SOLVED
Home

Guest of my team, but Teams disabled in their tenant so customer cannot log in

%3CLINGO-SUB%20id%3D%22lingo-sub-319735%22%20slang%3D%22en-US%22%3EGuest%20of%20my%20team%2C%20but%20Teams%20disabled%20in%20their%20tenant%20so%20customer%20cannot%20log%20in%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-319735%22%20slang%3D%22en-US%22%3E%3CP%3EI've%20invited%20my%20customer%20to%20a%20Team.%20They%20receive%20the%20email%20and%20can%20get%20logged%20in%2C%20but%20they%20get%20an%20error%20message%20saying%20%3CEM%3EAsk%20your%20admin%20to%20enable%20Microsoft%20Teams%3C%2FEM%3E.%20Is%20there%20a%20way%20for%20the%20customer%20to%20access%20my%20Team%20as%20a%20guest%20without%20Teams%20being%20enabled%20in%20their%20tenant%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-319735%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EGuest%20Access%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMicrosoft%20Teams%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-320520%22%20slang%3D%22en-US%22%3ERe%3A%20Guest%20of%20my%20team%2C%20but%20Teams%20disabled%20in%20their%20tenant%20so%20customer%20cannot%20log%20in%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-320520%22%20slang%3D%22en-US%22%3EExternal%20access%20doesn't%20have%20an%20effect%20on%20this.%20I%20see%20this%20often%20with%20users%20that%20have%20their%20%22personal%22%20e-mail%20hosted%20by%20a%20provider%20that%20uses%20365%2C%20many%20of%20those%20have%20Teams%20disabled.%20And%20probably%20in%20this%20case%20their%20tenant%20has%20Teams%20turned%20off%20explicitly.%20If%20that's%20they%20case%20which%20gov%20cloud%20tenant's%20probably%20aren't%20turned%20on%20by%20default%20like%20Microsoft%20has%20been%20starting%20to%20try%20to%20accomplish%20to%20alleviate%20this%20issue%20there%20isn't%20really%20a%20way%20around%20it.%20%3CBR%20%2F%3E%3CBR%20%2F%3EThe%20main%20problem%20is%20that%20the%20desktop%20client%20always%20wants%20to%20log%20into%20your%20home%20tenant%20first%20when%20you%20authenticate%20then%20switch%20to%20the%20guest%20tenant%2C%20and%20thus%2C%20because%20Teams%20is%20disabled%20you%20get%20roadblocked.%20%3CBR%20%2F%3E%3CBR%20%2F%3EUsing%20a%20consumer%20address%20for%20the%20user%20to%20log%20into%20isn't%20really%20an%20issue%20since%20you%20don't%20control%20the%20login%20anyway%2C%20but%20it%20could%20be%20less%20secure%20due%20to%20the%20credentials%20not%20having%20password%20reset%20policies%20%2F%20MFA%20etc.%20is%20the%20only%20thing%20that%20would%20really%20be%20different%20here.%20%3CBR%20%2F%3E%3CBR%20%2F%3EIf%20they%20would%20just%20have%20the%20clients%20bypass%20the%20default%20tenant%20check%20when%20it%20auth's%20this%20problem%20would%20go%20away.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-319820%22%20slang%3D%22en-US%22%3ERe%3A%20Guest%20of%20my%20team%2C%20but%20Teams%20disabled%20in%20their%20tenant%20so%20customer%20cannot%20log%20in%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-319820%22%20slang%3D%22en-US%22%3EHmmm.%20Just%20to%20note%20that%20GCC%20SKU's%20in%20the%20US%20for%20Microsoft%20Teams%20do%20permit%20guest%20access%20per%20this%20article.%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2FMicrosoftTeams%2Fplan-for-government-gcc%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2FMicrosoftTeams%2Fplan-for-government-gcc%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EI%20would%20personally%20wait%20to%20see%20what%20they%20come%20back%20with.%20I%20still%20have%20this%20feeling%20that%20its%20something%20they've%20got%20locked%20down%20within%20their%20environment.%20Being%20GCC%2C%20I%20would%20not%20be%20surprised%20at%20all%20whether%20External%20Access%20is%20disabled%20currently.