Microsoft Teams Guest Access Management Guide

Published: December 28, 2022
Published in: Office 365 & SharePoint Online
Author: SysKit Team

Successful Microsoft Teams guest access means supporting collaboration while maintaining control of the entire environment and the data available within Microsoft Teams.

Organizations working with Microsoft 365 already give employees access to teams, documents and files, applications, resources, and channels of communication.  

Guest access shares all this externally so other people can join in, collaborate, and share data. This can all be done without the guest having a Microsoft Teams license – helping the right people have access at the right time. 


Deciding when you need to use Microsoft Teams guest access is down to the use case. Access may be granted temporarily – such as during an audit – or for longer periods. 

As you’ll see below, there are many ways to manage guests and guest access in Microsoft Teams. 

What are guest users in Microsoft Teams, and how do you add them?

A guest doesn’t have a work or school account with your organization. However, they require access to your Microsoft Teams because they’re a vendor, partner, supplier, contractor, or consultant.  

After you add a guest to your Microsoft Teams environment, they can participate in meetings, collaborate with other members, and access content and other files required for related activities. Microsoft advises that after a guest is added to a team, ‘it may take a few hours before they have access.’

Guest users can also change their privacy settings within Microsoft Teams. They just have to click the profile image and then click Manage account.

Teams admins control the capabilities open to Guests. However, a typical setup allows guests to: 

  • Create channels. 
  • Join private chats. 
  • Join channel conversations. 
  • Post, edit, and delete messages. 
  • Share files within the Teams channel. 
  • Access SharePoint sites. 
  • Attach files to posts in the Teams channel. 
  • Download private chat files. 

Calling capabilities vary depending on the type of Microsoft 365 license you have. For example, guests can use VoIP calling, including transfers.  

However, guests can’t access call settings or add a user to a call via their phone number – these features are limited to E1, E3, E5, and Enterprise Voice users. 

How to add a guest to your team in Teams

Open Teams and go to the team where you want to invite a guest.

Click …more options > Add member. 

For guests within the same organization, add the name of the guest and click Send request.  

The team owner will then receive an alert for them to approve the request. They can also find internal guests to invite by searching for specific Microsoft 365 groups, distribution lists, or security groups. 

For a guest external to the organization, enter their email address. You can also add a guest name that will be visible to others in the organization. This will appear with (Guest) after it.  

When the guest joins a team, all members will see an announcement in the team channel. 

Guest access invitations from team owners

The guest user will then automatically receive an email from the team owner. This usually outlines the role of the team, the rules, and what should happen next.  

This also contains a button that says, “Open Microsoft Teams.” The guest will be asked to log in with their Microsoft 365 work or school account. If they don’t have an account, they’ll be redirected to set one up (for free). 

If they’re already logged into another organization, they may be prompted to sign out first. 

Guest access invitations from non-team owners

Users can submit requests for guests to join a team. Simply open the team in the teams list and click More options > Add member. The team owner will then receive the request for approval.

Setting guest users’ restrictions in Microsoft Teams

Guests can’t join private channels or access private channel settings. However, they will gain access to the team’s chat, site, and content. 

What’s more, you can apply some other restrictions to guest user accounts. You can do this by using Teams policies. 

What policies are available for teams channels?

Go to the Teams admin center > Teams > Teams policies. You can either use a global policy for the entire organization or create customized policies. Click the policy you want to enable, click Edit, and then click: 

  • Create private channels – When you want to allow team owners and members to create private channels. 
  • Create shared channels – When you want to allow team owners to create shared channels. 
  • Invite external users to shared channels – When you want to allow team owners to share shared channels with guests external to the organization. 
  • Join external shared channels – When you want to allow users to be invited to shared channels of other organizations. 

How can I create a custom teams policy?

Go to the Microsoft Teams admin center > Teams > Teams policies. 

Click Add. 

You can now add the policy’s name and description.

Toggle your chosen policy settings and click Save. 

Any changes you make to policies can take up to 24 hours to take effect. 

Guest user access restrictions policy in Azure AD

In Azure AD, you can define the collaboration settings for guests and external users. Open the Azure AD service > External Identities > External collaboration settings.

Guest user settings in Azure AD

These settings define the permissions for guests in the Azure AD directory. There are three options: 

  • Guest users have the same access as members – This is the least restrictive setting and makes resources and directory data as widely available to guests as it is to regular users. 
  • Guest users have limited access to properties and memberships of directory objects – Guests don’t have permission for some directory tasks or resources using Microsoft Graph, including enumerating users or groups. 
  • Guest users are restricted to their own properties and memberships of their own directories – This is the most restrictive policy option, with guests unable to view other users’ profiles, groups, or memberships of groups. 

Guest invite settings in Azure AD

These settings help you control the number of guests in your tenant and apply the necessary restrictions: 

  • Anyone in the organization can invite guest users, including guests and non-admins – Choose this option if you want to allow guests to invite other guests who aren’t already members of your organization (this is the least restrictive option). 
  • Member users and users assigned to specific admin roles can invite guest users, including guests with member permissions – Choose this option to permit guest invites from members and users with certain administrator roles. 
  • Only users assigned to specific admin roles can invite guest users – Choose this option to only permit guest invites from users with administrator roles. 
  • No one in the organization can invite guest users, including admins – The most restrictive option where nobody in the organization can invite guests. 

Enabling guests to sign up using self-service flows

Within the settings, you can create user flows for guests to sign up to your organization.

This can be an automated way to gather information about your guests to better understand who’s accessing your tenant. 

The standard attributes (you can also create custom attributes) you can collect are: 

  • Given name
  • Surname 
  • City 
  • Country/region 
  • Display name 

Collaboration restrictions based on domains

You can also control invitations to guest users based on their domain. The three collaboration restrictions are: 

  • Invitations can be sent to any domain. 
  • Deny invitations to specified domains (enter as many as you want). 
  • Allow invitations to specified domains (this is the most restrictive).

Managing guest users and permissions in Microsoft Teams

Sign in to the Microsoft Teams admin center. 

Click Users > Guest access.

You’ll see the dropdown for Allow guest access in Teams. Click this and choose On. You may see that On is already there as a default master switch. Whatever settings you choose will affect all teams. 

You’ll also need to consider user limits relating to Microsoft Teams. Guests count towards specifications such as: 

  • Maximum 25,000 users. 
  • Maximum 250 members in a private channel. 
  • Maximum 500,000 teams allowed for a Microsoft 365 or Office 365 organization. 

How to view a list of guests in your Microsoft Teams

Head to the Microsoft Teams admin center. 

Click Teams > Manage teams.

Click the name of the team you want to check. Then click Members > Role column, and you can sort by guests. 

How to enable collaboration with guests in shared channels

You can allow users to collaborate with specific external organizations. You can do this using B2B direct connect. Guests have access only to resources in the specific channel. There’s no access to the Azure AD admin portal. The result is: 

  • Team owners can invite people from the chosen organization to join and collaborate within shared channels. 
  • Organizational apps and the apps list are available in shared channels for external users to access. 

Here’s how to configure cross-tenant access settings for B2B direct connect. 

Microsoft Teams guest users’ access reviews and tracking

When you invite a guest to Microsoft Teams, a guest account is automatically created for them in Azure AD.  

Naturally, some of these will require reviews at regular intervals. You can use Azure AD to create access reviews of guests (and users) who are in groups or have been assigned to applications. It’s an effective way of doing a Microsoft 365 guest user cleanup. 

Alternatively, guests, sponsors, or other nominated users can also be asked to confirm if they still require access to Microsoft Teams. Any guest who accepts an invitation will get an email from Azure AD that contains a link to the access review.  

You can remove users who don’t respond to requests to review their membership. This involves putting a block on sign-ins for 30 days before completing the removal and permanent deletion. 

How to review guest access in Microsoft Teams

Access reviews for guests can be completed by: 

  • Global administrators 
  • User administrators 
  • Owners (Microsoft 365 or Azure AD Security Group) of the group to be reviewed 

These are done by visiting the Identity Governance page.

You’ll see multiple tabs for managing guest user access: 

  • External user lifecycle – Define the default access granted to guests. It’s a self-service approval process where you choose the resources that can be requested. 
  • Group membership – Set up recurring reviews to check that current members only access the resources they need. 
  • Role assignments – Azure AD roles or Azure resource roles can be assigned with permissions set to expire when necessary. 
  • Auditing and reporting – View historical activity relating to privileged role assignments and activations, and set up alerts for unusual behaviors or excessive global admin assignments. 

Guests can leave a team when they want. When this happens, their guest account stays within your organization’s directory. A Microsoft 365 global admin or an Azure AD admin can complete the removal. 

How to track guest user activity in Microsoft Teams

You can audit events and activities across Microsoft 365 services, including Teams. 

Go to the Microsoft Purview compliance portal. 

Click Audit.

You can then filter your audit by users.

Click Search to view an audit log of user and guest entries and activities. These may include:

  • Channel messages
  • Replies
  • Posts
  • Meetings organized
  • 1:1 calls
  • Audio time
  • Video time
  • Screen share time
  • Last activity

You may want to export the results into a CSV file for categorization and filtering.
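The filtering step above, as an added example that is not part of the original guide: it picks out events where a guest acted or a guest was added to a team. It assumes the export has CreationDate, UserIds, Operations and AuditData columns, that guest UPNs carry the #EXT# marker, and that AuditData exposes TeamName and Members[].UPN; the sample rows are constructed.

```powershell
# Constructed sample rows standing in for an exported audit CSV.
# For a real export, replace the here-string with: Import-Csv .\AuditExport.csv
$csv = @'
CreationDate,UserIds,Operations,AuditData
2022-12-01T09:14:02Z,owner@contoso.example,MemberAdded,"{""TeamName"":""Audit 2022"",""Members"":[{""UPN"":""pat_fabrikam.example#EXT#@contoso.onmicrosoft.com""}]}"
2022-12-01T10:02:41Z,pat_fabrikam.example#EXT#@contoso.onmicrosoft.com,ChannelAdded,"{""TeamName"":""Audit 2022""}"
2022-12-02T08:30:00Z,owner@contoso.example,TeamCreated,"{""TeamName"":""Finance""}"
2022-12-05T16:45:10Z,owner@contoso.example,MemberAdded,"{""TeamName"":""Finance"",""Members"":[{""UPN"":""lee@contoso.example""}]}"
'@

$GuestMarker = '#EXT#'   # assumption: guest UPNs in the host tenant contain this marker

function Get-GuestAuditEvent {
    param([Parameter(Mandatory, ValueFromPipeline)] $Row)
    process {
        # AuditData is a JSON blob; Members is only present on membership operations.
        $data = $Row.AuditData | ConvertFrom-Json
        $guestsAdded  = @($data.Members.UPN | Where-Object { $_ -like "*$GuestMarker*" })
        $actorIsGuest = $Row.UserIds -like "*$GuestMarker*"

        # Keep the row if a guest performed it or a guest was its target.
        if ($actorIsGuest -or $guestsAdded.Count -gt 0) {
            [pscustomobject]@{
                When         = $Row.CreationDate
                Actor        = $Row.UserIds
                ActorIsGuest = $actorIsGuest
                Operation    = $Row.Operations
                Team         = $data.TeamName
                GuestsAdded  = $guestsAdded -join ';'
            }
        }
    }
}

$events = $csv | ConvertFrom-Csv | Get-GuestAuditEvent

# Timeline of guest-related events, then a count per actor and operation.
$events | Sort-Object When | Format-Table -AutoSize
$events | Group-Object Actor, Operation | Select-Object Count, Name
```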

How to block guest access to Microsoft Teams

You have various options for preventing guests from being added to a team.

Using sensitivity labels for controlling guest access

You can also apply sensitivity labels for granular control. The labels can be used to manage guest access, prevent users from adding external guests to a team, and protect content. 

These can be configured and applied when you create a new team. If you want to know more, here’s how to assign sensitivity labels to Microsoft 365 groups in Azure Active Directory (AD).

You can then apply them to services, including Microsoft Teams. The sensitivity label will then appear within the team channel.

Users can also see the Sensitivity options when they use other Office 365 applications such as Outlook, Word, or Excel. 


Using Microsoft PowerShell to prevent a guest from being added

This method uses the Azure Active Directory PowerShell preview version for Graph. 

You’ll need to use this script to block guest access. 
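An added example, not the script the original page links to: one way to block guests from being added to a single team's Microsoft 365 group with the AzureADPreview module this section names. The group name is a placeholder parameter; the Group.Unified.Guest template and its AllowToAddGuests value come from that module's group settings, not from this page.

```powershell
# Added example. Requires the AzureADPreview module and an account allowed to
# manage group settings. -GroupName is the display name of the team's group.
param(
    [Parameter(Mandatory)] [string] $GroupName
)

Import-Module AzureADPreview
Connect-AzureAD | Out-Null

# -SearchString matches on prefixes, so insist on one exact display-name match
# before changing anything.
$groups = @(Get-AzureADGroup -SearchString $GroupName |
    Where-Object DisplayName -eq $GroupName)
if ($groups.Count -ne 1) {
    throw "Expected exactly one group named '$GroupName', found $($groups.Count)."
}
$groupId = $groups[0].ObjectId

# A group can already carry a Group.Unified.Guest setting; update it in place
# rather than trying to create a second one.
$existing = Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupId |
    Where-Object DisplayName -eq 'Group.Unified.Guest'

if ($existing) {
    $existing['AllowToAddGuests'] = $false
    Set-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupId `
        -Id $existing.Id -DirectorySetting $existing
} else {
    $template = Get-AzureADDirectorySettingTemplate |
        Where-Object DisplayName -eq 'Group.Unified.Guest'
    $setting = $template.CreateDirectorySetting()
    $setting['AllowToAddGuests'] = $false
    New-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupId `
        -DirectorySetting $setting | Out-Null
}

# Read the setting back so the change is confirmed, not assumed.
(Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupId).Values
```

The final line should list AllowToAddGuests with a value of False for the group.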

Microsoft Teams management: Be our guest

As you can see, there are many options for managing guests in your Microsoft Teams environment. Finding the right balance depends on your goals around security, productivity, and communication. Be our guest and use this guide to help you! 
