Microsoft Teams Tech Blog Part 2: Guest Access

Michele Casazza
02.03.20 10:56

In part 1 we have looked at the different sharing options available to end users when sharing files in Office 365. Now will look at the backend settings available to provide different combinations of sharing. As we will learn, some of the setting at the tenant level will impact the sharing experience in Microsoft Teams.

This a three-part blog series about Microsoft Teams where I cover sharing in Office 365 and Microsoft Teams from different perspective: user, administrator and advisor.

  1. Part 1: Microsoft Office 365 Sharing options and features
  2. Part 2: Sharing Model and Guest Access
  3. Part 3: Microsoft Teams Governance

Let's start with the settings that are related to the end user options shown in Part 1. They can be found In the SharePoint Admin Centre:

  • The default sharing link when users want to share
  • The default expiration date when sharing with Anyone
  • The default permissions when sharing with Anyone

Since January 2020 the default can also be set to People with existing access via PowerShell

SharePoint and OneDrive tenant level sharing settings

The SharePoint and OneDrive settings at the tenant level are closely connected and accessible from either Admin Centre. The OneDrive setting can be more restrictive than the SharePoint setting, but not more permissive. This setting is not a default setting for new sites, it’s used to show available sharing options to users.
Each SharePoint and OneDrive site has its own sharing settings that can be set independently.


SharePoint/OneDrive settings (site level)

  • The default sharing setting for Office 365 group-connected team sites is New and existing guests
  • The default for Communication sites and classic sites is Only people in your organization

One important gotcha is that even if Anyone is configured at the tenant level, new sites are created with New and existing Users. This might not be what you'd expect, but it is probably a safety measure to avoid accidental sharing.
Similarly, if the default sharing link at tenant level is Anyone with the link, the default link in a new sites becomes People in your organisation. OneDrive sites appear to be created with Anonymous On and Anyone with the link by default.

Microsoft Teams Free Ebook

Every SharePoint site can be further configured for External sharing, default sharing link type, link permission and domains restriction (allow/block list). Each user's OneDrive settings can be configured from the Users section in the Microsoft 365 Admin centre.

To understand the behaviour of the different settings let's first understand two important concepts: Guests and Office 365 Groups. 

Who is a guest?

  • Someone who isn't an employee, student, or member of the organization
  • Someone who doesn't have a school or work account with the organization
  • There can be authenticated guests (accessing with a one-time passcode), and unauthenticated guests (access shared via Anyone link)

Guest access is included with

  • Office 365 Business Premium
  • Office 365 Enterprise
  • Office 365 Education

The total number of guests that can be added is based on the Azure AD licensing (Usually 5 guests per licensed user).

Office 365 Groups

Modern SharePoint team sites are powered by Office 365 Groups, including Microsoft Teams. These groups live technically in Azure AD, so we can also call them Azure AD groups. The security model is different than traditional security groups: in one Azure AD group we now have two permission levels, Owner and Member.

This is a major paradigm shift for two reasons: because Office 365 groups is the foundation of most Office 365 services, we can now manage one group to provide access to multiple services. By now you are probably aware that creating an Outlook group creates a SharePoint site, a shared mailbox, a shared calendar and a OneNote notebook. The same happens when you create a Team in Microsoft Teams, you get all of the above plus a Planner.

The other important consequence of this new model is that Office 365 Groups take an identity and access management function (group creation, maintenance and membership) and places it in the hands of end users without their knowledge! Because by default every user in the organisation can create a group. That's why governance becomes such an important topic and deserves attention from the very beginning.

Other properties of groups:

  • Guests cannot be owners
  • Modern Communication sites do NOT utilize Office 365 Groups
  • Members cannot add guests but can invite them (Owners must approve them)
  • Each users in the organisation can create new Groups and as owners of that group they can add guests

Guest access in Office 365 Groups

Once guests have been added to a group, they will have access to all the resources associated with that group. For example if you create a new Group in Outlook and invite guests, they will get access to the Group's shared mailbox and calendar, the OneNote notebook and the Group's files (store in SharePoint). This is because creating a group, depending on the location, will create other associated services.