%3CBR%20%2F%3E%3CBR%20%2F%3EBest%2C%20Chris%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-319817%22%20slang%3D%22en-US%22%3ERe%3A%20Guest%20of%20my%20team%2C%20but%20Teams%20disabled%20in%20their%20tenant%20so%20customer%20cannot%20log%20in%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-319817%22%20slang%3D%22en-US%22%3E%3CP%3ECustomer%20is%20government%2C%20so%20I'm%20not%20sure%20this%20will%20be%20allowed.%20I'll%20wait%20to%20hear%20back%20from%20them%20and%20see.%20You%20and%20Chris%20have%20basically%20confirmed%20everything%20I%20assumed%2C%20so%20not%20a%20huge%20deal%20(but%20it%20would%20have%20been%20MUCH%20better%20if%20you%20guys%20had%20a%20magic%20fix%20for%20all%20this!!%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAt%20this%20point%20I%20think%20my%20temp%20workaround%20will%20be%20adding%20them%20into%20our%20tenant%20as%20Contractors%2C%20which%20we've%20done%20before%20for%20other%20things.%20Not%20ideal%2C%20but%20works.%20Thanks%20again%20for%20all%20the%20quick%20replies!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-319815%22%20slang%3D%22en-US%22%3ERe%3A%20Guest%20of%20my%20team%2C%20but%20Teams%20disabled%20in%20their%20tenant%20so%20customer%20cannot%20log%20in%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-319815%22%20slang%3D%22en-US%22%3E%3CP%3EI%20don't%20know%20much%20about%20their%20environment.%20Actually%2C%20before%20all%20this%20started%20the%20customer%20told%20me%20they%20didn't%20have%20O365%20at%20all%2C%20so%20this%20really%20caught%20me%20by%20surprise!%20I've%20confirmed%20with%20other%20guests%20that%20our%20environment%20is%20working%2C%20so%20I%20do%20think%20this%20is%20on%20my%20customer's%20end.%20I'll%20have%20to%20wait%20to%20hear%20back%20about%20anything%20else.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-319781%22%20slang%3D%22en-US%22%3ERe%3A%20Guest%20of%20my%20team%2C%20but%20Teams%20disabled%20in%20their%20tenant%20so%20customer%20cannot%20log%20in%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-319781%22%20slang%3D%22en-US%22%3E%3CP%3EYes%2C%20it%20seems%20that%20way.%20I%20think%20the%20user%20definitely%20has%20AAD%20but%20that%20the%20tenant%20is%20not%20turned%20on%2C%20or%20they%20don't%20have%20Teams%20enabled%20on%20their%20licence%2C%20or%20that%20external%20communications%20is%20not%20enabled.%20The%20access%20denied%20is%20coming%20from%20the%20source%20tenant%20not%20destination.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20may%20be%20wrong%2C%20but%20that's%20what%20it%20sounds%20like.%3CBR%20%2F%3E%3CBR%20%2F%3EBest%2C%20Chris%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-319780%22%20slang%3D%22en-US%22%3ERe%3A%20Guest%20of%20my%20team%2C%20but%20Teams%20disabled%20in%20their%20tenant%20so%20customer%20cannot%20log%20in%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-319780%22%20slang%3D%22en-US%22%3EAfaik%20they%20should%20need%20to%20be%20licensed%20nor%20do%20federation%20settings%20matter..if%20they%20use%20365%20their%20account%20needs%20to%20be%20in%20their%20AAD%20and%20also%20teams%20turn%20on%20as%20a%20service!%20They%20will%20authenticate%20against%20their%20own%20AAD%20if%20they%20so!%3CBR%20%2F%3EAccording%20to%20the%20message%20my%20guess%20would%20be%20that%20they%20turned%20off%20the%20service..%3CBR%20%2F%3ETry%20contacting%20their%20IT%20personel%20or%20do%20a%20workaround%20and%20invite%20via%20a%20commercial%20for%20so%20long!%20(Gmail%20%2C%20Hotmail%20etc..)%20nonits%20not%20fancy%2C%20but%20works!