SOLVED
Home

Teams enabled for guests at tenant level but groups disabled. Should it be blocked?

%3CLINGO-SUB%20id%3D%22lingo-sub-192936%22%20slang%3D%22en-US%22%3ETeams%20enabled%20for%20guests%20at%20tenant%20level%20but%20groups%20disabled.%20Should%20it%20be%20blocked%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-192936%22%20slang%3D%22en-US%22%3E%3CP%3EHi%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBeen%20reading%20various%20bits%20of%20documentation%20(nicely%20summed%20up%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FMicrosoft-Teams%2FAllow-or-Block-Guest-Users-from-a-Specific-Team-in-Microsoft%2Ftd-p%2F175918%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehere%3C%2FA%3E)%20in%20relation%20to%20governing%20guest%20access.%20I%20am%20trying%20different%20combinations%20of%20access%20in%20my%20tenant%20and%20seeing%20behavior%20that%20doesn't%20seem%20right.%20Eg%20I%20enabled%20guest%20in%20Services%20and%20add-ins%20-%26gt%3B%20Teams%20but%20in%20groups%20I%20disabled%20it%20via%20PowerShell...%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EPS%20C%3A%5CWINDOWS%5Csystem32%26gt%3B%20(Get-AzureADDirectorySetting%20%E2%80%93Id%20%24settingsObjectID).Values%3C%2FP%3E%0A%3CP%3E%5Bsnip%5D%3C%2FP%3E%0A%3CP%3EAllowGuestsToAccessGroups%20False%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20also%20confirm%20this%20in%26nbsp%3B%3CSPAN%3EServices%20and%20add-ins%20-%26gt%3B%26nbsp%3BGroups%20where%20%22Let%20group%20members%20outside%20the%20organization%20access%20group%20content%22%20is%20set%20to%20off.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EYet%20I%20can%20add%20a%20guest%20to%20a%20team%2C%20an%20account%20gets%20added%20to%20B2B%20(which%20makes%20sense)%20but%20I%20would%20expect%20the%20group%20setting%20to%20trump%20the%20team%20setting...%20At%20least%20the%20documentation%20infers%20this...%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EOr%20am%20I%20wrong%20about%20this%3F%20The%20documentation%20here%20is%20not%20so%20clear...%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EPaul%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-192936%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EGuest%20Access%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMicrosoft%20Teams%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESettings%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-193234%22%20slang%3D%22en-US%22%3ERe%3A%20Teams%20enabled%20for%20guests%20at%20tenant%20level%20but%20groups%20disabled.%20Should%20it%20be%20blocked%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-193234%22%20slang%3D%22en-US%22%3E%3CP%3EYeah%2C%20this%20small%20but%20important%20point%20is%20easy%20to%20miss%20when%20you're%20rushing%20to%20test%20something...%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-193139%22%20slang%3D%22en-US%22%3ERe%3A%20Teams%20enabled%20for%20guests%20at%20tenant%20level%20but%20groups%20disabled.%20Should%20it%20be%20blocked%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-193139%22%20slang%3D%22en-US%22%3E%3CP%3EAh%2C%20thanks%20Tony...%20I%20must%20have%20missed%20the%20fine%20print%20and%20indeed%20I%20did%20test%20this%2C%20logged%20in%20as%20an%20administrator.%20Thx%20for%20clarifying...%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EPaul%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-193074%22%20slang%3D%22en-US%22%3ERe%3A%20Teams%20enabled%20for%20guests%20at%20tenant%20level%20but%20groups%20disabled.%20Should%20it%20be%20blocked%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-193074%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20Groups%20policy%20(which%20you%20disabled%20in%20PowerShell)%20blocks%20any%20addition%20of%20a%20guest%20user%20to%20any%20group%20(including%20those%20created%20by%20Teams)%20except%20when%20administrator%20accounts%20are%20used.%20Did%20you%20test%20with%20a%20normal%20user%20account%20or%20an%20administrator%20account%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-192940%22%20slang%3D%22en-US%22%3ERE%3A%20Teams%20enabled%20for%20guests%20at%20tenant%20level%20but%20groups%20disabled.%20Should%20it%20be%20blocked%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-192940%22%20slang%3D%22en-US%22%3EI%20should%20also%20note%20that%20if%20I%20turn%20on%20guest%20groups%20policy%20on%20a%20per%20team%20basis%20via%20PowerShell%2C%20this%20does%20indeed%20work%20as%20advertised...%3C%2FLINGO-BODY%3E
Paul Culmsee
MVP

Hi

 

Been reading various bits of documentation (nicely summed up here) in relation to governing guest access. I am trying different combinations of access in my tenant and seeing behavior that doesn't seem right. Eg I enabled guest in Services and add-ins -> Teams but in groups I disabled it via PowerShell...

 

PS C:\WINDOWS\system32> (Get-AzureADDirectorySetting –Id $settingsObjectID).Values

[snip]

AllowGuestsToAccessGroups False

 

I also confirm this in Services and add-ins -> Groups where "Let group members outside the organization access group content" is set to off.

 

Yet I can add a guest to a team, an account gets added to B2B (which makes sense) but I would expect the group setting to trump the team setting... At least the documentation infers this...

 

Or am I wrong about this? The documentation here is not so clear...

 

Paul

 

 

 

4 Replies
Highlighted
I should also note that if I turn on guest groups policy on a per team basis via PowerShell, this does indeed work as advertised...
Solution

The Groups policy (which you disabled in PowerShell) blocks any addition of a guest user to any group (including those created by Teams) except when administrator accounts are used. Did you test with a normal user account or an administrator account?

Ah, thanks Tony... I must have missed the fine print and indeed I did test this, logged in as an administrator. Thx for clarifying...

 

Paul

Yeah, this small but important point is easy to miss when you're rushing to test something...

Related Conversations
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
flashing a white screen while open new tab
cntvertex in Discussions on
13 Replies
Tabs and Dark Mode
cjc2112 in Discussions on
22 Replies
How to Prevent Teams from Auto-Launch
chenrylee in Microsoft Teams on
28 Replies
PacketMon Components are not loading in WAC 1909
HotCakeX in Windows Admin Center on
2 Replies