SOLVED
Home

Teams enabled for guests at tenant level but groups disabled. Should it be blocked?

%3CLINGO-SUB%20id%3D%22lingo-sub-192936%22%20slang%3D%22en-US%22%3ETeams%20enabled%20for%20guests%20at%20tenant%20level%20but%20groups%20disabled.%20Should%20it%20be%20blocked%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-192936%22%20slang%3D%22en-US%22%3E%3CP%3EHi%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBeen%20reading%20various%20bits%20of%20documentation%20(nicely%20summed%20up%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FMicrosoft-Teams%2FAllow-or-Block-Guest-Users-from-a-Specific-Team-in-Microsoft%2Ftd-p%2F175918%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehere%3C%2FA%3E)%20in%20relation%20to%20governing%20guest%20access.%20I%20am%20trying%20different%20combinations%20of%20access%20in%20my%20tenant%20and%20seeing%20behavior%20that%20doesn't%20seem%20right.%20Eg%20I%20enabled%20guest%20in%20Services%20and%20add-ins%20-%26gt%3B%20Teams%20but%20in%20groups%20I%20disabled%20it%20via%20PowerShell...%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EPS%20C%3A%5CWINDOWS%5Csystem32%26gt%3B%20(Get-AzureADDirectorySetting%20%E2%80%93Id%20%24settingsObjectID).Values%3C%2FP%3E%0A%3CP%3E%5Bsnip%5D%3C%2FP%3E%0A%3CP%3EAllowGuestsToAccessGroups%20False%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20also%20confirm%20this%20in%26nbsp%3B%3CSPAN%3EServices%20and%20add-ins%20-%26gt%3B%26nbsp%3BGroups%20where%20%22Let%20group%20members%20outside%20the%20organization%20access%20group%20content%22%20is%20set%20to%20off.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EYet%20I%20can%20add%20a%20guest%20to%20a%20team%2C%20an%20account%20gets%20added%20to%20B2B%20(which%20makes%20sense)%20but%20I%20would%20expect%20the%20group%20setting%20to%20trump%20the%20team%20setting...%20At%20least%20the%20documentation%20infers%20this...%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EOr%20am%20I%20wrong%20about%20this%3F%20The%20documentation%20here%20is%20not%20so%20clear...%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EPaul%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-192936%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EGuest%20Access%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMicrosoft%20Teams%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESettings%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-193234%22%20slang%3D%22en-US%22%3ERe%3A%20Teams%20enabled%20for%20guests%20at%20tenant%20level%20but%20groups%20disabled.%20Should%20it%20be%20blocked%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-193234%22%20slang%3D%22en-US%22%3E%3CP%3EYeah%2C%20this%20small%20but%20important%20point%20is%20easy%20to%20miss%20when%20you're%20rushing%20to%20test%20something...%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-193139%22%20slang%3D%22en-US%22%3ERe%3A%20Teams%20enabled%20for%20guests%20at%20tenant%20level%20but%20groups%20disabled.%20Should%20it%20be%20blocked%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-193139%22%20slang%3D%22en-US%22%3E%3CP%3EAh%2C%20thanks%20Tony...%20I%20must%20have%20missed%20the%20fine%20print%20and%20indeed%20I%20did%20test%20this%2C%20logged%20in%20as%20an%20administrator.%20Thx%20for%20clarifying...%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EPaul%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-193074%22%20slang%3D%22en-US%22%3ERe%3A%20Teams%20enabled%20for%20guests%20at%20tenant%20level%20but%20groups%20disabled.%20Should%20it%20be%20blocked%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-193074%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20Groups%20policy%20(which%20you%20disabled%20in%20PowerShell)%20blocks%20any%20addition%20of%20a%20guest%20user%20to%20any%20group%20(including%20those%20created%20by%20Teams)%20except%20when%20administrator%20accounts%20are%20used.%20Did%20you%20test%20with%20a%20normal%20user%20account%20or%20an%20administrator%20account%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-192940%22%20slang%3D%22en-US%22%3ERE%3A%20Teams%20enabled%20for%20guests%20at%20tenant%20level%20but%20groups%20disabled.%20Should%20it%20be%20blocked%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-192940%22%20slang%3D%22en-US%22%3EI%20should%20also%20note%20that%20if%20I%20turn%20on%20guest%20groups%20policy%20on%20a%20per%20team%20basis%20via%20PowerShell%2C%20this%20does%20indeed%20work%20as%20advertised...%3C%2FLINGO-BODY%3E
Paul Culmsee
MVP

Hi

 

Been reading various bits of documentation (nicely summed up here) in relation to governing guest access. I am trying different combinations of access in my tenant and seeing behavior that doesn't seem right. Eg I enabled guest in Services and add-ins -> Teams but in groups I disabled it via PowerShell...

 

PS C:\WINDOWS\system32> (Get-AzureADDirectorySetting –Id $settingsObjectID).Values

[snip]

AllowGuestsToAccessGroups False

 

I also confirm this in Services and add-ins -> Groups where "Let group members outside the organization access group content" is set to off.

 

Yet I can add a guest to a team, an account gets added to B2B (which makes sense) but I would expect the group setting to trump the team setting... At least the documentation infers this...

 

Or am I wrong about this? The documentation here is not so clear...

 

Paul

 

 

 

4 Replies
I should also note that if I turn on guest groups policy on a per team basis via PowerShell, this does indeed work as advertised...
Highlighted
Solution

The Groups policy (which you disabled in PowerShell) blocks any addition of a guest user to any group (including those created by Teams) except when administrator accounts are used. Did you test with a normal user account or an administrator account?

Ah, thanks Tony... I must have missed the fine print and indeed I did test this, logged in as an administrator. Thx for clarifying...

 

Paul

Yeah, this small but important point is easy to miss when you're rushing to test something...

Related Conversations
Tabs and Dark Mode
cjc2112 in Discussions on
21 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
flashing a white screen while open new tab
cntvertex in Discussions on
13 Replies
How to Prevent Teams from Auto-Launch
chenrylee in Microsoft Teams on
28 Replies