Turning on guest access in Teams involves more than just flipping a switch. We break down Microsoft Teams guest access requirements, with step-by-step instructions on how to enable guest access at all four authorization levels.
When full guest access was introduced to Microsoft Teams, allowing external users to join existing teams and channels, it revolutionized external collaboration here at ShareGate.
Suddenly, employees could invite anyone with an email address to join their team, where they could then make video calls, collaborate on documents, and participate in channel-based chats; with fewer restrictions, people were more likely to use Teams to do their work. That insight was instrumental in the creation of ShareGate Apricot, our Teams governance tool.
By default, guest access is disabled—and turning it on involves more than just flipping a switch. To enable guest access in Teams, you’ll need to take a look at how your settings are configured at four different authorization levels.
Collaborating with external users in Teams? Download our latest eBook, Sharing is caring: A ShareGate guide to creating a productive and secure guest sharing environment in Microsoft Teams.
Secure collaboration in Microsoft Teams—without limiting productivity.
Guest access vs external sharing: What’s the difference?
On the surface, external sharing is the act of making content available to someone outside of your organization. Behind the scenes, though, external sharing can mean very different things.
Depending on the needs of your organization, external sharing can be used to enable:
- Collaboration with guests in a document (via sharing link)
- Collaboration with guests in a site (via sharing link)
- Collaboration with guests in a team (via guest access)
If external sharing is disabled for your organization, then guest access in Teams will also be shut down.
That’s because guest access is a form of external sharing; when you invite a guest to join a team, you’re making content available to someone outside your organization.
Because Teams is built on top of Office 365 Groups, you can manage guests in your Azure Active Directory and the same compliance and auditing protection as the rest of Office 365 apply.
Essentially, guest access lets you maintain complete control while your data never leaves your sight.
Authorize guest access in Microsoft Teams
Remember when we said that guest access is a form of external sharing? Well, here’s why that’s important: you can’t turn on guest access in Microsoft Teams if external sharing is shut down in your Office 365.
Because Microsoft Teams is essentially a unified Office 365 user interface—integrating with other Microsoft apps and services like SharePoint, OneDrive for Business, and Office 365 Groups—guest access features and capabilities in Teams can actually be managed through four different levels of authorization.
- Azure Active Directory: Controls guest experience at directory, tenant, and application level.
- Office 365 Groups: Controls guest experience at the Office 365 Groups and Microsoft Teams level.
- Microsoft Teams: Controls guest experience at the Microsoft Teams level.
- SharePoint Online / OneDrive: Controls guest experience in SharePoint Online, OneDrive for Business, Office 365 Groups, and Microsoft Teams.
Level 1: Enable guest sharing in Azure AD
Before configuring external sharing anywhere else, you need to make sure it’s enabled for your Office 365 tenant as a whole—and that means checking your Azure Active Directory.
This authorization level controls the guest experience at the directory, tenant, and application level. So, if sharing isn’t enabled for your Office 365 tenant in Azure AD, guest access in Teams will also be disabled completely.
To enable external sharing in Azure AD:
- Log in to your Microsoft Azure portal.
- Click on Azure Active Directory in the left navigation.
- In the Manage section of the left navigation, click on Organizational relationships, then Settings.
- Make sure Admins and users in the guest inviter role can invite and Members can invite are both set to Yes.
- In the Collaboration restrictions section, check to make sure the domains of the guests you want to collaborate with aren’t blocked, then click Save.
Note that you can also access these settings through the External collaboration settings page. (Azure Active Directory > Users > User settings. Under External users, select Manage external collaboration settings).
From this user interface, you can configure additional collaboration restrictions and sharing settings—but we’ll touch on those in a future blog post.
Level 2: Enable Office 365 Groups guest settings
Automated governance to make Teams everyone’s favorite tool.
The Office 365 Groups authorization level controls the guest experience in both Office 365 Groups and Microsoft Teams.
Since Microsoft Teams uses Office 365 Groups for team membership, your Office 365 Groups guest settings need to be enabled in order for guest access to work in Teams.
