How to optimize your cloud spending with Azure Well-Architected Framework?
As I promised you last time, here is a short guide on how to start spending smarter (notice that it's not "spending less...
This is why it’s crucial to be aware of important the change, which Microsoft makes to the service, affecting who can access this information.
What is happening on February 8th?
The default guest access policy in Teams will be changed and every person in your organization will be able to invite new guests, regardless of their role. It will stay in effect for the future as well.
Unless you change it. Here are all the details you need to know to act!
As per the announcement, accessible in the Microsoft Admin center:
How this will affect your organization:
When this change is implemented if you have not already configured Microsoft Teams guest access capability, that capability will be enabled in your tenant. With guest access enabled, you can provide access to teams and other resources to people outside your organization while maintaining control over your corporate data.
Is it? Don’t worry – you don’t need to panic… yet. We have prepared a short Q&A to address some of the concerns this update may raise. We have also added some resources to help you get the information you need.
To find the answers, click on your relevant question below. If you haven’t found what you’re looking for, feel free to comment below or contact us with your question!
In simple terms, here is what the switch means to your current configuration if your Microsoft Teams Guest access is set to:
Once this switch is in place, if you use the Service Default option, everyone in your organization will be able to add external users to Microsoft Teams. Your Teams’ users will be able to invite people outside your organization on their own:
to work together in Microsoft Teams.
It will not break things. It will not cause immediately that your information will leak. Things to know and remember:
Microsoft is changing this setting to keep it in line with the rest of the Microsoft 365 suite. This means that other Microsoft 365 services (e.g. OneDrive or SharePoint) already have Guest access enabled by default.
Allowing guest access means you can work with people from outside of your organization and give them access to teams or resources while retaining control over your data.
In other words, your employees can communicate with e.g. vendors, partners, or divisions operating using a different tenant (for example, following a merger) just as easily as they do with each other.
The new update only affects service default settings. If you already have a specific configuration in place, it won’t be affected.
Of course, there may be a situation where you don’t want to enable Guest Access to your apps. This can be especially true for industries where data access is heavily secured or restricted.
In this case, you probably have a customized configuration in place. It will not be affected by the change. But, if this update is news to you and you haven’t defined your access policies yet, this is a good opportunity to review them.
You need to access your Teams admin center. Under Org-wide settings, you will find Guest access section. You can allow or disable guest access in Teams by changing the settings there. For step-by-step instructions, see Microsoft documentation.
Short answer: no. Disabling Microsoft Teams Guest access will only work for this specific service. But across the suite, you can allow Guests to access your resources via other services.
For example, you can allow Guest access to SharePoint. This way, people outside your company can still be invited to collaborate on files.
The same applies to Microsoft 365 Groups. Guest access is set at the service level, which means you could technically allow Guest access to Groups and disable it for Teams. Note that the opposite is not possible – in order to allow Guests to Teams, you have to enable this functionality in Groups as well.
If the user has an Azure AD account, it’s very simple. To add a guest, you just click “Add member” button in your Teams settings, and enter the email address of the guest you wish to invite. Then, the Azure B2B feature takes over, sending an invite to the user which they can then accept to collaborate with your Team.
If they don’t have an Azure AD account, we would recommend creating a dedicated Azure AD tenant and create a dedicated account for this user there. Then you can use Azure B2B to facilitate their access.
Watch this video to see a demo.
Microsoft Teams – get access to multiple organizations
Azure B2B is a feature of Azure Active Directory. It allows you to invite users from outside your organization to work on your resources.
They don’t need a new account or login details and can just use their existing ones. User lifecycles are managed by the organization to which the external user belongs, so you don’t need to worry about them either.
You can invite a guest user to your tenant directly from the Azure Portal. You set up their permissions just as you would for an internal user and can use the same security features you do for your organization, e.g. MFA or other Conditional Access policies.
You can also customize your settings, so e.g. application administrators can add guest users directly from within the app.
Azure AD has a service called External Identities which combines all possible collaboration features. Within External Identities, you can use:
You can set permissions for each service individually to give you complete control of the information that you share. However, all Microsoft 365 settings will be overridden by your Azure Active Directory settings.
You can enable B2B collaboration via Azure Portal and configure guest permissions there. If you want to set a configuration that will apply to your entire environment, this is the place to start.
By adjusting your external collaboration settings, you can define guest access levels and permissions. You can also set the password policy for external users, or restrict domains allowed to your tenant. Read more in Microsoft documentation.
If you have an Azure AD Premium P2 license, you’re able to use the Access Review feature. Within Azure Portal, go to External Identities, then Access reviews. Here you can review access for your guest users – either by asking them or by asking your users to review guest access.
Alternatively, if you use a third-party product like Omada Identity Suite, you can perform a complete review of guest users permissions, which includes access reviews, audit logs, reporting, and notifications of new guests. Read more about some of its access governance features.
Managing and auditing external access is an extensive topic, so we will go into it in more depth soon. Keep an eye on our blog and social media, so you don’t miss out!
You can read more on B2B collaboration in one of our previous articles. Here are some basics:
Be careful about the permission level you assign. Most of your users won’t need admin access (this applies to your internal users too). There are 3 ways you can grant access to your resources:
Or, you can watch this video which summarizes external access options in Azure:
Azure AD B2B, B2C and External Identities – explained!
No problem. We can help you secure your resources in the way you need. Just get in touch to book a free call and we’ll discuss your requirements. Access management is among our specialties, so we’ll be more than happy to help you make sure your access configuration is set up accordingly to your needs and compliance policies.
To sum up – keep an eye on your guest access configuration of all your services. Once you customize it, you don’t need to worry about the defaults changing to any option you may not want or need.
Want to stay ahead of important updates? Need more details on external users access? Follow us by subscribing to our newsletter or follow us on LinkedIn to get all the news and latest updates as they happen!
Read similar articles