Microsoft Teams allows people external to the tenant (“guests”) to be added to a team. This is called “guest access”.
Guest access is different from “external access” (previously called federation), where a user in tenant A can have a 1:1 chat, voice call or video call with a user in tenant B without being added to tenant A’s directory.
At the time of writing, guest access is turned off by default on Office 365 tenants. Microsoft has since changed that default (newer tenants get Teams guest access turned on), so verify the setting in your own tenant rather than assuming it.
Enabling Guest Access in Microsoft Teams and the Services It Depends On
An Office 365 admin must turn on guest access for Teams before the admin or team owners can add guests to teams.
Microsoft Teams teams are actually Microsoft 365 groups (previously called Office 365 groups).
The guest access experience depends on guest access being enabled across multiple services.
- Azure Active Directory: Guest access in Microsoft Teams relies on the Azure AD business-to-business (B2B) platform. This authorization level controls the guest experience at the directory, tenant, and application level.
Azure AD determines whether external collaborators can be invited into your tenant as guests, and in what ways.
- Microsoft Teams: Controls the guest experience in Microsoft Teams only.
- Microsoft 365 Groups: Controls the guest experience in Microsoft 365 Groups and Microsoft Teams.
- SharePoint Online and OneDrive for Business: Controls the guest experience in SharePoint Online, OneDrive for Business, Microsoft 365 Groups, and Microsoft Teams.
Azure AD guest access control
- Guest user permissions are limited:
  - Yes: guests don’t have permission for certain directory tasks, such as enumerating users, groups, or other directory resources.
  - No: guests have the same access to directory data that regular users have in your directory.
- Admins and users in the guest inviter role can invite:
  - Yes: admins and users in the Guest Inviter role can invite guests to the tenant.
  - No: admins and users can’t invite guests to the tenant.
- Members can invite:
  - Yes: non-admin members of your directory can invite guests.
  - No: only admins can add guests. This limits the guest experience for non-admin team owners; they can only add guests to a team who have already been added to Azure AD by an admin.
- Guests can invite:
  - Yes: guests in your directory can invite other guests to collaborate on resources secured by your Azure AD, such as SharePoint sites or Azure resources.
  - No: guests can’t invite other guests to collaborate with your organization. Teams itself never lets a guest add members to a team, so this setting has no effect inside Teams and only matters for other Azure AD-secured resources.
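The four Azure AD settings above are one object in Microsoft Graph, the tenant’s authorizationPolicy. The script below, an added example and not code from the original article, reads that object back into the Yes/No terms used above and sets it. It assumes the Microsoft.Graph PowerShell SDK is installed and the caller holds Policy.ReadWrite.Authorization; the values chosen in the last two lines are this example’s own policy choice.

```powershell
# Added example (not from the original article): audit and set the Azure AD
# external collaboration settings via Microsoft Graph's authorizationPolicy.
# Assumes the Microsoft.Graph SDK and Policy.ReadWrite.Authorization consent.
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization'

$PolicyUri = 'https://graph.microsoft.com/v1.0/policies/authorizationPolicy'

# Well-known guestUserRoleId values published in the Graph authorizationPolicy docs
$GuestRole = @{
    SameAsMember   = 'a0b1b346-4d3e-4e8b-98f8-753987be4970'  # "permissions are limited: No"
    Limited        = '10dae51f-b6af-4016-8d66-8c2a99b929b3'  # "permissions are limited: Yes" (default)
    MostRestricted = '2af84b1e-32c8-42b7-82bc-daa82404023b'  # guests see only their own objects
}

function Get-GuestInviteSettings {
    # allowInvitesFrom is one of: none | adminsAndGuestInviters |
    # adminsGuestInvitersAndAllMembers | everyone (everyone = guests can invite too)
    $p = Invoke-MgGraphRequest -Method GET -Uri $PolicyUri
    $roleName = ($GuestRole.GetEnumerator() | Where-Object { $_.Value -eq $p.guestUserRoleId }).Key
    [pscustomobject]@{
        AllowInvitesFrom       = $p.allowInvitesFrom
        GuestPermissionsLimited = ($roleName -ne 'SameAsMember')
        GuestUserRole          = $roleName
        AdminsCanInvite        = ($p.allowInvitesFrom -ne 'none')
        MembersCanInvite       = ($p.allowInvitesFrom -in 'adminsGuestInvitersAndAllMembers', 'everyone')
        GuestsCanInvite        = ($p.allowInvitesFrom -eq 'everyone')
    }
}

function Set-GuestInviteSettings {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('none', 'adminsAndGuestInviters', 'adminsGuestInvitersAndAllMembers', 'everyone')]
        [string]$AllowInvitesFrom,
        [Parameter(Mandatory)]
        [ValidateSet('SameAsMember', 'Limited', 'MostRestricted')]
        [string]$GuestUserRole
    )
    $body = @{ allowInvitesFrom = $AllowInvitesFrom; guestUserRoleId = $GuestRole[$GuestUserRole] }
    Invoke-MgGraphRequest -Method PATCH -Uri $PolicyUri -Body $body -ContentType 'application/json' | Out-Null
}

# Example policy (this example's choice): admins, Guest Inviters and members may
# invite; guests may not; guest directory permissions stay limited.
Get-GuestInviteSettings
Set-GuestInviteSettings -AllowInvitesFrom adminsGuestInvitersAndAllMembers -GuestUserRole Limited
Get-GuestInviteSettings
```

Run Get-GuestInviteSettings on its own first: it is a read-only audit of the tenant, and the mapping it prints is the one to record before any change, since these values apply to every application that uses Azure AD B2B, not only Teams.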
Microsoft Teams guest access control
You can turn guest access on or off globally in the Teams admin center (Org-wide settings > Guest access).
The same page also gives very granular control over what guests can and can’t do:
- Make private calls – Turn this setting On to allow guests to make peer-to-peer calls.
- Allow IP video – Turn this setting On to allow guests to use video in their calls and meetings.
- Screen sharing mode – This setting controls the availability of screen sharing for guest users.
  - Disabled removes the ability for guests to share their screens in Teams.
  - Single application allows sharing of individual applications only.
  - Entire screen allows complete screen sharing.
- Allow Meet Now – Turn this setting On to allow guests to use the Meet Now feature in Microsoft Teams.
- Edit sent messages – Turn this setting On to allow guests to edit messages they previously sent.
- Guests can delete sent messages – Turn this setting On to allow guests to delete messages they previously sent.
- Chat – Turn this setting On to give guests the ability to use chat in Teams.
- Use Giphys in conversations – Turn this setting On to allow guests to use Giphys in conversations. Giphy is an online database and search engine that allows users to search for and share animated GIF files. Each Giphy is assigned a content rating.
- Giphy content rating – Select a rating from the drop-down list:
  - Allow all content – Guests can insert all Giphys in chats, regardless of the content rating.
  - Moderate – Guests can insert Giphys in chats, with moderate filtering of adult content.
  - Strict – Guests can insert Giphys in chats, but adult content is blocked.
- Use memes in conversations – Turn this setting On to allow guests to use Memes in conversations.
- Use Stickers in conversations – Turn this setting On to allow guests to use stickers in conversations.
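Every switch in the list above maps to a parameter of one of four Teams PowerShell cmdlets. The script below is an added example, not code from the original article: it applies a baseline and then reads all four configurations back and flags anything that drifted, which is the check a reviewer actually wants after clicking through the admin center. It assumes the MicrosoftTeams PowerShell module is installed and the caller is a Teams administrator; the baseline values are this example’s choice, not a Microsoft recommendation.

```powershell
# Added example (not from the original article): apply and verify the Teams
# guest-access settings with the MicrosoftTeams module (Install-Module MicrosoftTeams).
# Assumes a Teams administrator; the baseline values below are this example's choice.
Connect-MicrosoftTeams

# Org-wide switch: Teams admin center > Org-wide settings > Guest access
Set-CsTeamsClientConfiguration -Identity Global -AllowGuestUser $true

# Calling: "Make private calls"
Set-CsTeamsGuestCallingConfiguration -Identity Global -AllowPrivateCalling $false

# Meetings: "Allow IP video", "Screen sharing mode", "Allow Meet Now"
# ScreenSharingMode accepts Disabled, SingleApplication or EntireScreen
Set-CsTeamsGuestMeetingConfiguration -Identity Global `
    -AllowIPVideo $true `
    -ScreenSharingMode SingleApplication `
    -AllowMeetNow $false

# Messaging: edit/delete sent messages, chat, Giphys and their rating, memes, stickers
# GiphyRatingType accepts Strict, Moderate or NoRestriction ("Allow all content")
Set-CsTeamsGuestMessagingConfiguration -Identity Global `
    -AllowUserEditMessage $true `
    -AllowUserDeleteMessage $true `
    -AllowUserChat $true `
    -AllowGiphy $false `
    -GiphyRatingType Strict `
    -AllowMemes $false `
    -AllowStickers $false

# Read everything back and flag any value that differs from the baseline
$Expected = @{
    AllowGuestUser         = $true
    AllowPrivateCalling    = $false
    AllowIPVideo           = $true
    ScreenSharingMode      = 'SingleApplication'
    AllowMeetNow           = $false
    AllowUserEditMessage   = $true
    AllowUserDeleteMessage = $true
    AllowUserChat          = $true
    AllowGiphy             = $false
    GiphyRatingType        = 'Strict'
    AllowMemes             = $false
    AllowStickers          = $false
}
$Actual = @{}
$Configs = @(
    (Get-CsTeamsClientConfiguration -Identity Global),
    (Get-CsTeamsGuestCallingConfiguration -Identity Global),
    (Get-CsTeamsGuestMeetingConfiguration -Identity Global),
    (Get-CsTeamsGuestMessagingConfiguration -Identity Global)
)
foreach ($cfg in $Configs) {
    foreach ($name in $Expected.Keys) {
        # Each setting lives on exactly one of the four objects; copy it when present
        if ($null -ne $cfg.PSObject.Properties[$name]) { $Actual[$name] = $cfg.$name }
    }
}
foreach ($name in ($Expected.Keys | Sort-Object)) {
    $state = if ("$($Actual[$name])" -eq "$($Expected[$name])") { 'OK' } else { 'DRIFT' }
    '{0,-24} expected={1,-18} actual={2,-18} {3}' -f $name, $Expected[$name], $Actual[$name], $state
}
```

The verification loop at the end is the part worth keeping in a scheduled job: the Set- cmdlets are idempotent, but a DRIFT line tells you that someone changed guest capabilities in the admin center after the baseline was applied.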
Microsoft 365 Groups Guest Access Control
These settings apply at the tenant level and control the guest experience in Microsoft 365 Groups and Teams.
- Sign in with your global admin account at https://portal.office.com/adminportal/home.
- On the left, choose Settings and then select Services & add-ins (in the current admin center this is Settings > Org settings > Services).
- Select Microsoft 365 Groups and turn on “Let group owners add people outside your organization to groups”. If guests should also be able to open the group’s content (files and conversations) rather than only be members, also turn on “Let guest group members access group content”.
SharePoint Online and OneDrive for Business
For the full Teams guest access experience, Office 365 admins need to configure the following settings:
- In SharePoint Online: set external sharing to Existing guests, New and existing guests, or Anyone. The Only people in your organization level blocks guests from the files behind a team. For more information, see Turn external sharing on or off.
- In Microsoft 365 Groups: turn on Let group owners add people outside the organization to groups. For more information, see Control guest access in Microsoft 365 Groups, above.
These settings apply at the tenant level and control the guest experience in SharePoint Online, OneDrive for Business, Microsoft 365 Groups, and Teams.
You can manage SharePoint Online external user settings for the team sites connected to Teams. To learn more, see Manage your SharePoint team site settings.
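The two dependencies above, the SharePoint Online tenant sharing level and the Microsoft 365 Groups guest settings, can be set from PowerShell. The script below is an added example, not code from the original article or from Microsoft. It assumes the SharePoint Online Management Shell and the Microsoft.Graph PowerShell SDK are installed, that the tenant is named contoso (an assumption; substitute your own), and that the caller has Directory.ReadWrite.All. The Groups settings live in the Group.Unified directory setting, which is only exposed on the Graph beta endpoint; the template id in the script is Microsoft’s fixed id for that template.

```powershell
# Added example (not from the original article): tenant-level SharePoint sharing
# and Microsoft 365 Groups guest settings that Teams guest access depends on.
# Assumes SPO Management Shell + Microsoft.Graph SDK; 'contoso' is a placeholder tenant.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'
Connect-MgGraph -Scopes 'Directory.ReadWrite.All'

# SharePoint Online admin center level -> SharingCapability value:
#   Only people in your organization -> Disabled
#   Existing guests                  -> ExistingExternalUserSharingOnly
#   New and existing guests          -> ExternalUserSharingOnly
#   Anyone                           -> ExternalUserAndGuestSharing
Set-SPOTenant -SharingCapability ExternalUserSharingOnly
"SharePoint tenant sharing: $((Get-SPOTenant).SharingCapability)"

# Microsoft 365 Groups: tenant-wide guest settings are values on the
# Group.Unified directory setting (Graph beta). Fixed template id from Microsoft.
$GroupUnifiedTemplateId = '62375ab9-6b52-47ed-826b-58e47e0e304b'
$Beta = 'https://graph.microsoft.com/beta'

function Get-GroupUnifiedSetting {
    # Returns the existing Group.Unified setting object, or $null if none was ever created
    $all = Invoke-MgGraphRequest -Method GET -Uri "$Beta/settings"
    $all.value | Where-Object { $_.templateId -eq $GroupUnifiedTemplateId }
}

function Set-GroupGuestSettings {
    param(
        [Parameter(Mandatory)][bool]$AllowToAddGuests,          # "Let group owners add people outside your organization"
        [Parameter(Mandatory)][bool]$AllowGuestsToAccessGroups  # "Let guest group members access group content"
    )
    # Directory setting values are strings, so booleans are sent as "true"/"false"
    $values = @(
        @{ name = 'AllowToAddGuests';          value = $AllowToAddGuests.ToString().ToLower() },
        @{ name = 'AllowGuestsToAccessGroups'; value = $AllowGuestsToAccessGroups.ToString().ToLower() }
    )
    $setting = Get-GroupUnifiedSetting
    if ($null -eq $setting) {
        # First change in this tenant: instantiate the setting from its template
        $body = @{ templateId = $GroupUnifiedTemplateId; values = $values }
        Invoke-MgGraphRequest -Method POST -Uri "$Beta/settings" -Body $body -ContentType 'application/json' | Out-Null
    } else {
        $body = @{ values = $values }
        Invoke-MgGraphRequest -Method PATCH -Uri "$Beta/settings/$($setting.id)" -Body $body -ContentType 'application/json' | Out-Null
    }
}

# Allow owners to add guests and let those guests open group content (this example's choice)
Set-GroupGuestSettings -AllowToAddGuests $true -AllowGuestsToAccessGroups $true

# Show the resulting guest-related values
(Get-GroupUnifiedSetting).values |
    Where-Object { $_.name -in 'AllowToAddGuests', 'AllowGuestsToAccessGroups' } |
    ForEach-Object { '{0,-28} {1}' -f $_.name, $_.value }
```

Note the ordering of the three layers: if Group.Unified AllowToAddGuests is false, the Teams guest switch is irrelevant because owners cannot add guests to any group; if SharePoint sharing is Disabled, guests can still join a team but get access denied on its files.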
Can I disable Microsoft Teams team guest access by default, but selectively enable specific Microsoft Teams teams to allow guest access?
Microsoft’s default expectation is that guest users are allowed for groups/teams in general, and that guest access is selectively blocked for the specific groups that hold confidential information.
If guest access is turned off at the Microsoft Teams tenant level, guests are blocked from every Microsoft Teams team.
If guest access is allowed at the Microsoft Teams tenant level, every team that is created inherits guest access enabled by default.
There are three options to work around this:
- Use sensitivity labels to control guest access by policy. In addition to classifying and protecting documents and emails, sensitivity labels can protect content in the following containers: Microsoft Teams, Microsoft 365 groups, and SharePoint sites. For this container-level classification and protection, use the following label settings:
  - Privacy (public or private) of Microsoft 365 group-connected team sites
  - External user access
  - Access from unmanaged devices
- Block Office 365 users from creating groups, and have an admin or an automated process create teams/groups with guest access disabled by default. Disable Office 365 group creation (and therefore Microsoft Teams team creation) by users, have them request a team through an out-of-band process, and create the team with guest access off. E.g. use an Office 365 form to collect the team request from the user, then create the group with PowerShell with AllowToAddGuests set to $false, unless the team has been approved for guest access. Microsoft documents how to restrict group creation to the members of a specific security group.
- Allow Office 365 users to create groups, but use a looping script or tool that disables guest access shortly after creation. If only selected teams should have guest access enabled, the script (PowerShell, or a tool written against Microsoft Graph) loops through all Teams-enabled Microsoft 365 groups and disables guest access on each one, except for the groups where guest access is wanted. Two caveats: there is a window between a team being created and the next run of the script, and setting AllowToAddGuests to false only stops new guests being added; guests that were already added in that window stay members until they are removed.
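The looping script described in the last option, written against Microsoft Graph, as an added example that is not code from the original article or from Microsoft. It enumerates every Teams-enabled Microsoft 365 group, and for each one that is not on an allowlist it creates or updates the group’s Group.Unified.Guest setting with AllowToAddGuests = false (groups on the allowlist are set to true). It assumes the Microsoft.Graph PowerShell SDK and a caller with Group.ReadWrite.All and Directory.ReadWrite.All; the allowlist of approved team names is this example’s assumption, and the Group.Unified.Guest template id is Microsoft’s fixed id for that template, which is exposed on the Graph beta endpoint.

```powershell
# Added example (not from the original article): enforce "guest access off unless
# explicitly approved" across all Teams-enabled Microsoft 365 groups.
# Assumes Microsoft.Graph SDK, Group.ReadWrite.All + Directory.ReadWrite.All;
# the allowlist is a placeholder for this example.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Directory.ReadWrite.All'

$GuestTemplateId   = '08d542b9-071f-4e16-94b0-74abb372e3d9'   # Microsoft's fixed id for Group.Unified.Guest
$Beta              = 'https://graph.microsoft.com/beta'
$ApprovedForGuests = @('Vendor Collaboration', 'Partner Project X')   # assumed allowlist (display names)

function Get-TeamsEnabledGroups {
    # Only groups provisioned as a Team (documented Graph filter), paged until @odata.nextLink is empty
    $uri = "$Beta/groups?`$filter=resourceProvisioningOptions/Any(x:x eq 'Team')&`$select=id,displayName"
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        $page.value
        $uri = $page.'@odata.nextLink'
    }
}

function Set-GroupGuestAccess {
    param([Parameter(Mandatory)][string]$GroupId, [Parameter(Mandatory)][bool]$Allow)
    $desired  = $Allow.ToString().ToLower()   # directory setting values are strings
    $settings = (Invoke-MgGraphRequest -Method GET -Uri "$Beta/groups/$GroupId/settings").value
    $existing = $settings | Where-Object { $_.templateId -eq $GuestTemplateId }
    $body     = @{ values = @(@{ name = 'AllowToAddGuests'; value = $desired }) }

    if ($null -eq $existing) {
        # No per-group override yet: the group currently inherits the tenant setting
        $body.templateId = $GuestTemplateId
        Invoke-MgGraphRequest -Method POST -Uri "$Beta/groups/$GroupId/settings" -Body $body -ContentType 'application/json' | Out-Null
        return 'created'
    }
    $current = ($existing.values | Where-Object { $_.name -eq 'AllowToAddGuests' }).value
    if ("$current".ToLower() -eq $desired) { return 'unchanged' }
    Invoke-MgGraphRequest -Method PATCH -Uri "$Beta/groups/$GroupId/settings/$($existing.id)" -Body $body -ContentType 'application/json' | Out-Null
    return 'updated'
}

# Main loop: approved teams get AllowToAddGuests=true, everything else false
foreach ($g in Get-TeamsEnabledGroups) {
    $allow  = $ApprovedForGuests -contains $g.displayName
    $result = Set-GroupGuestAccess -GroupId $g.id -Allow $allow
    '{0,-40} AllowToAddGuests={1,-5} {2}' -f $g.displayName, $allow, $result
}
```

Two design points. First, the script is idempotent (it reports unchanged when the override already matches), so it can run on a short schedule to shrink the window between team creation and enforcement. Second, keying the allowlist on display names is only for readability; team names are not unique and anyone who can create a team can pick an approved name, so in production key the allowlist on group object ids and treat the approvals themselves as a reviewed, change-controlled list.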