Turning on guest access in Teams involves more than just flipping a switch. We break down Microsoft Teams guest access requirements, with step-by-step instructions on how to enable guest access at all four authorization levels.
When full guest access was introduced to Microsoft Teams, allowing external users to join existing teams and channels, it revolutionized external collaboration here at ShareGate.
Suddenly, employees could invite anyone with an email address to join their team, where they could then make video calls, collaborate on documents, and participate in channel-based chats; with fewer restrictions, people were more likely to use Teams to do their work. That insight was instrumental in the creation of ShareGate, our Teams governance tool.
Originally, guest access was disabled by default. But, with Microsoft’s recent change to the default configuration for guest access in Teams, guest access is now enabled by default for any customers who have not configured this setting—bringing the Teams guest access capability into alignment with the rest of the suite, where the setting is already enabled by default. If your organization is just starting out in Teams and you haven’t configured any additional security settings yet, this means that users can start inviting external users to join your teams as guests from the get-go.
Whether you’re looking to enable guest access in Teams after previously disabling it or you want to control the guest access experience once it’s been enabled, it’s important to understand that guest access features and capabilities in Teams can be managed through four different levels of authorization.
Depending on the needs of your organization, these different authorization levels provide you with flexibility in how you set up guest access for your organization. To help you get started, we created this handy guide explaining what these levels are and how each one controls the guest access experience in Teams.
Guest access vs external sharing: What’s the difference?
On the surface, external sharing is the act of making content available to someone outside of your organization. Behind the scenes, though, external sharing can mean very different things.
Depending on the needs of your organization, external sharing can be used to enable:
- Collaboration with guests in a document (via sharing link)
- Collaboration with guests in a site (via sharing link)
- Collaboration with guests in a team (via guest access)
If external sharing is disabled for your organization, then guest access in Teams will also be shut down.
That’s because guest access is a form of external sharing; when you invite a guest to join a team, you’re making content available to someone outside your organization.
Because Teams is built on top of Microsoft 365 Groups, you can manage guests in your Azure Active Directory, and the same compliance and auditing protections that cover the rest of Microsoft 365 apply.
Essentially, guest access lets you maintain complete control while your data never leaves your sight.
Authorize guest access in Microsoft Teams
Remember when we said that guest access is a form of external sharing? Well, here’s why that’s important: you can’t turn on guest access in Microsoft Teams if external sharing is shut down completely in your Microsoft 365 environment.
Because Microsoft Teams is essentially a unified Microsoft 365 user interface—integrating with other Microsoft apps and services like SharePoint, OneDrive for Business, and Microsoft 365 Groups—guest access features and capabilities in Teams can actually be managed through four different levels of authorization.
- Azure Active Directory: Controls guest experience at directory, tenant, and application level.
- Microsoft 365 Groups: Controls guest experience at the Microsoft 365 Groups and Microsoft Teams level.
- Microsoft Teams: Controls guest experience at the Microsoft Teams level.
- SharePoint Online / OneDrive: Controls guest experience in SharePoint Online, OneDrive for Business, Microsoft 365 Groups, and Microsoft Teams.
Level 1: Enable guest sharing in Azure Active Directory
Before configuring sharing settings anywhere else, you need to make sure external collaboration is enabled for your Microsoft 365 tenant as a whole—and that means checking your Azure Active Directory.
Sharing in Microsoft 365 is governed at the highest level by the external collaboration settings in your Azure AD. If guest sharing is disabled here, it will override any other sharing settings you’ve configured.
To enable external sharing in Azure AD:
- Log in to your Microsoft Azure portal as a tenant administrator.
- Click on Azure Active Directory in the left navigation.
- In the Manage section of the left navigation, click on External identities, then External collaboration settings.
- Make sure Admins and users in the guest inviter role can invite and Members can invite are both set to Yes. Having both settings enabled ensures that non-admin members of your directory are allowed to invite guests.
- In the Collaboration restrictions section, check to make sure the domains of the guests you want to collaborate with aren’t blocked, then click Save.
From this user interface, you can configure additional collaboration restrictions and sharing settings—but we’ll touch on those in a future blog post.
Level 2: Enable Microsoft 365 Groups guest settings
The Microsoft 365 Groups authorization level controls the guest experience in both Microsoft 365 Groups and Microsoft Teams.
Since Microsoft Teams uses Microsoft 365 Groups for team membership, your Microsoft 365 Groups guest settings need to be enabled in order for guest access to work in Teams.
To configure your Microsoft 365 Groups guest settings:
- Navigate to your Microsoft 365 admin center and expand Settings in the left navigation.
- Click on Org settings and select Microsoft 365 Groups from the list.
- Make sure the boxes are checked for both Let group owners add people outside your organization to Microsoft 365 Groups as guests and Let guest group members access group content, then click Save.
Note: If you don’t select Let guest group members access group content, guests will still be listed as members of the group, but they won’t receive group emails or be able to access any group content. They’ll only be able to access files that were shared directly with them.
It could take up to 24 hours for the changes you made to take effect.
Level 3: Enable guest access at the Teams organization level
This one is a no-brainer: if you want to collaborate with guests in Microsoft Teams, it makes sense that you need to have guest access in Teams enabled.
Note: as of February 8, 2021, guest access is turned on by default for any customers who have not already configured this setting. This brings the Teams guest access capability into alignment with the rest of the suite, where the setting is already on by default.
If you want to disable guest access for your organization (although we don’t recommend it!), you will need to confirm that the guest access setting is set to “Off” instead of “On” after following the directions below.
This authorization level controls the guest experience in Microsoft Teams only. It’s important to know that Teams guest access settings are applied across your entire tenant.
To enable guest access at the Teams level:
- Log in to your Microsoft 365 admin center as a global or Teams admin.
- In the left pane, select Teams under Admin centers (if you don’t see it, select Show all for the full list of admin centers).
- In the Microsoft Teams admin center, select Org-wide settings in the left navigation, then click on Guest access.
- Ensure that Allow guest access in Teams is set to On, then click Save.
Note that it can take up to 24 hours for changes to take effect.
Level 4: Enable guest access to SharePoint Online (and OneDrive for Business)
Within the Microsoft 365 ecosystem, SharePoint is the tool for document management—and that probably won’t change anytime soon.
Case in point? When users access files or folders through Microsoft Teams, that content is actually stored in SharePoint or OneDrive for Business. Files and folders stored in a team’s document library or shared in a channel are actually stored in a SharePoint Online team site. And files attached to private chat sessions or a chat during a meeting or call are uploaded and stored in the OneDrive for Business account of the user who shared the files.
So, it should come as no surprise that the guest experience in Teams is partly determined by the settings in your SharePoint admin center. In order for guests to have access to a team’s shared files, folders, and lists, your SharePoint settings need to allow for sharing with guests.
This authorization level controls the guest experience in SharePoint Online, OneDrive for Business, Microsoft 365 Groups, and Microsoft Teams, and the settings are applied across your whole tenant, including SharePoint sites connected to a Microsoft 365 group.
If external sharing is disabled at the SharePoint or OneDrive level (while guest access is enabled at the Teams level), external users will still be able to join a team as a guest.
Depending on how you’ve configured settings in Teams, those guests will still be able to do things like make calls, create channels, and chat. But they won’t have access to any documents through the Files tab, even if a user shares a document directly with them through a conversation.
So if you want to collaborate on documents with guests in Teams, you need to have external sharing enabled at the SharePoint (or OneDrive, as the case may be) organization level.
To allow external sharing at the organization level:
- Sign in to the Microsoft 365 admin center as a global or SharePoint admin.
- In the left pane, select SharePoint under Admin centers (if you don’t see it, select Show all for the full list of admin centers). If the classic SharePoint admin center appears, select Open it now at the top of the page to get to the new SharePoint admin center.
- In the left pane under Policies, select Sharing.
- Under External sharing, select Anyone, Existing guests, or New and existing guests.
We should point out that, by default, the sharing level for SharePoint and OneDrive is set to Anyone—which allows users to share files and folders with unauthenticated people.
Choose Existing guests or New and existing guests to make sure only authenticated external users can be granted access to shared content. Again, it can take up to 24 hours for changes to take effect.
Once external sharing is enabled at the organization level of your tenant, you can also manage external sharing settings on a site-by-site (i.e. team-by-team) basis. We’ll dive deeper on how to configure more granular sharing settings in a future blog post, so stay tuned!
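A read-only way to confirm all four levels from PowerShell instead of clicking through each admin center, as an added example that is not part of the original article or ShareGate's tooling. It assumes the Microsoft.Graph, MicrosoftTeams and Microsoft.Online.SharePoint.PowerShell modules are installed; the admin URL is a placeholder and `Add-Row` is a hypothetical helper.

```powershell
# Added example: read-only check of the four guest-access levels; it changes nothing.
$SpoAdminUrl = 'https://<tenant>-admin.sharepoint.com'   # placeholder, use your own admin URL

Connect-MgGraph -Scopes 'Policy.Read.All', 'Directory.Read.All'
Connect-MicrosoftTeams | Out-Null
Connect-SPOService -Url $SpoAdminUrl

$report = [System.Collections.Generic.List[object]]::new()
function Add-Row($Level, $Setting, $Value, $Note) {   # hypothetical helper
    $report.Add([pscustomobject]@{ Level = $Level; Setting = $Setting; Value = $Value; Note = $Note })
}

# Level 1: Azure AD external collaboration settings (who may invite guests)
$invites = (Get-MgPolicyAuthorizationPolicy).AllowInvitesFrom
$note = switch ($invites) {
    'none'                             { 'Nobody can invite guests; this overrides the levels below' }
    'adminsAndGuestInviters'           { 'Members cannot invite guests' }
    'adminsGuestInvitersAndAllMembers' { 'Admins, guest inviters and members can invite' }
    'everyone'                         { 'Guests can invite other guests as well' }
}
Add-Row 1 'AllowInvitesFrom' $invites $note

# Level 2: Microsoft 365 Groups guest settings (stored in the Group.Unified settings object)
$unified = Get-MgGroupSetting | Where-Object DisplayName -eq 'Group.Unified'
foreach ($name in 'AllowToAddGuests', 'AllowGuestsToAccessGroups') {
    $value = ($unified.Values | Where-Object Name -eq $name).Value
    $note = switch ($true) {
        ($null -eq $value)             { 'No override stored: tenant default applies'; break }
        ($value -eq 'true')            { 'Enabled'; break }
        ($name -eq 'AllowToAddGuests') { 'Group owners cannot add guests'; break }
        default                        { 'Guests stay listed as members but cannot open group content' }
    }
    Add-Row 2 $name $value $note
}
# Level 3: Teams org-wide guest access switch
$teamsGuest = (Get-CsTeamsClientConfiguration -Identity Global).AllowGuestUser
Add-Row 3 'AllowGuestUser' $teamsGuest $(if ($teamsGuest) { 'On, tenant-wide' } else { 'Off, tenant-wide' })
# Level 4: SharePoint Online and OneDrive organization-level sharing
$spo = Get-SPOTenant
foreach ($prop in 'SharingCapability', 'OneDriveSharingCapability') {
    $cap = "$($spo.$prop)"
    $note = switch ($cap) {
        'Disabled'                        { 'Guests can join teams but get no access via the Files tab' }
        'ExistingExternalUserSharingOnly' { 'Existing guests' }
        'ExternalUserSharingOnly'         { 'New and existing guests' }
        'ExternalUserAndGuestSharing'     { 'Anyone: unauthenticated sharing links are allowed' }
    }
    Add-Row 4 $prop $cap $note
}
$report | Format-Table -AutoSize -Wrap
```

Because changes at each level can take up to 24 hours to apply, the stored values shown here may be ahead of what guests actually experience.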
Secure collaboration in Teams with the power of self-serve
With the rise of the cloud, sharing content externally is easier than ever for users, but it does have its risks.
While some Microsoft 365 administrators think it’s safer to disable external sharing entirely, imposing limitations like this can negatively impact user adoption and lead to shadow IT.
Instead of doubling down, you should leverage the power of self-service to drive user adoption in productivity apps like Microsoft Teams with our tool for automated Teams governance and security. That way, data is kept in your tenant where you can protect it, monitor it, and control it.