Once guest access is enabled in Microsoft Teams, you still need a strategy in place to govern its use according to your company mandates. Configuring these settings and policies will help ensure that sensitive company data stays secure.
Because of the risks associated with external sharing, some Office 365 administrators think it’s better to disable it entirely. But this can lead to a multitude of other problems, like employees turning to unapproved tools such as WeTransfer, Box.com, or Google Drive to send documents—the dreaded shadow IT.
When we first deployed Teams here at ShareGate, we saw user adoption improve after we removed unnecessary friction; people are more likely to use the tools you choose if they have the freedom they need to do their work. That realization led to our stance that you should keep self-service enabled, and ended up being central to the creation of ShareGate Apricot, our Teams management tool.
It’s a better idea to enable guest access in Teams alongside policies and rules to control its use. We recommend configuring the following settings based on the needs of your organization.
Step 1: Determine how external collaborators can be invited into your tenant
Before you get into the nitty gritty of what guests can and can’t do, you need to think about how they’ll be invited into your tenant in the first place.
The guest access experience in Teams is managed at the highest level through your Azure Active Directory.
Global admins can configure settings for external users across your entire organization in the Organizational relationships settings (Azure Active Directory > Organizational relationships > Settings).
From here, you can enable policies to control how external collaborators can be invited into your tenant. Consider the following questions:
- Who do you want to allow to invite guests?
- Where do you want to allow guest invites to be sent?
Who do you want to allow to invite guests?
For guest access to be enabled in Teams, the Admins and users in the guest inviter role policy must be set to Yes (Teams does not currently support the guest inviter role, so it only applies to admins).
But once enabled, you can choose whether you want to allow other users in your organization—or even other guests—to invite external users to join as guests.
Members can invite
Choose Yes to allow all of your organization’s users to invite guests to collaborate on resources like SharePoint team sites that are secured by your Azure AD.
Selecting No means that only admins can invite guests, and it will limit the guest experience for teams that have non-admin owners: they’ll only be able to add guests once an IT admin has added them in Azure AD.
Guests can invite
Do you want to allow guests to invite other external users into your tenant?
Select Yes if you do, or slide the toggle to No to prevent guests from inviting other guests.
Where do you want to allow guest invites to be sent?
The settings under Collaboration restrictions let you control where guest invitations can be sent according to domain.
Allow invitations to be sent to any domain is the most inclusive option, meaning users can send invitations to external users at any email domain, without any restrictions.
The other two options are more restrictive, allowing or blocking invitations to specific domains. Choose Deny invitations to specific domains if you want to allow users to share freely for the most part—they’ll only be blocked from sending invites to the domains you choose. For example, you could block invites to any user with an email address at competitor.com.
If your employees only ever need to collaborate with a handful of other businesses, you could select Allow invitations only to the specified domains to limit external collaboration to users in those domains. This is the most restrictive option, so in most cases we recommend choosing one of the first two.
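The Step 1 choices above, as an added PowerShell example that is not part of the ShareGate article: the "who can invite" setting is written through the Microsoft Graph PowerShell module, and the domain deny list through the legacy AzureAD module's B2B management policy. Both modules, a Global Administrator session, and the competitor.com domain (taken from the text as a placeholder) are assumptions.

```powershell
# Added example: set "who can invite" and "where invites can go" from PowerShell.
# Assumes the Microsoft.Graph and AzureAD modules are installed.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"

# Who can invite guests. The allowInvitesFrom values map to the portal toggles above:
#   adminsAndGuestInviters           -> Members can invite = No,  Guests can invite = No
#   adminsGuestInvitersAndAllMembers -> Members can invite = Yes, Guests can invite = No
#   everyone                         -> Members can invite = Yes, Guests can invite = Yes
Update-MgPolicyAuthorizationPolicy -AllowInvitesFrom "adminsGuestInvitersAndAllMembers"

# Where invites may be sent: "Deny invitations to specific domains".
# This list lives in the tenant's B2BManagementPolicy (legacy AzureAD module).
Connect-AzureAD
$definition = @{
    B2BManagementPolicy = @{
        InvitationsAllowedAndBlockedDomainsPolicy = @{
            AllowedDomains = @()                   # empty: everything not blocked is allowed
            BlockedDomains = @("competitor.com")   # placeholder domain from the text
        }
    }
} | ConvertTo-Json -Depth 5 -Compress

# A tenant has at most one B2BManagementPolicy: update it if present, else create it.
$existing = Get-AzureADPolicy | Where-Object { $_.Type -eq "B2BManagementPolicy" }
if ($existing) {
    Set-AzureADPolicy -Id $existing.Id -Definition @($definition)
} else {
    New-AzureADPolicy -Type "B2BManagementPolicy" -DisplayName "B2BManagementPolicy" `
        -Definition @($definition) -IsOrganizationDefault $true
}
```

To switch to the most restrictive option ("Allow invitations only to the specified domains"), populate AllowedDomains instead and leave BlockedDomains empty.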
Step 2: Configure guest permissions in Teams
Let’s assume you’ve already turned on guest access in the Teams admin center (Org-wide settings > Guest access). If not, follow the instructions in our blog post on how to enable guest access in Teams.
Once guest access is enabled, people outside your organization can access teams and channels they’ve been invited to join. But you can further configure settings to control specific features guests can access, such as:
- Calling: Do you want to allow your guests to make private calls?
- Meetings: Do you want to allow guests to use IP video, screen sharing mode, and/or Meet now?
- Messaging: Do you want to allow guests to chat, edit or delete sent messages, and/or use things like GIFs and memes in conversation?
Configure guest user permissions for individual teams
Depending on their purpose, you probably have at least a few teams in your tenant that have different security requirements.
Maybe your marketing team does everything in-house while your procurement team is in constant contact with outside vendors, for example.
In the Settings tab for a team within Microsoft Teams, admins and team owners can configure team-specific guest permissions, including the ability to:
- Create and update channels
- Delete channels
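The Step 2 settings above, as an added PowerShell example that is not part of the ShareGate article: the tenant-wide calling, meeting and messaging toggles come from the MicrosoftTeams module's guest configuration cmdlets, and the per-team channel permissions from Set-Team. The module, a Teams administrator session, and the "Procurement" and "Marketing" team names (constructed from the text's example) are assumptions.

```powershell
# Added example: tenant-wide guest feature settings plus per-team guest permissions.
# Assumes the MicrosoftTeams module; guest access itself is already enabled.
Connect-MicrosoftTeams

# Calling: allow guests to make private calls
Set-CsTeamsGuestCallingConfiguration -Identity Global -AllowPrivateCalling $true

# Meetings: IP video and full-screen sharing on, Meet now off
Set-CsTeamsGuestMeetingConfiguration -Identity Global `
    -AllowIPVideo $true -ScreenSharingMode EntireScreen -AllowMeetNow $false

# Messaging: chat on, but no editing/deleting of sent messages and no GIFs/memes/stickers
Set-CsTeamsGuestMessagingConfiguration -Identity Global `
    -AllowUserChat $true -AllowUserEditMessage $false -AllowUserDeleteMessage $false `
    -AllowGiphy $false -AllowMemes $false -AllowStickers $false

# Per-team permissions differ by purpose (constructed team names):
# procurement works with vendors daily, so its guests may create/update channels;
# marketing does everything in-house, so its guests get no channel management at all.
$procurement = Get-Team -DisplayName "Procurement"
Set-Team -GroupId $procurement.GroupId `
    -AllowGuestCreateUpdateChannels $true -AllowGuestDeleteChannels $false

$marketing = Get-Team -DisplayName "Marketing"
Set-Team -GroupId $marketing.GroupId `
    -AllowGuestCreateUpdateChannels $false -AllowGuestDeleteChannels $false

# Review the result for every team in the tenant
Get-Team | Select-Object DisplayName, AllowGuestCreateUpdateChannels, AllowGuestDeleteChannels
```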
Step 3: Control guest access to shared content in SharePoint
Teams is an all-in-one collaboration hub with chat capabilities—and while files can be shared, it is actually not the “home” for these files. When users access files or folders through the Files tab in Microsoft Teams, that content is actually stored in SharePoint.
This means that you need to head over to the SharePoint admin center to configure settings around what guests can access.
SharePoint Online lets you control external sharing settings for your entire organization as well as for individual team sites:
- Organization level sharing settings: Decide whether to allow users to share content anonymously or limit sharing to authenticated external users. These settings are applied across every SharePoint site (and thus every team) in your tenant.
(SharePoint admin center > Policies > Sharing)
- Site level sharing settings: Apply more restrictive sharing settings on a site-by-site (i.e. team-by-team) basis.
(SharePoint admin center > Sites > Active sites > select the site in question. Then select Policies and click on Edit under External sharing)
If a site’s external sharing option and the organization-level sharing option don’t match, the most restrictive value will always be applied—so to maintain a culture of external sharing, think about the most permissive setting needed by any site in your organization when configuring sharing at the organization level.
To keep external collaboration in Teams secure, we recommend that you configure the following SharePoint sharing settings:
- Limit sharing to authenticated external users
- Change your default sharing link type
- Choose additional SharePoint settings based on the needs of your organization
Limit sharing to authenticated external users
If you want guest users in Teams to have access to a team’s SharePoint documents, it’s a good idea to limit external sharing to authenticated users only. That way, guests can’t turn around and forward an anonymous link to someone else.
Sharing with authenticated external users
Content—including lists, libraries, and complete sites—can be shared directly with specified external users. With this method, external collaborators are sent an invitation by email and prompted to sign in using an account from a trusted provider (or in some cases, a verification code) in order to access the content in question.
Once the invitation is accepted, the collaborator is typically added to your organization’s Azure Active Directory as a guest user, but will only have access to the specific elements you shared with them. If you’ve shared an entire site, they’ll have access to everything in it, so the responsible team or owner should make sure it’s free of sensitive content.
To restrict sharing to authenticated external users, select either the New and existing guests or the Existing guests only sharing option in your SharePoint admin center.
We recommend choosing New and existing guests whenever possible—otherwise users have to wait for an admin to add new guests to your directory.
Additional security settings for sharing via anonymous link
When you share a document or file via anonymous link, permission to access your content is given to the hyperlink, not to a specific user. That means that anyone with access to the shared link can view and edit the relevant files, and they can forward the link freely as well.
But maybe you have a PR team that needs to share press releases on a regular basis. Or you have another department that needs to publicly share information to a wide reader base.
If you absolutely have to enable anonymous sharing, we recommend that you configure additional security settings, like Link expiration and Link permissions.
Even with these additional security measures in place, you should be wary of anonymous sharing—you won’t be able to tell if sensitive information is being shared with unsuitable users outside your organization.
Change your default sharing link type
Instead of placing unnecessary restrictions, you can nudge users towards a more secure sharing option by defining which type of sharing link is selected by default when users share files and folders.
Users can still change the type of link to another option before sharing (so long as it’s enabled); however, changing the default option can help prevent accidental and unnecessary anonymous sharing.
You can choose any of the following link types as the default:
- Specific people: This is the safest option if your users collaborate frequently with people outside your organization. This type of sharing link can be used to grant a guest user access and requires them to authenticate.
- Only people in your organization: Choose this option if you think that most of your sharing in your organization takes place between your own users.
- Anyone with the link: This type of sharing link grants anonymous access to anyone who has access to the link. You can only use this link type if you have the Anyone sharing setting enabled.
Choose additional SharePoint settings based on the needs of your organization
The following three sharing policies can also be enabled in the SharePoint admin center’s sharing settings:
- Limit external sharing by domain: Just like you can restrict collaboration at the Azure AD level, you can choose to allow sharing generally—except for with a few specified domains of your choosing. You could also go the other way and choose the more restrictive option: block sharing except for the domains you include. This setting can be configured org-wide as well as at the individual site level.
- Guests must sign in using the same account to which sharing invitations are sent: Because guests can, by default, receive an email invitation at one account and sign in with another, you can enable this policy to limit external users to one account.
- Allow guests to share items they don’t own: By default, guests can only share items if they have full control permissions. Only check this box if you want to let external users share documents they didn’t create.
The two settings listed under Other settings are turned on by default at the organization level—and in most cases, we recommend that you keep them enabled.
- Show owners the names of people who viewed their files in OneDrive: If this option is disabled, the owner of a shared file will no longer see information on the file card such as which users viewed the file without editing it, the number of views on the file, and the number of people who have viewed it.
- Let site owners choose to display the names of people who viewed files or pages in SharePoint: This setting determines whether site owners can allow users with access to see details about who has viewed something on its file card. Note that it’s turned off by default at the site level for existing sites. We recommend that site owners only turn this feature on for team sites that don’t have sensitive information.
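The Step 3 recommendations above (authenticated guests only, a "Specific people" default link, the domain restriction, the invited-account match, and no resharing by guests), as an added PowerShell example that is not part of the ShareGate article, written for the SharePoint Online Management Shell. The module, a SharePoint administrator session, the contoso tenant and site URLs, and the competitor.com domain (placeholder from the text) are assumptions.

```powershell
# Added example: organization-level sharing settings, a per-site override, and an audit.
# Assumes the Microsoft.Online.SharePoint.PowerShell module; URLs are placeholders.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Organization level (SharePoint admin center > Policies > Sharing)
$tenantSettings = @{
    SharingCapability                          = "ExternalUserSharingOnly"  # "New and existing guests"; no Anyone links
    DefaultSharingLinkType                     = "Direct"                   # "Specific people" is the default link
    RequireAcceptingAccountMatchInvitedAccount = $true                      # guests must sign in with the invited account
    PreventExternalUsersFromResharing          = $true                      # guests can't share items they don't own
    SharingDomainRestrictionMode               = "BlockList"                # allow sharing generally ...
    SharingBlockedDomainList                   = "competitor.com"           # ... except to this placeholder domain
}
Set-SPOTenant @tenantSettings

# If one team (e.g. PR) genuinely needs "Anyone" links, the tenant must permit them.
# In that case cap their lifetime and permissions rather than leaving them open:
#   Set-SPOTenant -SharingCapability ExternalUserAndGuestSharing `
#                 -RequireAnonymousLinksExpireInDays 30 `
#                 -FileAnonymousLinkType View -FolderAnonymousLinkType View

# Site level: a team that only works with known vendors can be tightened further.
# Because the most restrictive of the tenant and site values wins, this can only
# narrow what the organization-level setting already allows.
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/Procurement" `
    -SharingCapability ExistingExternalUserSharingOnly

# Audit: list every site whose own setting would permit anonymous links. These only
# take effect if the tenant allows "Anyone" links, so they are worth reviewing either way.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" } |
    Select-Object Url, SharingCapability
```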
Leverage the power of self-service with guest access in Microsoft Teams
Instead of shutting down external sharing, you should leverage the power of self-service to drive user adoption in productivity apps like Microsoft Teams. That’s why we recommend keeping external sharing and guest access enabled.
Of course, securing sensitive data involves more than just flipping a switch. Once guest access in Teams is enabled, it’s crucial to have the right settings and policies in place. Configuring your settings according to the needs of your organization ensures that external collaboration remains productive and secure.
If you haven't tried our automated governance platform for Microsoft Teams and Microsoft 365 Groups, what are you waiting for? ShareGate Apricot is easy to set up and even easier to manage—no clunky interface, no coding, and no Azure AD premium subscription required.
Get full visibility across each team’s lifecycle—from creation all the way through to archival. Automate manual tasks involved in identifying problem areas, like inactive or orphaned teams. And collaborate with team owners on corrective measures to keep your Teams tidy and secure.
Make Teams everyone's favorite tool, with governance that scales with you. See for yourself with a free 30-day trial.