
Teams enabled for guests at tenant level but groups disabled. Should it be blocked?

Paul Culmsee
MVP

Hi

 

Been reading various bits of documentation (nicely summed up here) in relation to governing guest access. I am trying different combinations of access in my tenant and seeing behavior that doesn't seem right. E.g. I enabled guest in Services and add-ins -> Teams but in groups I disabled it via PowerShell...

 

PS C:\WINDOWS\system32> (Get-AzureADDirectorySetting -Id $settingsObjectID).Values

[snip]

AllowGuestsToAccessGroups False

 

I also confirm this in Services and add-ins -> Groups where "Let group members outside the organization access group content" is set to off.

 

Yet I can add a guest to a team, an account gets added to B2B (which makes sense) but I would expect the group setting to trump the team setting... At least the documentation infers this...

 

Or am I wrong about this? The documentation here is not so clear...

 

Paul

 

 

 

4 Replies
I should also note that if I turn on guest groups policy on a per team basis via PowerShell, this does indeed work as advertised...
Solution

The Groups policy (which you disabled in PowerShell) blocks any addition of a guest user to any group (including those created by Teams) except when administrator accounts are used. Did you test with a normal user account or an administrator account?

Ah, thanks Tony... I must have missed the fine print and indeed I did test this, logged in as an administrator. Thx for clarifying...

 

Paul

Yeah, this small but important point is easy to miss when you're rushing to test something...
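
Because administrator accounts are exempt from the Groups policy, a tenant can hold guest members even while the setting reads False. The following audit is an added example, not code from anyone in this thread: it prints the tenant-level guest values and lists every Office 365 group that currently contains guests. It assumes the AzureADPreview module and an existing Connect-AzureAD session; `Get-GuestPolicyValue` is a hypothetical helper, and the `AllowToAddGuests` value and `Group.Unified` settings name come from the module's settings templates rather than from the posts above.

```powershell
# Added example: audit guest membership against the Groups guest settings.
# Assumes AzureADPreview is loaded and Connect-AzureAD has already been run.

function Get-GuestPolicyValue {
    # Hypothetical helper: return one named value from zero or more
    # directory-setting objects; $null when the setting or value is absent.
    param($Setting, [string]$Name)
    if (-not $Setting) { return $null }
    ($Setting.Values | Where-Object Name -eq $Name | Select-Object -First 1).Value
}

# Tenant-wide settings object (the one queried in the question).
$tenant = Get-AzureADDirectorySetting | Where-Object DisplayName -eq 'Group.Unified'
$tenantAccess = Get-GuestPolicyValue $tenant 'AllowGuestsToAccessGroups'
$tenantAdd    = Get-GuestPolicyValue $tenant 'AllowToAddGuests'
"Tenant: AllowGuestsToAccessGroups=$tenantAccess AllowToAddGuests=$tenantAdd"

# All Office 365 groups, including the ones that back Teams.
$groups = Get-AzureADMSGroup -All $true -Filter "groupTypes/any(c:c eq 'Unified')"

$report = foreach ($g in $groups) {
    $guests = @(Get-AzureADGroupMember -ObjectId $g.Id -All $true |
        Where-Object UserType -eq 'Guest')
    if ($guests.Count -eq 0) { continue }

    # Per-group setting, if one was applied to this group via PowerShell.
    $perGroup = Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $g.Id
    $groupAdd = Get-GuestPolicyValue $perGroup 'AllowToAddGuests'

    [pscustomobject]@{
        Group            = $g.DisplayName
        GuestCount       = $guests.Count
        Guests           = ($guests.UserPrincipalName -join '; ')
        GroupAllowToAdd  = if ($null -ne $groupAdd) { $groupAdd } else { '(not set)' }
        TenantAllowToAdd = if ($null -ne $tenantAdd) { $tenantAdd } else { '(not set)' }
        # Guests present while a tenant value is False: added by an exempt
        # administrator account or before the policy changed. Review these.
        Review           = ($tenantAdd -eq 'False' -or $tenantAccess -eq 'False')
    }
}

$report | Sort-Object GuestCount -Descending | Format-Table -AutoSize -Wrap
```

Setting values come back as strings, so the comparison is against `'False'` rather than `$false`.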
