SOLVED

Guest user permissions control for Teams

%3CLINGO-SUB%20id%3D%22lingo-sub-1364119%22%20slang%3D%22en-US%22%3EGuest%20user%20permissions%20control%20for%20Teams%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1364119%22%20slang%3D%22en-US%22%3E%3CP%3EI'm%20looking%20for%20assistance%20to%20find%20out%20our%20options%20to%20allow%20guest%20access%20to%20Microsoft%20Teams%20sites%20in%20our%20Office%20365%20tenant.%20I%20was%20hoping%20there%20were%20more%20granular%20controls%20to%20protect%20sensitive%20information%20with%20the%20Teams%20site.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhen%20you%20invite%20a%20guest%20user%20into%20your%20Teams%20site%20they%20become%20a%20member%20of%20the%20Office%20365%20group.%20The%20guest%20user%20basically%20has%20all%20the%20same%20permissions%20as%20the%20internal%20employees.%20This%20gives%20them%20access%20to%20all%20the%20chats%2C%20public%20channels%2C%20and%20member%20permissions%20to%20the%20Teams%20Sharepoint%20document%20library.%20Is%20there%20good%20way%20to%20control%20the%20Teams%20Sharepoint%20document%20library%20permissions%20so%20the%20guest%20user%20doesn't%20not%20have%20access%20to%20all%20of%20the%20Teams%20Sharepoint%20document%20library%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETo%20protect%20the%20Sharepoint%20document%20library%2C%20it%20looks%20like%20our%20options%20are%20to%20break%20the%20Teams%20Sharepoint%20permissions%20by%20disabling%20inheritance%20and%20managing%20Sharepoint%20permissions%20manually.%20This%20seems%20messy%20and%20would%20be%20a%20burden%20to%20manage%20for%20all%20the%20Teams%20sites%20we%20are%20managing.%20The%20other%20option%20would%20be%20to%20create%20separate%20private%20Teams%20sites%20for%20external%20clients%2Fusers%20and%20then%20specify%20which%20domains%20are%20allowed%20in%20the%20Teams%20admin%20center.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20there%20a%20better%20way%20to%20manage%20Teams%20guest%20access%3F%20What%20am%20I%20missing%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1364119%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EGuest%20Access%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMicrosoft%20Teams%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1364215%22%20slang%3D%22en-US%22%3ERe%3A%20Guest%20user%20permissions%20control%20for%20Teams%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1364215%22%20slang%3D%22en-US%22%3ESome%20recommendations%3CBR%20%2F%3E%3CBR%20%2F%3E-%20Use%20Private%20Channels%3A%20only%20people%20you%20specify%20have%20access%20to%20private%20channels%3CBR%20%2F%3E-%20Use%20Sensitivity%20Labels%3A%20set%20labels%20on%20specific%20Teams%20so%20that%20guests%20don't%20have%20access%20to%20them%3CBR%20%2F%3E-%20Use%20Azure%20Information%20Protection%20%2F%20Labels%20on%20documents%20to%20ensure%20that%20only%20specific%20people%20can%20access%20specific%20documents%3CBR%20%2F%3E-%20Build%20separate%20SharePoint%20sites%20where%20only%20specific%20people%20have%20permissions%20and%20add%20them%20to%20Teams%20as%20Tabs%3CBR%20%2F%3E%3CBR%20%2F%3EThere%20are%20quite%20a%20few%20methods%20as%20opposed%20to%20having%20to%20break%20the%20underlying%20sharepoint%20permissions%3A%20that's%20a%20headache%20from%20a%20management%20perspective%3CBR%20%2F%3E%3CBR%20%2F%3EHope%20that%20answers%20your%20question!%3CBR%20%2F%3E%3CBR%20%2F%3EBest%2C%20Chris%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1364265%22%20slang%3D%22en-US%22%3ERe%3A%20Guest%20user%20permissions%20control%20for%20Teams%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1364265%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F169605%22%20target%3D%22_blank%22%3E%40Christopher%20Hoard%3C%2FA%3E%26nbsp%3BI%20don't%20see%20the%20ability%20to%20convert%20a%20standard%20channel%20to%20a%20private%20channel.%20Is%20there%20a%20option%20to%20do%20this%20in%20powershell%3F%20Or%20does%20Microsoft%20have%20this%20on%20there%20roadmap%20to%20have%20that%20ability%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20will%20have%20to%20investigate%20sensitivity%20labels.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAdding%20Azure%20Information%20Protection%20labels%20on%20documents%20in%20the%20Sharepoint%20library%20seems%20like%20a%20daunting%20task.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1364397%22%20slang%3D%22en-US%22%3ERe%3A%20Guest%20user%20permissions%20control%20for%20Teams%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1364397%22%20slang%3D%22en-US%22%3EYou%20can't%20convert%20standard%20to%20private%20or%20vice-versa.%20You%20will%20need%20to%20create%20them%20from%20scratch.