SOLVED

Do we need a new way to manage guest access in Teams?

%3CLINGO-SUB%20id%3D%22lingo-sub-1520768%22%20slang%3D%22en-US%22%3EDo%20we%20need%20a%20new%20way%20to%20manage%20guest%20access%20in%20Teams%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1520768%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20just%20started%20looking%20into%20managing%20guest%20access%20and%20it%20seems%20complex.%26nbsp%3B%20Teams%20and%20SPO%20groups%20get%20created%20with%20guest%20access%20enabled%20by%20default.%26nbsp%3B%20We%20were%20hoping%20for%20a%20way%20to%20change%20this%20default%2C%20but%20it%20doesn't%20appear%20to%20exist.%26nbsp%3B%20There%20are%20a%20few%20posts%20out%20there%20with%20info%20on%20how%20to%20manually%20manage%20this%2C%20but%20everything%20we%20found%20requires%20either%20constantly%20running%20scripts%20to%20check%20and%20modify%20guest%20access%2C%20or%20apps%20to%20create%20the%20Teams.%26nbsp%3B%20We%20are%20hoping%20for%20some%20OOTB%20ways%20to%20change%20the%20default%20access%20settings%20to%20org%20only%20when%20these%20groups%20are%20created.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20anyone%20aware%20of%20anything%20on%20the%20roadmap%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1520768%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EMicrosoft%20Teams%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1520822%22%20slang%3D%22en-US%22%3ERe%3A%20Do%20we%20need%20a%20new%20way%20to%20manage%20guest%20access%20in%20Teams%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1520822%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F13364%22%20target%3D%22_blank%22%3E%40David%20Phillips%3C%2FA%3E%26nbsp%3B%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETeams%20and%20SharePoint%20guest%20access%20are%20separate%20so%20you%20can%20definitely%20ensure%20that%20SharePoint%20sites%20are%20created%20without%20guest%20access%20allowed%2C%20assuming%20some%20sites%20in%20your%20tenant%20need%20guest%20access%20on%2C%20then%20you%20would%20need%20to%20configure%20the%20domain%20whitelist%2C%20to%20restrict%20any%20guest%20sharing%20in%20SharePoint%20on%20creation%20of%20any%20new%20Team.%20This%20is%20done%20in%20the%20SharePoint%20Admin%20centre.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHow%20this%20works%20is%20the%20site%20collection%20will%20get%20created%20with%20guest%20access%20on%20but%20as%20there%20are%20no%20whitelisted%20domains%20in%20the%20site%20collection%20yet%2C%20so%20no%20guests%20can%20be%20added.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAs%20for%20Teams%20I%20have%20not%20had%20to%20do%20that%20so%20maybe%20someone%20else%20can%20point%20you%20in%20that%20direction.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAndy%20Hodges%20%3CSPAN%3E%7C%20ThinkShare%20%7C%20%3C%2FSPAN%3E-ERR%3AREF-NOT-FOUND-%3CSPAN%3E%3CA%20href%3D%22http%3A%2F%2Fwww.thinkshare.uk%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ewww.thinkshare.uk%3C%2FA%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1521256%22%20slang%3D%22en-US%22%3ERe%3A%20Do%20we%20need%20a%20new%20way%20to%20manage%20guest%20access%20in%20Teams%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1521256%22%20slang%3D%22en-US%22%3E%3CP%3EUnderstood%20that%20they%20are%20separate%20access%2C%20however%20as%20you%20know%2C%20when%20you%20create%20a%20Team%2C%20a%20SharePoint%20site%20also%20gets%20created.%26nbsp%3B%20Right%20now%20there%20is%20no%20way%20to%20centrally%20manage%20guest%20access%20to%20both%20-%20SP%20can%20be%20set%20in%20the%20console%2C%20Teams%20needs%20powershell.%26nbsp%3B%20Also%2C%20whitelisting%20doesn't%20really%20apply%20in%20every%20scenario.