Collaborate securely with anyone in Microsoft Teams
Published Feb 28 2018 09:05 AM 131K Views
Microsoft

We’re starting to roll out the ability to add anyone as a guest in Microsoft Teams. This means that anyone with a business or consumer email account, such as Outlook.com, Gmail.com or others, can participate as a guest in Teams with full access to team chats, meetings and files. 

Previously, anyone with an Azure Active Directory (Azure AD) account could be added as a guest, and now anyone with an email address can be added to a team. All guests in Teams are covered by the same compliance and auditing protection as the rest of Office 365, and can be managed securely within Azure AD.

 

How it works

 

To invite a guest to a team, select Add Members in the menu next to the team name. Then add the guest’s email address. They will receive a welcome email message with information about the team and what to expect now that they're a member. If the guest doesn’t yet have a Microsoft Account associated with their email address, they will be directed to create one for free.

 

To invite a guest to a team, select Add Members in the menu next to the team name.To invite a guest to a team, select Add Members in the menu next to the team name.You can now add anybody with a consumer account as a guest in TeamsYou can now add anybody with a consumer account as a guest in Teams

Once they accept the invitation, guests can participate in chats, join meetings, collaborate on documents, and more. Teams with guests will be identified with text and icons throughout the Teams UI to give all team members a clear indication that there are guests in that team.

Text and icon give a clear indication of guest participation in a team.Text and icon give a clear indication of guest participation in a team.

 

Enterprise-grade security and compliance

 

In Teams, the content and activities of guest users are covered under the same compliance and auditing protection as the rest of Office 365. Guest accounts are added and securely managed within Azure AD through Azure AD B2B Collaboration. This enables enterprise-grade security, like conditional access policies for guest user access. Azure AD also uses adaptive machine learning algorithms and heuristics to detect anomalies and suspicious incidents, enabling mitigation or remediation actions, such as multi-factor authentication, to be triggered as appropriate.

 

In addition, with Azure AD, IT departments have unparalleled insight into the activities of external users in their organization through detailed sign-in and access reports. Admins can centrally manage how guests participate within their Office 365 environment and easily view, add, or revoke a guest’s access to the host tenant.

 

Let us know what you think!

 

These features will start rolling out next week, and you can expect to see them in your Teams client within the next two weeks. Try the new features and provide feedback using the feedback link in the lower left corner of Microsoft Teams. If you have suggestions on how to make Teams better, please submit your idea via User Voice or vote for existing ideas to help us prioritize the requests. We read every piece of feedback that we receive to make Teams even better.

 

FAQ

 

Who can use guest access?

Guest access is included with all Office 365 Business Premium, Office 365 Enterprise, and Office 365 Education subscriptions.

How do I enable guest access

Guest access is a tenant-level setting in Microsoft Teams and is turned off by default. To take advantage of the new functionality, admins need to enable guest access in the Office 365 admin center

How to enable guest access in Microsoft Teams.How to enable guest access in Microsoft Teams.

Watch the full video here.

If I already enabled guest access when Azure Active Directory (AAD) guest access became available, do I need to take any additional action to enable guest access for consumer email accounts?

If you have already enabled guest access, then your users will be able to add guests with a consumer account without additional action on your side.

If you enabled guest access with the expectation that you wanted to restrict it to AAD accounts only, you can disable guest access via the Teams setting by switching the feature off.

 

For more information, please read the support documentation.

 

 

 

 

142 Comments
Deleted
Not applicable

Very Nice! This definatley closes one of the big gaps on this vs. other collab tools. I can no longer get the "You can't add guests" excuse :). Good job team!

Deleted
Not applicable

This is great news! One thing to consider: the naming scheme for current guest access is very... odd. Pulling the display name (maybe not username?) would help identify who is who when you have numerous guests from multiple tenants. I've been in Teams where guests are actually unidentifiable because the names are so... weird. You kind of show it with your guest list screenshot above. E.g., what if there are two Emily B.'s in your Team? Gets confusing.

Brass Contributor

@Anne Michels - this isn't federated chat correct?  We haven't really used guest chat much because switching between accounts is slow feels clunky.  I'm personally looking forward to a UI where we don't need to switch context and all our chats both internal and as a guest are visible.

Deleted
Not applicable

@Douglas Plumley yes, this is not federated chat. This is to allow guests to join your Team. Federated chat is still a Roadmap item being worked on. 

