We collaborate and communicate daily. The Microsoft 365 service to facilitate this process is, of course, Microsoft Teams. We collaborate with our colleagues in Microsoft Teams by using chat and storing our files in a central location. We also want to collaborate and communicate, within Microsoft Teams, with external people. For example: Customers or suppliers. Why should you enable guest access in your Microsoft Teams environment? The following reasons are applicable:
- Reduce shadow IT
- Provide an efficient collaboration experience
- More control & insights into who is working with your colleagues & content
Reduce shadow IT
Your business users need tools to collaborate, around files, with people outside the organization. When you do not provide these tools, they will look at the tools they use in their personal lives: Dropbox, Box or Google Drive. They will share files through these services, and you are faced with Shadow IT. This increases the risks for a data leak, and you lose all insights around the storage and activities of your organizations content.
Provide an efficient collaboration experience
Do not get me wrong. I am not against e-mail, but e-mail is not suited for an efficient collaboration process. Forwarding e-mails with files to multiple recipients, receiving the files and manually merging all changes is the fastest way to drive your business users insane. Microsoft Teams provides an efficient and easy collaboration process. Especially due to the use of SharePoint.
More control & insights into who is working with your colleagues & content
Once you enable guest access in your Microsoft Teams environment, you gain more control and insights over the people outside your organization accessing your content and their activities. This significantly reduces the risks of a data leak and gives you more control as an IT administrator.
Before your business users can collaborate with guests, Microsoft Teams guest access needs to be enabled. Be aware: Microsoft turns on guest access by default for new Microsoft 365 tenants. The following Microsoft 365 locations allow your IT administrators to enable or disable guest access:
- Azure Active Directory (AAD)
- Microsoft 365 Administration Center
- Microsoft Teams Administration Center
To enable, or disable, guest access you open the external collaboration settings menu. The following screenshot shows an example whereby guest access is disabled.
Microsoft 365 Administration Center
To allow your business users to invite guests, the following setting needs to be activated:
I advise to enable this option. In the following section we dive into the ability for more granular control around inviting guests.
Microsoft Teams Administration Center
The last step is opening the Microsoft Teams Administration Center and opening the guest access menu:
Guest access is enabled but before you share the good news with your business users, you need to go over the guest management options.
Before you enable guest access, your organizations need to make a couple of decisions. These are focused on the following guest management topics:
- Collaboration restriction
- Guest invitation
- Guests review
By default, the guest settings of your Microsoft 365 environment are open and not restricted. Guests from every organization in the world can receive an invitation to your Microsoft 365 tenant. Your first step should be focused, around deciding what guests can be invited. The following options are available:
- Allow invitations to be sent to any domain (most inclusive);
- Deny invitations to the specified domains;
- Allow invitations only to the specified domains (most restrictive)
You should only change the default option, allow any domain, when there is a specific security business case. For example: Coca Cola would not allow invitations to be sent to Pepsi.
Once you taken a decision around the collaboration restrictions, you need to decide how your guests are added to your Microsoft Teams environment. The following options are available:
- Azure AD Administrators add guests in Azure AD
- Microsoft Teams owners invite guests in their teams
Do you want to keep all the control around this process? Go for the first option. Be aware: This will increase the management activities of your IT department.
Do you want to empower your business users and reduce the management activities of your IT department? Allowing them to spend more time on other tasks? Go for the second option.
Be aware: There is not a wrong or right. The decision completely depends on the requirements of your organization.
Once a guest is invited to your Microsoft Teams environment, the guest stays in your Azure Active Directory and everyone, with access, can share files or invite the guest to other teams. It is recommended to review your guests on a regular basis. Not all guests need to have a never-ending access to your Microsoft Teams environment. The following options are available:
- Azure Access Reviews(Azure AD Premium 2)
- Custom solution
Azure Access Reviews(AAR)
The owners of a team should be responsible for reviewing the guests in their teams. By using AAR, you create a periodic review process asking the owners to keep or remove the guests in their teams. Be aware: You need an Azure AD Premium P2 license to use AAR.
Microsoft provides multiple tools, for example logic apps, allowing you to create a custom solution for a review process.
