Introducing full guest access in Microsoft Teams revolutionized the whole concept of team collaboration. Now, you can invite anyone with an email to join your team, collaborate with you and even create channels on their own. As great as that is, you need to be cautious when giving people outside your company access to your content. That’s why we prepared this Ultimate admin guide to Microsoft Teams guest users for you.
Who can be a guest user in Microsoft Teams?
This year, Microsoft launched a full guest access in Microsoft Teams. This is a huge improvement in a sense of collaboration, meaning that you don’t need to have a Microsoft account to be invited as a guest user anymore. You can invite:
- Anyone with an Office 365 subscription;
- Anyone with any type of email address, such as Outlook or Gmail.
What can Microsoft Teams guest users do?
So, what are guest users allowed to do? The following table lists the features available to guest users, compared to authenticated Teams users:
Microsoft Teams guest users capabilities
As you can see, some features are not available to guest users, but those that are, are sufficient for a basic collaboration. You can even invite guest users to your team meetings via a link. That means no more entering email accounts or signing in – just a simple click and you’re ready to go. When they accept invitation, guest users are placed in a lobby where they wait for an authenticated participant to admit them. This is a security step before final acceptance in a meeting.
However, there are some limitations to meetings features for guest users. Guest participants don’t have access to Files, Chats or Activity. They can only participate in audio conversation, without the option to send instant messages or send and receive files. Guests cannot share camera or screen, but they can view other members’ shared screens. The options of this feature are still in the development, so we can expect to have more options soon.
UPDATE: All the above mentioned options of meetings are now available to guest users, but for now, only in desktop app.
Setting up guest users’ access for Microsoft Teams
Before you can add guest users to your teams, an Office 365 global admin must enable the guest option. According to Microsoft documentation, an admin can set the guest access option on four levels of authorization inside the Office 365 tenant:
- Azure Active Directory (AAD): Guest access in Microsoft Teams relies on the Azure AD business-to-business (B2B) platform. Controls the guest experience at the directory, tenant, and application level.
- SharePoint Online and OneDrive for Business: Controls the guest experience in SharePoint Online, OneDrive for Business, Office 365 Groups, and Microsoft Teams.
- Office 365 Groups: Controls the guest experience in Office 365 Groups and Microsoft Teams.
- Microsoft Teams: Controls Microsoft Teams only.
UPDATE: To enable guest access on Microsoft Teams level, an admin must:
Sign in to Microsoft Teams admin portal (https://admin.teams.microsoft.com)
In the navigation menu, choose Org-wide settings and select Guest access
Click on the toggle next to Allow guest access in Microsoft Teams
It takes 2-24 hours for changes to be effective. So, if you see a message “Contact your administrator” when you try to add a guest to your team, it’s likely that the settings haven’t become effective yet. If you’re not sure how your Teams are set up, you can check and edit the settings for each team in an upcoming version of our Microsoft Teams management tool – SysKit Security Manager.
Dear reader, we have decided to replace SysKit Security Manager with a brand new tool. Check out SysKit Point, a cloud-based Office 365 governance solution that offers even more functionalities!
In AAD, a global admin can choose, on a global level, who will be able to invite guest users to an organization:
- Directory admins and users in the guest inviter role;
- AAD members;
Inviting guest users to Microsoft Teams
According to Microsoft docs, an Office 365 global admin can add a new guest user to the organization in a couple ways:
- Through the Microsoft Teams desktop or the web clients, if a global admin is also an owner of a team. This is more intuitive and faster approach since the admin is already in the team to which he wants to invite guest users.
- Through Azure Active Directory B2B collaboration. Global admin can invite and authorize a set of external users by uploading a comma-separated values (CSV) file with up to 2,000 lines to the B2B collaboration portal.
Adding guest users through Azure AD
If global sharing settings allow, a team owner or member can invite guest users, too. They can do it in a couple of ways:
- Through the Microsoft Teams desktop or web application;
- Through Azure AD Application Access Panel, if a global admin has delegated this option to group or application owners.
Adding guest users inside a team
Depending on the applied external sharing settings, it’s possible that your global AAD admin needs to invite the guest user to the organization before a team owner or member can invite users to the team.
Viewing guest users in Microsoft Teams
Every member can view other members of their Team, including guest members, by clicking the Manage team option.
Manage Microsoft Teams guest users
UPDATE: A global admin can view all the guest users in all the Teams in the tenant. However, he can only see guests that are added as members. Meaning that if a user shares a file directly to people outside the organization, they are not listed as guests. So, it’s not exactly a polished way of tracking your guest users. With SysKit Point, you are be able to view all Microsoft Teams guests in your tenant, no matter how they were added to your Teams.
Restricting guest users
You can restrict guest access in Microsoft Teams by using Windows PowerShell. You have three options at your disposal:
- Allow or block guest access to all teams and Office 365 groups;
- Allow users to add guests to all teams and Office 365 groups;
- Allow or block guest users from a specific team or Office 365 group.
In addition to those three options, you can allow or block guest users based on their domain. It is the same procedure that you need to follow when allowing or blocking guest users in Office 365 Groups. The downfall is that this option is only available to those with Premium AAD license.
Webinar Microsoft Teams Behind the Scene – Recording
If you’re still not sure what can Microsoft Teams bring you, and how does it affect your Office 365 administration, this is the right webinar for you! Apply for recording here.
What we’ll cover:
- Microsoft Teams permissions governance
- Microsoft Teams settings
- Microsoft Teams guest access and how to control it
SysKit Point—Centralized Office 365 & Teams Reporting Tool
SysKit Point brings Microsoft Teams reporting and management tool. It helps you:
- Discover Teams in your tenant and associated Office 365 Groups.
- Find out who are Team Owners, Team Members, and Guest Members.
- Check Teams’ related audit logs for a custom time period.
- Remove guest users and sharing links from Teams with one click.