
Teams enabled for guests at tenant level but groups disabled. Should it be blocked?

Paul Culmsee
MVP

Hi

 

Been reading various bits of documentation (nicely summed up here) in relation to governing guest access. I am trying different combinations of access in my tenant and seeing behavior that doesn't seem right. E.g., I enabled guest in Services and add-ins -> Teams but in groups I disabled it via PowerShell...

 

PS C:\WINDOWS\system32> (Get-AzureADDirectorySetting -Id $settingsObjectID).Values

[snip]

AllowGuestsToAccessGroups False

 

I also confirm this in Services and add-ins -> Groups where "Let group members outside the organization access group content" is set to off.

 

Yet I can add a guest to a team, an account gets added to B2B (which makes sense) but I would expect the group setting to trump the team setting... At least the documentation infers this...

 

Or am I wrong about this? The documentation here is not so clear...

 

Paul

4 Replies
I should also note that if I turn on guest groups policy on a per team basis via PowerShell, this does indeed work as advertised...
Solution

The Groups policy (which you disabled in PowerShell) blocks any addition of a guest user to any group (including those created by Teams) except when administrator accounts are used. Did you test with a normal user account or an administrator account?

Ah, thanks Tony... I must have missed the fine print and indeed I did test this, logged in as an administrator. Thx for clarifying...

 

Paul

Yeah, this small but important point is easy to miss when you're rushing to test something...
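
The check this thread arrives at, as an added example that is not part of any post above: a read-only helper that summarises the guest-related values of the Groups directory setting and marks a test as inconclusive when it was run with an administrator account. The function name, the `-TestedAsAdministrator` parameter and the sample values are assumptions made for illustration; `AllowToAddGuests` is a value of the same setting that the thread does not quote.

```powershell
# Added example. Summarises guest-related values from the .Values collection
# of the Groups directory setting and records how the test was performed.
function Get-GuestGroupPolicySummary {
    param(
        [Parameter(Mandatory)] [object[]] $Values,            # objects with Name and Value
        [Parameter(Mandatory)] [bool] $TestedAsAdministrator  # account type used for the test
    )
    # AllowGuestsToAccessGroups is quoted in the thread; AllowToAddGuests is
    # another guest-related value of the same setting.
    $guestKeys = 'AllowGuestsToAccessGroups', 'AllowToAddGuests'
    $summary = [ordered]@{}
    $anyDisabled = $false
    foreach ($key in $guestKeys) {
        $entry = $Values | Where-Object { $_.Name -eq $key } | Select-Object -First 1
        if ($null -eq $entry -or [string]::IsNullOrWhiteSpace([string]$entry.Value)) {
            $summary[$key] = 'not set'
            continue
        }
        $enabled = [bool]::Parse([string]$entry.Value)  # values are returned as strings
        $summary[$key] = $enabled
        if (-not $enabled) { $anyDisabled = $true }
    }
    $finding = 'No guest restriction found in these values.'
    if ($anyDisabled -and $TestedAsAdministrator) {
        # Per the accepted answer: administrator accounts are not blocked.
        $finding = 'Inconclusive: administrator accounts are exempt; repeat with a normal user account.'
    } elseif ($anyDisabled) {
        $finding = 'Guest restriction configured and tested with a normal user account.'
    }
    $summary['TestedAsAdministrator'] = $TestedAsAdministrator
    $summary['Finding'] = $finding
    [pscustomobject]$summary
}

# Constructed sample mirroring the output quoted in the question.
$sampleValues = @(
    [pscustomobject]@{ Name = 'AllowGuestsToAccessGroups'; Value = 'False' }
    [pscustomobject]@{ Name = 'AllowToAddGuests';          Value = 'True' }
)
Get-GuestGroupPolicySummary -Values $sampleValues -TestedAsAdministrator $true

# Against a live tenant, pass the collection the question retrieves:
# Get-GuestGroupPolicySummary -Values (Get-AzureADDirectorySetting -Id $settingsObjectID).Values -TestedAsAdministrator $false
```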