%20Also%20if%20they%20later%20gets%20invited%20with%20their%20365%20account%20this%20will%20be%20totally%20separated%20from%20the%20other%20one%3CBR%20%2F%3E%3CBR%20%2F%3EAdam%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-319767%22%20slang%3D%22en-US%22%3ERe%3A%20Guest%20of%20my%20team%2C%20but%20Teams%20disabled%20in%20their%20tenant%20so%20customer%20cannot%20log%20in%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-319767%22%20slang%3D%22en-US%22%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F15707%22%20target%3D%22_blank%22%3E%40Jason%20Barnes%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EAnd%20this%20customer%20has%20Teams%20themselves%20-%20in%20their%20browser%20and%20on%20their%20Office%20365%20licence%3F%20And%20their%20tenant%20is%20set%20to%20have%20external%20access%20on%20per%20article%3F%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoftteams%2Flet-your-teams-users-communicate-with-other-people%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoftteams%2Flet-your-teams-users-communicate-with-other-people%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EIt%20sounds%20like%20the%20issue%20is%20not%20your%20end%20at%20all%2C%20but%20their%20end%3F%20Do%20you%20have%20another%20Office%20365%20user%20with%20Teams%20that%20you%20can%20invite%20to%20a%20spun%20up%20Team%3F%3CBR%20%2F%3E%3CBR%20%2F%3EBest%2C%20Chris%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-319750%22%20slang%3D%22en-US%22%3ERe%3A%20Guest%20of%20my%20team%2C%20but%20Teams%20disabled%20in%20their%20tenant%20so%20customer%20cannot%20log%20in%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-319750%22%20slang%3D%22en-US%22%3E%3CP%3EAs%20an%20admin%2C%20I%20can%20answer%20that%20one%20-%20it%20is!%26nbsp%3BThanks%20for%20the%20suggestion%20though!%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20asked%20her%20to%20login%2C%20get%20that%26nbsp%3B%3CEM%3Eaccess%20denied%3C%2FEM%3E%20screen%2C%20then%20copy%20and%20paste%20the%20invite%20link%20into%20the%20same%20browser.%20My%20hope%20is%20that%20now%20she's%20authenticated%2C%20so%20maybe%20it%20will%20bypass%20her%20tenant%20and%20bring%20her%20right%20in%20to%20the%20Team%20I%20invited%20her%20to%20as%20a%20guest.%20I'm%20just%20not%20sure%20she'll%20understand%20what%20I'm%20asking.%20%3A(%3C%2Fimg%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-319746%22%20slang%3D%22en-US%22%3ERe%3A%20Guest%20of%20my%20team%2C%20but%20Teams%20disabled%20in%20their%20tenant%20so%20customer%20cannot%20log%20in%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-319746%22%20slang%3D%22en-US%22%3E%3CP%3EWhen%20you%20say%20a%26nbsp%3B%3CEM%3Ecommercial%20mail%20address%3C%2FEM%3E%20you%20mean%20a%20Hotmail%20or%20Gmail%20account%20instead%20of%20a%20%22Work%20or%20school%20account%20created%20by%20their%20IT%20department%22%3F%20That%20just%20seems%20like%20a%20bad%20idea%20all%20around%2C%20since%20the%20organization%20will%20undoubtedly%20enable%20Teams%20at%20some%20point.%20If%20that's%20the%20case%20we%20probably%20won't%20be%20able%20to%20use%20Teams.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-319743%22%20slang%3D%22en-US%22%3ERe%3A%20Guest%20of%20my%20team%2C%20but%20Teams%20disabled%20in%20their%20tenant%20so%20customer%20cannot%20log%20in%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-319743%22%20slang%3D%22en-US%22%3EI%20would%20agree%20with%20Adam%20here.%20It%20could%20also%20be%20that%20Teams%20isn%E2%80%99t%20enabled%20within%20your%20Office%20365%20licence.%20I%20would%20personally%20ask%20your%20admin%20if%20this%20is%20the%20case.%3CBR%20%2F%3E%3CBR%20%2F%3EBest%2C%20Chris%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-319736%22%20slang%3D%22en-US%22%3ERe%3A%20Guest%20of%20my%20team%2C%20but%20Teams%20disabled%20in%20their%20tenant%20so%20customer%20cannot%20log%20in%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-319736%22%20slang%3D%22en-US%22%3EAFAIK%20in%20this%20scenario%20either%20the%20customer%20needs%20to%20enable%20teams%20in%20their%20tenant%20or%20you%20have%20invite%20them%20through%20a%20commercial%20mail%20address%20instead%3CBR%20%2F%3E%3CBR%20%2F%3EAdam%3C%2FLINGO-BODY%3E
Jason Barnes
Contributor

