Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Managing Guests

Iron Contributor

Hi,

 

I would like to ask you how to manage guest. We would like to manage all guests and provide our end users only list of allowed guests which they can add to Teams. They can not add guests by themselves.

 

On the other hand we would like to provide them an option that they can share documents from their OneDrive as they wish and with who they need. But, if we allow sharing files from OneDrive, they share files with someone from different tenant, it automatically creates guest account in our AAD when guest accepts the invitation. 

 

Do you have any advice how to manage it? Is it possible to combine it?

 

Thanks,

 

Mirek

4 Replies
Hi Miroslav,
I think you can use Azure AD B2B collaboration, then allow them to show up on Teams from Org Wide Setting->Guest Access. You can also force Conditional Access restriction for those Accounts.

Hope this helps!
Moe

https://docs.microsoft.com/en-us/azure/active-directory/b2b/licensing-guidance

https://docs.microsoft.com/en-us/azure/active-directory/b2b/what-is-b2b

https://docs.microsoft.com/en-us/microsoftteams/manage-guests

Hi @Moe_Kinani,

 

thank you for the links. I have read all of them already but I have not found the answer there or I am not sure about it and this is the reason why I posted here the question.

 

I know that I can set conditional access to external people. My case is only about managing guests and have a control who is in my tenant as a guest but on the other side provide comfortable platform for my end users. I am not sure if these to ways are not against each other. For managing access guests is really nice feature "Access packages". But when I allow end users to share content from OneDrive or SharePoint then they create guests in my tenant also and first way is absolutely pointless...

 

Mirek

@Miroslav Novák 

 

Managing guests can be extremely tricky and it's well manageable in MS365 at the moment.

 

It's try if you disable adding guests through Teams, they can go around and add them through Sharepoint/Onedrive.

 

If you want complete control, you need to disable guest invites all together and work out some kind of automated system. Here you setup up a request form, a business owner decides and an automated guest provisioning is kicked off.

Hi @Thijs Lecomte, thank you for your comment. I was afraid of this solution that there does not exist a way how to manage it together. Currently Microsoft provides a solution how to manage guest it is called "Access packages" https://aad.portal.azure.com/#blade/Microsoft_AAD_ERM/DashboardBlade/elmEntitlement

It is not so comfortable but it is a way how to do it. I wanted let people share documents directly from OneDrive and avoid going to different portal, add guest and then share files.

 

Mirek