%20%3CBR%20%2F%3E%3CBR%20%2F%3ESensitivity%20labels%20is%20here%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2FMicrosoftTeams%2Fsensitivity-labels%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2FMicrosoftTeams%2Fsensitivity-labels%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EClassification%20of%20documents%20is%20here%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fenterprise%2Finfoprotect-configure-classification%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fenterprise%2Finfoprotect-configure-classification%3Fview%3Do365-worldwide%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EHope%20that%20answers%20your%20question%3CBR%20%2F%3E%3CBR%20%2F%3EBest%2C%20Chris%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1364439%22%20slang%3D%22en-US%22%3ERe%3A%20Guest%20user%20permissions%20control%20for%20Teams%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1364439%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F169605%22%20target%3D%22_blank%22%3E%40Christopher%20Hoard%3C%2FA%3E%26nbsp%3BChris%2C%20in%20regards%20to%20building%20a%20separate%20Sharepoint%20site%20with%20specific%20permissions%2C%20then%20adding%20that%20Sharepoint%20site%20as%20a%20tab%20in%20Teams.%20Does%20guest%20access%20need%20to%20be%20turned%20on%20in%20the%20Teams%20Admin%20center%20for%20the%20guest%20to%20access%20that%20tab%20in%20Teams%3F%26nbsp%3B%20In%20other%20words%2C%20with%20external%20access%20only%20turned%20on%2C%20will%20a%20guest%20be%20able%20to%20access%20that%20tab%20in%20Teams%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1364480%22%20slang%3D%22en-US%22%3ERe%3A%20Guest%20user%20permissions%20control%20for%20Teams%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1364480%22%20slang%3D%22en-US%22%3EYes%2C%20because%20guest%20access%20is%20needed%20to%20add%20the%20guest%20to%20the%20Team%20itself%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1364500%22%20slang%3D%22en-US%22%3ERe%3A%20Guest%20user%20permissions%20control%20for%20Teams%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1364500%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F169605%22%20target%3D%22_blank%22%3E%40Christopher%20Hoard%3C%2FA%3E%26nbsp%3BThank%20you%20for%20all%20your%20help%20with%20answering%20my%20questions%20so%20far.%20For%20us%20at%20this%20time%2C%20it%20seems%20to%20make%20the%20most%20sense%20to%20just%20invite%20the%20guest%20separately%20in%20the%20Sharepoint%20site.%20We%20can%20leave%20Teams%20Org%20Wide%20external%20access%20on%20so%20that%20the%20client%2Fexternal%20user%20can%26nbsp%3Bstill%20be%20invited%20to%20the%20Team%20to%20be%20able%20to%20chat%2Fcall%20and%26nbsp%3B%40%20mention%20the%20external%20user%20when%20chatting%20in%20Teams%2C%20correct%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1365805%22%20slang%3D%22en-US%22%3ERe%3A%20Guest%20user%20permissions%20control%20for%20Teams%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1365805%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F626803%22%20target%3D%22_blank%22%3E%40MagicMarker%3C%2FA%3E%26nbsp%3Bin%20addition%20on%20the%20good%20options%20from%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F169605%22%20target%3D%22_blank%22%3E%40Christopher%20Hoard%3C%2FA%3E%20you%20can%20also%20take%20a%20look%20at%20Conditional%20access%20(Depends%20if%20it%20is%20included%20in%20your%20license).%20It%20will%20block%20access%20to%20sharepoint%20completely%2C%20so%20the%20%E2%80%9CFiles%E2%80%9D%20tab%20in%20teams%20will%20not%20work.%20Not%20sure%20if%20this%20is%20an%20option%20as%20adding%20a%20guest%20to%20a%20team%20is%20because%20of%20the%20collaboration%20%3B)%3C%2Fimg%3E%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EWith%20this%20you%20can%20exclude%20machines%20from%20SharePoint%20when%20they%20are%20not%20domain%20joined%20and%2For%20managed%20by%20the%20tenant%20(Intune).%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EReference%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsharepoint%2Fcontrol-access-from-unmanaged-devices%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsharepoint%2Fcontrol-access-from-unmanaged-devices%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1369000%22%20slang%3D%22en-US%22%3ERe%3A%20Guest%20user%20permissions%20control%20for%20Teams%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1369000%22%20slang%3D%22en-US%22%3EYes%2C%20this%20is%20possible.%20I%20have%20seen%20many%20cases%20that%20all%20the%20org%20wants%20to%20do%20is%20share%20files%20with%20the%20organisation%20rather%20than%20all%20the%20resources%20of%20and%20in%20the%20Team.%20And%20as%20Mitchell%20suggests%20you%20could%20also%20look%20to%20use%20CA%20if%20you%20want%20to%20go%20down%20that%20route%3CBR%20%2F%3E%3CBR%20%2F%3ESo%20I%20hope%20we%20got%20there%3CBR%20%2F%3E%3CBR%20%2F%3EBest%2C%20Chris%3C%2FLINGO-BODY%3E
Highlighted
Occasional Contributor

