
Don't want surprise guests? Get ahead of MS Teams guest policy change!


Videoconferences and Teams chats are now an irreplaceable part of working life for many of us. But Microsoft Teams is more than chats – it is where work is happening right now. It also means that it holds files, data, and access to the tools integrated with it.

This is why it’s crucial to be aware of an important change Microsoft is making to the service, which affects who can access this information.

What is happening on February 8th?

The default guest access policy in Teams will be changed and every person in your organization will be able to invite new guests, regardless of their role. It will stay in effect for the future as well.

Unless you change it. Here are all the details you need to know to act!

As per the announcement, accessible in the Microsoft Admin center:

Key Points

  • Timing: February 8th, 2021
  • Admin control: Admin center UI
  • Action: Review and set appropriate configuration

———————————————————————————————————–

How this will affect your organization:

When this change is implemented if you have not already configured Microsoft Teams guest access capability, that capability will be enabled in your tenant. With guest access enabled, you can provide access to teams and other resources to people outside your organization while maintaining control over your corporate data.

Shock!

Disaster!

Is it? Don’t worry – you don’t need to panic… yet. We have prepared a short Q&A to address some of the concerns this update may raise. We have also added some resources to help you get the information you need.

To find the answers, click on your relevant question below. If you haven’t found what you’re looking for, feel free to comment below or contact us with your question!

Teams guest access Q&A

What will change?

In simple terms, here is what the switch means to your current configuration if your Microsoft Teams Guest access is set to:

  • Service Default – it will be set to ON
  • On – nothing changes – it will remain on
  • Off – nothing changes – it will remain off.

Once this switch is in place, if you use the Service Default option, everyone in your organization will be able to add external users to Microsoft Teams. Your Teams’ users will be able to invite people outside your organization on their own:

  • External consultants
  • Vendors and partners
  • Individuals

to work together in Microsoft Teams.

How will it affect my organization?

It will not break things, and it will not immediately cause your information to leak. Things to know and remember:

  • Every invited person becomes a Guest user in your entire Azure AD tenant. They will stay there, even when removed from the Team they were originally invited to
  • If you do not take steps to save it, information about who invited this guest will be lost
  • A Microsoft Teams Guest can be granted permissions and will see the information they have access to in the same way as your users.

Why is the switch happening?

Microsoft is changing this setting to keep it in line with the rest of the Microsoft 365 suite. This means that other Microsoft 365 services (e.g. OneDrive or SharePoint) already have Guest access enabled by default.

What does this change mean for me?

Allowing guest access means you can work with people from outside of your organization and give them access to teams or resources while retaining control over your data.

In other words, your employees can communicate with e.g. vendors, partners, or divisions operating using a different tenant (for example, following a merger) just as easily as they do with each other.

Will my custom configuration change?

The new update only affects service default settings. If you already have a specific configuration in place, it won’t be affected.

What if I don’t want Guest access enabled?

Of course, there may be a situation where you don’t want to enable Guest Access to your apps. This can be especially true for industries where data access is heavily secured or restricted.

In this case, you probably have a customized configuration in place. It will not be affected by the change. But, if this update is news to you and you haven’t defined your access policies yet, this is a good opportunity to review them.

How to change my configuration?

You need to access your Teams admin center. Under Org-wide settings, you will find the Guest access section. You can allow or disable guest access in Teams by changing the settings there. For step-by-step instructions, see Microsoft documentation.

Will blocking Guest access in Teams protect my resources?

Short answer: no. Disabling Microsoft Teams Guest access will only work for this specific service. But across the suite, you can allow Guests to access your resources via other services.

For example, you can allow Guest access to SharePoint. This way, people outside your company can still be invited to collaborate on files.

The same applies to Microsoft 365 Groups. Guest access is set at the service level, which means you could technically allow Guest access to Groups and disable it for Teams. Note that the opposite is not possible – in order to allow Guests to Teams, you have to enable this functionality in Groups as well.

How to add a Guest to your Teams right now?

If the user has an Azure AD account, it’s very simple. To add a guest, you just click the “Add member” button in your Teams settings and enter the email address of the guest you wish to invite. Then, the Azure B2B feature takes over, sending an invite to the user, which they can then accept to collaborate with your Team.

If they don’t have an Azure AD account, we would recommend creating a dedicated Azure AD tenant and a dedicated account for this user there. Then you can use Azure B2B to facilitate their access.

What is Azure B2B and how can it help?

Azure B2B is a feature of Azure Active Directory. It allows you to invite users from outside your organization to work on your resources.

They don’t need a new account or login details and can just use their existing ones. User lifecycles are managed by the organization to which the external user belongs, so you don’t need to worry about them either.

You can invite a guest user to your tenant directly from the Azure Portal. You set up their permissions just as you would for an internal user and can use the same security features you do for your organization, e.g. MFA or other Conditional Access policies.

You can also customize your settings, so e.g. application administrators can add guest users directly from within the app.

Can I only invite guest users with corporate accounts?

Azure AD has a service called External Identities which combines all possible collaboration features. Within External Identities, you can use:

  • Azure AD B2B to collaborate with corporate users
  • Federated access within Azure AD B2B to collaborate with users with personal/social media accounts on business resources
  • Azure AD B2C to allow consumer access with personal/social media accounts.

Isn’t there a single place to configure all this?

You can set permissions for each service individually to give you complete control of the information that you share. However, all Microsoft 365 settings will be overridden by your Azure Active Directory settings.

You can enable B2B collaboration via Azure Portal and configure guest permissions there. If you want to set a configuration that will apply to your entire environment, this is the place to start.

By adjusting your external collaboration settings, you can define guest access levels and permissions. You can also set the password policy for external users, or restrict domains allowed to your tenant. Read more in Microsoft documentation.

How to manage guest accounts in my tenant?

If you have an Azure AD Premium P2 license, you’re able to use the Access Review feature. Within Azure Portal, go to External Identities, then Access reviews. Here you can review access for your guest users – either by asking them or by asking your users to review guest access.

Azure AD also collects audit logs to help you review guests’ access history. You can access them under Monitoring -> Audit logs.
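
As an added example (not from the original article or from Microsoft), the sketch below shows one way to keep the who-invited-whom information mentioned earlier by reading an audit log export, and to spot guests for which no invitation record was captured. The JSON layout, the activity name "Invite external user" and all account names are assumptions constructed for illustration; check them against your own export.

```python
import json
from collections import defaultdict

# Constructed sample shaped like Azure AD audit log records exported as JSON.
# Field names follow the Microsoft Graph directoryAudit layout; values are made up.
SAMPLE_EXPORT = json.dumps([
    {"activityDateTime": "2021-02-09T08:15:00Z", "result": "success",
     "activityDisplayName": "Invite external user",
     "initiatedBy": {"user": {"userPrincipalName": "anna@contoso.example"}},
     "targetResources": [{"type": "User",
         "userPrincipalName": "bob_fabrikam.example#EXT#@contoso.example"}]},
    {"activityDateTime": "2021-02-09T09:00:00Z", "result": "failure",
     "activityDisplayName": "Invite external user",
     "initiatedBy": {"user": {"userPrincipalName": "carl@contoso.example"}},
     "targetResources": [{"type": "User",
         "userPrincipalName": "eve_mail.example#EXT#@contoso.example"}]},
    {"activityDateTime": "2021-02-10T10:30:00Z", "result": "success",
     "activityDisplayName": "Invite external user",
     "initiatedBy": {"user": None, "app": {"displayName": "Sample app"}},
     "targetResources": [{"type": "User",
         "userPrincipalName": "dan_partner.example#EXT#@contoso.example"}]},
    {"activityDateTime": "2021-02-10T11:00:00Z", "result": "success",
     "activityDisplayName": "Add member to group",
     "initiatedBy": {"user": {"userPrincipalName": "anna@contoso.example"}},
     "targetResources": [{"type": "User",
         "userPrincipalName": "bob_fabrikam.example#EXT#@contoso.example"}]},
])

INVITE_ACTIVITY = "Invite external user"  # assumed activity name; verify in your export


def inviter_register(export_json):
    """Map each invited guest to the (timestamp, inviter) pairs found in the log."""
    register = defaultdict(list)
    for rec in json.loads(export_json):
        if rec.get("activityDisplayName") != INVITE_ACTIVITY or rec.get("result") != "success":
            continue  # ignore other activities and failed invitations
        actor = (rec.get("initiatedBy") or {}).get("user") or {}
        inviter = actor.get("userPrincipalName") or "unknown (app or missing)"
        for target in rec.get("targetResources") or []:
            upn = target.get("userPrincipalName")
            if target.get("type") == "User" and upn:
                register[upn.lower()].append((rec["activityDateTime"], inviter))
    return {guest: sorted(events) for guest, events in register.items()}


def guests_without_inviter(guest_upns, register):
    """Guests in the directory for which no invitation record was captured."""
    return sorted(g for g in guest_upns if g.lower() not in register)
```

Running this on a schedule and storing the register outside the audit log keeps the inviter on record after the log entries themselves are no longer available.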

Alternatively, if you use a third-party product like Omada Identity Suite, you can perform a complete review of guest users’ permissions, which includes access reviews, audit logs, reporting, and notifications of new guests. Read more about some of its access governance features.

Managing and auditing external access is an extensive topic, so we will go into it in more depth soon. Keep an eye on our blog and social media, so you don’t miss out!

What else do I need to know about B2B collaboration in Azure?

You can read more on B2B collaboration in one of our previous articles. Here are some basics:

Be careful about the permission level you assign. Most of your users won’t need admin access (this applies to your internal users too). There are 3 ways you can grant access to your resources:

  1. By creating a dedicated account in your Azure AD tenant – the external users would be able to access the same resources that your internal users can. For additional security, you can set up a dedicated Azure AD tenant to manage all your guest accounts. This will make managing them easier.
  2. By inviting a user with an existing Azure AD account to join your tenant. This will be easier from a user’s perspective but you still need to manage that user within your Azure AD.
  3. By inviting a user with a Microsoft account to join your tenant. This option only applies to consumer accounts that are not as closely managed as corporate ones, so it should only be used as a last resort.

This is too complicated – make it simple!

No problem. We can help you secure your resources in the way you need. Just get in touch to book a free call and we’ll discuss your requirements. Access management is among our specialties, so we’ll be more than happy to help you make sure your access configuration is set up according to your needs and compliance policies.

Be in control of your guest access policy

To sum up – keep an eye on your guest access configuration of all your services. Once you customize it, you don’t need to worry about the defaults changing to any option you may not want or need.

Want to stay ahead of important updates? Need more details on external users access? Follow us by subscribing to our newsletter or follow us on LinkedIn to get all the news and latest updates as they happen!

Key takeaways

  1. Up to February 8, 2021, the default guest access in Microsoft Teams was “off”, meaning that Teams wouldn’t allow external guest access. After February 8, your users will be able to invite external users to Microsoft Teams. To avoid that, you should change your default configuration in the Microsoft Teams admin center.
  2. To protect your company’s resources via other services (e.g. SharePoint) this action won’t be sufficient. To have complete control over the information you want to share, you should adjust your external collaboration settings.
  3. Use Azure AD B2B to enable external collaboration. This feature allows cross-organization collaboration through authentication. You can configure guest permissions that will apply to your entire environment.
  4. If you’re unsure how to configure guest access for your services, we’ll be happy to help! Just get in touch.