Deleted
Not applicable

@Deleted good point Matt but according to this experience

https://docs.microsoft.com/en-us/microsoftteams/guest-experience

 

their is a display name now showing for guests, unlike before it was just their username. Not sure where it pulls from or asks, but I know you'll be able to edit that in your AD for sure, but I'm going to assume it's a question or pulls from Display name of the MSA account. 

Steel Contributor

Yes! This is awesome and a major win for the non-profits I work with since most of the collaboration is with external volunteers.

Brass Contributor

What date are you targeting this to be released to all Tenants so that I can set a reminder to check that it has been rolled out to our tenant?

Deleted
Not applicable

@Charles Shaw it's says within 2 weeks in the article. 

Iron Contributor

This is great news! congrats! Looks like i'll have to wait 2 weeks for full roll out for this be work right?

Deleted
Not applicable

@Jeremy Thake yes, within two weeks. Whenever it hits your tenant. So could be next week could be week after. 

Iron Contributor

Good news. Any update on private channels as this would really help with scenarios where you don't necessarily want to give guests access to all channels within a team?

Deleted
Not applicable

@Deleted thanks for the documentation. It's unfortunate, though, because that's not how it actually works in practice. Happy to send you a screenshot of the Collab365 500+ member Teams community as an example. Some of these usernames are equivalent to bad Twitter handles at best. :face_with_tears_of_joy: I guess you could make changes in AAD, but at an enterprise level that's virtually impossible to keep up with. Maybe if the Team owner could change it, that would work, but you'd have to keep Teams owners informed that they even can do that, and probably hand-hold along the way. Anyway, great news, just comes down to some improvements to the ultimate user experience.

Deleted
Not applicable

@Deleted yeah, but we don't have the Guest access updated version that's going to accompany this. It might be changed :). 

Deleted
Not applicable

Finally, this is fantastic news! Great work team!

Deleted
Not applicable

@Deleted The upgrade will be nice (when it comes), but the real problem now is that documentation is live (perhaps not even new) but inaccurate. ¯\_(ツ)_/¯

Copper Contributor

This is great news! Was starting to wonder if this was ever going to happen.

Iron Contributor

Great news Anne ! Been waiting for this since Teams was first released. It was always a major stumble block for adoption since most of our projects are done with external people.

Looking forward to what else you got up your sleeve for 2018 :)

 

Kind regards

Steve

Silver Contributor

Thanks for having this turned off by default. I have some clients that are not ready for this. 

Re. the display name for guests - you can edit this when you add a new guest to a team (click the pencil icon) or you can update AAD via PowerShell or the Office 365 Admin Center. Easy...

Bronze Contributor

Security by channel is a must in many of these scenarios. Consider a company with 30 manufacturing vendors. Ideally you have one team, 30 channels, one for each vendor where you can share files, etc, but he external vendors cannot see each other's data.

Without channel security, it has to be 30 teams!

Deleted
Not applicable

@Ed Hansberry they are already working on private channels. 

I'd go with 30 teams, one for each vendor. The chances of data leakage in SharePoint, even with private channels, is too high. Security is all about boundaries - so use the boundary that is there and don't explore what might work in the future.

Brass Contributor

Will this access impact on users ability to sync content from the files - via open in SharePoint? I don't think its possible right now after the ODFB updates in early Feb even if you are a ODFB user - but seeing if its expected that guests can sync file content? or blocked?

Cheers

Rich

Bronze Contributor

@Deleted - Well, I know it has been on the list for about a 9 months. Here's hoping it is out sooner rather than later.

@Tony Redmond - Understood. Part of the issue is if we design workflows around these teams, or channels using FLOW, and had, say, 5 flows per vendor for various things, with one team, it would be easier to visualize creating flows, and power apps, to handle the data for a single team than creating 5 flows per team (150 total) with the maint that comes with it a change in workflow. Now 30 flow edits.

But maybe flows can work across teams/sharepoint sites. Not sure. We are spitballing some ideas here.

Great news !!! Now we can share more and more, to be a team on Teams !

 This is great news, can't wait to start spreading the word!

Copper Contributor

Will guests require a Teams license?

Deleted
Not applicable

@Annabella Wong Long as they are not paid by your company to do work directly aka contracted employees etc.  Same guest access rules apply as with SharePoint etc. 

Deleted
Not applicable

Is there a maximum amount of guests per team? 

