

Microsoft Teams: Enabling and Using Guest Access

Introduction: In this blog post I will walk through how to enable guest access in Microsoft Teams, validate the guest was added to Azure Active Directory B2B, demonstrate how a guest user will access another organization's team and what the user experience is like.

Update 9/21/17: I have updated this blog post to reflect that manually adding the guest user account to Azure AD B2B is not required, as the account will automatically be added to the directory when you add the guest to Microsoft Teams.

Additional reading and support documentation:

IMPORTANT: Guest access depends on Azure Active Directory and, more importantly, it uses Azure Active Directory B2B. I highly recommend developing a good understanding of this feature before proceeding. It will help you as you start to roll this out and manage it within your organization, and may even give you ideas on how to further secure it as you move forward (conditional access for contractors, for example). This capability is very powerful and can open up new ideas for how you create additional solutions for your organization in the future. In addition, I recommend testing guest access before implementing it in the real world, so that you fully understand the use case scenarios (when it makes sense and when it doesn't, as it may not solve the specific business challenge you are after) and what the experience is like for a guest user of Microsoft Teams. That way you are prepared to help end-users within your organization.

Before we begin, about my environment:

  • I have two Office 365 tenants: m365x367101.onmicrosoft.com and m365x841591.onmicrosoft.com (I apologize in advance, both tenants are named Contoso).
  • Both organizations are already using Office 365 and Microsoft Teams.
  • Megan from the m365x367101 tenant owns a team titled O365 Deployment Team. She needs to invite Ben, from a local IT consulting company that will be assisting them with their Office 365 deployment, to the team.
  • Megan's company will first enable guest access in Microsoft Teams, add Ben as a guest to the O365 Deployment Team in Microsoft Teams, then will validate Ben was added as a guest to AzureAD B2B.
  • Megan's IT Admin enabled sharing with external users already in the directory for SharePoint Online
  • Megan's IT admin enabled Let group owners add people outside the organization to groups.
  • The Sharing Option has been enabled for Megan's Office 365 tenant to allow adding of new guests.

First, enable guest access in your tenant:

First, you must enable your Office 365 Tenant to allow guests to access a Microsoft Teams team in your tenant. This is accomplished by navigating to the Microsoft Teams settings in the Office 365 admin portal. From within the admin portal navigate to Settings -> Services & add-ins -> Microsoft Teams. On the fly-out to the right, under the section Settings by user/license type click the drop-down menu and toggle from Business and Enterprise to Guest then click On next to Turn Microsoft Teams on or off for all users of this type. Then click Save:

IMPORTANT: If this step is not performed, when the user attempts to sign in as a guest they will be presented with the following error:

Add Ben as a guest to the O365 Deployment Team in Microsoft Teams:

Megan now needs to add Ben as a user to her team, O365 Deployment Team, in Microsoft Teams. From within Microsoft Teams, click the ellipsis next to the team name and then select View Team:

On the Members tab click the Add member button:

In the Add members to "O365 Deployment Team" dialog box, type in Ben's email address, then click Add:

Next, click Close:

Notice Ben has now been added as a guest to the team:

Optional: Validate the guest was successfully added to Azure Active Directory B2B:

Browse to https://aad.portal.azure.com. On the left pane, click Azure Active Directory. On the Azure Active Directory blade click Users and groups:

On the Manage blade click All users then click Ben's user account BenW:

Details of BenW's account, validating he was successfully added to Azure AD:

Optional: Ben's guest account can also be seen in the Office 365 Admin Portal under Users -> Guest Users:
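
A scripted version of this validation, added here as an example and not part of the original post: it reviews guest accounts in the inviting tenant and flags invitations that were never redeemed and guests whose home domain is outside an allow-list. It assumes the Microsoft Graph PowerShell SDK; the function name `Get-GuestReview`, the sample accounts, the allow-list and the 30-day threshold are hypothetical.

```powershell
# Added example, not from the original post. Assumes the Microsoft Graph
# PowerShell SDK; the allow-list and 30-day threshold are illustrative.
function Get-GuestReview {
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        [string[]] $ApprovedDomains = @(),
        [int] $PendingDays = 30,
        [datetime] $Now = (Get-Date)
    )
    foreach ($u in ($Users | Where-Object { $_.UserType -eq 'Guest' })) {
        # Home domain: taken from Mail, else from the guest UPN form
        # local_domain#EXT#@tenant.onmicrosoft.com
        $domain = if ($u.Mail) { ($u.Mail -split '@')[-1] } else {
            (($u.UserPrincipalName -split '#EXT#')[0] -split '_')[-1]
        }
        # Invitation sent but not redeemed within the threshold
        $stale = ($u.ExternalUserState -eq 'PendingAcceptance') -and
                 ($u.ExternalUserStateChangeDateTime -lt $Now.AddDays(-$PendingDays))
        [pscustomobject]@{
            DisplayName  = $u.DisplayName
            HomeDomain   = $domain.ToLower()
            State        = $u.ExternalUserState
            StalePending = $stale
            Unapproved   = ($ApprovedDomains.Count -gt 0) -and ($domain -notin $ApprovedDomains)
        }
    }
}

# Constructed sample shaped like Get-MgUser output (addresses are made up).
$sample = @(
    [pscustomobject]@{ DisplayName = 'BenW'; UserType = 'Guest'
        Mail = 'benw@m365x841591.onmicrosoft.com'
        UserPrincipalName = 'benw_m365x841591.onmicrosoft.com#EXT#@m365x367101.onmicrosoft.com'
        ExternalUserState = 'Accepted'
        ExternalUserStateChangeDateTime = [datetime]'2017-09-21' }
    [pscustomobject]@{ DisplayName = 'Old Invite'; UserType = 'Guest'; Mail = $null
        UserPrincipalName = 'old.invite_vendor.example#EXT#@m365x367101.onmicrosoft.com'
        ExternalUserState = 'PendingAcceptance'
        ExternalUserStateChangeDateTime = [datetime]'2017-06-01' }
    [pscustomobject]@{ DisplayName = 'Megan'; UserType = 'Member'
        Mail = 'megan@m365x367101.onmicrosoft.com' }
)
Get-GuestReview -Users $sample -ApprovedDomains 'm365x841591.onmicrosoft.com' `
    -Now ([datetime]'2017-10-01') | Format-Table

# Against a live tenant (requires the User.Read.All permission):
# Connect-MgGraph -Scopes 'User.Read.All'
# Get-GuestReview -Users (Get-MgUser -All -Filter "userType eq 'Guest'" -Property `
#   DisplayName,Mail,UserPrincipalName,UserType,ExternalUserState,ExternalUserStateChangeDateTime)
```

On the sample, BenW comes back as an accepted guest from the approved domain, while the second account is flagged both as a stale pending invitation and as coming from an unapproved domain.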

Login as Ben to Microsoft Teams:

Ben will receive a new email message indicating he has been invited to Contoso's O365 Deployment Team. Within the email click Open Microsoft Teams:

Before Microsoft Teams launches, you will be taken to the Azure AD sign-on page. Read the agreement to provide your display name and email address to the other organization and click Next:

 

Microsoft Teams will launch, and you will be prompted with a wizard walking you through the basics of guest access. Feel free to explore the wizard, or close it:

Ben is now signed in as a guest to Contoso's team in Microsoft Teams and has access to resources in the team such as conversation history, files, etc. To validate this, click the profile photo in the lower left corner and notice Contoso (guest) is selected under Your accounts:

Note: To switch back to Ben's own organization's Microsoft Teams instance, click Contoso M365x841591 above Contoso (guest), and vice versa, as seen in the screenshot below.

What can Ben do as a guest?

The following table depicts the functionality available to a guest user of a team. More information can be found here:

Capability in Teams Teams user in the organization Guest user
Create a channel Team owners control this setting.
Participate in a private chat
Participate in a channel conversation
Post, delete, and edit messages
Share a channel file
Share a chat file
Add apps (tabs, bots, or connectors)
Create tenant-wide and teams/channels guest access policies
Invite a user outside the Office 365 tenant's domain
Create a team
Discover and join a public team
View organization chart

Matt's Tip: I like to access Microsoft Teams in a web browser. That way I can have one tab open for my main Microsoft account (tenant) and another tab open for any tenant I am a guest of, so I'm not switching back and forth. This can also be accomplished using a combination of the desktop client and web clients.

Conclusion: Enabling guest access for Microsoft Teams is a simple and easy process. I hope you found this blog post valuable. If you have feedback or input to make this post better, please leave me a comment below. Enjoy!

Comments

  • Anonymous
    September 22, 2017
    That was a really great, straightforward article. I was looking for something on this topic that was recent and yours was just updated yesterday so I thought I'd start here. We have guest access enabled and I have guests in my tenant from the old SharePoint Team sites, but adding a new user as a guest in the new MS Teams is just not working. For an existing guest, it works fine but when I use an email address that is not already in our Azure directory, I get the message: "We couldn't add a member. Only Office 365 work or school accounts can be added as guests." Any ideas why it doesn't just send that user the Invite email and allow them to create the MS account? Seems it only accepts email addresses that already have a MS account.
    • Anonymous
      September 22, 2017
      Joe: Currently, the guest needs to have an Office 365 tenant and identity in order to authenticate as a guest and participate in your team.
      • Anonymous
        December 07, 2017
        Do you have plans to allow users with non-MS account to access teams?
  • Anonymous
    September 22, 2017
    Great walk through. Got me going on Teams and Guests. I did observe that a guest can see but can't access a Planner plan that I added as a tab.
    • Anonymous
      September 22, 2017
      Correct, currently guest access is not enabled for Planner.
      • Anonymous
        October 04, 2017
        Is there any ETA for the "guest can access planner" feature? Is it on the roadmap?
  • Anonymous
    September 26, 2017
    Hello, thank you for your documentation. I am able to invite an O365 user from a different tenant. They are able to access the MS Team on my tenant. They can chat. However, when they go to the "Files" menu on the channel, they get "You don't have access to these files Please check if the site is available and retry. Access denied. You do not have permission to perform this action or access this resource. Scenario ID: 9033F9F88F264A32859F2E07BE8A2D32" Is there a separate SharePoint setting or tenant setting that would be preventing external O365 user from access to Files?
    • Anonymous
      September 26, 2017
      Hello, my error message likely occurred when I tried to customize the permissions of a Document Library associated with a channel on the MS Team. Once I restored the permissions to inherit from parent, then the issue went away. I am struggling to find a way to configure granular permissions with MS Team. I'd like to have a channel that is restricted to a subset of members.
  • Anonymous
    September 27, 2017
    Besides using Teams internally, we've begun collaborating with partners. We're invited as a GUEST by a partner, and then use teams by switching TENANTS to input data, share info, upload docs, etc. to/with multiple partners. Question: If the partner removes us as a guest from this Teams Collaboration thread/channel (for example they close business), do we retain all of the info we shared or does everything go away? My concern is that we spend time creating a shared repository of information between partners and then that hard work is gone & unretrievable if the "owner" or "tenant" that invited us goes away.
  • Anonymous
    September 27, 2017
    Thank you for the excellent walkthrough on the new Guest Access - there's an obvious benefit (for consultants, for instance) to having the ability to get notifications - desktop- or mobile-based - from the multiple teams that the user may be "Guest Access"ed into. Have you or anyone else heard of if and whether this "multiple identity" enhancement is planned/in the pipeline? Thanks again! - M
  • Anonymous
    September 29, 2017
    We would like to add everyone in another organisation as guests to our Team. Do we need to do this individually or can I add everyone in their domain using these steps?
  • Anonymous
    November 06, 2017
    Thanks Matt. Very helpful article.
  • Anonymous
    November 10, 2017
    Hi Matt, great article! Two questions though. Does the guest user need to have a specific licence on its own tenant like E1/E3/E5 or is a K1 or the new F1 licence enough? And what happens if the Microsoft Teams licence is turned off in the guest user's own tenant. Can it still use teams in the invited tenant? Thanks, Robert Schouten
  • Anonymous
    November 20, 2017
    Hi Matt, I seem to get a notification that states that "There are external users from outside my company" when I add an external guest. However when I remove the user from Teams & AAD I still keep this notification. Next to the Classification Icon on Teams I see a "Guest" icon that won't disappear either. Any idea what this could be and how I can remove the notification? Thanks.
  • Anonymous
    November 21, 2017
    I'm having the issue whereby I was already invited to a Group in another tenant. Now I was "re-"invited to a team but when following the link in the email I can't access the other tenant's Team. We checked the Guest setting (ON) and waited at least 24 hours to process to no avail. It might be because the Groups invite process is different than the Teams AzureB2B process. Therefore my email address is already in the other tenant's and I can't seem to figure out how to work around this issue. Removing the earlier added account might give issues with file permissions. Could you test this behaviour on your tenants and check if this might be the cause of my issues?
  • Anonymous
    February 15, 2019
    Good Article on guest access. Helpful
  • Anonymous
    May 02, 2019
    I have enabled Guest access in Tenant but somehow when a guest user accesses the Tenant, he can see "Create group" & "Join Group" options. When the guest account clicks on "join group"... he can see some of my tenant groups, which should be blocked, as guest. Can anyone suggest?