Редагувати

Поділитися через


Prevent guests from being added to a specific Microsoft 365 group or Microsoft Teams team

If you want to allow guest access to most groups and teams, but have somewhere you want to prevent guest access, you can block guest access for individual groups and teams. (Blocking guest access to a team is done by blocking guest access to the associated group.) This prevents new guests from being added but does not remove guests that are already in the group or team.

If you use sensitivity labels in your organization, we recommend using them to control guest access on a per-group basis. For information about how to do this, Use sensitivity labels to protect content in Microsoft Teams, Microsoft 365 groups, and SharePoint sites. This is the recommended approach.

Change group settings using Microsoft Graph PowerShell

You can also prevent the addition of new guests to individual groups by using PowerShell. (Remember that the team's associated SharePoint site has separate guest sharing controls.)

You must use the beta version of Microsoft Graph PowerShell to change the group-level guest access setting:

  • If you haven't installed the module before, see Installing the Microsoft Graph PowerShell module and follow the instructions.

  • If you have already installed the beta version, run Update-Module Microsoft.Graph.Beta to make sure it's the latest version of this module.

Note

You must have global admin rights to run these commands.

Run the following script, changing <GroupName> to the name of the group where you want to block guest access.

Connect-MgGraph

$GroupName = "<GroupName>"
$templateId = (Get-MgBetaDirectorySettingTemplate | ? {$_.displayname -eq "group.unified.guest"}).Id
$groupID = (Get-MgBetaGroup -Filter "DisplayName eq '$GroupName'").Id

$params = @{
	templateId = "$templateId"
	values = @(
		@{
			name = "AllowToAddGuests"
			value = "false"
		}
	)
}

New-MgBetaGroupSetting -GroupId $groupID -BodyParameter $params

To verify your settings, run this command:

(Invoke-GraphRequest -Uri https://graph.microsoft.com/beta/Groups/$groupId/settings -Method GET) | ConvertTo-Json | ConvertFrom-Json | fl Value

The verification looks like this:

Screenshot of PowerShell window showing that guest group access has been set to false.

If you wish to toggle the setting back to allow guest access to a particular group, run the following script, changing <GroupName> to the name of the group where you want to allow guest access.

Connect-MgGraph

$GroupName = "<GroupName>"
$templateId = (Get-MgBetaDirectorySettingTemplate | ? {$_.displayname -eq "group.unified.guest"}).Id
$groupID = (Get-MgBetaGroup -Filter "DisplayName eq '$GroupName'").Id

$params = @{
	templateId = "$templateId"
	values = @(
		@{
			name = "AllowToAddGuests"
			value = "true"
		}
	)
}

New-MgBetaGroupSetting -GroupId $groupID -BodyParameter $params

Allow or block guest access based on their domain

You can allow or block guests who are using a specific domain. For example, if your business (Contoso) has a partnership with another business (Fabrikam), you can add Fabrikam to your allowlist so your users can add those guests to their groups.

For more information, see Allow or block invitations to B2B users from specific organizations.

Add guests to the global address list

By default, guests aren't visible in the Exchange Global Address List. Use the steps listed below to make a guest visible in the global address list.

Find the guest's ObjectID by running:

Get-MgBetaUser -All | ?{$_.CreationType -eq "Invitation"}

Then run the following using the appropriate values for ObjectID, GivenName, Surname, DisplayName, and TelephoneNumber.

Update-MgBetaUser -UserId cfcbd1a0-ed18-4210-9b9d-cf0ba93cf6b2 -ShowInAddressList -GivenName 'Megan' -Surname 'Bowen' -DisplayName 'Megan Bowen' -mobilePhone '555-555-5555'

Collaboration governance planning recommendations

Create your collaboration governance plan

Manage Group membership in the Microsoft 365 admin center

Microsoft Entra access reviews

Update-MgUser