May 06 2020 08:11 AM
I'm looking for assistance to find out our options to allow guest access to Microsoft Teams sites in our Office 365 tenant. I was hoping there were more granular controls to protect sensitive information with the Teams site.
When you invite a guest user into your Teams site they become a member of the Office 365 group. The guest user basically has all the same permissions as the internal employees. This gives them access to all the chats, public channels, and member permissions to the Teams SharePoint document library. Is there a good way to control the Teams SharePoint document library permissions so the guest user doesn't have access to all of the Teams SharePoint document library?
To protect the SharePoint document library, it looks like our options are to break the Teams SharePoint permissions by disabling inheritance and managing SharePoint permissions manually. This seems messy and would be a burden to manage for all the Teams sites we are managing. The other option would be to create separate private Teams sites for external clients/users and then specify which domains are allowed in the Teams admin center.
Is there a better way to manage Teams guest access? What am I missing?
May 06 2020 08:32 AM
Solution
May 06 2020 08:39 AM
@Christopher Hoard I don't see the ability to convert a standard channel to a private channel. Is there an option to do this in PowerShell? Or does Microsoft have this on their roadmap to have that ability?
I will have to investigate sensitivity labels.
Adding Azure Information Protection labels on documents in the SharePoint library seems like a daunting task.
May 06 2020 09:10 AM
May 06 2020 09:23 AM
@Christopher Hoard Chris, in regards to building a separate SharePoint site with specific permissions, then adding that SharePoint site as a tab in Teams, does guest access need to be turned on in the Teams Admin center for the guest to access that tab in Teams? In other words, with external access only turned on, will a guest be able to access that tab in Teams?
May 06 2020 09:34 AM
May 06 2020 09:42 AM
@Christopher Hoard Thank you for all your help with answering my questions so far. For us at this time, it seems to make the most sense to just invite the guest separately in the SharePoint site. We can leave Teams Org Wide external access on so that the client/external user can still be invited to the Team to be able to chat/call and @ mention the external user when chatting in Teams, correct?
May 06 2020 05:14 PM - edited May 06 2020 05:18 PM
@MagicMarker in addition to the good options from @Christopher Hoard you can also take a look at Conditional Access (depends on whether it is included in your license). It will block access to SharePoint completely, so the “Files” tab in Teams will not work. Not sure if this is an option as adding a guest to a team is because of the collaboration ;)
With this you can exclude machines from SharePoint when they are not domain joined and/or managed by the tenant (Intune).
Reference: https://docs.microsoft.com/en-us/sharepoint/control-access-from-unmanaged-devices
May 07 2020 01:53 AM