Microsoft Teams is the device-agnostic, all-in-one cloud collaboration platform for Microsoft 365 users. With its open and flexible permissions policies, Teams lets you communicate and share content with other users, both inside and outside your organization.
However, external collaboration raises security concerns, including risks of uncontrolled file sharing and sensitive data leakage. Fortunately, Microsoft provides a range of configuration options that grant you safe ways to make portions of your Teams environment accessible to external users.
In a changing workplace that has become reliant on remote communication, you can use Teams to leverage the power of the cloud without sacrificing security. This article will walk you through some security best practices for configuring the external sharing capabilities of Teams.
- What’s the difference between guest access and external access in Microsoft Teams?
- Guest Access in Microsoft Teams
- External Access in Microsoft Teams
- Security Best Practices for Guest and External Access in Microsoft Teams
Microsoft provides two different ways to communicate and collaborate with Microsoft Teams external users. You can implement either, both or neither of these access methods, depending on your external collaboration needs.
- Guest access — Allows users from outside the organization to become nearly full-fledged team members who can make calls, participate in chats, set up meetings and access shared files. Team owners can add guests on an individual basis.Use guest access when you want to grant an external user access to the same Teams activities, channels and shared resources as native team members.
- External access (federation): Allow Teams users in specified external domains to find, chat, call, and send meeting invitations to people in your organization. Federated users from outside can’t access your internal Teams activities or resources.Use external access when you want to enable collaboration with an external user on Skype for Business or to prevent external users from accessing Teams content.
For more details about these access methods, consult this comparison chart.
Guest access is a tenant-wide capability in Teams that is disabled by default.
When guest access is enabled, anyone outside your organization who has a business or consumer email account can become a guest. Eligible guests receive an email invitation from the team owner. Once they redeem the invitation by clicking Open Microsoft Teams, they get added to the team with guest user permissions.
Guests can chat, make calls and participate in channel conversations. They can also create channels and share files. However, guests don’t have access to other functions available to team members of the organization, like OneDrive for Business and the Teams calendar.
For a complete list of guest user capabilities and limitations in Teams, consult this capabilities table.
Team owners can add as many guests as they wish, up to the limit defined by your Azure Active Directory (Azure AD) license. Guest access is governed by service limits in Azure AD and Microsoft 365 (formerly known as Office 365).
For security, Microsoft covers Teams guest accounts with the same compliance and auditing protection used elsewhere in Microsoft 365.
To enable and manage guest access in Teams, you must have Global Administrator or Teams Administrator privileges. Once guest access is turned on, it will take 2–24 hours for the change to take full effect across your Microsoft 365 tenant.
There are four separate configuration portals you can use to manage guest access in Teams. Each portal controls a distinct authorization level of the guest experience:
- Azure AD — Authorizes guest access at the directory, tenant and application levels.
- Microsoft 365 Groups — Authorizes guest access to Microsoft 365 groups and Teams (each team in Teams is built on an underlying Microsoft 365 group)
- Microsoft Teams — Authorizes guest access to Teams only
- SharePoint Online and OneDrive for Business: Authorizes guest access to SharePoint, OneDrive, Microsoft 365 groups, and Teams (the SharePoint configuration governs the file-sharing experience for guests in Teams)
The guest access configuration in each portal has dependencies and effects on the configuration in other portals, according to the authorization level. For example, if you disable external sharing at the Azure AD level, guest access will be disabled in Teams. If you enable sharing in Azure AD and guest access in the Teams admin center but disable external sharing in SharePoint, guests can join a team but will have limited access to shared team files.
Take the following steps to enable and set guest permissions in the Teams admin center:
- Log in to the Teams admin center using Teams Administrator privileges.
- Navigate to Org-wide settings > Guest access.
- Switch the Allow guest access in Microsoft Teams toggle to On. This setting enables guest access capabilities.
- Use the controls under the Calling, Meeting and Messaging sections to fine-tune the specific capabilities granted to guests. Configurable capabilities include:
- Private peer-to-peer calls
- Use of IP video in calls and meetings
- Screen sharing
- Meet Now (lets users start a meeting immediately from the context of a conversation)
- Editing of sent messages
- Giphy (lets users share animated GIFs of a specified content rating)
- Meme usage in conversations
- Sticker usage in conversations
- Click Save to apply the configuration.
By default, external access is fully enabled in Teams tenant-wide. The default setting of “open federation” allows Teams users in any external domain to find and contact team members in your organization using an email address.
The three external access configurations are:
- Open federation (default setting) — Permits external access from any domain
- Allow specific domains — Allows external access from the specified domains only
- Block specific domains — Blocks external access from the specified domains and allows access from all other domains
To change the external access configuration from the default setting, take these steps:
- In the Microsoft Teams admin center, go to Org-wide settings > External access.
- Switch the Users can communicate with other Skype for Business and Teams users toggle to On.
- To allow or block specific domains, click Add domain. Specify the name of the domain and add it to the Allow or Block list.
- Save your changes. You have just configured the outgoing federation.
- Work with Teams administrators in other organizations to configure the incoming federation. For example, make sure they add your business domain to their Allow list.
- Test the configuration by using the Teams app to find and send a chat request to a federated external Teams user, and have the external user send a Teams chat request to you. If you each receive the requests, you know the federation has been configured successfully.
Follow these basic tips to optimize the security and management of guest access and external access to your organization’s teams:
- Enforce the principle of least privilege: Grant the minimum level of guest permissions necessary for native and guest team members to complete their work.
- Make sure your sharing settings in Microsoft 365 groups, SharePoint Online and the Microsoft 365 Admin Center support the intended levels of guest permissions.
- Define who has authorization to invite guests into Teams — admins, non-admins or even guests — by configuring the external collaboration settings in Azure AD.
- Another way to restrict the number of users who can invite guests is to define a Microsoft 365 group that consists exclusively of users who have permission to create groups; only authorized users will be able to create teams and add members or guests.
- Configure guest permissions for an individual team:
- In the Teams app, click Teams in the left-hand ribbon.
- Select the team and go to More options (…) > Manage team.
- Navigate to Settings > Guest permissions and use the settings to define how much control guests have over team channels.
- Protect data privacy by classifying your content using a solution such as Netwrix Data Classification, which lets you create workflows governing where sensitive data can and cannot be stored.
- Disable external sharing for folders or files that should be kept in house.
- To add or remove guests from a team, always use the Teams client rather than another configuration portal, such as the Microsoft 365 Admin Center. Using the Teams client ensures that changes in guest access cascade correctly to other dependent apps.
1. What is guest access in Microsoft Teams?
Guest access is a way for people outside your organization to join Teams in order to communicate and collaborate with your native Teams users.
2. Does Microsoft Teams allow external users?
Yes. Guests are external users who can participate in Teams activities.
3. What can a guest do in Microsoft Teams?
Depending on how the Teams administrator has configured guest capabilities, guests can chat, make calls and post messages in channel conversations. They can also create and delete channels and share files with native team members.