Working with guests in your Microsoft Teams environment

We collaborate and communicate daily, and the Microsoft 365 service that facilitates this is, of course, Microsoft Teams. We collaborate with our colleagues in Microsoft Teams by using chat and storing our files in a central location. We also want to collaborate and communicate within Microsoft Teams with external people, for example customers or suppliers. Why should you enable guest access in your Microsoft Teams environment? The following reasons apply:

  • Reduce shadow IT
  • Provide an efficient collaboration experience
  • More control & insights into who is working with your colleagues & content

Reduce shadow IT

Your business users need tools to collaborate on files with people outside the organization. When you do not provide these tools, they will turn to the tools they use in their personal lives: Dropbox, Box or Google Drive. They will share files through these services, and you are faced with shadow IT. This increases the risk of a data leak, and you lose all insight into where your organization's content is stored and what happens to it.

Provide an efficient collaboration experience

Do not get me wrong. I am not against e-mail, but e-mail is not suited for an efficient collaboration process. Forwarding e-mails with files to multiple recipients, receiving the files back and manually merging all changes is the fastest way to drive your business users insane. Microsoft Teams provides an efficient and easy collaboration process, especially due to its use of SharePoint.

More control & insights into who is working with your colleagues & content

Once you enable guest access in your Microsoft Teams environment, you gain more control over, and insight into, the people outside your organization who access your content and what they do with it. This significantly reduces the risk of a data leak and gives you more control as an IT administrator.

Guest Activation

Before your business users can collaborate with guests, Microsoft Teams guest access needs to be enabled. Be aware: Microsoft turns on guest access by default for new Microsoft 365 tenants. The following Microsoft 365 locations allow your IT administrators to enable or disable guest access:

  • Azure Active Directory (AAD)
  • Microsoft 365 Administration Center
  • Microsoft Teams Administration Center

AAD

To enable or disable guest access, open the external collaboration settings menu. The following screenshot shows an example in which guest access is disabled.

Image_1 Microsoft Teams guests

Microsoft 365 Administration Center

To allow your business users to invite guests, the following setting needs to be activated:

Image_2 Microsoft Teams guests

I advise enabling this option. In the following section we dive into more granular control over inviting guests.

Microsoft Teams Administration Center

The last step is opening the Microsoft Teams Administration Center and opening the guest access menu:

Image_3 Microsoft Teams guests

Guest access is now enabled, but before you share the good news with your business users, you need to go over the guest management options.

Guest Management

Before you enable guest access, your organization needs to make a couple of decisions. These concern the following guest management topics:

  • Collaboration restriction
  • Guest invitation
  • Guests review

Collaboration Restrictions

By default, the guest settings of your Microsoft 365 environment are open and not restricted. Guests from every organization in the world can receive an invitation to your Microsoft 365 tenant. Your first step should be deciding which guests can be invited. The following options are available:

  • Allow invitations to be sent to any domain (most inclusive)
  • Deny invitations to the specified domains
  • Allow invitations only to the specified domains (most restrictive)

You should only change the default option, allow any domain, when there is a specific security business case. For example: Coca Cola would not allow invitations to be sent to Pepsi.

Guest Invitations

Once you have made a decision about the collaboration restrictions, you need to decide how your guests are added to your Microsoft Teams environment. The following options are available:

  • Azure AD Administrators add guests in Azure AD
  • Microsoft Teams owners invite guests in their teams

Do you want to keep full control over this process? Go for the first option. Be aware: this will increase the management activities of your IT department.
Do you want to empower your business users and reduce the management activities of your IT department, allowing them to spend more time on other tasks? Go for the second option.
Be aware: there is no right or wrong choice. The decision depends completely on the requirements of your organization.

Guest Review

Once a guest is invited to your Microsoft Teams environment, the guest stays in your Azure Active Directory, and everyone with access can share files with the guest or invite the guest to other teams. It is recommended to review your guests on a regular basis. Not all guests need never-ending access to your Microsoft Teams environment. The following options are available:

  • Azure Access Reviews (Azure AD Premium P2)
  • Custom solution
  • Manually
  • Third-party

Azure Access Reviews (AAR)

The owners of a team should be responsible for reviewing the guests in their teams. By using AAR, you create a periodic review process asking the owners to keep or remove the guests in their teams. Be aware: You need an Azure AD Premium P2 license to use AAR.

Custom solution

Microsoft provides multiple tools, for example Logic Apps, that allow you to create a custom solution for a review process.

Manually

The Azure AD administrators of your IT department manually review the guests in your Azure AD. You need to determine the requirements of the manual review process. For example: Guests who have not logged in for the last three months are removed.
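The manual review rule above can be scripted against an export of guest accounts. The following is an added example, not part of the original article: it assumes records shaped like Microsoft Graph user objects (`userType`, `externalUserState`, `createdDateTime`, `signInActivity`), treats three months as 90 days, counts non-interactive sign-ins as activity, and also flags invitations that were never redeemed. The sample records and the helper names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def _ts(value):
    """Parse a Graph ISO 8601 timestamp such as '2024-05-20T08:15:00Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def last_seen(user):
    """Most recent interactive or non-interactive sign-in, or None if none is recorded."""
    activity = user.get("signInActivity") or {}
    seen = [_ts(activity.get(key)) for key in
            ("lastSignInDateTime", "lastNonInteractiveSignInDateTime")]
    return max((t for t in seen if t), default=None)

def review_guests(users, now, max_idle_days=90):
    """Return (userPrincipalName, reason) for each guest that fails the review rule."""
    cutoff = now - timedelta(days=max_idle_days)
    flagged = []
    for user in users:
        if user.get("userType") != "Guest":
            continue  # members are out of scope for a guest review
        seen = last_seen(user)
        if seen is not None:
            if seen < cutoff:
                flagged.append((user["userPrincipalName"], f"inactive since {seen.date()}"))
        elif _ts(user["createdDateTime"]) < cutoff:
            # No sign-in on record: judge by account age so fresh invitees are kept.
            pending = user.get("externalUserState") == "PendingAcceptance"
            reason = "invitation never redeemed" if pending else "never signed in"
            flagged.append((user["userPrincipalName"], reason))
    return flagged

# Constructed sample records shaped like Microsoft Graph user objects (not real tenant data).
def _guest(upn, created, interactive=None, background=None, state="Accepted", kind="Guest"):
    activity = {"lastSignInDateTime": interactive, "lastNonInteractiveSignInDateTime": background}
    return {"userPrincipalName": upn, "userType": kind, "externalUserState": state,
            "createdDateTime": created,
            "signInActivity": activity if interactive or background else None}

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed so the result is repeatable
SAMPLE = [
    _guest("anna@partner.example", "2023-01-10T09:00:00Z", "2024-05-20T08:15:00Z"),
    _guest("bob@partner.example", "2023-02-01T09:00:00Z", "2024-01-15T10:00:00Z"),
    _guest("carol@supplier.example", "2023-03-01T09:00:00Z", "2023-12-01T10:00:00Z", "2024-05-25T07:30:00Z"),
    _guest("dave@supplier.example", "2023-11-01T09:00:00Z", state="PendingAcceptance"),
    _guest("erin@supplier.example", "2024-05-25T09:00:00Z", state="PendingAcceptance"),
    _guest("frank@corp.example", "2020-01-01T09:00:00Z", "2023-01-01T00:00:00Z", kind="Member"),
]

if __name__ == "__main__":
    print(review_guests(SAMPLE, NOW))
```

The output is a review list for an administrator or team owner to confirm, not an automatic deletion step.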

Third-party

There are third-party tools that support guest reviews. For example: Rencore Governance.

Sensitivity labels

There are business cases in which you do not want your employees to invite guests for certain forms of collaboration within Microsoft Teams, for example departments. You can apply a sensitivity label to a team and disable guest access.

Guest actions

Once you have finalized guest management, you need to look at the actions guests can perform in Microsoft Teams. Guests have the same actions as members, with a couple of exceptions. The actions are set in the Microsoft Teams administration center and in each team. Once a guest is added to a team, the guest has access to all the content (files and chat) of the public channels.

Microsoft Teams administration center

The following options are available:

Image_4 Microsoft Teams admin center

I recommend allowing your guests to edit and delete their messages. This improves the user experience, because there is nothing more annoying than not being able to edit or delete potential mistakes in your messages.

Team settings

The owners of a team can apply the following settings:

Image_5 Microsoft Teams guests

I recommend disabling these options. Guests can request an additional channel; they do not need to create one themselves.

Team

Guests have the same actions as members apart from the following:

Image_6 Microsoft Teams guests

I would stay with the default option until there is a specific business case for allowing guests to create, update and delete channels.

External sharing

Do you just want to share a specific file with a guest? You do not have to invite the guest to your team in Microsoft Teams. You can use the power of SharePoint to share files. Before you enable external sharing, you must make the following decisions:

  • Type of sharing link
  • Managing external links
  • Reviewing external links

Type of sharing links

SharePoint provides the following sharing links:

  • Anyone
  • New and existing guests
  • Existing guests
  • Only people in your organization

This decision correlates with the way guests are allowed to access your Microsoft 365 tenant, which is discussed in the guest invitation section. My preference is new and existing guests, but there is no right or wrong choice. The decision depends completely on the requirements of your organization.
After you have made your decision, there are a couple of other options you must review:

  • Limit external sharing by domain: Read the section about guest invitations.
  • Allow only users in specific security groups to share externally: Only use this option when you do not want all your users to share externally.
  • Guests must sign in using the same account to which sharing invitations are sent: I highly recommend selecting this option.
  • Allow guests to share items they don’t own: I recommend against using this option. Your users should always stay in control of their data.
  • People who use a verification code must reauthenticate after this many days: I recommend using this option to increase your security. Guests do not need permanent access to content. 7 days is sufficient.

Managing external links

You apply the preferred sharing links for your entire Microsoft 365 tenant in the SharePoint Online Administration Center. There are business cases in which you do not want your employees to share content externally, or in which you need a different sharing link. For example: employees collaborating in a department team are not allowed to share externally. To facilitate this scenario, you can use sensitivity labels. You can apply a sensitivity label to a team and assign pre-defined sharing links. The following screenshot shows an example:

Image_7 Managing external links

Reviewing external links

I recommend setting up a review process for external links. Guests do not need unlimited access to content. Often, they only need access for a brief period. Microsoft provides an out-of-the-box feature to review external links. This can be done through the site usage menu:

Image_8 External Links

Unfortunately, this works on a per-site basis. There is no out-of-the-box option to get a report of all sites with shared files.

Wrap up & final recommendations

We hope to have provided you with a clear business case for allowing guest access in your Microsoft Teams environment. This connects with Microsoft’s vision around the modern workplace for the business user. The workplace needs to be dynamic, automatic, and scalable to handle both platform growth and allow collaboration to flow without friction.
Before you enable guest access, it is highly recommended to define your governance strategy around guest access. The following topics, as described in this article, are applicable:

  • Guest management
  • Guest actions
  • External sharing

Next to these topics, we want to emphasize the importance of data classification with sensitivity labels. These provide you with the tools to encrypt sensitive files, creating an extra layer of security and preventing unwanted access to your sensitive files. Last, but not least, do not forget to turn on MFA for your guests.

Check out Rencore Governance

If you are looking into third-party tools that help you manage external access, it’s worth reading up on Rencore Governance. It’s one such tool that caters to the complete Microsoft 365 stack, including Teams, and allows you to foster collaboration while also keeping control within IT.

Jasper Oosterveld

Jasper Oosterveld is a Microsoft MVP and Modern Workplace Consultant at InSpark in the Netherlands. On a daily basis, he works with customers to implement the Modern Workplace with Microsoft 365. Jasper focuses on collaboration, governance and compliance. Jasper loves to share his expertise and love for Microsoft products with everyone who is willing to listen.