Microsoft Teams Guest Access is Updated
Check out how the change in Microsoft Teams guest access can affect your tenant security in the blog post by Chris Hardee.
Organizations working with Microsoft 365 already give employees access to teams, documents and files, applications, resources, and channels of communication.
Guest access shares all this externally so other people can join in, collaborate, and share data. This can all be done without the guest having a Microsoft Teams license – helping the right people have access at the right time.
Successful guest access means supporting collaboration while maintaining control of the entire environment and the data available within Microsoft Teams.
Deciding when you need to use Microsoft Teams guest access is down to the use case. Access may be granted temporarily – such as during an audit – or for longer periods.
As you’ll see below, there are many ways to manage guests and guest access in Microsoft Teams.
A guest doesn’t have a work or school account with your organization. However, they require access to your Microsoft Teams because they’re a vendor, partner, supplier, contractor, or consultant.
After you add a guest to your Microsoft Teams environment, they can participate in meetings, collaborate with other members, and access content and other files required for related activities. Microsoft advises that, after a guest is added to a team, ‘it may take a few hours before they have access.’
Guest users can also change their privacy settings within Microsoft Teams. They just have to click the profile image and then click Manage account:
Teams admins control the capabilities open to Guests. However, a typical setup allows guests to:
Calling capabilities vary depending on the type of Microsoft 365 license you have. For example, guests can use VoIP calling, including transfers.
However, guests can’t access call settings or add a user to a call via their phone number – these features are limited to E1, E3, E5, and Enterprise Voice users.
Open Teams and go to the team where you want to invite a guest:
Click …more options > Add member.
For guests within the same organization, add the name of the guest and click Send request.
The team owner will then receive an alert for them to approve the request. They can also find internal guests to invite by searching for specific Microsoft 365 groups, distribution lists, or security groups.
For a guest external to the organization, enter their email address. You can also add a guest name that will be visible to others in the organization. This will appear with (Guest) after it.
When the guest joins a team, all members will see an announcement in the team channel.
The guest user will then automatically receive an email from the team owner. This usually outlines the role of the team, the rules, and what should happen next.
This also contains a button that says, “Open Microsoft Teams.” The guest will be asked to log in with their Microsoft 365 work or school account. If they don’t have an account, they’ll be redirected to set one up (for free).
If they’re already logged into another organization, they may be prompted to sign out first.
Users can submit requests for guests to join a team. Open the team in the teams list and click More options > Add member; the team owner will then receive the request for approval.
Guests can’t join private channels or access private channel settings. However, they will gain access to the team’s chat, site, and content.
What’s more, you can apply some other restrictions to guest user accounts. You can do this by using Teams policies.
Go to the Teams admin center > Teams > Teams policies. You can either use a global policy for the entire organization or create customized policies. Click the policy you want to enable, click Edit, and then click:
Go to the Microsoft Teams admin center > Teams > Teams policies.
Click Add.
You can now add the policy’s name and description:
Toggle your chosen policy settings and click Save.
Any changes you make to policies can take up to 24 hours to take effect.
In Azure AD, you can define the collaboration settings for guests and external users. Open the Azure AD service > External Identities > External collaboration settings:
These settings define the permissions for guests in the Azure AD directory. There are three options:
These settings help you control the number of guests in your tenant and apply the necessary restrictions:
Within the settings, you can create user flows for guests to sign up to your organization.
This can be an automated way to gather information about your guests to better understand who’s accessing your tenant.
The standard attributes (you can also create custom attributes) you can collect are:
You can also control invitations to guest users based on their domain. The three collaboration restrictions are:
Sign in to the Microsoft Teams admin center.
Click Users > Guest access:
You’ll see the dropdown for Allow guest access in Teams. Click this and choose On. You may see that On is already there as a default master switch. Whatever settings you choose will affect all teams.
You’ll also need to consider user limits relating to Microsoft Teams. Guests count towards specifications such as:
Head to the Microsoft Teams admin center.
Click Teams > Manage teams:
Click the name of the team you want to check. Then click Members > Role column, and you can sort by guests.
You can allow users to collaborate with specific external organizations. You can do this using B2B direct connect. Guests have access only to resources in the specific channel. There’s no access to the Azure AD admin portal. The result is:
Here’s how to configure cross-tenant access settings for B2B direct connect.
When you invite a guest to Microsoft Teams, a guest account is automatically created for them in Azure AD.
Naturally, some of these will require reviews at regular intervals. You can use Azure AD to create access reviews of guests (and users) who are in groups or have been assigned to applications. It’s an effective way of doing a Microsoft 365 guest user cleanup.
Alternatively, guests, sponsors, or other nominated users can also be asked to confirm if they still require access to Microsoft Teams. Any guest who accepts an invitation will get an email from Azure AD that contains a link to the access review.
You can remove users who don’t respond to requests to review their membership. This involves putting a block on sign-ins for 30 days before completing the removal and permanent deletion.
Access reviews for guests can be completed by:
These are done by visiting the Identity Governance page.
You’ll see multiple tabs for managing guest user access:
Guests can leave a team when they want. When this happens, their guest account stays within your organization’s directory. A Microsoft 365 global admin or an Azure AD admin can complete the removal.
You can audit events and activities across Microsoft 365 services, including Teams.
Go to the Microsoft Purview compliance portal.
Click Audit:
You can then filter your audit by users:
Click Search to view an audit log of user and guest entries and activities. These may include:
You may want to export the results into a CSV file for categorization and filtering.
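One way to do that categorization once the CSV is exported, as an added example (not from the original post): it flags rows where a guest is the actor or the member being added or removed. The sample rows are constructed, and the column names (CreationDate, UserIds, Operations, AuditData), the Members/UPN/TeamName fields and the #EXT# marker in guest sign-in names are assumptions to check against your own export.

```powershell
# Constructed sample in the shape of an audit search export (AuditData is a JSON string).
# Tenant, user and team names are made up; field names are assumptions about the export.
$export = @'
CreationDate,UserIds,Operations,AuditData
2024-03-04T09:12:00Z,owner@contoso.example,MemberAdded,"{""TeamName"":""Audit 2024"",""Members"":[{""UPN"":""pat_fabrikam.example#EXT#@contoso.example"",""Role"":3}]}"
2024-03-04T10:05:00Z,pat_fabrikam.example#EXT#@contoso.example,TeamsSessionStarted,"{""ClientIP"":""203.0.113.10""}"
2024-03-05T08:30:00Z,alice@contoso.example,MemberAdded,"{""TeamName"":""Audit 2024"",""Members"":[{""UPN"":""bob@contoso.example"",""Role"":1}]}"
2024-03-06T14:45:00Z,owner@contoso.example,MemberRemoved,"{""TeamName"":""Audit 2024"",""Members"":[{""UPN"":""pat_fabrikam.example#EXT#@contoso.example"",""Role"":3}]}"
2024-03-06T15:00:00Z,alice@contoso.example,TeamSettingChanged,not-json
'@

function Get-GuestAuditActivity {
    param([Parameter(Mandatory)][object[]]$Rows)
    foreach ($row in $Rows) {
        # AuditData carries the per-event detail; skip rows whose JSON cannot be parsed.
        try { $data = $row.AuditData | ConvertFrom-Json -ErrorAction Stop } catch { continue }

        # A guest can appear as the actor, or as a member being added or removed.
        $targets = @($data.Members |
            Where-Object { $_.UPN -like '*#EXT#*' } |
            ForEach-Object { $_.UPN })
        $actorIsGuest = $row.UserIds -like '*#EXT#*'

        if ($actorIsGuest -or $targets.Count -gt 0) {
            [pscustomobject]@{
                When         = $row.CreationDate
                Operation    = $row.Operations
                Actor        = $row.UserIds
                ActorIsGuest = $actorIsGuest
                GuestTargets = $targets -join ';'
                Team         = $data.TeamName
            }
        }
    }
}

# For a real export, replace the next line with Import-Csv and the path to your file.
$rows = $export | ConvertFrom-Csv
$activity = Get-GuestAuditActivity -Rows $rows

# Timeline of guest-related events, then a count per operation.
$activity | Sort-Object When | Format-Table -AutoSize
$activity | Group-Object Operation | Select-Object Name, Count
```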
You have various options for preventing guests from being added to a team.
You can also apply sensitivity labels for granular control. The labels can be used to manage guest access, prevent users from adding external guests to a team, and protect content.
These can be configured and applied when you create a new team. If you want to know more, here’s how to assign sensitivity labels to Microsoft 365 groups in Azure Active Directory (AD).
You can then apply them to services, including Microsoft Teams. The sensitivity label will then appear within the team channel:
Users can also see the Sensitivity options when they use other Office 365 applications such as Outlook, Word, or Excel.
This method uses the Azure Active Directory PowerShell preview version for Graph.
You’ll need to use this script to block guest access.
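As an added example (not the author's original script), one way to block guests from being added to a single team with the AzureADPreview module. `<GroupName>` is a placeholder for the Microsoft 365 group behind the team, and the script assumes you sign in with rights to manage group settings; the branch that updates an existing setting is this example's own addition.

```powershell
# Requires the AzureADPreview module (Azure AD PowerShell preview for Graph).
Import-Module AzureADPreview
Connect-AzureAD

$GroupName = '<GroupName>'   # placeholder: display name of the group behind the team

# Resolve the group and refuse to continue on an ambiguous or empty match.
$group = @(Get-AzureADGroup -SearchString $GroupName)
if ($group.Count -ne 1) {
    throw "Expected exactly one group matching '$GroupName', found $($group.Count)."
}
$groupId = $group[0].ObjectId

# A group can already carry a Group.Unified.Guest setting; update it rather than add a second.
$existing = Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupId |
    Where-Object { $_.DisplayName -eq 'Group.Unified.Guest' }

if ($existing) {
    $existing['AllowToAddGuests'] = $false
    Set-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupId `
        -Id $existing.Id -DirectorySetting $existing
}
else {
    # No setting yet: create one from the directory template.
    $template = Get-AzureADDirectorySettingTemplate |
        Where-Object { $_.DisplayName -eq 'Group.Unified.Guest' }
    $setting = $template.CreateDirectorySetting()
    $setting['AllowToAddGuests'] = $false
    New-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupId `
        -DirectorySetting $setting
}

# Confirm the value now stored on the group.
Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupId | Format-List Values
```

Microsoft has deprecated the AzureAD and AzureADPreview modules in favour of Microsoft Graph PowerShell, so treat this as the legacy route the post describes.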
As you can see, there are many options for managing guests in your Microsoft Teams environment. Finding the right balance depends on your goals around security, productivity, and communication. Be our guest and use this guide to help you!