Forum Discussion

MagicMarker's avatar
MagicMarker
Copper Contributor
May 06, 2020
Solved

Guest user permissions control for Teams

I'm looking for assistance to find out our options to allow guest access to Microsoft Teams sites in our Office 365 tenant. I was hoping there were more granular controls to protect sensitive informa...
Guest Access
microsoft teams
  • ChrisHoardMVP's avatar
    ChrisHoardMVP
    May 06, 2020
    Some recommendations

    - Use Private Channels: only people you specify have access to private channels
    - Use Sensitivity Labels: set labels on specific Teams so that guests don't have access to them
    - Use Azure Information Protection / Labels on documents to ensure that only specific people can access specific documents
    - Build separate SharePoint sites where only specific people have permissions and add them to Teams as Tabs

    There are quite a few methods as opposed to having to break the underlying sharepoint permissions: that's a headache from a management perspective

    Hope that answers your question!

    Best, Chris
MagicMarker's avatar
MagicMarker
Copper Contributor
May 06, 2020

ChrisHoardMVP Chris, in regards to building a separate Sharepoint site with specific permissions, then adding that Sharepoint site as a tab in Teams. Does guest access need to be turned on in the Teams Admin center for the guest to access that tab in Teams?  In other words, with external access only turned on, will a guest be able to access that tab in Teams?

ChrisHoardMVP's avatar
ChrisHoardMVP
MVP
May 06, 2020
Yes, because guest access is needed to add the guest to the Team itself
  • MagicMarker's avatar
    MagicMarker
    Copper Contributor
    May 06, 2020

    ChrisHoardMVP Thank you for all your help with answering my questions so far. For us at this time, it seems to make the most sense to just invite the guest separately in the Sharepoint site. We can leave Teams Org Wide external access on so that the client/external user can still be invited to the Team to be able to chat/call and @ mention the external user when chatting in Teams, correct? 

    • ChrisHoardMVP's avatar
      ChrisHoardMVP
      MVP
      May 07, 2020
      Yes, this is possible. I have seen many cases that all the org wants to do is share files with the organisation rather than all the resources of and in the Team. And as Mitchell suggests you could also look to use CA if you want to go down that route

      So I hope we got there

      Best, Chris
    • Mitchell Bakker's avatar
      Mitchell Bakker
      Iron Contributor
      May 07, 2020

      MagicMarker in addition on the good options from ChrisHoardMVP you can also take a look at Conditional access (Depends if it is included in your license). It will block access to sharepoint completely, so the “Files” tab in teams will not work. Not sure if this is an option as adding a guest to a team is because of the collaboration 😉 

      With this you can exclude machines from SharePoint when they are not domain joined and/or managed by the tenant (Intune).

      Reference: https://docs.microsoft.com/en-us/sharepoint/control-access-from-unmanaged-devices

Resources