%26nbsp%3B%20Some%20may%20need%20more%20granular%20control%20at%20a%20per-Team%20level.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E-ERR%3AREF-NOT-FOUND-%40ThereseSolimeno%26nbsp%3BThis%20doesn't%20really%20answer%20the%20question.%26nbsp%3B%20There%20doesn't%20appear%20to%20be%20a%20way%20to%20set%20org%20only%20access%20by%20default%20in%20either%20SharePoint%20or%20Teams.%26nbsp%3B%20My%20question%20was%20if%20anyone%20is%20aware%20of%20something%20on%20the%20roadmap%20to%20change%20this.%26nbsp%3B%20EDITED%20-%20I%20have%20unmarked%20it%20as%20the%20best%20response.%20(TS)%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1521291%22%20slang%3D%22en-US%22%3ERe%3A%20Do%20we%20need%20a%20new%20way%20to%20manage%20guest%20access%20in%20Teams%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1521291%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F214649%22%20target%3D%22_blank%22%3E%40Andrew%20Hodges%3C%2FA%3E%26nbsp%3B%20%26nbsp%3BOne%20of%20the%20issues%20that%20I%20have%20run%20into%20with%20this%2C%20is%20the%20inability%20to%20properly%20manage%20Guest%20without%20running%20a%20bunch%20of%20posh%20commands%20to%20check%20to%20see%20if%20we%20have%20stale%20users.%26nbsp%3B%20Once%20a%20guest%20accepts%20the%20terms%20of%20access%2C%20they%20can%20be%20added%20to%20SP%20sites%2C%20Groups%2C%20Teams%2C%20etc.%20with%20the%20only%20oversite%20being%20the%20user%2C%20unless%20you%20can%20run%20the%20PowerShell%20reports%20and%20then%20using%20those%20reports%20to%20cross%20check%20the%20audit%20to%20see%20if%20there%20has%20been%20any%20activity%2C%20in%20most%20cases%20the%2090%20day%20limit%20comes%20into%20play%20here%2C%20where%20as%20my%20users%20are%20audited%20for%20180%20days.%26nbsp%3B%20I%20then%20need%20to%20use%20PowerShell%20to%20remove%20any%20Guest%20that%20has%20had%20no%20activity%20in%2090%20days%2C%20but%20again%20PowerShell.%26nbsp%3B%20There%20are%20no%20reports%20in%20the%20GUI%20for%20this%20and%20no%20centralized%20management%20of%20this.%20This%20part%20I%20think%20is%20what%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F13364%22%20target%3D%22_blank%22%3E%40David%20Phillips%3C%2FA%3E%26nbsp%3B%20is%20referring%20to%2C%20(At%20least%20I%20hope%20it%20is..lol).%26nbsp%3B%20It%20would%20be%20good%20to%20truly%20have%20some%20centralized%20management%20for%20Guest%20users%20in%20O365.%26nbsp%3B%20Right%20now%20I%20have%20to%20take%20too%20many%20steps%20to%20check%2C%20and%20in%20a%20large%20environment's%2C%20this%20takes%20time.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1522221%22%20slang%3D%22en-US%22%3ERe%3A%20Do%20we%20need%20a%20new%20way%20to%20manage%20guest%20access%20in%20Teams%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1522221%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F664737%22%20target%3D%22_blank%22%3E%40kerry6a1%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F13364%22%20target%3D%22_blank%22%3E%40David%20Phillips%3C%2FA%3E%26nbsp%3B%20%26nbsp%3BYou've%20thought%20this%20out%20very%20well%20-%20have%20you%20check%20our%20%3CA%20href%3D%22https%3A%2F%2Fmicrosoftteams.uservoice.com%2F%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EUservoice%20feedback%20forum%3C%2FA%3E%20to%20see%20if%20this%20suggestion%20has%20been%20made%20to%20the%20development%20team%3F%26nbsp%3B%20If%20so%2C%20you%20can%20vote%20on%20the%20item%20and%20you'll%20get%20notified%20of%20developments.%26nbsp%3B%20If%20not%2C%20you%20can%20create%20a%20new%20request%20and%20others%20will%20vote%20on%20it%2Fthem.