Guest access with Teams but also SharePoint

%3CLINGO-SUB%20id%3D%22lingo-sub-226247%22%20slang%3D%22en-US%22%3EGuest%20access%20with%20Teams%20but%20also%20SharePoint%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-226247%22%20slang%3D%22en-US%22%3E%3CP%3EMany%20of%20our%20Teams%20users%20would%20like%20to%20use%20Guest%20Access%20for%20the%20conversations%20in%20MS%20Teams.%20But%2C%20in%20order%20to%20enable%20this%20it%20seems%20we%20have%20to%20enable%20Guest%20Access%20for%20Office%20365%20Groups%20generally%2C%20including%20SharePoint%20Group%20Sites%20(%22team%20sites%22)%20that%20aren't%20otherwise%20connected%20to%20MS%20Teams.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThere%20doesn't%20seem%20to%20be%20an%20obvious%20UI%20element%20when%20guests%20are%20added%20to%20SharePoint%20Group%20Sites%2C%20and%20so%20that's%20a%20concern%20for%20many%20in%20our%20org%20who%20are%20concerned%20that%20guest-enabled%20SharePoint%20sites%20might%20have%20%22internal%20only%22%20docs%20added%20to%20them%20and%20thus%20exposed%20to%20outside%20folks.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHow%20are%20others%20handling%20Guest%20Mode%2C%20especially%20with%20non-Teams%20connected%20sites%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-226247%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EMicrosoft%20Teams%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-226398%22%20slang%3D%22en-US%22%3ERe%3A%20Guest%20access%20with%20Teams%20but%20also%20SharePoint%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-226398%22%20slang%3D%22en-US%22%3E%3CP%3EI%20see%2C%20thanks%20that%20is%20helpful.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-226355%22%20slang%3D%22en-US%22%3ERe%3A%20Guest%20access%20with%20Teams%20but%20also%20SharePoint%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-226355%22%20slang%3D%22en-US%22%3E%3CP%3EYes%20you%20turn%20sharing%20on%20as%20the%20default.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThen%20set%20a%20site%20classification%20scheme%20with%20internal%20and%20external%20options%2C%20set%20internal%20as%20the%20default.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ERun%20a%20script%20every%2030%20mins%20that%20disabled%20guests%20on%20any%20sites%20labelled%20internal%2C%20and%20enables%20it%20on%20any%20labelled%20external.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-226328%22%20slang%3D%22en-US%22%3ERe%3A%20Guest%20access%20with%20Teams%20but%20also%20SharePoint%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-226328%22%20slang%3D%22en-US%22%3E%3CP%3EBut%20enabling%20Teams%20guest%20access%20does%20require%20Groups%20having%20Guest%20access%20on%2C%20right%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EPowershell%20to%20remove%20%22can%20add%20external%20guests%22%20from%20a%20site%20is%20a%20solution.%20But%20when%20you%20enable%20Groups%20and%20allow%20anyone%20to%20create%20a%20Group%2FSite%20(drinking%20the%20%22self%20service%22%20Kool%20Aid%20that%20Microsoft%20has%20been%20espousing)%20then%20you%20have%20to%20start%20tracking%20all%20new%20site%20creation%20actions%2C%20and%20individually%20check%20with%20users%20if%20they%20do%20or%20do%20not%20expect%20to%20add%20external%20users.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-226304%22%20slang%3D%22en-US%22%3ERe%3A%20Guest%20access%20with%20Teams%20but%20also%20SharePoint%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-226304%22%20slang%3D%22en-US%22%3E%3CP%3EIn%20one%20scenario%20(estates%20with%20external%20contractors)%20we%20used%20a%20sub-site%20with%20the%20internal%20only%20content%20and%20put%20the%20guests%20in%20the%20main%20SharePoint%20site%20above%20it.%26nbsp%3B%20We%20put%20a%20link%20in%20the%20main%20site%20menu%20saying%20%22%5BStaff%20Only%5D%22%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-226293%22%20slang%3D%22en-US%22%3ERe%3A%20Guest%20access%20with%20Teams%20but%20also%20SharePoint%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-226293%22%20slang%3D%22en-US%22%3EWhen%20a%20guest%20is%20added%20to%20Teams%2C%20they%20only%20have%20Access%20to%20the%20Team%20and%20that%20SharePoint%20site%2C%20unless%20you%20allow%20the%20flag%20to%20allow%20external%20users%20to%20access%20everyone%20group%20resources%20and%20are%20using%20the%20Everyone%20permission%20on%20sites%20in%20your%20organization.%20Otherwise%20they%20are%20scoped%20to%20the%20group%20resources.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-226288%22%20slang%3D%22en-US%22%3ERe%3A%20Guest%20access%20with%20Teams%20but%20also%20SharePoint%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-226288%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F104%22%20target%3D%22_blank%22%3E%40Kevin%20Crossman%3C%2FA%3E%20Site%20Classifications%20are%20surfaced%20in%20Teams%20and%20SharePoint%2C%20so%20you%20can%20designate%20a%20team%20to%20be%20internal.%20If%20you%20want%20to%20prevent%20guests%20in%20an%20internal%20team%20a%20small%20powershell%20can%20do%20this%20on%20a%20timer%2C%20but%20I%20suspect%20an%20integrated%20solution%20will%20come%20in%20the%20future.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
MVP

Many of our Teams users would like to use Guest Access for the conversations in MS Teams. But, in order to enable this it seems we have to enable Guest Access for Office 365 Groups generally, including SharePoint Group Sites ("team sites") that aren't otherwise connected to MS Teams.

 

There doesn't seem to be an obvious UI element when guests are added to SharePoint Group Sites, and so that's a concern for many in our org who are concerned that guest-enabled SharePoint sites might have "internal only" docs added to them and thus exposed to outside folks.

 

How are others handling Guest Mode, especially with non-Teams connected sites?

6 Replies

@Kevin Crossman Site Classifications are surfaced in Teams and SharePoint, so you can designate a team to be internal. If you want to prevent guests in an internal team a small powershell can do this on a timer, but I suspect an integrated solution will come in the future.

 

When a guest is added to Teams, they only have Access to the Team and that SharePoint site, unless you allow the flag to allow external users to access everyone group resources and are using the Everyone permission on sites in your organization. Otherwise they are scoped to the group resources.

In one scenario (estates with external contractors) we used a sub-site with the internal only content and put the guests in the main SharePoint site above it.  We put a link in the main site menu saying "[Staff Only]"

But enabling Teams guest access does require Groups having Guest access on, right?

 

Powershell to remove "can add external guests" from a site is a solution. But when you enable Groups and allow anyone to create a Group/Site (drinking the "self service" Kool Aid that Microsoft has been espousing) then you have to start tracking all new site creation actions, and individually check with users if they do or do not expect to add external users.

Yes you turn sharing on as the default.

 

Then set a site classification scheme with internal and external options, set internal as the default.

 

Run a script every 30 mins that disabled guests on any sites labelled internal, and enables it on any labelled external.

 

 

I see, thanks that is helpful.