SOLVED

Need some help to understand how guest access works in Microsoft Teams


We have disabled external access for Office 365 groups (O365 Central Admin > Settings > Services & add-ins > Office 365 Groups > Let group members outside the organization access group content), but users are still able to add guests. The Team site doesn't work, but the user can request access and after approval, everything works. The guest setting for Teams has been enabled (O365 Central Admin > Settings > Services & add-ins > Microsoft Teams > Settings by user/license type > Select the user/license type you want to configure > Guest > Turn Microsoft Teams on or off for all users of this type).
 
It looks like the owner can only add guests that have already been added to AAD. Trying to add a new guest doesn't work:
 
guest1.png
 
I'm trying to reproduce this in my test environment, but I'm getting a different experience. I'm using the same settings, but I'm able to add any email address I want as a guest:
 
guest2.PNG
 
The following diagram has been taken from this page (https://docs.microsoft.com/en-us/microsoftteams/teams-dependencies). My understanding after looking at this diagram is that when O365 guest access is disabled, then adding guests in Teams won't work, but as soon as I turn on guest access for Teams in my test tenant, I'm able to add guests.
 
guest3.png
 
Also, I don't get why I am getting different experiences. Is there a setting that I'm not aware of, like the one for OneDrive and SharePoint where you can allow existing or existing + new guests? Having a separate guest access setting for Microsoft Teams only makes sense to me if you want to disable that, while keeping external access enabled for O365 groups and other applications. I'm lost here, can someone help me understand how this works?
 
 
3 Replies

Adding the Guest user to the directory and adding him to a specific workload are different things, thus the different settings. If the user is already present in the directory, the Group/Team level settings will apply, but those can be "overwritten" by adding access to the guest user by approving an access request, for example.

 

There are also different settings applied to Admins and regular users; those are controlled on the Azure AD level. But admins can override the Owner/Member restrictions for adding Group members, which might explain what you are seeing in the test tenant.

 

At least that's how I make sense of it. @Tony Redmond has played a lot more than me with Guest access, so let's see what he will say about it.

 

Best Response confirmed by Pooya Obbohat (Regular Contributor)
Solution

Vasil is right - Admins can always add guest users. The assumption is that admins know what they are doing.

 

Teams uses Azure B2B collaboration to manage its guest access. That means that Azure AD has to allow guests, and because Teams is based on Office 365 Groups, Groups has to allow guests too (including the settings in the AAD policy for Groups). And then Teams gets to vote. Think of it as a flow:

 

1. Does AAD allow guests? Yes - then apps can go ahead and invite guests.

2. Do Office 365 Groups allow guests? Yes - then apps based on Office 365 Groups (like Teams) can invite guests.

3. Does the AAD policy for Groups restrict the ability of team owners to add guests? If yes, then only admins can add guests.

4. Does Teams give licenses to guests? If yes, then team owners can invite guests.

 

You don't have to do anything separate with SharePoint and OneDrive. The Office 365 Groups membership model used by Teams means that a guest automatically gains access to the SharePoint team site provisioned for the team. And if a tenant user who is a team member shares a file with a guest in a personal chat, the file is shared in OneDrive and available to the guest.

 

All of these controls come together to decide whether a team owner is allowed to add guests to the membership of their team. I've written about this a lot on Petri.com (like https://www.petri.com/external-access-microsoft-teams). See if this makes sense and maybe some of those articles might help too.
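The four layers Tony lists above can each be read back from the tenant, which is the quickest way to explain a "works in one tenant, not in the other" result like the one in the question. The script below is an added example and is not from this thread or from any of the Microsoft modules' documentation; it assumes the AzureAD (v2) and MicrosoftTeams PowerShell modules are installed and that you have already run Connect-AzureAD and Connect-MicrosoftTeams with an admin account.

```powershell
# Added example: audit the layered guest-access controls that decide whether a
# team owner can add a guest. Assumes an existing Connect-AzureAD and
# Connect-MicrosoftTeams session with admin rights (not part of the thread).

# Layer 1: Azure AD external collaboration policy (who may send B2B invitations).
$authz = Get-AzureADMSAuthorizationPolicy
"1. Azure AD AllowInvitesFrom         : $($authz.AllowInvitesFrom)"

# Layers 2 and 3: the Office 365 Groups directory setting (Group.Unified template).
# If the object has never been created, the template defaults apply.
$groupSetting = Get-AzureADDirectorySetting |
    Where-Object { $_.DisplayName -eq 'Group.Unified' }

if ($null -eq $groupSetting) {
    "2./3. Group.Unified setting not created yet: template defaults apply"
} else {
    # AllowGuestsToAccessGroups: can guests access group content at all (layer 2)
    # AllowToAddGuests: can owners add guests, or only admins (layer 3)
    "2. Groups AllowGuestsToAccessGroups  : $($groupSetting['AllowGuestsToAccessGroups'])"
    "3. Groups AllowToAddGuests           : $($groupSetting['AllowToAddGuests'])"
}

# Layer 4: the Teams client configuration switch for guest users.
$teamsCfg = Get-CsTeamsClientConfiguration -Identity Global
"4. Teams AllowGuestUser              : $($teamsCfg.AllowGuestUser)"

# Per-team overrides also exist (Group.Unified.Guest on a single group); pass a
# group object id to see whether one team has been restricted on its own.
# Get-AzureADObjectSetting -TargetType Groups -TargetObjectId <group-object-id>
```

Reading the output top to bottom follows Tony's flow: a "none" at layer 1 or a False at layer 2 stops guest invitations for every app, a False at layer 3 leaves only admins able to add guests (which is what Vasil describes seeing in the test tenant when an admin does the adding), and layer 4 is the Teams-only switch the question asks about.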

 

 

Great thread and terrific response, Tony.