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1522795%22%20slang%3D%22en-US%22%3ERe%3A%20Do%20we%20need%20a%20new%20way%20to%20manage%20guest%20access%20in%20Teams%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1522795%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F664737%22%20target%3D%22_blank%22%3E%40kerry6a1%3C%2FA%3E%26nbsp%3B%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHave%20a%20look%20at%20this%20-%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fgovernance%2Fmanage-guest-access-with-access-reviews%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fgovernance%2Fmanage-guest-access-with-access-reviews%3C%2FA%3E%26nbsp%3B%20.%20Youi%20need%20extra%26nbsp%3B%20licenses%20for%20Azure%20AD.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThere%20is%20some%20soon%20to%20be%20released%20functionality.%26nbsp%3B%20Called%20%3CSPAN%3EExpiring%20External%20Access%20feature%3C%2FSPAN%3E%20for%20a%20site.%20The%20documentation%20for%20this%20was%20released%20ahead%20of%20the%20functionality%20and%20has%20been%20pulled%20by%20Microsoft%20but%20you%20can%20see%20the%20functionality%20in%20action%20here%20-%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fmyignite.techcommunity.microsoft.com%2Fsessions%2F81495%3Fsource%3Dsessions%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fmyignite.techcommunity.microsoft.com%2Fsessions%2F81495%3Fsource%3Dsessions%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThat's%20all%20I%20know%20about%20at%20present.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1523146%22%20slang%3D%22en-US%22%3ERe%3A%20Do%20we%20need%20a%20new%20way%20to%20manage%20guest%20access%20in%20Teams%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1523146%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F214649%22%20target%3D%22_blank%22%3E%40Andrew%20Hodges%3C%2FA%3E%26nbsp%3B%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20going%20through%20this%20now%2C%20and%20it%20looks%20promising%20for%20the%20external%20file%20sharing%2C%20I%20just%20did%20something%20similar%20with%20forced%20encryption%20to%20external%20parties%20and%20limiting%20the%20life%20of%20those%20messages%20to%2030%20days%2C%20but%20the%20needed%20P2%20license%20would%20come%20into%20question.%26nbsp%3B%20Normally%20for%20actions%20such%20as%20this%2C%20(any%20security%20related%20Azure%20Policy)%2C%20you%20cannot%20just%20get%20away%20with%20purchasing%20just%201%20or%202%20-%20P1%2FP2%20license%2C%20for%20any%20security%20needs%2C%20you%20have%20to%20license%20the%20entire%20tenant%2C%20or%20you%20are%20out%20of%20compliance%20with%20Microsoft%20depending%20on%20what%20you%20are%20doing.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CFONT%20color%3D%22%23FF0000%22%3E%3CEM%3E%3CSTRONG%3ENote%3A%3C%2FSTRONG%3E%20Found%20this%20out%20while%20getting%20my%20Secure%20Score%20up!!%3C%2FEM%3E%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFor%20large%20tenants%20such%20as%20mine%20this%20could%20be%20very%20costly%2C%20even%20as%20we%20are%20planning%20our%20full%20Azure%20subscription%20rollout%20in%20our%20prod%20tenant.%26nbsp%3B%20I%20will%20test%20this%20out%20in%20our%20Dev%2FTest%20tenant%20to%20see%20if%20I%20can%20justify%20the%20potential%20cost.%26nbsp%3B%20If%20seems%20to%20help%20the%20issue%2C%20but%20seems%20puts%20to%20'%3CEM%3Eowness%3C%2FEM%3E'%20on%20the%20user%2C%20(Group%20Owners%2FManagers)%2C%20to%20police%20behind%20themselves%20honestly%2C%20(%26nbsp%3B%3CIMG%20class%3D%22lia-deferred-image%20lia-image-emoji%22%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Fhtml%2Fimages%2Femoticons%2Fxd_40x40.gif%22%20alt%3D%22%3Axd%3A%22%20title%3D%22%3Axd%3A%22%20%2F%3E%20).%26nbsp%3B%20%26nbsp%3B%20But%20if%20this%20works%20as%20shown%2C%20it%20is%20a%20really%20good%20step%20forward.%26nbsp%3B%20Thanks%20for%20providing.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Super Contributor

We just started looking into managing guest access and it seems complex.  Teams and SPO groups get created with guest access enabled by default.  We were hoping for a way to change this default, but it doesn't appear to exist.  There are a few posts out there with info on how to manually manage this, but everything we found requires either constantly running scripts to check and modify guest access, or apps to create the Teams.  We are hoping for some OOTB ways to change the default access settings to org only when these groups are created.

 

Is anyone aware of anything on the roadmap?

6 Replies
Highlighted

Hi @David Phillips ,

 

Teams and SharePoint guest access are separate so you can definitely ensure that SharePoint sites are created without guest access allowed, assuming some sites in your tenant need guest access on, then you would need to configure the domain whitelist, to restrict any guest sharing in SharePoint on creation of any new Team. This is done in the SharePoint Admin centre. 

 

How this works is the site collection will get created with guest access on but as there are no whitelisted domains in the site collection yet, so no guests can be added.

 

As for Teams I have not had to do that so maybe someone else can point you in that direction. 

 

Andy Hodges | ThinkShare | www.thinkshare.uk

Highlighted

Understood that they are separate access, however as you know, when you create a Team, a SharePoint site also gets created.  Right now there is no way to centrally manage guest access to both - SP can be set in the console, Teams needs powershell.  Also, whitelisting doesn't really apply in every scenario.  Some may need more granular control at a per-Team level.

 

@ThereseSolimeno This doesn't really answer the question.  There doesn't appear to be a way to set org only access by default in either SharePoint or Teams.  My question was if anyone is aware of something on the roadmap to change this.  EDITED - I have unmarked it as the best response. (TS)

Highlighted

@Andrew Hodges   One of the issues that I have run into with this, is the inability to properly manage Guest without running a bunch of posh commands to check to see if we have stale users.  Once a guest accepts the terms of access, they can be added to SP sites, Groups, Teams, etc. with the only oversite being the user, unless you can run the PowerShell reports and then using those reports to cross check the audit to see if there has been any activity, in most cases the 90 day limit comes into play here, where as my users are audited for 180 days.  I then need to use PowerShell to remove any Guest that has had no activity in 90 days, but again PowerShell.  There are no reports in the GUI for this and no centralized management of this. This part I think is what @David Phillips  is referring to, (At least I hope it is..lol).  It would be good to truly have some centralized management for Guest users in O365.  Right now I have to take too many steps to check, and in a large environment's, this takes time.

Highlighted

@kerry6a1 @David Phillips   You've thought this out very well - have you check our Uservoice feedback forum to see if this suggestion has been made to the development team?  If so, you can vote on the item and you'll get notified of developments.  If not, you can create a new request and others will vote on it/them.

Highlighted
Best Response confirmed by ThereseSolimeno (Microsoft)
Solution

Hi @kerry6a1 ;

 

Have a look at this - https://docs.microsoft.com/en-us/azure/active-directory/governance/manage-guest-access-with-access-r...  . Youi need extra  licenses for Azure AD.

 

There is some soon to be released functionality.  Called Expiring External Access feature for a site. The documentation for this was released ahead of the functionality and has been pulled by Microsoft but you can see the functionality in action here - 

 

https://myignite.techcommunity.microsoft.com/sessions/81495?source=sessions

 

That's all I know about at present. 

 

 

 

Highlighted

Thanks @Andrew Hodges ,

 

I am going through this now, and it looks promising for the external file sharing, I just did something similar with forced encryption to external parties and limiting the life of those messages to 30 days, but the needed P2 license would come into question.  Normally for actions such as this, (any security related Azure Policy), you cannot just get away with purchasing just 1 or 2 - P1/P2 license, for any security needs, you have to license the entire tenant, or you are out of compliance with Microsoft depending on what you are doing.

 

Note: Found this out while getting my Secure Score up!!

 

For large tenants such as mine this could be very costly, even as we are planning our full Azure subscription rollout in our prod tenant.  I will test this out in our Dev/Test tenant to see if I can justify the potential cost.  If seems to help the issue, but seems puts to 'owness' on the user, (Group Owners/Managers), to police behind themselves honestly, ( :xd: ).    But if this works as shown, it is a really good step forward.  Thanks for providing.