Deleted
Not applicable

Regarding these guest users, will they be able to see Power BI reports added to the Team channels? Is there any limitations on what the guest users do NOT have access to, compared to regular members?

Copper Contributor

This is a great addition. Now can we do the same for StaffHub? 

 

https://office365.uservoice.com/forums/264636-general/suggestions/33489634-allow-external-guests-in-...

Copper Contributor

Great feature! Any information if you can set permisisons like read only or edit for guests?

Steel Contributor

Guest cannot view View organization chart that's great. Are guest able to search all organisation employees / directory? Like open a people picker in SPO and find for anyone or by finding in Office.com/Delve for people? I known there is couple of articles on the subject but most of them are outdated. Would like to know if this will be hidden by default.

Copper Contributor

Echoing other sentiments about Private Channels. Without the ability to restrict Guest Account access to specific Channels, our org sadly still cannot adopt the Guest Access feature. 

 

We typically create a Team for each project, and then separate channels for the Engineering, Design, and Management teams. There are sensitive files and discussions - especially in the Management channel - that we wouldn't want external vendors/contractors having access to.

 

We've been waiting nearly a year and a half for Private Channels and Guest Access support. We figured that Guest Access surely would come hand-in-hand with support for Private Channels. I guess we get to wait some more...

Iron Contributor

> Let us know what you think

 

I think you shouldn't announce features and then give a single sentence at the end of the article to when the feature will be available. Make the reality of the situation known upfront or don't post at all.

Copper Contributor

Good news! Hope this will fix the guest access to Teams as my account is both an AAD account & MSA (formerly known as a LiveID)

 

bye bye error ca0002 or whatever code you go by...

Brass Contributor
We already have guests (coming from other o365 tenants) in our teams. What must we do (e. g. change which setting?) to extend guest access so that users from outlook.com can join the team? We need this feature asap.
Microsoft

Hi @Robert K, if you have alrady enabled guest access, then there is nothing else you need to do. Guest access for consumer account will then automatically work once it has been rolled out to your tenant.

Brass Contributor

Hi Anne, thanks for this update. What do you mean, when you say: 

"If you enabled guest access with the expectation that you wanted to restrict it to AAD accounts only, you can disable guest access via the Teams setting by switching the feature off."

Will I still be able to add guests with AAD accounts, when I switch the feature off?!? Is there a way to restrict guest access to AAD account guests only?

Thanks for your clarification.

Deleted
Not applicable

Hey @Anne Michels how can we tell. Will we get a version upgrade to the client that enables or will it just be random on the backend and we just have to keep testing to know?

Deleted
Not applicable

@Jacques the guests can only see team memebers in the chat drop down listing. 

Deleted
Not applicable

@Deleted You will just see it in the app, you won't noticed anything change/update.  Magically appears :)

Copper Contributor

Does the guest accounts need to have any kind of Office 365 license?

Deleted
Not applicable

@Bruno Mendes it all depends on if they are using advanced azure AD features or not such as you requiring MFA etc. There apparently is a 5:1 license ratio for guest accounts if your using any kind of advanced azure features for your logins. 

 

This article touches on that. These are MFA accounts but they are added to your organization so we can assume same rules apply with B2B. 

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-b2b-licensing

 

But for Teams itself they don't need a license to be a guest it's only the B2B that really needs inspecting. 

 

Steel Contributor

Looking forward to having this. 

 

While we're on the subject of guests, where is guest access in the mobile apps on the roadmap?

 

 

Copper Contributor

That's great news! I'm looking forward to the next update to be able to use it. Thanks.

Microsoft

Hi @jab365cloud, search is limited to the team that the guest is part of.

Deleted
Not applicable

The problem with teams taking so long for private channels and guest access is because they pigeon holed themselves in a corner building it on top of groups and Sharepoint sites. There are benefits of that but because of that the guest access and private channels have to be respected across all the products which is a nightmare especially since not all of them like planner etc. even support external access.  Every change requires the AAD team etc etc. causing delay. The good news is Teams will have good security backend etc. the bad news stuff takes longer to get done.  

Copper Contributor

I assume this is an enabler for your upcoming free offering? Makes sense that such an offering would rely on MSAs, and might explain why guest access for MSAs took so long to deliver after guest access for other O365 accounts. 

Version history
Last update:
‎Feb 28 2018 09:26 AM
Updated by: