SOLVED

Possible to isolate guest users to a single team and stop users sharing other resources with them?

Copper Contributor

We have previously allowed external users to be invited as guests to teams but have found that once the user is a guest in our office365 tenant internal users can invite them to whatever they want, other teams, sharepoint files/folders etc. Due to this when we reviewed guest access we found many inappropriate guest shares (especially to entire sharepoint folders) because internal users have not considered the implication when sharing externally. So we now have a tenant that does not allow any external guest access.

Id love your help to understand if the following requirements are possible in some way:

  • The ability for a team to be setup and via administrators external guest users to be added
  • Guest users to be able to access all channels in the team
  • Guest users to be able to have full access all files within the team
  • Guest users to be able to use as many of the standard teams features as possible within the team they are invited too so nice to haves would be planner boards etc
  • No one other than administrators within the organisation being able to share other office365 resources with external guest users, e.g. no one can share a sharepoint file/folder outside of the specific team guests have been invited to

At the moment we are considering a separate tenant to achieve this external collaboration but even this has issues if we want to use it to collaborate with more than one external organisation if users can accidently share one companies data with another.

3 Replies

Hi @briannorman,

The simplest solution to isolate guest users to a single team and stop users sharing other resources with them is to:

  1. Create a new team in Teams and call it "Guest Users".
  2. Set the team permissions so that guest users have full access to all channels and files in the team.
  3. Invite guest users to the team.

Once you have done this, guest users will only be able to access the "Guest Users" team and the resources within that team. Other users in your organization will not be able to share other resources with guest users.



Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.


If the post was useful in other ways, please consider giving it Like.


Kindest regards,


Leon Pavesic
(LinkedIn)

@LeonPavesic thanks for the quick response, this is kind of what we were doing before but it had the following challenges:

 

  • any owners of the guest team can invite new external users to that team, we would like to allow owners to be able to invite internal users but need administrators to invite new guest users
  • once the guest user is created in the active directory internal users were able to invite them to access any sharepoint / onedrive files they liked, we want to ensure the only files the guests have access to are those in the team they were added to

Are there things we can do to solve the above?

best response confirmed by briannorman (Copper Contributor)
Solution

Hi @briannorman,

to address the challenges you mentioned, you can do the following:

  • To prevent owners of the guest team from inviting new external users, you can modify the team permissions to remove the "Add members" permission from the Owner role. You can then grant the "Add members" permission to a specific group of administrators who are responsible for managing guest users.
  • To prevent internal users from inviting guest users to access SharePoint or OneDrive files, you can disable guest sharing for SharePoint and OneDrive. You can do this by going to the SharePoint admin center or OneDrive admin center, respectively, and clicking Sharing. Under Guest sharing, select Disable guest sharing.

Allowing owners to invite internal users to the guest team

To allow owners to invite internal users to the guest team, you can add the "Add members" permission to the Owner role for the guest team. You can do this by going to the Teams admin center, clicking Teams, and then clicking the name of the guest team. Under Permissions, click Manage roles. Select the Owner role and then click Edit. Under Permissions, select the Add members checkbox and then click Save.

Ensuring that guest users only have access to files in the team they were added to

To ensure that guest users only have access to files in the team they were added to, you can disable guest sharing for SharePoint and OneDrive. You can also use SharePoint security groups to control access to SharePoint files and folders. For example, you can create a security group for guest users and then grant that group access to the files and folders in the guest team.


Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.


If the post was useful in other ways, please consider giving it Like.


Kindest regards,


Leon Pavesic
(LinkedIn)

1 best response

Accepted Solutions
best response confirmed by briannorman (Copper Contributor)
Solution

Hi @briannorman,

to address the challenges you mentioned, you can do the following:

  • To prevent owners of the guest team from inviting new external users, you can modify the team permissions to remove the "Add members" permission from the Owner role. You can then grant the "Add members" permission to a specific group of administrators who are responsible for managing guest users.
  • To prevent internal users from inviting guest users to access SharePoint or OneDrive files, you can disable guest sharing for SharePoint and OneDrive. You can do this by going to the SharePoint admin center or OneDrive admin center, respectively, and clicking Sharing. Under Guest sharing, select Disable guest sharing.

Allowing owners to invite internal users to the guest team

To allow owners to invite internal users to the guest team, you can add the "Add members" permission to the Owner role for the guest team. You can do this by going to the Teams admin center, clicking Teams, and then clicking the name of the guest team. Under Permissions, click Manage roles. Select the Owner role and then click Edit. Under Permissions, select the Add members checkbox and then click Save.

Ensuring that guest users only have access to files in the team they were added to

To ensure that guest users only have access to files in the team they were added to, you can disable guest sharing for SharePoint and OneDrive. You can also use SharePoint security groups to control access to SharePoint files and folders. For example, you can create a security group for guest users and then grant that group access to the files and folders in the guest team.


Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.


If the post was useful in other ways, please consider giving it Like.


Kindest regards,


Leon Pavesic
(LinkedIn)

View solution in original post