Ultimate Admin Guide to Microsoft Teams Guest Users

Introducing full guest access in Microsoft Teams revolutionized the whole concept of teams. Now, you can invite anyone with an email to join your team, collaborate with you and even create channels on their own. As great as that is, you need to be cautious when giving people outside your company access to your content. That's why we prepared this Ultimate admin guide to Microsoft Teams guest users for you. 

Who can be a guest user in Microsoft Teams?

This year, Microsoft launched a full guest access in Microsoft Teams. This is a huge improvement in a sense of collaboration, meaning that you don’t need to have a Microsoft account to be invited as a guest user anymore. You can invite:

  • Anyone with an Office 365 subscription;
  • Anyone with any type of email address, such as Outlook or Gmail.

What can Microsoft Teams guest users do?

So, what are guest users allowed to do? The following table lists the features available to guest users, compared to authenticated Teams users:

Microsoft Teams guest users - capabilities   Microsoft Teams guest users capabilities 

As you can see, some features are not available to guest users, but those that are, are sufficient for a basic collaboration. You can even invite guest users to your team meetings via a link. That means no more entering email accounts or signing in – just a simple click and you’re ready to go. When they accept invitation, guest users are placed in a lobby where they wait for an authenticated participant to admit them. This is a security step before final acceptance in a meeting.

However, there are some limitations to meetings features for guest users. Guest participants don’t have access to Files, Chats or Activity. They can only participate in audio conversation, without the option to send instant messages or send and receive files. Guests cannot share camera or screen, but they can view other members’ shared screens. The options of this feature are still in the development, so we can expect to have more options soon.

Setting up guest users’ access for Microsoft Teams

Before you can add guest users to your teams, an Office 365 global admin must enable the guest option. According to Microsoft documentation, an admin can set the guest access option on four levels of authorization inside the Office 365 tenant:

  • Azure Active Directory (AAD): Guest access in Microsoft Teams relies on the Azure AD business-to-business (B2B) platform. Controls the guest experience at the directory, tenant, and application level.
  • SharePoint Online and OneDrive for Business: Controls the guest experience in SharePoint Online, OneDrive for Business, Office 365 Groups, and Microsoft Teams.
  • Office 365 Groups: Controls the guest experience in Office 365 Groups and Microsoft Teams.
  • Microsoft Teams: Controls Microsoft Teams only.

 

To enable guest access on Microsoft Teams level, an admin must:

check 2Sign in at Office 365 global admin portal;

check 2In the navigation menu, choose Settings and select Services & add-ins;

check 2Select Microsoft Teams;

check 2In Select the user/license type you want to configure, select Guest

check 2Click or tap the toggle next to Turn Microsoft Teams on or off for all users of this type to On;

check 2Choose Save.

 

It takes 2-24 hours for changes to be effective. So, if you see a message "Contact your administrator" when you try to add a guest to your team, it's likely that the settings haven’t become effective yet. If you're not sure how your Teams are set up, you can check and edit the settings for each team in an upcoming version of our Microsoft Teams management toolSysKit Security Manager

In AAD, a global admin can choose, on a global level, who will be able to invite guest users to an organization:

  • Directory admins and users in the guest inviter role;
  • AAD members;
  • Guests.

Inviting guest users to Microsoft Teams

According to Microsoft docs, an Office 365 global admin can add a new guest user to the organization in a couple ways:

  • Through the Microsoft Teams desktop or the web clients, if a global admin is also an owner of a team. This is more intuitive and faster approach since the admin is already in the team to which he wants to invite guest users.
  • Through Azure Active Directory B2B collaboration. Global admin can invite and authorize a set of external users by uploading a comma-separated values (CSV) file with up to 2,000 lines to the B2B collaboration portal.

Microsoft Teams guest users - adding guest through Azure AD

        Adding guest users through Azure AD

If global sharing settings allow, a team owner or member can invite guest users, too. They can do it in a couple of ways:

  • Through the Microsoft Teams desktop or web application;
  • Through Azure AD Application Access Panel, if a global admin has delegated this option to group or application owners.

Microsoft Teams guest users - adding guest inside team

        Adding guest users inside a team

Depending on the applied external sharing settings, it's possible that your global AAD admin needs to invite the guest user to the organization before a team owner or member can invite users to the team.

Viewing guest users in Microsoft Teams

Every member can view other members of their Team, including guest members, by clicking the Manage team option.

 new one ill 676 fav

       Manage Microsoft Teams guest users

But, only a global admin can view all the guest users in the tenant. However, even they can’t filter out guest users that belong to Microsoft Teams. So, if you wish to know who the guest users are in all your teams, you have to manually extract the data. With the new version of our tool, SysKit Security Manager, you will be able to view team members and owners from all Microsoft Teams in your tenant.

Restricting guest users

You can restrict guest access in Microsoft Teams by using Windows PowerShell. You have three options at your disposal:

  • Allow or block guest access to all teams and Office 365 groups;
  • Allow users to add guests to all teams and Office 365 groups;
  • Allow or block guest users from a specific team or Office 365 group.

In addition to those three options, you can allow or block guest users based on their domain. It is the same procedure that you need to follow when allowing or blocking guest users in Office 365 Groups. The downfall is that this option is only available to those with Premium AAD license.

SysKit Security Manager—Centralized Office 365 & Teams Reporting Tool 

SysKit Security Manager brings Microsoft Teams reporting and management tool. It helps you: 

  • Discover Teams in your tenant and associated Office 365 Groups.  
  • Find out who are Team Owners, Team Members, and Guest Members. 
  • Check the tenant-wide settings for all Microsoft Teams and change Team-specific settings. 
  • Check if Team settings are set according to your company policies.  

syskit security manager cta