Guest access in Microsoft Teams
With guest access, you can provide access to teams, documents in channels, resources, chats, and applications to people outside your organization, while maintaining control over your corporate data. Anyone with a business or consumer email account, such as Outlook, Gmail, or others, can participate as a guest in Teams.
When you invite a guest to Teams, a guest account is created for them in Azure Active Directory and they are covered by the same compliance and auditing protection as other Microsoft 365 users. Guest access is subject to Azure AD and Microsoft 365 service limits.
If you just want to find, call, chat, and set up meetings with people in other Microsoft 365 organizations, use external access.
As an admin, you can add a new guest to the organization in a couple of ways:
Global admins or Teams admins and team owners add a guest to a team in the Teams clients or in the Teams admin center. To learn more, read Add guests to a team. If you haven't set up guest access yet, go through the steps in the Collaborate with guests in a team.
Add guests to your organization through Azure Active Directory (Azure AD) B2B collaboration. For details, check out Quickstart: Add guests to your directory in the Azure portal.
Admins can also delegate permissions to add guests to others in their organization by assigning the Guest Inviter role. For more information, see Enable B2B external collaboration and manage who can invite guests.
With Azure AD B2B collaboration, organizations can enforce conditional access and multi-factor authentication (MFA) policies for B2B users. These policies can be enforced at the tenant, app, or individual user level, the same way that they are enabled for full-time employees and members of the organization. Such policies are enforced at the resource organization. For more information, see Conditional access for B2B collaboration users. Individual guests can't be blocked.
Guests you have already added via Azure AD B2B, Microsoft 365 Groups, or SharePoint are ready to go. The Microsoft 365 admin or a team owner can add those guests to their respective teams. If you add a guest directly to the Microsoft 365 group associated with a team, the guest will get access to the team but the Microsoft 365 group doesn't generate an invitation email to the guest, so someone on the team should notify the guest.
Guests follow Teams Org-wide settings for the coexistence Upgrade mode. This can't be changed.
Shared channels offer an alternative to guest access, allowing you to invite people outside your organization without requiring a guest account in Azure AD. To compare guest access with shared channels, see Plan external collaboration.
Set up guest access
Guest access in Teams is an organization-wide setting and is turned on by default. You can control guest access to individual teams by using sensitivity labels.
Guest access in Teams requires configuring other settings in Microsoft 365, including settings in Azure AD, Microsoft 365 Groups, and SharePoint. If you're ready to start inviting guests to teams, read one of the following:
- To configure guest access for Teams for general use, see Collaborate with guests in a team.
- To collaborate with a partner organization that uses Azure Active Directory and allow guests to self-enroll for team access, see Create a B2B extranet with managed guests.
See Set up secure collaboration with Microsoft 365 and Microsoft Teams for overall information about secure collaboration using Teams.
Guest invitation process from Teams
- A team owner or a Microsoft 365 admin adds a guest to a team.
- The guest receives a welcome email from the team owner, with information about the team and what to expect now that they've been added.
- The guest accepts the invitation. Guests who have a work or school account in Azure Active Directory can accept the invitation and authenticate directly. Other users are sent a one-time pass code to validate their identity (One-time passcode authentication required).
- After accepting the invitation, the guest can participate in teams and channels, receive and respond to channel messages, access files in channels, participate in chats, join meetings, collaborate on documents, and more.
In Teams, guests are clearly identified. A guest's name includes the label (Guest), and a channel includes an icon to indicate that there are guests on the team. For more details, see What the guest experience is like.
Guests can leave the team at any time from within Teams. For details, see How do I leave a team?. (Leaving the team doesn't remove the guest account from your organization's directory. This must be done by a Microsoft 365 global admin or an Azure AD admin.)
The guest experience has limitations by design. For a full list of what a guest can and can't do in Teams, see Guest experience in Microsoft Teams.
Licensing for guest access
Guest access can be used with all Microsoft 365 Business Standard, Microsoft 365 Enterprise, and Microsoft 365 Education subscriptions. No additional Microsoft 365 license is necessary. The billing model for Azure AD External Identities applies to guests in Microsoft 365. Only people from outside your organization can be invited as guests.
Guests are subject to Microsoft 365 or Office 365 and Azure Active Directory service limits.
Converting a guest account into an Azure AD member account or converting an Azure AD member account into a guest is not supported by Teams.
Diagnosing issues with Guest Access
To troubleshoot issues with inviting guest users in Teams, administrators can run a diagnostic tool in the Microsoft 365 admin center to validate that guest access is correctly configured for use in Microsoft Teams.
Select Run Tests below to populate the diagnostic in the Microsoft 365 admin center.
The test result will tell you if the tenant is configured correctly for Guest Access. If the tenant isn't configured correctly, the diagnostic will provide information on what steps to take to address issues with tenant or policy configurations.
Tracking guests in your organization
You can track guest additions in Azure AD or the Microsoft 365 security center. Adding a guest in Microsoft Teams is audited and logged as an Azure AD group administration activity "Added member to group". For more details, see Auditing and reporting a B2B collaboration user and Search the audit log in the compliance portal.
Guest access reviews
You can use Azure AD to create an access review for users who are in groups or have been assigned to an application. Creating recurring access reviews can save you time. If you need to routinely review users who have access to an application, a team, or a group, you can define the frequency of those reviews.
You can perform a guest access review yourself, ask guests to review their own access, or ask an application owner or business decision maker to perform the access review. Use the Azure portal to perform guest access reviews. For more information, see Manage guest access with Azure AD access reviews.
Collaborating with people outside your organization
Block guests from a specific Microsoft 365 group or Microsoft Teams team
Create a secure guest sharing environment
Configure Teams with three tiers of protection
Use guest access and external access to collaborate with people outside your organization
Submit and view feedback for