For more information about what guests can do in an Office 365 Group see Adding guests to Office 365 Groups

The sharing model has different layers and it starts from Azure:table

One of the easier available option is to allow or block sharing with specific domains. You can create a deny list (more permissive) where you can add e.g., and other public domains you want to restrict; all other domains will be allowed. An allow list on the other hand is more restrictive because only the domains specified there are available for sharing.

There are different levels to apply an allow/block domain list

  • At the Azure level (overwrites any other application or service list)
  • At the Service level for SharePoint and OneDrive (Tenant or site collection level)
  • At the Groups level (PowerShell) – independent from SPO/OneDrive

At the moment it's not possible to apply an allow/block domain list to a specific Group.

Sharing Settings available in Azure:

The following settings can be found in Azure AD, in the Organisational relationships section.

  • Guest user permissions are limited: guests don't have permission for certain directory tasks, such as enumerate users, groups, or other directory resources. They can't have administrative.
  • Admins and users in the guest inviter role can invite: Admins and users in the guest inviter role will be able to invite guests to the tenant.

With the Guest Inviter role, you can give individual users the ability to invite guests without assigning them a global administrator or other admin role.

Currently, Microsoft Teams doesn't support the guest inviter role. At a minimum the Members can invite toggle must be set to Yes for guest access to work in Microsoft Teams.

  • Members can invite: non-admin members of your directory can invite guests to collaborate on resources such as SharePoint sites or Azure resources.
  • Guests can invite: allows guests in your directory to invite other guests

In the Office 365 Admin Centre, under Security and Privacy, there is a Sharing setting which is the equivalent of Members can invite in Azure, which basically allows any user in the organisation to invite guests.

There is another setting in the Admin Centre (Settings -> Services -> Office 365 Groups) and it essentially allows guests to access group resources. Without this enabled, collaboration in Office 365 services will be limited to individually shared files.

To have guest access working seamlessly in Microsoft Teams, there are many dependencies that need to be configured:

  • Azure Active Directory: Members can invite must be On
  • Office 365 Groups in the Admin Centre: Both options must be On (Settings -> Services -> Office 365 Groups)
  • Microsoft Teams: Guest access at the Teams’ org level must be On
  • SharePoint Online and OneDrive for Business tenant sharing settings: must be Anyone or New and Existing Users
  • Microsoft Teams: Individual Team's Guest permissions settings for creating, updating and deleting channels (Optional)

External Accees

In Microsoft Teams there are two type of access, External Access and Guest Access

External access (Federation) gives access permission to an entire domain

  • It doesn't provide access to a Team or its resources
  • Users can use one-to-one chat, call, meeting, presence
  • It is On by default
  • A domain allow/block list can be used to restrict access

Guest access gives access permission to an individual.

  • Guests can access resources, such as channel discussions and files

Guests, once invited in Microsoft Teams, have almost the same level of access as Members. The only difference is that they cannot share a chat file, add apps, and create a Team.


Private and Public Teams

When creating a new Team in Microsoft Teams you can choose its security level: public or private.

In Public Teams, anyone in the organisation can join without owners approval. Members can add internal users but only Teams owners can invite guests

In Private Teams only Owners can add members and guests. Members can invite internal org users, but Owners must approve.

As you can see there are a lot moving parts for governing sharing, external or guests access in Office 365. As we will see in Part 3, it's important that decisions on the various configuration are made in line with the company's policies, so that the right balance between ease of use and data protection is achieved.

Microsoft Teams Einführung Praxis Guide


Language/Sprache: German/Deutsch

Download Ebook


News, trends, insights and opinions
about the modern workplace

Subscribe to Updates

Subscribe by Email