To configure your Office 365 Groups guest settings:
- Navigate to your Microsoft 365 admin center and expand Settings in the left navigation.
- Click on Services & add-ins and select Office 365 Groups from the list.
- Make sure the boxes are checked for both Let group members outside your organization access group content and Let group owners add people outside your organization to groups, then click Save.
It could take up to 24 hours for the changes you made to take effect.
Level 3: Enable guest access at the Teams organization level
This one is a no-brainer: if you want to collaborate with guests in Microsoft Teams, it makes sense that you need to have guest access in Teams enabled.
This authorization level controls the guest experience in Microsoft Teams only. It’s important to know that Teams guest access settings are applied across your entire tenant, and that guest access is turned off by default.
To enable guest access at the Teams level:
- Log in to your Microsoft 365 admin center and navigate to your Microsoft Teams admin center.
- Select Org-wide settings, then click on Guest access.
- Toggle the Allow guest access in Teams switch to On, then click Save.
Note that it can take up to 24 hours for changes to take effect.
Level 4: Enable guest access to SharePoint Online (and OneDrive for Business)
When users access files or folders through Microsoft Teams, that content is actually stored in SharePoint or OneDrive for Business. So it should come as no surprise that the guest experience in Teams is partly determined by the settings in your SharePoint admin center.
This authorization level controls the guest experience in SharePoint Online, OneDrive for Business, Office 365 Groups, and Microsoft Teams, and the settings are applied across your whole tenant—including SharePoint sites connected to an Office 365 group.
If external sharing is disabled at the SharePoint or OneDrive level (while guest access is enabled at the Teams level), external users will still be able to join a team as a guest.
Depending on how you’ve configured settings in Teams, those guests will still be able to do things like make calls, create channels, and chat. But they won’t have access to any documents through the Files tab, even if a user shares a document directly with them through a conversation.
So if you want to collaborate on documents with guests in Teams, you need to have external sharing enabled at the SharePoint (or OneDrive, as the case may be) organization level.
To allow external sharing at the organization level:
- Sign in to the Microsoft 365 admin center as a global or SharePoint admin.
- In the left pane, select SharePoint under Admin centers (if you don’t see it, select Show all for the full list of admin centers). If the classic SharePoint admin center appears, select Open it now at the top of the page to get to the new SharePoint admin center.
- In the left pane under Policies, select Sharing.
- Under External sharing, select Anyone, Existing guests, or New and existing guests.
We should point out that, by default, the sharing level for SharePoint and OneDrive is set to Anyone—which allows users to share files and folders with unauthenticated people.
Choose Existing guests or New and existing guests to make sure only authenticated external users can be granted access to shared content. Again, it can take up to 24 hours for changes to take effect.
Once external sharing is enabled at the organization level of your tenant, you can also manage external sharing settings on a site-by-site (i.e. team-by-team) basis. We’ll dive deeper on how to configure more granular sharing settings in a future blog post, so stay tuned!
Secure collaboration in Teams with the power of self-serve
With the rise of the cloud, sharing content externally is easier than ever for users, but it does have its risks.
While some Office 365 administrators think it’s safer to disable external sharing entirely, imposing limitations like this can negatively impact user adoption and lead to shadow IT.
Instead of doubling down, you should leverage the power of self-service to drive user adoption in productivity apps like Microsoft Teams. That way, data is kept in your tenant where you can protect it, monitor it, and control it.
If you haven't tried our automated governance platform for Microsoft Teams and Microsoft 365 Groups, what are you waiting for? ShareGate Apricot is easy to setup and even easier to manage—no clunky interface, no coding, and no Azure AD premium subscription required.
Get full visibility across each team’s lifecycle—from creation all the way through to archival. Automate manual tasks involved in identifying problem areas, like inactive or orphaned teams. And collaborate with team owners on corrective measures to keep your Teams tidy and secure.
Make Teams everyone's favorite tool, with governance that scales with you. See for yourself with a free 30-day trial.