default

More details on how to do this are in the Microsoft docs here.

Disable user creation of Office 365 Groups and then have IT or a process manually provision them and turn guest access off

Disable Office 365 group creation/Microsoft Teams team creation by users, have them request teams in an out-of-band process, and create those teams with guest access off. For example, use an Office 365 form to collect the team request from the user, then create the team with PowerShell with ‘AllowToAddGuests’ set to $false, unless the team is approved for guest access.

Allow Office 365 users to create groups, but use a looping script or tool to disable guest access shortly after creation.

If you want only select Microsoft Teams teams to have guest access enabled, you need a PowerShell script (or a tool written against Microsoft Graph) that loops through all Teams-enabled Microsoft 365 groups and disables guest access, except for any groups in which you do want guest access enabled.
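The looping approach above, as an added example that is not from the original post: it enumerates every Teams-enabled group and sets the per-group ‘AllowToAddGuests’ setting to $false unless the team is on an allow list. It assumes the AzureAD and MicrosoftTeams PowerShell modules are installed and already connected, and the team names in $GuestAllowedTeams are constructed placeholders.

```powershell
# Added example (not from the original post). Assumes Connect-AzureAD and
# Connect-MicrosoftTeams have already been run with an admin account.
# Constructed sample allow list: only these teams keep guest access.
$GuestAllowedTeams = @('External Collaboration', 'Vendor Onboarding')

# Tenant template that defines the per-group guest setting (Group.Unified.Guest)
$template = Get-AzureADDirectorySettingTemplate |
    Where-Object { $_.DisplayName -eq 'Group.Unified.Guest' }

function Set-TeamGuestAccess {
    param(
        [Parameter(Mandatory)] [string] $GroupId,
        [Parameter(Mandatory)] [bool]   $Allow
    )
    # A group either already has a Group.Unified.Guest object setting, or it
    # has none and simply inherits the tenant-wide default.
    $existing = Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $GroupId |
        Where-Object { $_.DisplayName -eq 'Group.Unified.Guest' }

    if ($existing) {
        # Values come back as strings ("True"/"False"); skip if already correct
        if ([bool]::Parse($existing['AllowToAddGuests']) -eq $Allow) { return 'unchanged' }
        $existing['AllowToAddGuests'] = $Allow
        Set-AzureADObjectSetting -TargetType Groups -TargetObjectId $GroupId `
            -Id $existing.Id -DirectorySetting $existing
        return 'updated'
    }

    # No per-group setting yet: create one from the template
    $setting = $template.CreateDirectorySetting()
    $setting['AllowToAddGuests'] = $Allow
    New-AzureADObjectSetting -TargetType Groups -TargetObjectId $GroupId `
        -DirectorySetting $setting | Out-Null
    return 'created'
}

# Get-Team with no parameters lists every team in the tenant for an admin
foreach ($team in Get-Team) {
    $allow  = $GuestAllowedTeams -contains $team.DisplayName
    $result = Set-TeamGuestAccess -GroupId $team.GroupId -Allow $allow
    '{0,-40} AllowToAddGuests={1,-5} ({2})' -f $team.DisplayName, $allow, $result
}
```

Run it on a schedule so teams created by users are caught shortly after creation; existing guests already in a team are not removed by this setting, only the ability to add new ones.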

Reference:

Authorize Guest access in Microsoft Teams

Adding guests to Microsoft 365 Groups

About the author

Tom Arbuthnot

A Microsoft MVP and Microsoft Certified Master, Tom Arbuthnot is Principal Solutions Architect at Microsoft Collaboration specialists Modality Systems.

Tom stays up to date with industry developments and shares news and his opinions on his blog, Microsoft Teams Podcast and email list. He is a regular speaker at events around the world.

5 comments


  • How do I see how many of the colleagues on my tenant have guest access to another tenant?

    • That’s a great question. I don’t know. I will see if I can find anything out.

  • Tom, great article. I have been looking for something like this. Most other “googled” references go straight into the weeds. As a Managed Service Provider (MSP), I feel it is my responsibility NOT to allow guest access across the full spectrum of Teams shares. For close to two years I have been pushing the use of Teams as a ‘friendly’ way to utilize SharePoint and the 1Tb of storage that Microsoft provides as part of M365. I then use the Sync Link to create folders in File Explorer. Quick replacement for on-prem file servers.

    In order to minimize leakage and rogue sharing of company files, my thought would be to create one Team specifically for use with sharing files with outside guests (think subcontractors’ access to plans, distributing technical papers, public access to promotional material) and this team could be closely monitored and managed. Would it be best to modify the default non-guest permissions through SharePoint or through M365 Groups? I would want to find a way that doesn’t break things in the process.
