We collaborate and communicate daily. The Microsoft 365 service to facilitate this process is, of course, Microsoft Teams. We collaborate with our colleagues in Microsoft Teams by using chat and storing our files in a central location. We also want to collaborate and communicate, within Microsoft Teams, with external people. For example: Customers or suppliers. Why should you enable guest access in your Microsoft Teams environment? The following reasons are applicable:
Your business users need tools to collaborate, around files, with people outside the organization. When you do not provide these tools, they will look at the tools they use in their personal lives: Dropbox, Box or Google Drive. They will share files through these services, and you are faced with Shadow IT. This increases the risk of a data leak, and you lose all insight into the storage of and activities around your organization's content.
Do not get me wrong. I am not against e-mail, but e-mail is not suited for an efficient collaboration process. Forwarding e-mails with files to multiple recipients, receiving the files and manually merging all changes is the fastest way to drive your business users insane. Microsoft Teams provides an efficient and easy collaboration process. Especially due to the use of SharePoint.
Once you enable guest access in your Microsoft Teams environment, you gain more control and insights over the people outside your organization accessing your content and their activities. This significantly reduces the risks of a data leak and gives you more control as an IT administrator.
Before your business users can collaborate with guests, Microsoft Teams guest access needs to be enabled. Be aware: Microsoft turns on guest access by default for new Microsoft 365 tenants. The following Microsoft 365 locations allow your IT administrators to enable or disable guest access:
To enable, or disable, guest access you open the external collaboration settings menu. The following screenshot shows an example whereby guest access is disabled.
To allow your business users to invite guests, the following setting needs to be activated:
I advise enabling this option. In the following section we dive into the ability for more granular control around inviting guests.
The last step is opening the Microsoft Teams Administration Center and opening the guest access menu:
Guest access is enabled but before you share the good news with your business users, you need to go over the guest management options.
Before you enable guest access, your organization needs to make a couple of decisions. These are focused on the following guest management topics:
By default, the guest settings of your Microsoft 365 environment are open and not restricted. Guests from every organization in the world can receive an invitation to your Microsoft 365 tenant. Your first step should be deciding which guests can be invited. The following options are available:
You should only change the default option, allow any domain, when there is a specific security business case. For example: Coca Cola would not allow invitations to be sent to Pepsi.
Once you have taken a decision around the collaboration restrictions, you need to decide how your guests are added to your Microsoft Teams environment. The following options are available:
Do you want to keep all the control around this process? Go for the first option. Be aware: This will increase the management activities of your IT department.
Do you want to empower your business users and reduce the management activities of your IT department? Allowing them to spend more time on other tasks? Go for the second option.
Be aware: There is no right or wrong. The decision completely depends on the requirements of your organization.
Once a guest is invited to your Microsoft Teams environment, the guest stays in your Azure Active Directory and everyone, with access, can share files or invite the guest to other teams. It is recommended to review your guests on a regular basis. Not all guests need to have a never-ending access to your Microsoft Teams environment. The following options are available:
The owners of a team should be responsible for reviewing the guests in their teams. By using Azure AD access reviews (AAR), you create a periodic review process asking the owners to keep or remove the guests in their teams. Be aware: You need an Azure AD Premium P2 license to use AAR.
Microsoft provides multiple tools, for example logic apps, allowing you to create a custom solution for a review process.
The Azure AD administrators of your IT department manually review the guests in your Azure AD. You need to determine the requirements of the manual review process. For example: Guests who have not logged in for the last three months are removed.
There are third-party tools to support guest reviews. For example: Rencore Governance.
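The manual review rule mentioned above (guests who have not logged in for the last three months), sketched as an added PowerShell example that is not part of the original article. The function name `Get-StaleGuest` and the sample accounts are constructed for illustration; the property names follow the Microsoft Graph user object.

```powershell
# Added example: flag guest accounts for a manual review.
# Live input would come from Microsoft Graph PowerShell, for example:
#   Get-MgUser -All -Filter "userType eq 'Guest'" `
#     -Property DisplayName,Mail,CreatedDateTime,ExternalUserState,SignInActivity
# (reading SignInActivity requires the AuditLog.Read.All permission).
function Get-StaleGuest {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object] $Guest,
        [int] $MaxIdleDays = 90,            # "three months" from the review rule
        [datetime] $Now = (Get-Date)
    )
    begin { $cutoff = $Now.AddDays(-$MaxIdleDays) }
    process {
        $lastSignIn = $Guest.SignInActivity.LastSignInDateTime
        # A guest who never signed in has no timestamp. Fall back to the
        # creation date so a fresh invitation is not flagged immediately.
        $reference = if ($lastSignIn) { [datetime]$lastSignIn } else { [datetime]$Guest.CreatedDateTime }
        if ($reference -lt $cutoff) {
            $reason = 'No sign-in within the review window'
            if (-not $lastSignIn) { $reason = 'Never signed in' }
            if ($Guest.ExternalUserState -eq 'PendingAcceptance') { $reason = 'Invitation never accepted' }
            [pscustomobject]@{
                DisplayName = $Guest.DisplayName
                Mail        = $Guest.Mail
                LastSignIn  = $lastSignIn
                IdleDays    = ($Now - $reference).Days
                Reason      = $reason
            }
        }
    }
}

# Constructed sample data (not real accounts); the review date is fixed for repeatability.
$today  = [datetime]'2024-06-01'
$guests = @(
    [pscustomobject]@{ DisplayName = 'Active supplier'; Mail = 'a@supplier.example'; CreatedDateTime = '2023-01-10'
        ExternalUserState = 'Accepted'; SignInActivity = [pscustomobject]@{ LastSignInDateTime = '2024-05-20' } }
    [pscustomobject]@{ DisplayName = 'Former consultant'; Mail = 'b@consult.example'; CreatedDateTime = '2022-03-01'
        ExternalUserState = 'Accepted'; SignInActivity = [pscustomobject]@{ LastSignInDateTime = '2023-11-15' } }
    [pscustomobject]@{ DisplayName = 'Unanswered invite'; Mail = 'c@customer.example'; CreatedDateTime = '2023-12-01'
        ExternalUserState = 'PendingAcceptance'; SignInActivity = $null }
    [pscustomobject]@{ DisplayName = 'New invite'; Mail = 'd@customer.example'; CreatedDateTime = '2024-05-25'
        ExternalUserState = 'PendingAcceptance'; SignInActivity = $null }
)
$guests | Get-StaleGuest -Now $today | Format-Table -AutoSize
```

The output is a review list for the Azure AD administrators; removal stays a separate, deliberate step after the team owners have confirmed the guest is no longer needed.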
There are business cases whereby you do not want your employees to invite guests for certain forms of collaboration within Microsoft Teams. For example: Departments. You can apply a sensitivity label to a team and disable guest access.
Once you have finalized guest management, we need to look at the actions guests can perform in Microsoft Teams. Guests have the same actions as members with a couple of exceptions. The actions are set in the Microsoft Teams Administration Center and in each team. Once a guest is added to a team, the guest has access to all the content (files and chat) of the public channels.
The following options are available:
I recommend allowing your guests to edit and delete their messages. This improves the user experience because there is nothing more annoying than not being able to edit or delete potential mistakes in your messages.
The owners of a team can apply the following settings:
I recommend disabling these options. Guests can request an additional channel; they do not need to create one by themselves.
Guests have the same actions as members apart from the following:
I would stay with the default option until there is a specific business case allowing guests to create, update and delete channels.
Do you just want to share a specific file with a guest? You do not have to invite the guest to your team in Microsoft Teams. You can use the power of SharePoint to share files. Before you enable external sharing, you must make the following decisions:
SharePoint provides the following sharing links:
This decision correlates to the way guests are allowed to access your Microsoft 365 tenant. This is discussed in the guest invitation section. My preference goes towards new & existing guests, but there is no right or wrong. The decision completely depends on the requirements of your organization.
After you have made your decision, there are a couple of other options you must review:
You apply the preferred sharing links for your entire Microsoft 365 tenant in the SharePoint Online Administration Center. There are business cases whereby you do not want your employees to share content externally or you need a different sharing link. For example: employees collaborating in a department team are not allowed to share externally. To facilitate this scenario, you can use sensitivity labels. You can apply a sensitivity label to a team and assign pre-defined sharing links. The following screenshot shows an example:
I recommend setting up a review process of external links. Guests do not need to have unlimited access to content. Often, they only need access for a brief duration of time. Microsoft provides an out-of-the-box feature to review external links. This can be done through the site usage menu:
Unfortunately, this is on a per-site basis. There is no out-of-the-box option to get a report of all sites with shared files.
We hope to have provided you with a clear business case for allowing guest access in your Microsoft Teams environment. This connects with Microsoft’s vision around the modern workplace for the business user. The workplace needs to be dynamic, automatic, and scalable to handle both platform growth and allow collaboration to flow without friction.
Before you enable guest access, it is highly recommended to define your governance strategy around guest access. The following topics, as described in this article, are applicable:
Next to these topics, we want to emphasize the importance of data classification with sensitivity labels. These provide you with the tools to put an encryption on sensitive files, creating an extra layer of security and preventing unwanted access to your sensitive files. Last, but not least, do not forget to turn on MFA for your guests.
If you want to learn more about managing guest users in Teams and Teams governance in general, I recommend our free whitepaper "Teams governance best practices". The whitepaper explores the key aspects of quality Teams governance and offers a guide on how to create a fitting governance strategy to gain full control of Microsoft Teams.