The most common concern we hear during Teams Governance sessions with customers is “Should we allow Guest User Access into Teams or not?” Their concerns include:
- Who should be able to invite Guests into Teams? Teams owners? IT? Guests themselves?
- Which Guests can be invited? Guests from any domain at all? Or just certain domains?
- What do Guests get to do once they are members of a Team? Same rights as any other member?
- What if Team owners inadvertently share sensitive content with a Guest in a Team?
These are all legitimate concerns, and customer decisions in these areas generally depend on the kind of content that may be shared with a Guest in a Team. Those organizations with more sensitive content, as you might expect, are more cautious about allowing Guests. Those organizations whose business model thrives on unimpeded collaboration are more welcoming.
Why is this important now? Because in February of 2021, Microsoft will automatically turn on Guest user access if your organization has not made an affirmative decision one way or another. (See the link here.) How can you tell if you haven’t made an affirmative decision? In the Teams Admin portal, click on Org-Wide Settings -> Guest Access. If you see this:
no affirmative decision has been made and you will be switched to
at the end of February. (Originally, the date was February 8, but that seems to have slipped.)
In anticipation of your decision in this regard, let’s review a few of the controls IT pros have at their disposal to manage Guests.
External User Settings
Navigate to Azure Active Directory -> Users -> User Settings -> Manage External Collaboration Settings. Here you have several controls that can be applied to Guest behavior in Teams.
First up is whether Guest Users have the same or different permissions as other Team members when accessing Azure Active Directory profile content.
Next up is who can invite Guests into your tenant. Just admins or members as well? Or can Guests themselves invite Guests?
Following this is a feature still in preview concerning whether Guests may have access to a self-service sign-up flow you might configure. See the link here.
An option to enable a one-time passcode for Guests whose email address is not backed by an Azure AD or Microsoft account is available as well. See more on this here.
Finally, we can limit which domains Guests can be invited from. Your choices are all domains, block specific domains, or allow specific domains.
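The first three settings above (Guest permissions, who can invite, and email-verified self-service sign-up) all live in the tenant's authorization policy, so they can be audited and set from PowerShell as well as from the portal. The following is an added example, not code from the original post: it uses the Microsoft Graph PowerShell SDK (`Microsoft.Graph.Identity.SignIns` module) and assumes a role that can read and write the authorization policy. The guest role GUIDs are the values Microsoft documents for `guestUserRoleId`; the domain allow/block list and the one-time passcode setting are not part of this policy and are left to the portal steps above.

```powershell
# Added example (not from the original post): read and set the Azure AD
# external collaboration settings with the Microsoft Graph PowerShell SDK.
# Assumes Microsoft.Graph.Identity.SignIns is installed and that the signed-in
# account may read/write the authorization policy.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.Authorization"

# Documented guestUserRoleId values for authorizationPolicy
$GuestRoleNames = @{
    "a0b1b346-4d3e-4e8b-98f8-753987be4970" = "Same access as member users"
    "10dae51f-b6af-4016-8d66-8c2a99b929b3" = "Limited access (default)"
    "2af84b1e-32c8-42b7-82bc-daa82404023b" = "Restricted access (own objects only)"
}

function Get-GuestCollaborationSummary {
    # Returns one object summarising the tenant-wide guest settings
    $p = Get-MgPolicyAuthorizationPolicy
    [pscustomobject]@{
        GuestPermissions  = $GuestRoleNames[$p.GuestUserRoleId]
        # none | adminsAndGuestInviters | adminsGuestInvitersAndAllMembers | everyone
        WhoCanInvite      = $p.AllowInvitesFrom
        SelfServiceSignUp = $p.AllowEmailVerifiedUsersToJoinOrganization
    }
}

function Set-GuestCollaborationBaseline {
    # Cautious baseline: limited guest directory access, invitations only by
    # admins and users holding the Guest Inviter role, no email-verified self sign-up.
    Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId "authorizationPolicy" `
        -GuestUserRoleId "10dae51f-b6af-4016-8d66-8c2a99b929b3" `
        -AllowInvitesFrom "adminsAndGuestInviters" `
        -AllowEmailVerifiedUsersToJoinOrganization:$false
}

# Show the current state before changing anything
Get-GuestCollaborationSummary | Format-List
```

Run the summary first and keep its output as the "before" record; the baseline function is deliberately separate so a change is an explicit second step rather than a side effect of looking.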
If organizations allow Guest User Access, we recommend some kind of conditional access (e.g. MFA) be applied to those Guests who are invited to collaborate on your tenant.
In Azure Active Directory, navigate to Security -> Conditional Access -> New Policy.
Choose to apply your policy to Guest and External Users:
Select the scope for the policy, that is, what apps will your policy apply to:
You can optionally configure any risk conditions (e.g. certain locations, sign-in behavior, user device settings) you might wish to protect against:
When you configure Access Controls, you can choose from an array of steps the Guest user must take to gain access to your tenant like Multi-Factor Authentication. You can also manage user access and activity during the Guest’s session on your tenant.
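The portal steps above map onto one Conditional Access policy object, which the following added example (not code from the original post) creates with the Microsoft Graph PowerShell SDK: scope is "Guest and External Users", target is all cloud apps, the access control is MFA, and the session control forces re-authentication daily. It is created in report-only mode so the sign-in logs show who would have been affected before you enforce it. It assumes the `Policy.ReadWrite.ConditionalAccess` permission; the risk conditions from the step above are shown commented out.

```powershell
# Added example (not from the original post): Conditional Access policy that
# requires MFA for guests/external users across all cloud apps, created in
# report-only mode. Assumes the Microsoft Graph PowerShell SDK and the
# Policy.ReadWrite.ConditionalAccess permission.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

$policyBody = @{
    displayName = "Guests: require MFA and daily re-authentication (report-only)"
    state       = "enabledForReportingButNotEnforced"   # change to "enabled" after reviewing sign-in logs
    conditions  = @{
        # "Guest and External Users" selector in the portal
        users          = @{ includeUsers = @("GuestsOrExternalUsers") }
        # Scope: every cloud app
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        # Optional risk condition: only trigger on risky sign-ins
        # signInRiskLevels = @("high", "medium")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")   # the step the guest must complete to gain access
    }
    sessionControls = @{
        # Manage the guest's session: force a fresh sign-in once a day
        signInFrequency = @{ isEnabled = $true; value = 1; type = "days" }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policyBody
"Created policy '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State
```

Because the scope is guests and external users only, member accounts (including any emergency-access accounts) are untouched by this policy; if you later widen the user scope, add those accounts to `excludeUsers` before enabling it.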
Guest User Access Rights – Tenant-Wide
Having made decisions about whether Guests can join and how they gain access to your tenant, you can control certain behaviors of the Guest in your Teams once you turn on Guest User access:
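The tenant-wide Guest switches in the Teams admin portal are also exposed by the MicrosoftTeams PowerShell module. The following added example (not code from the original post) reads the current guest access, calling, meeting and messaging settings into one object and shows a cautious baseline that turns Guest access on while disabling third-party content and ad-hoc meetings for guests. It assumes the `MicrosoftTeams` module and a Teams Administrator role.

```powershell
# Added example (not from the original post): audit and set tenant-wide
# Guest behaviour in Teams with the MicrosoftTeams PowerShell module.
# Assumes the module is installed and the account holds Teams Administrator.
Connect-MicrosoftTeams

function Get-TeamsGuestSettings {
    # One object with the tenant-wide guest switches as currently configured
    [pscustomobject]@{
        GuestAccessEnabled = (Get-CsTeamsClientConfiguration -Identity Global).AllowGuestUser
        PrivateCalling     = (Get-CsTeamsGuestCallingConfiguration -Identity Global).AllowPrivateCalling
        Meeting            = Get-CsTeamsGuestMeetingConfiguration -Identity Global |
                                 Select-Object AllowIPVideo, ScreenSharingMode, AllowMeetNow
        Messaging          = Get-CsTeamsGuestMessagingConfiguration -Identity Global |
                                 Select-Object AllowUserEditMessage, AllowUserDeleteMessage, AllowUserChat,
                                               AllowGiphy, GiphyRatingType, AllowMemes, AllowStickers
    }
}

function Set-TeamsGuestBaseline {
    # Cautious baseline: guests allowed in, core collaboration on,
    # Giphy/memes/stickers off, no guest-initiated "Meet now"
    Set-CsTeamsClientConfiguration -Identity Global -AllowGuestUser $true
    Set-CsTeamsGuestCallingConfiguration -Identity Global -AllowPrivateCalling $true
    Set-CsTeamsGuestMeetingConfiguration -Identity Global `
        -AllowIPVideo $true -ScreenSharingMode EntireScreen -AllowMeetNow $false
    Set-CsTeamsGuestMessagingConfiguration -Identity Global `
        -AllowUserEditMessage $true -AllowUserDeleteMessage $true -AllowUserChat $true `
        -AllowGiphy $false -GiphyRatingType Strict -AllowMemes $false -AllowStickers $false
}

# Record the current state before applying any change
Get-TeamsGuestSettings | Format-List
```

Note that `AllowGuestUser` is the same master switch the portal shows under Org-Wide Settings -> Guest Access, so this is also a quick way to verify which way your tenant is currently set.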
Guest User Access – Teams
Your Team Owners have additional controls that apply to individual Teams:
Teams Admin Portal
As Teams Administrator, you can use the Manage Teams portion of the Teams admin portal to identify which Teams have Guests.
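The Manage Teams view answers "which Teams have Guests" one Team at a time; for a tenant-wide picture the same question can be scripted. The following added example (not code from the original post) uses the MicrosoftTeams module to list every Team with at least one Guest, derive each guest's home domain from the guest UPN, and flag Teams whose guests come from a domain outside your allow list. The `$AllowedGuestDomains` list is a constructed sample; `Get-GuestHomeDomain` and `Get-TeamsWithGuests` are helper names introduced here.

```powershell
# Added example (not from the original post): report every Team containing
# Guests and flag guest home domains not on an allow list.
# Assumes the MicrosoftTeams module and a Teams Administrator role.
Connect-MicrosoftTeams

# Constructed sample; replace with the domains your organization allows
$AllowedGuestDomains = @("contoso.com", "fabrikam.com")

function Get-GuestHomeDomain {
    # Guest UPNs look like jane.doe_contoso.com#EXT#@yourtenant.onmicrosoft.com;
    # the segment between the last "_" and "#EXT#" is the guest's home domain.
    param([string]$UserPrincipalName)
    if ($UserPrincipalName -match '_([^_#]+)#EXT#@') { return $Matches[1].ToLower() }
    return 'unknown'
}

function Get-TeamsWithGuests {
    foreach ($team in Get-Team) {
        $guests = @(Get-TeamUser -GroupId $team.GroupId -Role Guest)
        if ($guests.Count -eq 0) { continue }
        $domains = $guests | ForEach-Object { Get-GuestHomeDomain $_.User } | Sort-Object -Unique
        $offList = $domains | Where-Object { $AllowedGuestDomains -notcontains $_ }
        [pscustomobject]@{
            Team           = $team.DisplayName
            GroupId        = $team.GroupId
            Visibility     = $team.Visibility
            GuestCount     = $guests.Count
            GuestDomains   = ($domains -join ';')
            OffListDomains = ($offList -join ';')   # non-empty means this Team needs review
        }
    }
}

$report = Get-TeamsWithGuests
$report | Sort-Object GuestCount -Descending | Format-Table -AutoSize
$report | Export-Csv -Path .\TeamsWithGuests.csv -NoTypeInformation
```

`Get-Team` enumerates every Team in the tenant and `Get-TeamUser` is called once per Team, so on a large tenant expect the script to take a while; the CSV gives Team owners a concrete list to act on when the off-list column is non-empty.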
Whatever decisions your organization makes with respect to Guest User access to your domain, be sure to familiarize yourself with the options you have available to manage that access and Guest behavior in your tenant. For help, reach out to us at email@example.com.