
Allow or Block Guest Users from a Specific Team in Microsoft Teams


Hello all,

 

Sam here again from the Microsoft Teams Solutions POD within the Microsoft Teams Support Group. I wanted to share with everyone some findings that could prove helpful to customers who are trying to limit Guest Access capabilities to their Teams, but still have the option/opportunity to have Guest Access for specified Teams. Note that the majority of the information for this is derived from the following Support Article: User PowerShell to control Guest Access.

 

In order for this to be done, there are a few key points that need to be made:

  1. Guest Access from Azure AD must be enabled.
    1. Go to https://portal.azure.com as a Global Administrator.
    2. Then go to Azure Active Directory -> User Settings -> Validate that 'Members can invite' is set to 'Yes' under the External Users section as so: (screenshot: Azure Guest Access.png)
  2. Guest Access for Office 365 Groups must be enabled in the O365 Groups Service & Addins portal.
    1. https://portal.office.com/adminportal/home#/Settings/ServicesAndAddIns -> Office 365 Groups
    2. Make sure 'Let Group Owners add people outside the organization to Groups' is set to 'On', as if it's not, then Group Owners will not be able to search via the PeoplePicker for any Guest Object Type. (screenshot: Groups Guest Access.png)
  3. Guest Access for Microsoft Teams must be enabled in the Teams Service & Addins portal. 
    1. https://portal.office.com/adminportal/home#/Settings/ServicesAndAddIns -> Microsoft Teams
    2. Drop down the 'select user/license type you want to configure' and make sure that 'Guest' is set to 'On' as so: (screenshot: Teams Guest Access.png)

After validating that we have the specified parameters set as required above, then we can start this process. One of the key points below is that we must work backwards at this time, meaning, we can set all of the above to $true, but then we have to start peeling the layers back and disabling either all Groups or specific Groups for Guest Access. This in turn, is how Teams leverages Guest Access capabilities as well.

 

Make sure you're connected to Exchange Online PowerShell and Azure AD PowerShell in order to run the steps below.

<NOTE. The following below do not apply to newly created Teams or Groups. You must either Manage Who can Create Groups/Teams and validate the Groups required or run this occasionally to block this from being in certain Groups>

 

Step 1: Set all Groups/Teams to 'AllowToAddGuests' to $false, so then you can specify which Teams you'd wish to have enabled for Guest Access:

  

#Set all Groups/Teams to 'AllowToAddGuests' == $False

# Object IDs of every Office 365 Group (each Team is backed by one)
$groupID = Get-UnifiedGroup -ResultSize Unlimited | Select-Object -ExpandProperty ExternalDirectoryObjectId
Foreach ($Groups in $GroupID) {
    # Build a settings object from the group.unified.guest template
    $template = Get-AzureADDirectorySettingTemplate | ? {$_.displayname -eq "group.unified.guest"}
    $settingsCopy = $template.CreateDirectorySetting()
    $settingsCopy["AllowToAddGuests"]=$False
    # Attach the settings object to this group
    New-AzureADObjectSetting -TargetType Groups -TargetObjectId $groups -DirectorySetting $settingsCopy
}

Step 2: Set a specific Group/Team to $True or $False for Allowing Guest Access:

  

#Set specific Group back to $True or $False

$GroupID = get-unifiedgroup -Identity <Insert SMTP or Identity> | Select-Object -ExpandProperty ExternalDirectoryObjectId
# Remove the settings object already attached to this group
$SettingID = Get-AzureADObjectSetting -TargetType Groups -TargetObjectID $GroupID | select-object -expandproperty ID
remove-azureadobjectsetting -id $settingid -targettype Groups -TargetObjectID $GroupID
# Re-create it from the template with the value wanted for this group
$template = Get-AzureADDirectorySettingTemplate | ? {$_.displayname -eq "group.unified.guest"}
$settingsCopy = $template.CreateDirectorySetting()
# $True allows guests to be added to this group, $False blocks it
$settingsCopy["AllowToAddGuests"]=$False
New-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupID -DirectorySetting $settingsCopy

Step 3 (Optional): Remove previous settings and set all Groups and Teams back to Allow Guest Access: 

 

#Remove previous settings/set to all Groups back to $True

$groupID = Get-UnifiedGroup -ResultSize Unlimited | Select-Object -ExpandProperty ExternalDirectoryObjectId
Foreach ($Groups in $GroupID) {
    # Remove the settings object currently attached to this group
    $SettingID = Get-AzureADObjectSetting -TargetType Groups -TargetObjectID $Groups | select-object -expandproperty ID
    remove-azureadobjectsetting -id $settingid -targettype Groups -TargetObjectID $Groups
    # Re-create it from the template with guest access allowed
    $template = Get-AzureADDirectorySettingTemplate | ? {$_.displayname -eq "group.unified.guest"}
    $settingsCopy = $template.CreateDirectorySetting()
    $settingsCopy["AllowToAddGuests"]=$True
    New-AzureADObjectSetting -TargetType Groups -TargetObjectId $groups -DirectorySetting $settingsCopy
}

Step 4 (Optional): Output your validation of the settings you've changed above for Guest Access to $True or $False for all Groups and Teams.

 

#Output validation for $True or $False Groups/Teams:
Get-UnifiedGroup | Where-Object {$_.AllowAddGuests -eq $True} | ft PrimarySMTPAddress,  AllowAddGuests, DisplayName
Get-UnifiedGroup | Where-Object {$_.AllowAddGuests -eq $False} | ft PrimarySMTPAddress,  AllowAddGuests, DisplayName

 

Hope this helps some organizations provide a more segmented approach to Guest Access within Groups and Teams. Please let me know if you have any follow ups or responses. 

 

-Sam
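
The note in the post says these settings do not reach newly created Groups/Teams and that the steps may need to be re-run occasionally. The following is an added example, not part of the original post: a re-runnable default-deny pass that blocks guests on every group except an allowlist and updates an existing settings object in place instead of removing and re-creating it. The function name Set-GuestAccessBaseline and the allowlist address are hypothetical; it assumes the same Exchange Online and Azure AD PowerShell sessions as the steps above.

```powershell
# Added example, not from the original post. Assumes connected sessions to
# Exchange Online PowerShell and Azure AD PowerShell, as the post requires.
# Set-GuestAccessBaseline and the allowlist address below are hypothetical.
function Set-GuestAccessBaseline {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Primary SMTP addresses of the Groups/Teams that may add guests.
        [string[]]$AllowList = @()
    )

    # Same template lookup the post uses, done once instead of per group.
    $template = Get-AzureADDirectorySettingTemplate |
        Where-Object { $_.DisplayName -eq 'group.unified.guest' }
    if (-not $template) { throw "Settings template 'group.unified.guest' not found." }

    foreach ($group in (Get-UnifiedGroup -ResultSize Unlimited)) {
        $id      = $group.ExternalDirectoryObjectId
        $smtp    = [string]$group.PrimarySmtpAddress
        $desired = $AllowList -contains $smtp   # default deny unless allowlisted

        # A group created since the last run has no settings object yet;
        # an older group may already carry one from a previous run.
        $existing = Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $id |
            Where-Object { $_.TemplateId -eq $template.Id }

        if ($existing) {
            # Setting values are stored as strings ("True"/"False").
            $current = "$($existing['AllowToAddGuests'])" -eq 'true'
            if ($current -eq $desired) {
                $action = 'Unchanged'
            }
            elseif ($PSCmdlet.ShouldProcess($smtp, "Set AllowToAddGuests=$desired")) {
                # Update in place rather than remove-then-create.
                $existing['AllowToAddGuests'] = $desired
                Set-AzureADObjectSetting -TargetType Groups -TargetObjectId $id `
                    -Id $existing.Id -DirectorySetting $existing
                $action = 'Updated'
            }
            else { $action = 'WouldUpdate' }
        }
        elseif ($PSCmdlet.ShouldProcess($smtp, "Create AllowToAddGuests=$desired")) {
            $setting = $template.CreateDirectorySetting()
            $setting['AllowToAddGuests'] = $desired
            New-AzureADObjectSetting -TargetType Groups -TargetObjectId $id `
                -DirectorySetting $setting | Out-Null
            $action = 'Created'
        }
        else { $action = 'WouldCreate' }

        # One result row per group, usable as an audit record of the run.
        [pscustomobject]@{
            Group            = $smtp
            AllowToAddGuests = $desired
            Action           = $action
        }
    }
}

# Preview the changes first, then apply them:
# Set-GuestAccessBaseline -AllowList 'partners@contoso.example' -WhatIf
# Set-GuestAccessBaseline -AllowList 'partners@contoso.example'
```

Run on a schedule, the 'Created' rows show which groups appeared since the previous pass and were open to guests in the meantime.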

18 Replies

Hi Sam, great post. Congrats!


Is there a reason why setting a simple true/false flag for guest access to specific groups has to be so complicated? I'm unable to get this to work, not by following your instructions, nor those in the linked article (which are different commands).

Great info. Was just trying to wrap my head around this.

Do you know if setting all groups to either $true or $false sticks for groups created after you run that command? If I want to only enable guests for a select few groups and I run through these steps, do newly created groups adhere to the default based on which way I set it?

Hey Timothy,

 

I don't believe so, but I believe there may be another way to do that. I tested this on my side by disabling all current Groups/Teams to not include the ability for Guest Access and then created a new one and that new Group is set to $True, so it appears that the only way to do this would be to create a script for any newly created Group/Team to be submitted with the below as well for the time being.
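
The script suggested in the reply above for newly created Groups/Teams could run as a scheduled reconciliation pass: every group is denied guests unless its object ID is on an approved list, and any drift is corrected. This is an added example, not part of the original thread; it assumes connected AzureADPreview and Exchange Online sessions as used in the post, and `$allowList`, its placeholder ID and the report columns are hypothetical.

```powershell
# Added example: default-deny reconciliation of guest access on Office 365 Groups/Teams.
# Assumes Connect-AzureAD (AzureADPreview) and an Exchange Online session are already open.
# $allowList is hypothetical: ExternalDirectoryObjectId values of groups approved for guests.
$allowList = @(
    '00000000-0000-0000-0000-000000000000'   # placeholder object ID, replace with approved groups
)

$template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq 'group.unified.guest' }
$groups   = Get-UnifiedGroup -ResultSize Unlimited

$report = foreach ($group in $groups) {
    $id      = $group.ExternalDirectoryObjectId
    $desired = $allowList -contains $id      # guests allowed only when explicitly approved

    # A group can carry settings from other templates; select the guest setting only.
    $current = Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $id |
               Where-Object { $_.TemplateId -eq $template.Id }

    if (-not $current) {
        # No per-group setting yet (for example a newly created team): create one.
        $setting = $template.CreateDirectorySetting()
        $setting['AllowToAddGuests'] = $desired
        New-AzureADObjectSetting -TargetType Groups -TargetObjectId $id -DirectorySetting $setting | Out-Null
        $action = 'created'
    }
    else {
        # Stored values are strings; -eq compares case-insensitively.
        $isAllowed = ($current.Values | Where-Object Name -eq 'AllowToAddGuests').Value -eq 'true'
        if ($isAllowed -ne $desired) {
            # The setting drifted from the approved state: update it in place.
            $current['AllowToAddGuests'] = $desired
            Set-AzureADObjectSetting -TargetType Groups -TargetObjectId $id -Id $current.Id -DirectorySetting $current
            $action = 'updated'
        }
        else { $action = 'unchanged' }
    }

    [pscustomobject]@{
        DisplayName      = $group.DisplayName
        ObjectId         = $id
        AllowToAddGuests = $desired
        Action           = $action
    }
}

# Rows that were created or updated are the ones worth logging and reviewing.
$report | Where-Object Action -ne 'unchanged' | Format-Table DisplayName, ObjectId, AllowToAddGuests, Action
```

Until the first pass after a team is created, that team still has the tenant default, so the run interval is the window in which an owner can add guests.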

Solution

I wrote a blog based on this post to explain a little about what flipping the switches to allow guest access actually enables. I don't see these as things to be unduly concerned about, but it's useful to know what else you are affecting.

https://regarding365.com/enable-guests-in-microsoft-teams-what-else-did-i-just-turn-on-2110bb400c71

Really good call-out in the blog you mentioned, as these are parameters that need to be treaded lightly before switching/leveraging. 


Wouldn't the below code be more efficient?

 

$groupID = Get-UnifiedGroup -ResultSize Unlimited | Select-Object -ExpandProperty ExternalDirectoryObjectId
$template = Get-AzureADDirectorySettingTemplate | ? {$_.displayname -eq "group.unified.guest"}
$settingsCopy = $template.CreateDirectorySetting()
$settingsCopy["AllowToAddGuests"]=$False

Foreach ($Group in $GroupID) { New-AzureADObjectSetting -TargetType Groups -TargetObjectId $group -DirectorySetting $settingsCopy } 

My company is risk averse and we want to set Teams such that Guest members have to be enabled on a Team-by-Team basis, the default is no Guests.

Been looking at https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-settings-cmdlets "Azure Active Directory cmdlets for configuring group settings"

 

"Office 365 Groups settings are configured using a Settings object and a SettingsTemplate object. Initially, you don't see any Settings objects in your directory, because your directory is configured with the default settings. To change the default settings, you must create a new settings object using a settings template. Settings templates are defined by Microsoft."

 

I'm hoping this means we can create a Settings object with AllowToAddGuests set to False which applies to Groups when created. We can then specifically enable for individual Groups using a settings object applied just to that Group.

Please note that the instructions provided no longer work. The ability to manage licenses for Guests has been deprecated as of August and no replacement for that step in the process appears to be available at this time.

@Calum Steen, did you ever try that template stuff?  We're looking at doing the same thing for Teams.


Thanx @Sam Cosby, Just tried this in my lab again, I just had to wait long enough for the change to happen, :)

Great article, thank you. May I know if there is any way to turn adding guest users ON/OFF through the UI (for individual Teams/Groups)? Or do we ask Group owners to send us (IT team) a ticket to change this, and we (IT team) change it through PowerShell?

@Calum Steen did you ever get around to setting up a new default team creation template with AllowToAddGuests set to False that could create Teams with Guest access defaulting to NO even though the tenant is allowing it?

@Sam Cosby This is an absolutely unacceptable solution. We need a simple on/off flag per team that can be set in the TEAMS admin UI. Good grief. The simplest of things...

@Ivan Unger 200% agree. This is ridiculous. 


So I see some people saying these steps don't work any more?  We're trying to enable Guest access to one specific team and only to that team.  Is there any way to do that?

  • Can the default be No but then can I override the specific team I want to have guest access?
  • Do I need to enable it for everything and then go back and turn it off for the ones we don't want to have access?  And then do I need to do that for every team we create going forward?
  • Can I limit it so that the actual guest users have to be created by an Admin in the admin portal before they can be added to a team instead of team owners adding them directly?

Thanks.

Microsoft is going to help to set the option to allow Guest users per Team. It will not be a GUI switch per Team to allow or block. It will be managed by the Sensitivity Labels in the new Site and group settings: "Control whether the group owner can add guests to the group."

See: https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels-teams-groups-sites?view.... So based on the sensitivity of the information and the label that has been chosen for a site or team guest user access is allowed or blocked.

@JohnMiller-ETC The sensitivity labels work but the problem is that you are relying on the Team creator to apply the label when creating (or post creation) the Team. You still have no way to control it when your goal is to have Guest Access off by default but turn it on with appropriate justification and risk/benefit review. Having Guest Access off for all Teams and enabling it sparingly is very much like a firewall philosophy: block all, open only what's needed.

Another idea might be to assign a sensitivity label automatically to Teams as they are created. Call it "NoGuestAccess". Set up your policy to block Guest Access for Teams with this label. You'd need to be able to control who can add and remove this label from a Team. I'm not sure this can be done currently