I've invited my customer to a Team. They receive the email and can get logged in, but they get an error message saying Ask your admin to enable Microsoft Teams. Is there a way for the customer to access my Team as a guest without Teams being enabled in their tenant?

11 Replies
Solution
AFAIK in this scenario either the customer needs to enable teams in their tenant or you have invite them through a commercial mail address instead

Adam
I would agree with Adam here. It could also be that Teams isn’t enabled within your Office 365 licence. I would personally ask your admin if this is the case.

Best, Chris

When you say a commercial mail address you mean a Hotmail or Gmail account instead of a "Work or school account created by their IT department"? That just seems like a bad idea all around, since the organization will undoubtedly enable Teams at some point. If that's the case we probably won't be able to use Teams.

As an admin, I can answer that one - it is! Thanks for the suggestion though! :)

 

I asked her to login, get that access denied screen, then copy and paste the invite link into the same browser. My hope is that now she's authenticated, so maybe it will bypass her tenant and bring her right in to the Team I invited her to as a guest. I'm just not sure she'll understand what I'm asking. :(

Hi @Jason Barnes

And this customer has Teams themselves - in their browser and on their Office 365 licence? And their tenant is set to have external access on per article?

https://docs.microsoft.com/en-us/microsoftteams/let-your-teams-users-communicate-with-other-people

It sounds like the issue is not your end at all, but their end? Do you have another Office 365 user with Teams that you can invite to a spun up Team?

Best, Chris
Afaik they should need to be licensed nor do federation settings matter..if they use 365 their account needs to be in their AAD and also teams turn on as a service! They will authenticate against their own AAD if they so!
According to the message my guess would be that they turned off the service..
Try contacting their IT personel or do a workaround and invite via a commercial for so long! (Gmail , Hotmail etc..) nonits not fancy, but works! Also if they later gets invited with their 365 account this will be totally separated from the other one

Adam

Yes, it seems that way. I think the user definitely has AAD but that the tenant is not turned on, or they don't have Teams enabled on their licence, or that external communications is not enabled. The access denied is coming from the source tenant not destination.

 

I may be wrong, but that's what it sounds like.

Best, Chris

I don't know much about their environment. Actually, before all this started the customer told me they didn't have O365 at all, so this really caught me by surprise! I've confirmed with other guests that our environment is working, so I do think this is on my customer's end. I'll have to wait to hear back about anything else.

Customer is government, so I'm not sure this will be allowed. I'll wait to hear back from them and see. You and Chris have basically confirmed everything I assumed, so not a huge deal (but it would have been MUCH better if you guys had a magic fix for all this!! :)

 

At this point I think my temp workaround will be adding them into our tenant as Contractors, which we've done before for other things. Not ideal, but works. Thanks again for all the quick replies!

Hmmm. Just to note that GCC SKU's in the US for Microsoft Teams do permit guest access per this article.

https://docs.microsoft.com/en-us/MicrosoftTeams/plan-for-government-gcc

I would personally wait to see what they come back with. I still have this feeling that its something they've got locked down within their environment. Being GCC, I would not be surprised at all whether External Access is disabled currently.

Best, Chris
External access doesn't have an effect on this. I see this often with users that have their "personal" e-mail hosted by a provider that uses 365, many of those have Teams disabled. And probably in this case their tenant has Teams turned off explicitly. If that's they case which gov cloud tenant's probably aren't turned on by default like Microsoft has been starting to try to accomplish to alleviate this issue there isn't really a way around it.

The main problem is that the desktop client always wants to log into your home tenant first when you authenticate then switch to the guest tenant, and thus, because Teams is disabled you get roadblocked.

Using a consumer address for the user to log into isn't really an issue since you don't control the login anyway, but it could be less secure due to the credentials not having password reset policies / MFA etc. is the only thing that would really be different here.

If they would just have the clients bypass the default tenant check when it auth's this problem would go away.
Related Conversations
Tabs and Dark Mode
cjc2112 in Discussions on
35 Replies
Extentions Synchronization
Deleted in Discussions on
3 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies