03-26-2018 08:27 AM - edited 03-26-2018 08:37 AM
Hello all,
Sam here again from the Microsoft Teams Solutions POD within the Microsoft Teams Support Group. I wanted to share some findings that could prove helpful to customers who are trying to limit Guest Access capabilities across their Teams while still having the option to enable Guest Access for specified Teams. Note that the majority of the information here is derived from the following support article: Use PowerShell to control Guest Access.
In order for this to be done, there are a few key points that need to be made:
After validating that we have the specified parameters set as required above, we can start this process. One of the key points below is that we must work backwards at this time: we can set all of the above to $true, but then we have to start peeling the layers back and disabling either all Groups or specific Groups for Guest Access. This, in turn, is how Teams leverages Guest Access capabilities as well.
NOTE: The steps below do not apply to newly created Teams or Groups. You must either manage who can create Groups/Teams and validate the Groups required, or run this occasionally to block Guest Access in certain Groups.
Step 1: Set 'AllowToAddGuests' to $false on all Groups/Teams, so that you can then specify which Teams you wish to have enabled for Guest Access:
#Set all Groups/Teams to 'AllowToAddGuests' == $False
# Requires an Exchange Online session (Get-UnifiedGroup) and the AzureAD cmdlets for directory settings
$groupID = Get-UnifiedGroup -ResultSize Unlimited | Select-Object -ExpandProperty ExternalDirectoryObjectId
Foreach ($Group in $groupID) {
    # Build a per-group setting from the Group.Unified.Guest template and switch guests off
    $template = Get-AzureADDirectorySettingTemplate | ? {$_.DisplayName -eq "Group.Unified.Guest"}
    $settingsCopy = $template.CreateDirectorySetting()
    $settingsCopy["AllowToAddGuests"] = $False
    # Fails if the group already has a Group.Unified.Guest setting object; remove it first (see Step 2)
    New-AzureADObjectSetting -TargetType Groups -TargetObjectId $Group -DirectorySetting $settingsCopy
}
Step 2: Set a specific Group/Team to $True or $False for allowing Guest Access:
#Set specific Group back to $True or $False
$GroupID = Get-UnifiedGroup -Identity <Insert SMTP or Identity> | Select-Object -ExpandProperty ExternalDirectoryObjectId
# Remove any existing Group.Unified.Guest setting on this group first, because New-AzureADObjectSetting fails if one already exists
$SettingID = Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $GroupID |
    Where-Object {$_.DisplayName -eq "Group.Unified.Guest"} |
    Select-Object -ExpandProperty Id
if ($SettingID) {
    Remove-AzureADObjectSetting -Id $SettingID -TargetType Groups -TargetObjectId $GroupID
}
$template = Get-AzureADDirectorySettingTemplate | ? {$_.DisplayName -eq "Group.Unified.Guest"}
$settingsCopy = $template.CreateDirectorySetting()
$settingsCopy["AllowToAddGuests"] = $False   # change to $True to allow guests in this one group
New-AzureADObjectSetting -TargetType Groups -TargetObjectId $GroupID -DirectorySetting $settingsCopy
Step 3 (Optional): Remove the previous settings and set all Groups and Teams back to allowing Guest Access:
#Remove previous settings/set all Groups back to $True
$groupID = Get-UnifiedGroup -ResultSize Unlimited | Select-Object -ExpandProperty ExternalDirectoryObjectId
Foreach ($Group in $groupID) {
    # Drop the per-group setting created in Step 1/2 (skip groups that never had one)
    $SettingID = Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $Group |
        Where-Object {$_.DisplayName -eq "Group.Unified.Guest"} |
        Select-Object -ExpandProperty Id
    if ($SettingID) {
        Remove-AzureADObjectSetting -Id $SettingID -TargetType Groups -TargetObjectId $Group
    }
    # Re-create it explicitly set to $True
    $template = Get-AzureADDirectorySettingTemplate | ? {$_.DisplayName -eq "Group.Unified.Guest"}
    $settingsCopy = $template.CreateDirectorySetting()
    $settingsCopy["AllowToAddGuests"] = $True
    New-AzureADObjectSetting -TargetType Groups -TargetObjectId $Group -DirectorySetting $settingsCopy
}
Step 4 (Optional): Output a validation of the settings you changed above, listing Guest Access as $True or $False for all Groups and Teams.
#Output validation for $True or $False Groups/Teams:
# AllowAddGuests is the Exchange-side view of the setting; it can lag the directory change
Get-UnifiedGroup -ResultSize Unlimited | Where-Object {$_.AllowAddGuests -eq $True} | ft PrimarySmtpAddress, AllowAddGuests, DisplayName
Get-UnifiedGroup -ResultSize Unlimited | Where-Object {$_.AllowAddGuests -eq $False} | ft PrimarySmtpAddress, AllowAddGuests, DisplayName
Hope this helps some organizations provide a more segmented approach to Guest Access within Groups and Teams. Please let me know if you have any follow ups or responses.
-Sam
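The four steps above combined into one re-runnable "default deny with an allow-list" script. This is an added example, not Sam's code or Microsoft's; it assumes an Exchange Online session (for Get-UnifiedGroup) and the AzureAD cmdlets used in the post are already connected, and the two SMTP addresses in $AllowGuestsIn are constructed placeholders for your own Teams. It also handles the two things the step-by-step version trips over: a group that already carries a Group.Unified.Guest setting (New-AzureADObjectSetting fails instead of updating it), and a group that has none (Remove-AzureADObjectSetting is given an empty Id).

```powershell
# Added example (not from the original post): default-deny guest access on all Groups/Teams,
# re-enable it only for an allow-list, then report any group whose Exchange-side value disagrees.
# Assumes: Exchange Online session + AzureAD directory-setting cmdlets already connected.
# Constructed allow-list; replace with the PrimarySmtpAddress of each Team that may have guests.
$AllowGuestsIn = @('project-alpha@contoso.example', 'vendor-review@contoso.example')

# The template only needs to be read once; every per-group setting object is built from it.
$template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq 'Group.Unified.Guest' }

function Set-GroupGuestSetting {
    param(
        [Parameter(Mandatory)][string] $GroupObjectId,   # ExternalDirectoryObjectId of the group
        [Parameter(Mandatory)][bool]   $AllowGuests
    )
    # A group may already carry a Group.Unified.Guest setting from an earlier run.
    # New-AzureADObjectSetting fails in that case, so remove the old object(s) before creating the new one.
    $existing = Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $GroupObjectId |
        Where-Object { $_.DisplayName -eq 'Group.Unified.Guest' }
    foreach ($s in $existing) {
        Remove-AzureADObjectSetting -Id $s.Id -TargetType Groups -TargetObjectId $GroupObjectId
    }
    $setting = $template.CreateDirectorySetting()
    $setting['AllowToAddGuests'] = $AllowGuests
    New-AzureADObjectSetting -TargetType Groups -TargetObjectId $GroupObjectId -DirectorySetting $setting | Out-Null
}

# Default deny: every group not on the allow-list gets AllowToAddGuests = $false.
# Newly created groups are not covered until the next run (see the NOTE in the post), so schedule this.
$groups = Get-UnifiedGroup -ResultSize Unlimited
foreach ($g in $groups) {
    $allow = $AllowGuestsIn -contains $g.PrimarySmtpAddress.ToString()
    Set-GroupGuestSetting -GroupObjectId $g.ExternalDirectoryObjectId -AllowGuests $allow
}

# Verification: list groups whose Exchange-side AllowAddGuests does not yet match the intended value.
# An empty table means everything is in the intended state; the Exchange value can lag, so re-check later.
Get-UnifiedGroup -ResultSize Unlimited |
    Select-Object PrimarySmtpAddress, AllowAddGuests,
        @{ Name = 'Intended'; Expression = { $AllowGuestsIn -contains $_.PrimarySmtpAddress.ToString() } } |
    Where-Object { $_.AllowAddGuests -ne $_.Intended } |
    Format-Table -AutoSize
```

Run it once to get to the desired state and then on a schedule, because a Team created after the run inherits the tenant default until the script touches it. The closing table is the check worth keeping: when a row shows up with AllowAddGuests different from Intended, either the directory change has not propagated yet or someone has changed the group setting by hand.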
03-26-2018 01:16 PM
Hi Sam, great post Congrats !
03-28-2018 11:28 PM - edited 03-28-2018 11:39 PM
Is there a reason why setting a simple true/false flag for guest access on specific groups has to be so complicated? I'm unable to get this to work, not by following your instructions, nor those in the linked article (which are different commands).
03-29-2018 01:30 PM
03-29-2018 02:08 PM - edited 03-29-2018 02:13 PM
Hey Timothy,
I don't believe so, but I believe there may be another way to do that. I tested this on my side by disabling Guest Access on all current Groups/Teams and then created a new one, and that new Group is set to $True, so it appears that the only way to do this would be to create a script for any newly created Group/Team to be submitted with the below as well for the time being.
04-01-2018 01:30 AM
I wrote a blog based on this post to explain a little about what flipping the switches to allow guest access actually enables. I don't see these as things to be unduly concerned about, but it's useful to know what else you are affecting.
https://regarding365.com/enable-guests-in-microsoft-teams-what-else-did-i-just-turn-on-2110bb400c71
04-02-2018 05:26 AM
Really good call-out in the blog you mentioned, as these are parameters that need to be handled with care before switching/leveraging them.
04-15-2018 07:02 PM
Wouldn't the code below be more efficient?
# Read the template and build the setting object once, outside the loop
$groupID = Get-UnifiedGroup -ResultSize Unlimited | Select-Object -ExpandProperty ExternalDirectoryObjectId
$template = Get-AzureADDirectorySettingTemplate | ? {$_.DisplayName -eq "Group.Unified.Guest"}
$settingsCopy = $template.CreateDirectorySetting()
$settingsCopy["AllowToAddGuests"] = $False
# Apply the same setting object to every group
Foreach ($Group in $groupID) {
    New-AzureADObjectSetting -TargetType Groups -TargetObjectId $Group -DirectorySetting $settingsCopy
}
08-10-2018 12:44 PM - edited 08-10-2018 01:01 PM
My company is risk averse and we want to set Teams such that Guest members have to be enabled on a Team-by-Team basis; the default is no Guests.
Been looking at https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-settings-cmdlets "Azure Active Directory cmdlets for configuring group settings"
"Office 365 Groups settings are configured using a Settings object and a SettingsTemplate object. Initially, you don't see any Settings objects in your directory, because your directory is configured with the default settings. To change the default settings, you must create a new settings object using a settings template. Settings templates are defined by Microsoft."
I'm hoping this means we can create a Settings object with AllowToAddGuests set to False which applies to Groups when created. We can then specifically enable for individual Groups using a settings object applied just to that Group
09-06-2018 09:01 AM
Please note that the instructions provided no longer work. The ability to manage licenses for Guests has been deprecated as of August and no replacement for that step in the process appears to be available at this time.
10-31-2018 09:31 AM
@Calum Steen, did you ever try that template stuff? We're looking at doing the same thing for Teams.
11-14-2018 07:17 AM - edited 11-14-2018 07:45 AM
Thanks @Sam Cosby. Just tried this in my lab again; I just had to wait long enough for the change to happen. :)
04-11-2019 02:07 AM
11-21-2019 02:48 AM
@Calum Steen did you ever get around to setting up a new default team creation template with AllowToAddGuests set to False that could create Teams with Guest access defaulting to NO even though the tenant is allowing it?