How to work with MS Teams in multiple organizations? Guest access in Microsoft Teams

The service was created to work within a single organization. But there are other scenarios. 

• What if someone works across many companies? 
• What if you need to allow people from other companies to work with your teams? 
• What if you are a consultant and use Microsoft Teams to work with different customers? 

The beauty and the curse of Microsoft Teams is that it allows you to do all of it… which makes things a bit complicated. 

So, let’s make it simple. Here’s the ultimate guide to working with Microsoft Teams across multiple organizations. 

Types of accounts in Azure AD 

Let’s start with a simple Microsoft Accounts 101. There are two types of accounts you can have in Microsoft services:  

• Organizational account – this is an account created for you, or by you, if you are an administrator in Office 365 (or actually, an administrator in Azure AD)  
• Personal account – the one everyone can create to get access to Xbox or OneDrive for personal use. 

Microsoft Teams works with both types of accounts, but for working across organizations, we need to use the organizational ones. 

What is a Guest in Microsoft Teams? 

Let’s assume you have an organizational account or you manage Azure AD at your business. To enable cross-organization collaboration within Teams, you need to know what a Guest is. 

Guest is an Azure AD user invited to your organization from another company. Or, if you are invited to work with another company, you are becoming a Guest in their tenant. 

Guests are managed through a mechanism called Azure AD B2B. We cover it in detail in this article. Here are some key facts in a nutshell: 

• Azure AD B2B is a function of a directory under Office 365, not a separate product 
• It allows you to grant access to people from other companies to your organization, or lets you, as a user, to access other organization services like Teams 
• You can get access without creating additional login and password – you use only a single set of credentials from your original organization
• It lets each organization handle its own security and still allows people to work together. 

No time to read? Watch the video instead!

How to create a guest account? 

There are two perspectives for getting guest access – you can either grant access or be the one getting access. 

 How can you become a guest in another organization? 

It depends on this organization’s policy. If a company has a relaxed approach to it, it can allow every person to invite others as guests. It is as easy as going into a Teams’ settings and adding a new member with an external email address. 

Adding a new member to a cross-organization project in Teams

If the policy is stricter, it requires the person inviting a guest to have the right permission set. It is done as an administrative task, by creating a Guest account in Azure AD and granting the right access for it, for example to the specific organization’s Teams. 

Creating a guest account in Azure AD

In both cases, the result is that a new object, a guest, is created in the target organization, and they are granted access to the specific Microsoft Teams. 

There was an important change this year in the default settings for Microsoft tenants. The change enabled everyone in the organization to invite external users – make sure to check the article where we explain this process in detail. 

What does it look like from an end user’s perspective? 

If you are invited to another organization, you will get an email invitation. When you redeem it, you will be guided through the process of registration. 

Here you might be asked to set up additional security options, but it will depend on the policy of the business that invited you. 

An example invitation to MS Teams

How can you switch between organizations in Microsoft Teams?  

This is quite easy. Click on the icon with your picture or a representation of an account and select an organization you want to switch to. 

Just a couple of seconds, and it is done – you can work with your peers at another company. 

Typical problems you may face while using Microsoft Teams 

What if you don’t want to do switch between accounts and have separate windows for each organization you work with? 

Here it is a bit less easy, but we still have some options. First and foremost – at the moment you can’t do this directly from the desktop app. Instead, you need to run the desktop app multiple times or use a browser extension. 

Another typical problem – what if the organization you work with doesn’t permit guest accounts and gives you a separate account to work with them? 

Here I strongly encourage you to send to them a link to this article explaining different options, such as using Guest accounts, which is a recommended way to do it. I hope it will change their minds. 

If not, you have to live with what you are given. Here are your options: 

• You can use multiple desktop windows with a workaround for a script I mentioned above, or 

• You can use Microsoft Edge browser (or another browser) to create multiple profiles. 

Go to Microsoft Edge browser and create different account profiles assigned to different Azure AD accounts. Then you can pin the browser with a specific profile to your taskbar, or switch profiles directly in the browser and get access to different organization accounts with just one click. 

It is simple and effective if you can’t have the luxury of using a guest account. 

Security of guest accounts 

As you can imagine, if many people can invite guests, it is easy to lose track of who invited whom and where a given person has access. 

What is Entitlement Management? 

Entitlement management is a feature of Azure AD where you can create access packages – a set of permissions, which might include specific Teams sites. 

Once created, you can delegate access management over this package to users, granting them the right to decide who should have this access. You can also allow people to request access and approve it using a workflow. 

This way you can achieve both flexibility and security: 

• There is an easy way to request and grant access,
• It is fully accountable who granted access and when, and what type of access was granted,
• But it is not available for all across all company’s resources. 

The drawback – this feature requires a more advanced version of Azure AD license – a P2 level (or E5 for Microsoft 365 licenses). 

For more technical details about this feature, check out the blog post of our consultant and MVP, Robert: Azure AD Identity Governance – Entitlement Management. 

What is Conditional Access? 

Another important feature from the security point of view is the ability to control access to Teams across organizations with conditional access. Conditional access is a way for you to define what is your access security policy when using specific applications like Microsoft Teams.  

When creating conditional access policies you can specifically target Guest accounts and put additional security restrictions on those accounts in your organization.  

Together, Conditional Access and Entitlement Management should allow you to create a secure way to manage Guest accounts in your organization. 

Conditional access setup in Azure Portal

Using Microsoft Teams to work with multiple organizations and multiple Teams made a lot of progress. I have to admit that some time ago it wasn’t that easy, especially from an end-user’s perspective. 

Now, as you can see, we have easy options to access the resources we need, when we need them. I hope you found this guide useful. And if you have any questions – just reach out!