Allow or Block Guest Users from a Specific Team in Microsoft Teams

Sam Cosby

Hello all,


Sam here again from the Microsoft Teams Solutions POD within the Microsoft Teams Support Group. I wanted to share some findings that could prove helpful to customers who are trying to limit Guest Access capabilities for their Teams while still having the option to allow Guest Access for specified Teams. Note that the majority of the information here is derived from the following Support Article: User PowerShell to control Guest Access


In order for this to be done, there are a few key points that need to be made:

  1. Guest Access from Azure AD must be enabled.
    1. Go to as a Global Administrator.
    2. Then go to Azure Active Directory -> User Settings and validate that 'Members can invite' is set to 'Yes' under the External Users section.
  2. Guest Access for Office 365 Groups must be enabled in the O365 Groups Service & Addins portal.
    1. -> Office 365 Groups
    2. Make sure 'Let Group Owners add people outside the organization to Groups' is set to 'On'. If it is not, Group Owners will not be able to search via the PeoplePicker for any Guest Object Type.
  3. Guest Access for Microsoft Teams must be enabled in the Teams Service & Addins portal. 
    1. -> Microsoft Teams
    2. Open the 'select user/license type you want to configure' drop-down and make sure that 'Guest' is set to 'On'.

After validating that the parameters above are set as required, we can start this process. One of the key points below is that we must work backwards at this time: we can set all of the above to $true, but then we have to start peeling the layers back and disabling Guest Access for either all Groups or specific Groups. This, in turn, is how Teams leverages Guest Access capabilities as well.


Make sure you're connected to Exchange Online PowerShell and Azure AD PowerShell in order to run the steps below.

NOTE: The steps below do not apply to newly created Teams or Groups. You must either manage who can create Groups/Teams and validate the Groups required, or run this occasionally to block Guest Access in certain Groups.


Step 1: Set 'AllowToAddGuests' to $false for all Groups/Teams, so that you can then specify which Teams you wish to have enabled for Guest Access:


#Set all Groups/Teams to 'AllowToAddGuests' == $False

$groupID = Get-UnifiedGroup -ResultSize Unlimited | Select-Object -ExpandProperty ExternalDirectoryObjectId
Foreach ($Groups in $GroupID) {
    #Create a new settings object from the group.unified.guest template
    $template = Get-AzureADDirectorySettingTemplate | ? {$_.displayname -eq "group.unified.guest"}
    $settingsCopy = $template.CreateDirectorySetting()
    #Explicitly block guests; without this line the setting keeps the template's default value
    $settingsCopy["AllowToAddGuests"] = $false
    New-AzureADObjectSetting -TargetType Groups -TargetObjectId $groups -DirectorySetting $settingsCopy
}

Step 2: Set a specific Group/Team to $True or $False for Allowing Guest Access:


#Set specific Group back to $True or $False

$GroupID = Get-UnifiedGroup -Identity "<Insert SMTP or Identity>" | Select-Object -ExpandProperty ExternalDirectoryObjectId
#Remove the existing per-group setting before creating the replacement
$SettingID = Get-AzureADObjectSetting -TargetType Groups -TargetObjectID $GroupID | Select-Object -ExpandProperty ID
Remove-AzureADObjectSetting -Id $SettingID -TargetType Groups -TargetObjectID $GroupID
$template = Get-AzureADDirectorySettingTemplate | ? {$_.displayname -eq "group.unified.guest"}
$settingsCopy = $template.CreateDirectorySetting()
#Use $true to allow guests in this Group/Team, or $false to block them
$settingsCopy["AllowToAddGuests"] = $true
New-AzureADObjectSetting -TargetType Groups -TargetObjectId $GroupID -DirectorySetting $settingsCopy

Step 3 (Optional): Remove previous settings and set all Groups and Teams back to Allow Guest Access: 


#Remove previous settings/set all Groups back to $True

$groupID = Get-UnifiedGroup -ResultSize Unlimited | Select-Object -ExpandProperty ExternalDirectoryObjectId
Foreach ($Groups in $GroupID) {
    #Remove the existing per-group setting, then recreate it with guests allowed
    $SettingID = Get-AzureADObjectSetting -TargetType Groups -TargetObjectID $Groups | Select-Object -ExpandProperty ID
    Remove-AzureADObjectSetting -Id $SettingID -TargetType Groups -TargetObjectID $Groups
    $template = Get-AzureADDirectorySettingTemplate | ? {$_.displayname -eq "group.unified.guest"}
    $settingsCopy = $template.CreateDirectorySetting()
    $settingsCopy["AllowToAddGuests"] = $true
    New-AzureADObjectSetting -TargetType Groups -TargetObjectId $Groups -DirectorySetting $settingsCopy
}

Step 4 (Optional): Output your validation of the settings you've changed above for Guest Access to $True or $False for all Groups and Teams.


#Output validation for $True or $False Groups/Teams:
Get-UnifiedGroup -ResultSize Unlimited | Where-Object {$_.AllowAddGuests -eq $True} | ft PrimarySMTPAddress, AllowAddGuests, DisplayName
Get-UnifiedGroup -ResultSize Unlimited | Where-Object {$_.AllowAddGuests -eq $False} | ft PrimarySMTPAddress, AllowAddGuests, DisplayName


Hope this helps some organizations provide a more segmented approach to Guest Access within Groups and Teams. Please let me know if you have any follow ups or responses. 
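
The note above says these steps do not cover Groups or Teams created later and have to be re-run. The following is an added example, not part of the original post: a pass that can be re-run on a schedule and blocks guests on every Group except those on an allow-list. `$GuestAllowList` and its addresses are assumptions constructed for illustration, and connected Exchange Online and AzureAD (preview) PowerShell sessions are assumed.

```powershell
# Added example: reconcile per-group guest access against an allow-list.
# $GuestAllowList is hypothetical; the addresses are constructed placeholders.
$GuestAllowList = @('partners@contoso.example', 'vendors@contoso.example')

$template = Get-AzureADDirectorySettingTemplate |
    Where-Object { $_.DisplayName -eq 'group.unified.guest' }

$report = foreach ($group in Get-UnifiedGroup -ResultSize Unlimited) {
    $id      = $group.ExternalDirectoryObjectId
    $desired = $GuestAllowList -contains $group.PrimarySmtpAddress

    # Find an existing per-group guest setting so a re-run updates it
    # instead of failing on New-AzureADObjectSetting.
    $existing = Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $id |
        Where-Object { $_.TemplateId -eq $template.Id }

    if (-not $existing) {
        # New group (or never configured): create the setting with the desired value.
        $setting = $template.CreateDirectorySetting()
        $setting['AllowToAddGuests'] = $desired
        New-AzureADObjectSetting -TargetType Groups -TargetObjectId $id `
            -DirectorySetting $setting | Out-Null
        $action = 'Created'
    }
    else {
        # Read the stored value from the setting's name/value pairs.
        $current = ($existing.Values |
            Where-Object { $_.Name -eq 'AllowToAddGuests' }).Value
        if ([System.Convert]::ToBoolean($current) -ne $desired) {
            $existing['AllowToAddGuests'] = $desired
            Set-AzureADObjectSetting -TargetType Groups -TargetObjectId $id `
                -Id $existing.Id -DirectorySetting $existing
            $action = 'Updated'
        }
        else { $action = 'Unchanged' }
    }

    [pscustomobject]@{
        Group            = $group.PrimarySmtpAddress
        AllowToAddGuests = $desired
        Action           = $action
    }
}

# Rows marked Created or Updated are groups that had drifted from the allow-list.
$report | Format-Table Group, AllowToAddGuests, Action
```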



12 Replies

Hi Sam, great post. Congrats!

Is there a reason why setting a simple true/false flag for guest access to specific groups has to be so complicated? I'm unable to get this to work, not by following your instructions, nor those in the linked article (which are different commands).

Great info. Was just trying to wrap my head around this.

Do you know if the setting all groups to either $true or $false sticks for groups created after you run that command? If I want to only enable guests for a select few groups and I run through these steps, do newly created groups adhere to the default based on which way I set it?

Hey Timothy,


I don't believe so, but I believe there may be another way to do that. I tested this on my side by disabling all current Groups/Teams to not include the ability for Guest Access and then created a new one and that new Group is set to $True, so it appears that the only way to do this would be to create a script for any newly created Group/Team to be submitted with the below as well for the time being.


I wrote a blog based on this post to explain a little about what flipping the switches to allow guest access actually enables. I don't see these as things to be unduly concerned about, but it's useful to know what else you are affecting.

Really good call-out in the blog you mentioned, as these are parameters that need to be treaded lightly before switching/leveraging. 

Wouldn't the below code be more efficient?


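$groupID = Get-UnifiedGroup -ResultSize Unlimited | Select-Object -ExpandProperty ExternalDirectoryObjectId
#Fetch the template and build the settings object once, outside the loop
$template = Get-AzureADDirectorySettingTemplate | ? {$_.displayname -eq "group.unified.guest"}
$settingsCopy = $template.CreateDirectorySetting()
#Explicitly block guests; without this line the setting keeps the template's default value
$settingsCopy["AllowToAddGuests"] = $false

Foreach ($Group in $GroupID) {
    New-AzureADObjectSetting -TargetType Groups -TargetObjectId $Group -DirectorySetting $settingsCopy
}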

My company is risk averse and we want to set Teams such that Guest members have to be enabled on a Team-by-Team basis, the default is no Guests.


Been looking at "Azure Active Directory cmdlets for configuring group settings"


"Office 365 Groups settings are configured using a Settings object and a SettingsTemplate object. Initially, you don't see any Settings objects in your directory, because your directory is configured with the default settings. To change the default settings, you must create a new settings object using a settings template. Settings templates are defined by Microsoft."


I'm hoping this means we can create a Settings object with AllowToAddGuests set to False which applies to Groups when created. We can then specifically enable for individual Groups using a settings object applied just to that Group.




Please note that the instructions provided no longer work. The ability to manage licenses for Guests has been deprecated as of August and no replacement for that step in the process appears to be available at this time.

@Calum Steen, did you ever try that template stuff?  We're looking at doing the same thing for Teams.

Thanx @Sam Cosby, Just tried this in my lab again, I just had to wait long enough for the change to happen, :)

Great article, thank you. May I know if there is any way to turn adding guest users ON/OFF through the UI (for individual Teams/Groups), or do we ask Group owners to send us (IT team) a ticket to change this and we (IT team) change it through PowerShell?