Microsoft Teams is an extraordinarily powerful collaboration tool. Today, we’ll focus on Microsoft Teams guest access — one of the most important features in Teams.
Guest access is a necessity for even the most guarded Teams groups. For the majority of companies, there are instances when getting assistance outside your organization is more efficient than within your existing team. With its open and flexible permissions policies, Microsoft Teams allows you to communicate and share content with other users, both inside and outside your organization via its guest access feature.
What is guest access?
Guest access extends the robust collaboration functionality of Microsoft Teams beyond your internal staff by enabling team owners to invite people from outside your organization (partners, customers, contractors and so on) to access their teams and the content in them. Anyone with a working email address can join Teams via this role. A guest can have access to teams, documents, resources, chats, and shared applications, subject to sharing rules set by the team owner or administrator. In addition, there are limitations in Microsoft Team functions compared to team members.
Note: This article assumes a working familiarity with Microsoft Teams and some knowledge of Microsoft 365 and Azure Active Directory.
When (and who) should you grant guest access?
There will always be instances where Teams users will need to collaborate with external users. Guest access is an ideal way to grant access levels to external users without the need to provide full team membership. Some of the situations that require guest access levels include the following:
- Teams could use advice or assistance from a former co-worker or business partner, who used to be the authority on the subject. However, providing the usual access levels to a former employee is not the best way to do this. It’s probably safer to provide guest access that limits the former co-worker to documents and communications that pertains to their expertise. In the same manner, guest access can also be provided to team members who already gave two weeks notice.
- An external contractor/consultant. In most cases, contractors often provide assistance on specific areas of a project. As such, it only makes sense to grant access to these areas only, and not the entire project.
- A vendor or supplier, who needs access to specific internal resources and collaboration with an internal person in charge to integrate their provided solution.
Differences between a team member and a guest
Guests have limited functionality compared to full team members. They can only participate in collaborative efforts such as join chats, participate in channel conversations, post messages, access SharePoint files and attach files during Team chats. While call functionality is available, many advanced call features are inaccessible. Limited functionality ensures the control of the team and its resources remain solely in the hands of the team and its admins.
In short, Microsoft Teams guest access is a more suitable permission level when assigning access to persons outside of the team organization. For example, you may want to include them in the collaboration and execution stage, but they don’t necessarily need full access to the project.
How do you permit guest access?
Joining a team as a guest is by invitation only. Team owners or admins are the ones that can send an invite via the guest’s email address or authorize members to send invites. The target guest will need to confirm joining the team by accepting the email invitation. At this point, guests with Azure Active Directory accounts can proceed and authenticate their guest status. Those without, will have to undergo additional security measures, including authenticating the invite via a one-time passcode. Once accepted, guests can now join in team activities. They can receive and reply to messages, join chats, share, and collaborate on files.
As of February 2021, the guest access feature is turned on by default for users who haven’t configured this setting. If you’d like guest access disabled for your organization, you’ll need to confirm that the setting is set to Off instead of Service default.
Securing Microsoft Teams when sharing with guests
Why do we need guest access anyway? If they’re going to share resources and collaborate, why not make them members? Unlike Microsoft Teams members, guests only need limited access to certain resources in their assigned areas of responsibility. This way, you can ensure the security of your Microsoft Teams environment and maintain the confidentiality of your files and documents. In addition, adding full members counts towards your license limit.
That being said, certain cautionary measures must be implemented when having guests around. This way, you don’t inadvertently share resources that should have stayed private. Managing guest security also ensures that guess access accounts remain secure and confidential.
Some additional security measures that you can implement are:
- Implementing multi-factor authentication for guests’ accounts
- Provide detailed terms of use
- Set up quarterly audits to remove dormant or dead accounts and review access permissions for existing guests
- Limit guests to web-only access when using an unregistered device
- Implement session timeouts to encourage frequent authentication
- Identify and label sensitive files and documents, then remove guest access
Microsoft Azure permission levels
For increased security, you can assign permission levels to your guests using the guest user restrictions policy controls in Azure Active Directory. These let you assign different policy options to each guest, ranging from most inclusive to the most restrictive.
- The guest users have the same access as members is the most inclusive, allowing guests the same access levels to directory data as Teams members.
- The guest users have limited access to properties and membership of directory objects settings are restricted from performing certain directory tasks, including using Microsoft Graph for enumerating users, groups, or other directory resources.
- The guest user access is restricted to properties and memberships of their own directory objects is the most restrictive, which limits guests’ access to only their own directory objects.
Changing permission levels in the Azure Active Directory will require administrator or Team owner participation.
How much will it cost to add guests?
Licensing for Microsoft Teams guest access is already incorporated with your existing Microsoft 365 subscriptions, including Microsoft 365 Business Standard, Microsoft 365 Enterprise, and Microsoft 365 Education. Additional licenses are unnecessary to add guests.
Teams can also add an unlimited number of guests. However, the actual total may depend on the paid features in your Azure Active Directory license. In addition, standalone Microsoft 365 subscribers are considered as belonging to the same organization and will not be recognized as guests. To access Teams, they must secure a Microsoft 365 Business Standard, Office 365 Enterprise, or Office 365 Education subscription.
Teams is here to stay
Many organizations adopted Microsoft Teams quickly to enable users to work from home during the COVID-19 pandemic, but the platform is so powerful and flexible that it will undoubtedly continue to be an essential business application even as workers return to the office. The guest access feature is especially useful, since it extends the extensive collaboration capabilities of Teams to your business partners, customers, contractors and other third parties. Understanding how to use is properly and securely will be important for every organization moving forward.
For more insight into how to get the most value from the platform, check out some of our other Teams posts below.
How to use Microsoft Teams: Putting the team back in teamwork
Everything you should know about Microsoft Teams
Microsoft Teams security: A primer on How to Secure Microsoft Teams
An overview of Microsoft Teams shared calendar functionality