I'm looking for assistance to find out our options to allow guest access to Microsoft Teams sites in our Office 365 tenant. I was hoping there were more granular controls to protect sensitive information with the Teams site. 

 

When you invite a guest user into your Teams site they become a member of the Office 365 group. The guest user basically has all the same permissions as the internal employees. This gives them access to all the chats, public channels, and member permissions to the Teams Sharepoint document library. Is there good way to control the Teams Sharepoint document library permissions so the guest user doesn't not have access to all of the Teams Sharepoint document library?

 

To protect the Sharepoint document library, it looks like our options are to break the Teams Sharepoint permissions by disabling inheritance and managing Sharepoint permissions manually. This seems messy and would be a burden to manage for all the Teams sites we are managing. The other option would be to create separate private Teams sites for external clients/users and then specify which domains are allowed in the Teams admin center. 

 

Is there a better way to manage Teams guest access? What am I missing? 

8 Replies
Highlighted
Best Response confirmed by MagicMarker (Occasional Contributor)
Solution
Some recommendations

- Use Private Channels: only people you specify have access to private channels
- Use Sensitivity Labels: set labels on specific Teams so that guests don't have access to them
- Use Azure Information Protection / Labels on documents to ensure that only specific people can access specific documents
- Build separate SharePoint sites where only specific people have permissions and add them to Teams as Tabs

There are quite a few methods as opposed to having to break the underlying sharepoint permissions: that's a headache from a management perspective

Hope that answers your question!

Best, Chris
Highlighted

@Christopher Hoard I don't see the ability to convert a standard channel to a private channel. Is there a option to do this in powershell? Or does Microsoft have this on there roadmap to have that ability?

 

I will have to investigate sensitivity labels.

 

Adding Azure Information Protection labels on documents in the Sharepoint library seems like a daunting task.

Highlighted
You can't convert standard to private or vice-versa. You will need to create them from scratch.

Sensitivity labels is here

https://docs.microsoft.com/en-us/MicrosoftTeams/sensitivity-labels

Classification of documents is here

https://docs.microsoft.com/en-us/microsoft-365/enterprise/infoprotect-configure-classification?view=...

Hope that answers your question

Best, Chris
Highlighted

@Christopher Hoard Chris, in regards to building a separate Sharepoint site with specific permissions, then adding that Sharepoint site as a tab in Teams. Does guest access need to be turned on in the Teams Admin center for the guest to access that tab in Teams?  In other words, with external access only turned on, will a guest be able to access that tab in Teams?

Highlighted
Yes, because guest access is needed to add the guest to the Team itself
Highlighted

@Christopher Hoard Thank you for all your help with answering my questions so far. For us at this time, it seems to make the most sense to just invite the guest separately in the Sharepoint site. We can leave Teams Org Wide external access on so that the client/external user can still be invited to the Team to be able to chat/call and @ mention the external user when chatting in Teams, correct? 

Highlighted

@MagicMarker in addition on the good options from @Christopher Hoard you can also take a look at Conditional access (Depends if it is included in your license). It will block access to sharepoint completely, so the “Files” tab in teams will not work. Not sure if this is an option as adding a guest to a team is because of the collaboration ;) 

With this you can exclude machines from SharePoint when they are not domain joined and/or managed by the tenant (Intune).

Reference: https://docs.microsoft.com/en-us/sharepoint/control-access-from-unmanaged-devices

Highlighted
Yes, this is possible. I have seen many cases that all the org wants to do is share files with the organisation rather than all the resources of and in the Team. And as Mitchell suggests you could also look to use CA if you want to go down that route

So I hope we got there

Best, Chris