Collaborate securely with anyone in Microsoft Teams
Published Feb 28 2018 09:05 AM
Microsoft

We’re starting to roll out the ability to add anyone as a guest in Microsoft Teams. This means that anyone with a business or consumer email account, such as Outlook.com, Gmail.com or others, can participate as a guest in Teams with full access to team chats, meetings and files. 

Previously, anyone with an Azure Active Directory (Azure AD) account could be added as a guest, and now anyone with an email address can be added to a team. All guests in Teams are covered by the same compliance and auditing protection as the rest of Office 365, and can be managed securely within Azure AD.

 

How it works

 

To invite a guest to a team, select Add Members in the menu next to the team name. Then add the guest’s email address. They will receive a welcome email message with information about the team and what to expect now that they're a member. If the guest doesn’t yet have a Microsoft Account associated with their email address, they will be directed to create one for free.

 

[Image: To invite a guest to a team, select Add Members in the menu next to the team name.]

[Image: You can now add anybody with a consumer account as a guest in Teams.]

Once they accept the invitation, guests can participate in chats, join meetings, collaborate on documents, and more. Teams with guests will be identified with text and icons throughout the Teams UI to give all team members a clear indication that there are guests in that team.

[Image: Text and icon give a clear indication of guest participation in a team.]

 

Enterprise-grade security and compliance

 

In Teams, the content and activities of guest users are covered under the same compliance and auditing protection as the rest of Office 365. Guest accounts are added and securely managed within Azure AD through Azure AD B2B Collaboration. This enables enterprise-grade security, like conditional access policies for guest user access. Azure AD also uses adaptive machine learning algorithms and heuristics to detect anomalies and suspicious incidents, enabling mitigation or remediation actions, such as multi-factor authentication, to be triggered as appropriate.

 

In addition, with Azure AD, IT departments have unparalleled insight into the activities of external users in their organization through detailed sign-in and access reports. Admins can centrally manage how guests participate within their Office 365 environment and easily view, add, or revoke a guest’s access to the host tenant.

 

Let us know what you think!

 

These features will start rolling out next week, and you can expect to see them in your Teams client within the next two weeks. Try the new features and provide feedback using the feedback link in the lower left corner of Microsoft Teams. If you have suggestions on how to make Teams better, please submit your idea via User Voice or vote for existing ideas to help us prioritize the requests. We read every piece of feedback that we receive to make Teams even better.

 

FAQ

 

Who can use guest access?

Guest access is included with all Office 365 Business Premium, Office 365 Enterprise, and Office 365 Education subscriptions.

How do I enable guest access?

Guest access is a tenant-level setting in Microsoft Teams and is turned off by default. To take advantage of the new functionality, admins need to enable guest access in the Office 365 admin center.

[Image: How to enable guest access in Microsoft Teams.]

Watch the full video here.

If I already enabled guest access when Azure Active Directory (AAD) guest access became available, do I need to take any additional action to enable guest access for consumer email accounts?

If you have already enabled guest access, then your users will be able to add guests with a consumer account without additional action on your side.

If you enabled guest access with the expectation that you wanted to restrict it to AAD accounts only, you can disable guest access via the Teams setting by switching the feature off.

 

For more information, please read the support documentation.

 

 

 

 

142 Comments
Deleted
Not applicable

This is a great addition, here is my step by step walkthrough of how it works:

 

http://tomtalks.uk/2018/03/add-external-users-email-address-guest-microsoft-teams/

Copper Contributor

That's great news!!!

You can move forward with centralising content on MS Teams

Copper Contributor

I'm a little concerned regarding the security implications of this - is there any way of locking this down at all, or once it is on will any member of a Team be able to invite anyone with an e-mail address into it? Seems to be a data breach waiting to happen.

Copper Contributor

Turning on allow guest access is great, however if you work in a School like me is this a global setting? Meaning students will then also be able to invite anyone they wish into a team they belong to?

 

Can it be configured so that students can't invite guests?

 

Copper Contributor

Getting so much closer. We are loving Teams for internal use but haven't been able to break away from Slack due to guest access. Unfortunately this isn't quite enough, yet. Any idea when we'll be able to have a single team with many guests invited yet invite them only to a single channel? This is pretty integrated into our processes and it just doesn't make sense to have dozens of teams with a single channel in each for this purpose.  Just isn't manageable.

 

Copper Contributor

So based on this article am I to understand that as an Office 365 Business Essentials account holder, we still cannot authorize guest access into our Teams?

Deleted
Not applicable

@null null No, because only owners of Teams can invite guests, so your students won't be able to.

Copper Contributor

One thing I would like some information on is how we can lock this functionality down before switching it on. For example if we only want Team Owners in certain teams to be able to invite external partners on specific domains but other owners in other teams to not be able to invite any external partners it would cause us real compliance issues if we could only do this after enabling the functionality globally. Does anyone have any info on how we could accomplish that?

There's an external block policy that you can implement to create a whitelist or blacklist (but not both). See https://www.petri.com/external-access-policy-groups-teams-planner - this works for both Office 365 Groups and Teams. You can also scan team membership to look for guests from specific domains and remove them.
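An added example (not part of the comment above or of the linked article) of the membership scan it describes: the script derives each guest's home domain from the `#EXT#` form of a guest user principal name and applies either an allow list or a block list, never both. The member rows, tenant name and domains are constructed; in a live tenant the rows are assumed to come from a membership export (for example the MicrosoftTeams module's `Get-TeamUser`).

```powershell
# Added example: every name, tenant and address below is constructed.
Set-StrictMode -Version Latest

function Get-GuestHomeDomain {
    # Guest UPNs take the form  local_domain#EXT#@tenant.onmicrosoft.com
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $marker = $UserPrincipalName.IndexOf('#EXT#', [StringComparison]::OrdinalIgnoreCase)
    if ($marker -lt 0) { return $null }              # not a guest-style UPN
    $external = $UserPrincipalName.Substring(0, $marker)
    $split = $external.LastIndexOf('_')              # local parts may contain '_', domains cannot
    if ($split -lt 1 -or $split -eq $external.Length - 1) { return $null }
    return $external.Substring($split + 1).ToLowerInvariant()
}

function Test-GuestDomainPolicy {
    # Mirrors the "allow list or block list, but not both" rule.
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string[]]$AllowedDomains = @(),
        [string[]]$BlockedDomains = @()
    )
    if ($AllowedDomains.Count -gt 0 -and $BlockedDomains.Count -gt 0) {
        throw 'Specify an allow list or a block list, not both.'
    }
    if ($AllowedDomains.Count -gt 0) { return $AllowedDomains -contains $Domain }
    return -not ($BlockedDomains -contains $Domain)
}

# Constructed membership rows standing in for an export of team members.
$members = @(
    [pscustomobject]@{ Team = 'Project X'; User = 'alice_gmail.com#EXT#@contoso.onmicrosoft.com' }
    [pscustomobject]@{ Team = 'Project X'; User = 'bob_smith_partner.example#EXT#@contoso.onmicrosoft.com' }
    [pscustomobject]@{ Team = 'Finance';   User = 'carol_outlook.com#EXT#@contoso.onmicrosoft.com' }
    [pscustomobject]@{ Team = 'Finance';   User = 'dave@contoso.com' }
)

$allowed = @('partner.example')    # allow-list mode: any other guest domain is flagged

$report = foreach ($m in $members) {
    if ($m.User -notlike '*#EXT#*') { continue }     # tenant user, not a guest
    $domain = Get-GuestHomeDomain -UserPrincipalName $m.User
    $verdict = if (-not $domain) {
        'Review'                                     # guest UPN that does not parse: check by hand
    } elseif (Test-GuestDomainPolicy -Domain $domain -AllowedDomains $allowed) {
        'Keep'
    } else {
        'Remove'
    }
    [pscustomobject]@{ Team = $m.Team; Guest = $m.User; Domain = $domain; Verdict = $verdict }
}

$report | Format-Table -AutoSize
```

With the constructed data, the `partner.example` guest is kept and the `gmail.com` and `outlook.com` guests are marked for removal. The script only reports; removing the flagged guests is a separate step.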

Copper Contributor

That looks perfect for what I need, thanks!

 

One other thing I do need to look at is would it be possible to lock guests out from accessing files and other resources that are available to the team but still leave them access to the chat functionality? This whilst leaving internal members of the team with full access. I've seen that if SharePoint Online External Sharing is not allowed then it would deny access to files/notes/wiki to guests but  I've not seen anything that conclusively states guests would still have access to chat and also whether this would be able to be restricted on a team by team basis or whether if it was allowed/not allowed it would apply globally across the Tenant?

Nope. The block policy stops people being added as guest users, so they get no access to anything.

Copper Contributor

This is an improvement but we still cannot get external users to sync files locally.  This is keeping us from getting rid of DropBox.  This guest access also seems to give the guest access to the entire SharePoint site too.  What if we just want them to have access to the documents library...

If you simply want external people to access SharePoint, don't use Teams. Share the library from SharePoint. As always, only give external people the least possible access to content within your tenant.

BTW, I just published https://www.petri.com/common-questions-teams-guest-access with some answers to common questions about external guest access... It might be helpful.

Copper Contributor

Is there any way to force the update for Teams Desktop app - and the web app as well?

 

This is the message I get when I try to add external folks:

Add members to "Testing Zone"

Start typing a name, distribution list or security group to add to your team. You can also add people outside your organisation as guests by typing their email addresses. Note: Guests need a work or school account in Office 365

My desktop build number is: You have Microsoft Teams Version 1.1.00.5855 (64-bit)

 

 

Instead of the NEW message that no longer includes  

Note: Guests need a work or school account in Office 365

 

 

You can now add anybody with a consumer account as a guest in Teams

 

Thanks for your help.

Deleted
Not applicable

@Patrick Kairns you probably don't have full guest access turned on in your Tenant yet. I have same version and it matches the screenshot. 

Copper Contributor

@Deleted Thanks for your advice, but I do have Guest Access turned on in my Tenant. The ONLY way I can create guest users "the NEW way" is to add them through Azure Active Directory Admin Center. That adds a new Guest user, but the Guest does not get the invitation to join a team. They get an invitation to AD. Not what they should be getting.

 

Then I add new Guest to a GROUP in the Admin Center->Active Users->Group Membership

Then I open Teams and I can add the new external user to the Team.

Kind of cumbersome. 

 

Here's another screenshot that I have Guest access for Teams in  my Tenant.

Admin Teams - Guest ON.jpg

Silver Contributor

@Patrick Kairns just because you have it turned on does not mean that you have the new functionality. We have been able to turn it on for a long time, which provided the ability to invite people from other tenants. However this new functionality is showing up without any indication that it is actually deployed into your tenant. 

Copper Contributor

@Dean Gross You mention 

"However this new functionality is showing up without any indication that it is actually deployed into your tenant."

 

I've checked all the Admin Center settings and Teams is deployed in my Tenant for Business & Enterprise and Guest.

I have 5-6 Teams fully in operation; mostly internal users, but a few Guests as well after "jumping through the hoops with AD etc."

I must have a different build and it has not rolled-out to my Tenant yet.

 

Just weird and another frustration with this stuff. ;)

 

Thanks again....any further suggestions are welcome.

 

Rolling back.

 

1. All tenants can add guest users to Teams from other Office 365 tenants, assuming that the right settings are in place through the Admin Center.

2. Some tenants can add guest users to Teams from non-Office 365 tenants (any email address). I know the current percentage that deployment has reached but cannot say because of NDA. Suffice to say that the roll-out continues and should be complete worldwide in all Office 365 regions by the end of this month.

3. When you add a guest to Teams, a guest user account is created in your tenant directory. You can create the guest account manually or through Teams. Always create through an application because this will guide the guest through the invitation redemption process orchestrated by the Azure B2B Collaboration framework and make sure that they can access the inviting app without undue obstacles.  DIY guest creation is supported, but it is not a good user experience.

Copper Contributor

@Tony Redmond 3. When you add a guest to Teams, a guest user account is created in your tenant directory. You can create the guest account manually or through Teams. Always create through an application because this will guide the guest through the invitation redemption process orchestrated by the Azure B2B Collaboration framework and make sure that they can access the inviting app without undue obstacles.  DIY guest creation is supported, but it is not a good user experience. It certainly isn't. :)

 

That's the only choice I have for now in adding external Guests (with Gmail, etc. accounts). I appreciate your help & will be patient for the world roll-out to be available by the end of the month. I'll let you know when it becomes available in my Tenant.

 

Your help is appreciated, thank you.

 

 

Copper Contributor

External Guest is finally enabled on o365 here. I've added two guests (non-Microsoft accounts) BUT the invites have not come. I see these two people in admin... users... as "guests". How can we resend the invite, or how long does the invite take to arrive? (they're not in junk).

Copper Contributor

Very good news!

Deleted
Not applicable

Great news!! I'm just waiting for this feature to be available to do testing; for now the upgrade is not ready for my Org. I heard that until the end of March, is that correct?

Brass Contributor

Too bad guest access is not working for the Planner part ... for now I stick to Skype for Business.

Microsoft says that MicrosoftTeams guest access for any email account is now deployed to all Office365 tenants. Close and open clients before you try to add a guest. See and for info

Copper Contributor

Well I was able to add two external Guests to two of my public Teams using the Teams interface only, not having to create them as external Guest in AAD and then add them as members to a Team - the roll-out wave got to me... ;-). So far they can participate in Conversations, Chat, but cannot see the existing files in the FILES tab.

I have followed along with the instructions on setting Tenant for external sharing, but to no avail.

 

Apart from clicking on "Open in SharePoint" and requesting access to the files, then granting access on a file-by-file basis; that's the only way for now that external Guests get to see Team files.

 

Any ideas? 

 

Thanks for your help.

Microsoft

Hi @Glen Cianciulli, I checked with our dev teams on your experience. We haven't heard this issue from other customers. There is no direct way to re-send the invite, but you can @mention the guest, remove and add them again (AAD, Group or Team) or add them to another team; that should send out a new notification email. Another option is to ask the guest to go to teams.microsoft.com and sign in with the email address associated with the invitation. There is in-app invitation redemption that should be possible.

Deleted
Not applicable

@Patrick Kairns that's odd that you can't see files as a guest; it works on my tenant, however they are all private groups. I've never really messed with a public group to know how permissions work but it's possible the latest change with the Everyone permission and guests could be affecting this (which I don't think is live for a while longer) or it's possible someone changed the default permissions on the SharePoint sites tied to your Team? There should be group connected permission groups inside the SharePoint site; you need to check and make sure those are still there and didn't get removed in place of something else.

Copper Contributor

@Deleted Hi Christopher. I am making progress by changing my Teams to Private. An external Guest can see the files in 2 of the 3 Private teams I now have. I'll let it rest for a bit and come back at it later; have stuff in SharePoint settling down I guess. Thanks for your help.

Bronze Contributor

Well, it is getting closer I guess. Now I am getting the text in the screenshot on the blog article, but still cannot add anyone per the instructions on the dialog box. The "Add" button stays grayed out.

 

2018-03-13_9-52-46.png

Brass Contributor

A few key 'guest' features that will be great additions:

  1. guest access to 'Meetings' feature
  2. guest access to Planner tabs in different channel
  3. private channels (for both guests and members scenarios)

Deleted
Not applicable

You can already anon join meetings. Guest access to Planner is being worked on, as are private channels.

Bronze Contributor

So now this has been generally announced and rolled out per March 14 blog post and we still get this. Is something else wrong with our settings to prohibit guest access?

2018-03-15_13-37-30.png

Silver Contributor

Have you double checked that the Guest setting is enabled for Teams in the O365 Admin Center?

Deleted
Not applicable

Yeah, it's turned on; you can tell by the description text on that screenshot. Try another e-mail. Since Office does some personal account federation with Yahoo and Gmail now, it knows if you're putting in a real address or not for those services, I think :P.

Bronze Contributor

Yes, it is enabled.

I tried my personal Gmail account, which is also a Microsoft account and got the same error.

I tried my personal Hotmail account, which is also a Microsoft account and got the same error.

I tried a valid address for someone at our bank that I know is a valid account and not a Microsoft account, and got the same error.

Stumped... and frustrated.

 

 

Deleted
Not applicable

Do this from the web client. You might have some cache issues going on with desktop client. If it works on web, then I can give the folder path to kill to clear your cache. 

Deleted
Not applicable

Also if that doesn't work, you're going to need to start checking into your Guest access settings for Office 365 groups; since Teams are built on these, you have to allow it for those as well. See this screenshot. Capture.JPG

Source: https://www.petri.com/external-access-office-365-groups

Bronze Contributor

"Do this from the web client. You might have some cache issues going on with desktop client. If it works on web, then I can give the folder path to kill to clear your cache." 

You sir, are a genius @Deleted. Works just fine on the web client. 

Please give the details on how to clear any local folder paths. Logging out/in and quitting/restarting Teams didn't help.

Deleted
Not applicable

Quit Teams, then remove the stuff in C:\Users\username\AppData\Roaming\Microsoft\Teams, start Teams, then give it a whirl.

Bronze Contributor

Thanks. Seems to have fixed it.


Steel Contributor

@Deleted @Anne Michels great, but when guest users open the SharePoint website they are able to find any users in the people picker column. Basically guest users are able to retrieve the full organisation employee details and chart by using a SharePoint column.

Iron Contributor

Regarding the compliance features and guest access - how would guest user chats be retained? Currently retention of Teams user chats is dependent on the user having an Exchange Online mailbox to journal the chat messages to. Since guest users will not have Exchange Online mailboxes, can their private chat messages be retained?

Guest chats normally involve tenant users, so the personal chats are retained in the mailboxes of the other participants while guest contributions to channel conversations end up in the group mailbox. Microsoft has promised some improvements in this story, but as I don't work for Microsoft, I can't tell you what that might be.

 

https://www.petri.com/teams-compliance-story

Iron Contributor

@Tony Redmond I get that most of the time these chats will include internal users, but there is nothing preventing two guests from initiating private chats, at least that I'm aware of. This means that guest parties can have private chats that can't be audited or retained. Couple that with the idea that we will only be able to whitelist/blacklist guest organizations if we add Azure AD Premium licensing, and the compliance story around Teams makes guest access unpalatable for many orgs. I'm a big fan of Teams, but I definitely think the urgency around security and compliance controls for Office 365 workloads needs to be ratcheted up. We tend to get features in advance of getting security controls around them. At least in this case the feature was rolled out in a disabled state instead of on by default which has been what we've seen historically.

I agree that a gap exists today for situations when two guests chat using a host tenant. Happily, that's probably not as common a situation as we might think. In any case, the Teams developers are aware of the need to fix this and a couple of other compliance gaps and I am confident that we shall see some progress here soon.

Deleted
Not applicable

If you need compliance that bad for a guest then you should be forking out to license the user ;).

Yep. My belief is that guests won't know that they can initiate chats with other guests (without having a tenant user in the conversation) unless someone tells them, but that's beside the point.

Deleted
Not applicable

So what you could do if you're concerned about them having private conversations and want guests to stick to Team chats: you can always limit guests from being able to chat for the guest license level.

Capture.JPG

Version history
Last update: Feb 28 2018 09:26 AM