The Azure AD administrators of your IT department manually review the guests in your Azure AD. You need to determine the requirements of the manual review process. For example: Guests who have not logged in for the last three months are removed.
There are third-party tools to support with guest reviews. For example: Rencore Governance.
There are business cases whereby you do not want your employees invite guests for certain forms collaboration within Microsoft Teams. For example: Departments. You can apply a sensitivity label to a team and disable guest access.
Click here to learn more about sensitivity labels & Microsoft Teams.
Once you finalized the guest management, we need to look at the action’s guests can perform in Microsoft Teams. Guests have the same actions as members with a couple expectations. The actions are set in the Microsoft Teams administrator center and in each team. Once a guest is added to a team, the guest has access to all the content (files and chat) of the public channels.
Microsoft Teams administration center
The following options are available:
I recommend allowing your guests to edit and delete their messages. This improves the user experiences because there is nothing more annoying not being able to edit or delete potential mistakes in your messages.
The owners of a team can apply the following settings:
I recommend disabling these options. Guests can request an additional channel; they do not need to create one by themselves.
Guests have the same actions as members apart from the following:
I would stay with the default option until there is a specific business case allowing guests to create, update and delete channels.
Do you just want to share a specific file with a guest? You do not have to invite the guest to your team in Microsoft Teams. You can use the power of SharePoint to share files. Before you enable external sharing, you must make the following decisions:
- Type of sharing link
- Managing external links
- Reviewing external links
Type of sharing links
Sharepoint provides the following sharing links:
- New and existing guests
- Existing guests
- Only people in your organization
This decision correlates to the way guests are allowed to access your Microsoft 365 tenant. This is discussed in the guest invitation section. My preference goes towards new & existing guests but there is not a wrong or right. The decision completely depends on the requirements of your organization. Click here to learn more about the sharing links.
After you made your decision, there are a couple other options you must review:
- Limit external sharing by domain: Read the section about guest invitations.
- Allow only users in specific security groups to share externally: Only use this option when you do not want all your users to share externally.
- Guests must sign in using the same account to which sharing invitations are sent: I highly recommend selecting this option.
- Allow guests to share items they don’t own: I recommend against using this option. Your users should always stay in control of their data.
- People who use a verification code must reauthenticate after this many days: I recommend using this option to increase your security. Guests do not need to have forever access to content. 7 days is sufficient.
Click here to learn more about the above features.
Managing external links
You apply the preferred sharing links for you entire Microsoft 365 tenant in the SharePoint Online Administration Center. There are business cases whereby you do not want your employees externally share content or you need a different sharing link. For example: employees’ collaboration in a department team are not allowed to share externally. To facilitate this scenario, you can use sensitivity labels. You can apply a sensitivity label to a team and assign pre-defined sharing links. The following screenshot shows an example:
Click here to learn more about sensitivity labels & Microsoft Teams.
Reviewing external links
I recommend setting up a review process of external links. Guests do not need to have unlimited access to content. Often, they only need access for a brief duration of time. Microsoft provides an out-of-the-box feature to review external links. This can be done through the site usage menu:
Unfortunately, this is per site basis. There is no out-of-the-box option to get a report of all sites with shared files.
Wrap up & final recommendations
We hope to have provided you with a clear business case for allowing guest access in your Microsoft Teams environment. This connects with Microsoft’s vision around the modern workplace for the business user. The workplace needs to be dynamic, automatic, and scalable to handle both platform growth and allow collaboration to flow without friction.
Before you enable guest access it is highly recommend defining your governance strategy around guest access. The following topics, as described in this article, are applicable:
- Guest management
- Guest actions
- External sharing
Next to these topics, we want to emphasize the importance of data classification with sensitivity labels. These provide you with the tools to put an encryption on sensitive files, creating an extra layer of security and preventing unwanted access to your sensitive files. Last, but not least, do not forget to turn on MFA for your guests.
If you want to learn more about managing guest users in Teams and Teams governance in general, I recommend our free whitepaper “Teams governance best practices“. The whitepaper explores the key aspects of quality Teams governance and offers a guide on how to create a fitting governance strategy to gain full control of Microsoft Teams.