Collaborate securely with anyone in Microsoft Teams
Published Feb 28 2018 09:05 AM
Microsoft

We’re starting to roll out the ability to add anyone as a guest in Microsoft Teams. This means that anyone with a business or consumer email account, such as Outlook.com, Gmail.com or others, can participate as a guest in Teams with full access to team chats, meetings and files. 

Previously, anyone with an Azure Active Directory (Azure AD) account could be added as a guest; now anyone with an email address can be added to a team. All guests in Teams are covered by the same compliance and auditing protection as the rest of Office 365, and can be managed securely within Azure AD.

How it works

To invite a guest to a team, select Add Members in the menu next to the team name. Then add the guest’s email address. They will receive a welcome email message with information about the team and what to expect now that they're a member. If the guest doesn’t yet have a Microsoft Account associated with their email address, they will be directed to create one for free.

To invite a guest to a team, select Add Members in the menu next to the team name.
You can now add anybody with a consumer account as a guest in Teams.

Once they accept the invitation, guests can participate in chats, join meetings, collaborate on documents, and more. Teams with guests are identified with text and icons throughout the Teams UI to give all team members a clear indication that there are guests in that team.

Text and icon give a clear indication of guest participation in a team.

 

Enterprise-grade security and compliance

In Teams, the content and activities of guest users are covered under the same compliance and auditing protection as the rest of Office 365. Guest accounts are added and securely managed within Azure AD through Azure AD B2B Collaboration. This enables enterprise-grade security, like conditional access policies for guest user access. Azure AD also uses adaptive machine learning algorithms and heuristics to detect anomalies and suspicious sign-ins, and can trigger mitigation or remediation actions, such as requiring multi-factor authentication, as appropriate.

In addition, with Azure AD, IT departments have detailed insight into the activities of external users in their organization through sign-in and access reports. Admins can centrally manage how guests participate within their Office 365 environment and can view, add, or revoke a guest’s access to the host tenant. Bear in mind that a guest, once added to a team, has the same access to that team's conversations, files and underlying SharePoint site as any other member, so adding a guest is a data-sharing decision and should be reviewed like one.
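The view, add and revoke operations above, done from PowerShell, as an added example that is not code from the original post or from Microsoft. It uses the AzureAD module and assumes Connect-AzureAD has already been run with a role that can read and delete users; the $StaleDays, $AllowedDomains and $DryRun values at the top are my own assumptions, and the two partner domains are a constructed sample.

```powershell
# Added example; not code from the original post or from Microsoft. Assumes the AzureAD
# PowerShell module is installed and Connect-AzureAD has already been run as a Global
# Administrator or User Administrator. Builds an inventory of every B2B guest in the
# tenant, flags the ones worth a second look, and shows the invite and revoke operations.

$StaleDays      = 30                                  # assumption: unredeemed invites older than this are stale
$AllowedDomains = @("contoso.com", "fabrikam.com")    # constructed sample allow-list of partner domains
$DryRun         = $true                               # set to $false to actually remove guests

function Get-GuestInventory {
    # Guest accounts carry userType = Guest; -All is needed or only the first page is returned
    $guests = Get-AzureADUser -Filter "userType eq 'Guest'" -All $true
    foreach ($g in $guests) {
        # A guest's UPN is mangled (user_gmail.com#EXT#@tenant.onmicrosoft.com), so prefer Mail
        $mail   = if ($g.Mail) { $g.Mail } else { ($g.UserPrincipalName -replace '#EXT#.*$', '') -replace '_([^_]+)$', '@$1' }
        $groups = Get-AzureADUserMembership -ObjectId $g.ObjectId | Where-Object { $_.ObjectType -eq "Group" }
        [pscustomobject]@{
            DisplayName    = $g.DisplayName
            Mail           = $mail
            Domain         = ($mail -split "@")[-1].ToLower()
            State          = $g.UserState                 # PendingAcceptance or Accepted
            StateChangedOn = if ($g.UserStateChangedOn) { [datetime]$g.UserStateChangedOn } else { $null }
            Groups         = ($groups.DisplayName -join "; ")
            ObjectId       = $g.ObjectId
        }
    }
}

function Find-SuspectGuests {
    param([object[]]$Inventory)
    # 1. Invitations never redeemed and older than the threshold: nobody is using them
    $stale = $Inventory | Where-Object {
        $_.State -eq "PendingAcceptance" -and $_.StateChangedOn -and
        $_.StateChangedOn -lt (Get-Date).AddDays(-$StaleDays)
    }
    # 2. Guests from domains outside the allow-list: someone invited a party you did not expect
    $unexpected = $Inventory | Where-Object { $AllowedDomains -notcontains $_.Domain }
    [pscustomobject]@{ Stale = @($stale); Unexpected = @($unexpected) }
}

function Invoke-GuestInvitation {
    param([string]$Email, [string]$DisplayName)
    # Creates the guest object in Azure AD and mails the redemption link; the team owner
    # (or Add-AzureADGroupMember) still has to add the resulting account to the team.
    New-AzureADMSInvitation -InvitedUserEmailAddress $Email -InvitedUserDisplayName $DisplayName `
        -InviteRedirectUrl "https://teams.microsoft.com" -SendInvitationMessage $true
}

function Remove-Guest {
    param([object]$Guest)
    # Deleting the guest object revokes access to every team, group and SharePoint site at once
    if ($DryRun) { Write-Host "Would remove $($Guest.Mail) (member of: $($Guest.Groups))" }
    else         { Remove-AzureADUser -ObjectId $Guest.ObjectId }
}

$inventory = Get-GuestInventory
$inventory | Sort-Object Domain, DisplayName | Format-Table DisplayName, Mail, State, Groups -AutoSize

$suspects = Find-SuspectGuests -Inventory $inventory
"Stale invitations:";  $suspects.Stale      | Format-Table Mail, StateChangedOn -AutoSize
"Unexpected domains:"; $suspects.Unexpected | Format-Table Mail, Domain, Groups -AutoSize

# Review the two lists, then revoke (flip $DryRun to $false once you are happy with the output)
$suspects.Stale | ForEach-Object { Remove-Guest -Guest $_ }
```

Run it once with $DryRun left at $true and read the report first: the stale list is invitations nobody redeemed, and the unexpected-domain list is the one to discuss with the team owners before removing anything. Deleting a guest object revokes its access everywhere in the tenant; if a guest only needs to leave one team, remove them from that team's group with Remove-AzureADGroupMember instead.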

 

Let us know what you think!

These features will start rolling out next week, and you can expect to see them in your Teams client within the next two weeks. Try the new features and provide feedback using the feedback link in the lower left corner of Microsoft Teams. If you have suggestions on how to make Teams better, please submit your idea via User Voice or vote for existing ideas to help us prioritize the requests. We read every piece of feedback that we receive to make Teams even better.

 

FAQ

Who can use guest access?

Guest access is included with all Office 365 Business Premium, Office 365 Enterprise, and Office 365 Education subscriptions.

How do I enable guest access?

Guest access is a tenant-level setting in Microsoft Teams and is turned off by default. To take advantage of the new functionality, admins need to enable guest access in the Office 365 admin center.

How to enable guest access in Microsoft Teams.

Watch the full video here.

If I already enabled guest access when Azure Active Directory (AAD) guest access became available, do I need to take any additional action to enable guest access for consumer email accounts?

If you have already enabled guest access, then your users will be able to add guests with a consumer account without additional action on your side.

If you enabled guest access with the expectation that you wanted to restrict it to AAD accounts only, you can disable guest access via the Teams setting by switching the feature off.

For more information, please read the support documentation.

142 Comments

Yep.

Iron Contributor

@Deleted It's not about being cheap and not wanting to offer a license - we can't legally offer a license to folks outside our organization. And we don't really get to decide whether we retain data. Our regulatory bodies and internal audit folks do that.

But regarding the license level settings - that could be a nice approach, at least for the chat part. I wasn't aware those settings were license-level.

The "allow users to chat privately" controls both tenant users and guest users. You cannot (AFAIK) assign this setting on per-user basis. See https://blogs.technet.microsoft.com/skypehybridguy/2017/08/24/microsoft-teams-disable-private-chat-h...

Deleted
Not applicable

@Tony Redmond It's per license level, I just tested it in my Test tenant, my guest account lost chat tab, other licensed user was unaffected. So that should be a viable option to use. 

So indeed it is... whatdda know... Something new every day...

Hi,

Regarding security, how can I avoid a data breach where an internal user (organization) passes confidential info to guest users? Ex: I'm an internal user, let me create a team to share credit card information with a guest user.

Silver Contributor

@Ernesto Alejandro Gomez Peguero the first thing to do is to use Azure Information Protection to assign labels to documents; this will then assign rights to the documents. The person who opens the file will only be allowed to do what the rights permit (print, copy, etc. can be blocked). You can also use Data Loss Prevention policies to identify files that contain this type of sensitive content.

And you can use Cloud App Security to identify/block the sending of this content from any of your applications.

see https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-information-prote...

https://support.office.com/en-us/article/overview-of-data-loss-prevention-policies-1966b2a7-d1e2-4d9... and 

https://docs.microsoft.com/en-us/cloud-app-security/what-is-cloud-app-security 

@Dean Gross,

Yeah, it makes sense if we are talking about files, but what would happen if it's a simple chat message?

EX: 

Dean: 
458532164894, ndfiofisdofd <- Sensitive information
Guest:
Received

Is there a solution to this case? How can we avoid that?
If we're talking about files, how can we stop Dean sending a db of customers to the guest? Since he made that team and there's only that guest and Dean?


What you're looking for is Data Loss Prevention (DLP) applying to chats. This isn't available today, but it is on the roadmap.

Technology will not solve every possible way that someone can pass sensitive information to a guest. If you are that worried about guests, then don't invite them to Teams or only invite them to a limited subset of Teams (you can limit the Teams that support guests). And then monitor what happens in terms of sharing, etc.

Iron Contributor

Where does one-on-one chat with guests sit on the radar? Adding guests to a team (as opposed to a channel) means a lot of pretty useless teams are going to be spawned just to establish a chat dialogue (like we used to do with S4B or Skype) with a client or vendor.

Right now, until someone is a guest on a team, they can't be chatted with one-on-one, unless I'm doing something wrong. If I try to start a chat with someone outside our domain, it doesn't work.

Deleted
Not applicable

This is where Skype Consumer comes into play, when that interop gets done, you'll be able to just skype them for your one on one chats. 

Iron Contributor

What about existing Skype for Business contacts - how can I stay in Teams only? I have some clients that haven't started the transition, but it is cumbersome for us to have to keep both applications launched and operating on desktops/laptops/mobile. I thought that S4B interop was ready already...

Deleted
Not applicable

It's supposed to be done according to the Roadmap but it's still not released. I guess it could be any day, but hard to say. It's part of the Import contacts / S4B Federation / S4B Persistent chat interop roadmap items which were slated for end of Q4 2017, so not sure what the status is on those items.

Iron Contributor

Too bad Teams is not supporting our onprem managed guest accounts. SharePoint and Planner are supporting those without any issues.

We create guest accounts in our onprem AD, sync them with AAD Connect and label them as Guest accounts through a PowerShell script. These accounts are in a separate domain and can access SharePoint and Planner, but not Teams, as it will say the account is missing a license when the guest accesses Teams.

Guest access is turned on for Teams.

Something to be improved upon in a next iteration of Guest access for Teams!

 

Maybe you need to issue an invitation (using the Invitation API with PowerShell) to these guest accounts to allow them to go through the Teams redemption process...

Iron Contributor

Thanks @Tony Redmond, unfortunately we get this:

New-AzureADMSInvitation : Error occurred while executing NewAzureADMSInvitation

Code: BadRequest

Message: The object either is sourced from an on prem directory or is undergoing migration

Iron Contributor

This will be nice when Planner can support guest access too (shortly).
UPDATE: This is now available. A team's guest users can access Planner and have tasks assigned to them.

Copper Contributor

We've been waiting for this feature. Earlier this week our IT team enabled guest access but I still don't see "Add members" anywhere to invite external people. I've checked in the Windows client and in the web UI but it isn't there. Is there some other trick to getting this to work?

Copper Contributor

If the admin enables guest access, is it for the entire tenant, or can we restrict at the user level who can add guests in Teams?

Owners add guests to teams.

There are restrictions you can impose to stop guests being added from certain domains: https://www.petri.com/azure-active-directory-external-collaboration-policy

Or you can restrict certain teams to stop anyone adding guests to those teams by updating the GroupCreationAllowed setting for the group object to False.
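Restricting one specific team while leaving tenant-wide guest access on, as an added example that is not code from the original post or from the comment above. The per-group control Azure AD exposes for this is the AllowToAddGuests value of the Group.Unified.Guest settings template, applied to the team's underlying Office 365 group with the AzureAD PowerShell module. It assumes Connect-AzureAD has already been run and that the team's display name is unique; the $TeamName parameter is my own.

```powershell
# Added example; not code from the original post or the comment thread. Assumes the AzureAD
# PowerShell module and an existing Connect-AzureAD session. Blocks the addition of guests to
# one team by applying the Group.Unified.Guest template (AllowToAddGuests = False) to the
# team's Office 365 group. Tenant-wide guest access stays on; only this team is locked down.

param(
    [Parameter(Mandatory = $true)][string]$TeamName    # assumption: the team's display name is unique
)

# -SearchString is a prefix match, so filter down to an exact display-name match
$group = Get-AzureADGroup -SearchString $TeamName | Where-Object { $_.DisplayName -eq $TeamName }
if (-not $group)           { throw "No group named '$TeamName' found" }
if (@($group).Count -gt 1) { throw "More than one group named '$TeamName'; use the ObjectId instead" }

$template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq "Group.Unified.Guest" }

# A group carries at most one setting object per template; update it if it is already there
$existing = Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $group.ObjectId |
            Where-Object { $_.TemplateId -eq $template.Id }

if ($existing) {
    $existing["AllowToAddGuests"] = $false
    Set-AzureADObjectSetting -TargetType Groups -TargetObjectId $group.ObjectId `
        -Id $existing.Id -DirectorySetting $existing
} else {
    $setting = $template.CreateDirectorySetting()
    $setting["AllowToAddGuests"] = $false
    New-AzureADObjectSetting -TargetType Groups -TargetObjectId $group.ObjectId -DirectorySetting $setting
}

# Verify: the Values collection should now list AllowToAddGuests = False for this group
(Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $group.ObjectId |
    Where-Object { $_.TemplateId -eq $template.Id }).Values
```

Guests who are already members of the team keep their access; the setting only stops new guests being added. Remove existing guests from the group (Remove-AzureADGroupMember) if the intent is a team with no external members at all.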

Good day.
Please help me solve a problem with guest access. I can add guests from different domains without trouble, but not all of them can see attached files. Is a filter set somewhere?
Thanks.

Is this a problem when the guest user opens the Files view presented by Teams?

If so, can they see the missing files if they click the Open in SharePoint link?

Guests have the same access rights as any other user to the underlying SharePoint site... so they should be able to see everything.

Copper Contributor

Why can't I add anyone I want to a Team as a guest? I am NOT going to ask people to create a Microsoft email account so I can add them as a guest to a Team. Are you so out of touch that you think people will accept this??? Why are you so arrogant? Why does Microsoft continually shoot itself in the foot? Do you have no idea how infuriating this is?

Steel Contributor

@Patrick Wood - they do not need a Microsoft address. They need a Microsoft account, and any email address can be a Microsoft Account. Go to this page and enter any email address you own and Microsoft will add it as a valid Microsoft account, which can then be used to sign in to Teams as a guest.

Just like you have to have a Google account (but not a Gmail address) to use Google services, you need a Microsoft account (but not a Microsoft address) to use Microsoft services. Many many services do this. Even to get on Amazon, you sign up with your email, and that essentially becomes an Amazon account, but not an Amazon address.

Copper Contributor

@Ed Hansberry "they do not need a Microsoft address. They need a Microsoft account, and any email address can be a Microsoft Account."

First, they may not have permission to do this from their company.

Second, some people are fed up with Microsoft forcing them to do things they do not want to do.

Third, from a user's viewpoint, this is a totally useless waste of time, one more hoop to jump through to make Microsoft happy.

Fourth, many other software companies do not require anything like this.

Fifth, some people want some privacy.

First, they may not have permission to do this from their company.

TR: No one needs permission to create a Microsoft account. It's a personal account. Do you mean that they need permission to associate their email address with a Microsoft account? If so, surely a good business purpose exists for this use as otherwise they won't be able to access Teams as a guest.

Second, some people are fed up with Microsoft forcing them to do things they do not want to do.

TR: All computer systems force people to follow processes. In this case, you must be able to identify yourself to participate as a guest. Remember, guests receive the same level of access to Teams resources as tenant users do, so granting someone guest access to a team is quite a big step. It seems reasonable to protect the information available to the team membership by insisting that guests have verifiable identities.

Third, from a user's viewpoint, this is a totally useless waste of time, one more hoop to jump through to make Microsoft happy.

TR: Security does get in the way from time to time. In this case, it seems worthwhile. It's not making Microsoft happy - having a verifiable email address for a guest account makes the owner of the data stored in Teams happy to share it with that guest account.

Fourth, many other software companies do not require anything like this.

TR: And many other software companies don't support the storage of data in the same way and the access through Teams for guest users (like being able to access SharePoint sites, Planner, etc.). Software companies have to come up with a reliable and robust access model to control access by users (tenant and non-tenant). Teams uses Azure B2B Collaboration to avoid creating its own model.

Fifth, some people want some privacy.

TR: It's an email address. You share your email address with anyone you communicate with via email. Using the email address to access Teams is just another form of communication.

Silver Contributor

@Patrick Wood I'm much more comfortable using MS systems than Google's or Facebook's. MS is only evaluating our traffic to help improve security; the others are using our traffic to sell ads and enrich themselves while not contributing much to society.

Copper Contributor

First, they may not have permission to do this from their company.

Wrong. They do need permission if it is their company policy. They are representing their company in online meetings and using a company email address.

Everybody does not want all the bells and whistles; they want something simple and easy to use. Why can't Microsoft understand that?

People do not want to have to learn to use different software from Microsoft AGAIN. It is getting really, really old and we do not have the time to learn all that is needed. We have work to do.

I guess you can have absolute simplicity, but in this case you need security. Access is governed by having a guest account (using your company email address or another address, including consumer email accounts). It's straightforward and doesn't kill many brain cells to master. And to be fair to Microsoft, they use Azure B2B collaboration across Office 365, so the guest account created for Teams also works with Office 365 groups, Planner, and SharePoint and will work with other apps as they pick up support for B2B collaboration.

Have you tried working with G Suite? You could make the case that the same issues occur there too.

Copper Contributor

@Tony Redmond 

 

It is MY data; let me configure the security options available and let me handle it.

Eh, no. The email address is your data. The data you wish to access via a guest account belongs to the tenant in which the guest account is created. It's entirely up to that tenant to decide how to allow you access.

Copper Contributor

@Tony Redmond

It is my data. I am the administrator for the Office 365 account.

Can't Microsoft at least consider allowing an admin to add anyone they want to a team? You say business is about collaboration so why not let us be free to collaborate with who we want?

You own your tenant's data. You control that data, so you have the chance to say if you want users from other tenants to access data in your tenant. It's your decision about whom you collaborate with (and Office 365 supports other features like collaboration white and black lists to allow or block specific domains). You do control whom you collaborate with in the context of your tenant.

But when it comes to other tenants, they control their data. And the mechanism used to allow people (guests) from other tenants in is guest accounts created using Azure B2B collaboration. I don't work for Microsoft so I can't represent their views. If you want things to change, come up with some cogent and well-argued reasons why another approach is better (and more secure) and post them on UserVoice. You might get more support there than you're getting here.

Steel Contributor

No one @Patrick Wood logs in to use a Google service without a Google ID. No one logs in to use a Microsoft service without a Microsoft account. That is how it works. Yes, you own your company's data. You don't control how Microsoft develops the software. Microsoft has chosen to have a security model that requires an email address be associated with a Microsoft account to log in. I don't see what the big deal is. I have one email address that is a Microsoft Account, a Google Account, an Amazon Account, etc. I use it in multiple places based on the security model of that place.

No one is forcing you to do anything. Use Slack. But then their email will become a Slack account. So not sure then what your options are after that. Write your own collaboration app I suppose, and don't require logins.

Copper Contributor

@Tony Redmond 

See this is the entire issue right here. Microsoft is controlling everything including my guests. We can share a OneDrive Folder with anyone we want. Why not add anyone we want to a Team? Microsoft does not need to control who I can add to a Team because I am paying for the service, it is my data, and I can configure the security. If I want to collaborate with someone they should not have to have a Microsoft Account. A lot of people do not want to allow Microsoft to have access to their information through a Microsoft Account.  

UserVoice is a constructive recommendation.

Copper Contributor

@Ed Hansberry 
We can share a OneDrive Folder with anyone we want. Why not add anyone we want to a Team? Microsoft does not need to control who I can add to a Team because I am paying for the service, it is my data, and I can configure the security.

There are Apple people who do not want to get a Microsoft Account. Also, employees may not have permission to create or use a Microsoft Account when they are working for their company and having online meetings. Microsoft does not need to know who they are. That is my job.

This is why Microsoft is starting to implement OTP or one-time passcodes for scenarios that allow you to quickly invite people to your data without using other means than an e-mail address. It's still early and in preview, but I expect this to stretch across all B2B resources at some point, possibly through Teams. But for now, you really don't have any other options since, as others have said, all other services do the same thing. Maybe cloud isn't for you.

Link to OTP: https://docs.microsoft.com/en-us/azure/active-directory/b2b/one-time-passcode

Copper Contributor

@Chris Webb But for now, you really don't have any other options since as others have said all other services do the same thing.

Oh yes I do. I have used other online meeting software that does not require you to create an account with them to be invited to a meeting or share files. Even OneDrive does not require a Microsoft Account to share a folder with anyone in the world.

You don't have to invite people and set up guest accounts to join Teams meetings either.

Copper Contributor

@Chris Webb 
Thank you. Finally someone has a helpful answer. 

I still want to add people to my Team who are not using a Microsoft Account. Some companies and individuals do not have Microsoft Accounts. They use Google or Apple or Linux. If I can get them to collaborate with me on a Team perhaps I can persuade them to use SQL Server and Office!

Well, your Google users can use their existing Google accounts to log in to Teams since there is now Google account federation. Nothing currently you can do about Apple accounts etc. other than them signing up for a Microsoft Account, or using a Google account. If OTP becomes available for Teams then you'll have that option, but for now that's your only option if you want them to actually join a Team.

Google federation setup / experience for your reference: https://docs.microsoft.com/en-us/azure/active-directory/b2b/google-federation

Version history
Last update: Feb 28 2018 09:26 AM