cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Self-prevision guest account to AzureAD from ODFB sharing, but not MS Teams guest invitation

Ming Zhang
Copper Contributor

‎Nov 27 2017 11:50 AM - last edited on ‎Feb 10 2023 02:35 PM by

‎Nov 27 2017 11:50 AM - last edited on ‎Feb 10 2023 02:35 PM by

Self-prevision guest account to AzureAD from ODFB sharing, but not MS Teams guest invitation

Our Tenant currently has "Sharing - Let users add new guests to the organization" set to Off.  All the external sharing settings for SharePoint/OneDrive for Business (ODFB) and Microsft Teams guest are set to on to the maximum permissive level. When users share a file in ODFB to a specific external user who has an external Microsft account, such as Hotmail account, or another O365 Tenant account, the account will be automatically added as Azure AD guest. However, in Microsoft Teams when users add a guest user as the Teams member who has a different O365 Tenant account, the guest user has to already exist in the Azure AD or it will report no permission. The account cannot be automatically added to Azure AD as a guest user. I wonder how come ODFB can override the Tenant level setting "Sharing - Let users add new guests to the organization", which cause the inconsistent behavior and hard to control the guest provision?  Is there any way to disable this gust account self-provision with ODFB but not affect it guest link sharing? 

1,353 Views
0 Likes
3 Replies
Reply
3 Replies
Loryan Strant

‎Nov 27 2017 03:12 PM

‎Nov 27 2017 03:12 PM

Re: Self-prevision guest account to AzureAD from ODFB sharing, but not MS Teams guest invitation

You're right - it is inconsistent.
It's because they are different types of guest mechanisms.
When inviting a guest into a Team, it's adding them into a Group which is based on AAD - and that functionality is disabled.
When sharing with someone externally it creates an object of the user in the AAD but it's not the same (but kind of is) as that user can't access any other resources.
0 Likes
Reply
Ming Zhang

‎Nov 27 2017 03:37 PM

‎Nov 27 2017 03:37 PM

Re: Self-prevision guest account to AzureAD from ODFB sharing, but not MS Teams guest invitation

But this creates a loophole. Let's say I am an Office 365 end user on our Tenant, where "Sharing - Let user add guest" is off.  I try to invite an external gust into a Microsoft Teams. Because "adding a guest" is not allowed, which is intended, I cannot add any new external users to the Teams but can add only those guest users who are already in our Azure AD.  As a workaround, I can just to go to my ODFB and pick a file and share it with the same external users that I planned to invite to the MS Teams. The external user accepts ODFB sharing and he/she would then be added to our Azure AD as a guest. After that, I can easily add the guest to the Teams without Administrator involvement, and thus avoid the blocking setting of "adding guest".   

 

My question here is that how to block the ODFB adding guest users but still allow shareable links.

 

Thanks 

0 Likes
Reply
Loryan Strant

‎Nov 27 2017 03:42 PM

‎Nov 27 2017 03:42 PM

Re: Self-prevision guest account to AzureAD from ODFB sharing, but not MS Teams guest invitation

You can't block ODFB from adding guest users, as they are an artefact left over from the sharing process.
0 Likes
Reply