Forum Discussion
Guest user permissions control for Teams
I'm looking for assistance to find out our options to allow guest access to Microsoft Teams sites in our Office 365 tenant. I was hoping there were more granular controls to protect sensitive information with the Teams site.
When you invite a guest user into your Teams site they become a member of the Office 365 group. The guest user basically has all the same permissions as the internal employees. This gives them access to all the chats, public channels, and member permissions to the Teams Sharepoint document library. Is there good way to control the Teams Sharepoint document library permissions so the guest user doesn't not have access to all of the Teams Sharepoint document library?
To protect the Sharepoint document library, it looks like our options are to break the Teams Sharepoint permissions by disabling inheritance and managing Sharepoint permissions manually. This seems messy and would be a burden to manage for all the Teams sites we are managing. The other option would be to create separate private Teams sites for external clients/users and then specify which domains are allowed in the Teams admin center.
Is there a better way to manage Teams guest access? What am I missing?
- Some recommendations
- Use Private Channels: only people you specify have access to private channels
- Use Sensitivity Labels: set labels on specific Teams so that guests don't have access to them
- Use Azure Information Protection / Labels on documents to ensure that only specific people can access specific documents
- Build separate SharePoint sites where only specific people have permissions and add them to Teams as Tabs
There are quite a few methods as opposed to having to break the underlying sharepoint permissions: that's a headache from a management perspective
Hope that answers your question!
Best, Chris
8 Replies
- Some recommendations
- Use Private Channels: only people you specify have access to private channels
- Use Sensitivity Labels: set labels on specific Teams so that guests don't have access to them
- Use Azure Information Protection / Labels on documents to ensure that only specific people can access specific documents
- Build separate SharePoint sites where only specific people have permissions and add them to Teams as Tabs
There are quite a few methods as opposed to having to break the underlying sharepoint permissions: that's a headache from a management perspective
Hope that answers your question!
Best, ChrisChrisHoardMVP I don't see the ability to convert a standard channel to a private channel. Is there a option to do this in powershell? Or does Microsoft have this on there roadmap to have that ability?
I will have to investigate sensitivity labels.
Adding Azure Information Protection labels on documents in the Sharepoint library seems like a daunting task.
- You can't convert standard to private or vice-versa. You will need to create them from scratch.
Sensitivity labels is here
https://docs.microsoft.com/en-us/MicrosoftTeams/sensitivity-labels
Classification of documents is here
https://docs.microsoft.com/en-us/microsoft-365/enterprise/infoprotect-configure-classification?view=o365-worldwide
Hope that answers your question
Best, Chris
