Introduction: In this blog post I will walk through how to enable guest access in Microsoft Teams, validate that the guest was added to Azure Active Directory B2B, and demonstrate how a guest user accesses another organization's team and what the user experience is like.
Update 9/21/17: I have updated this blog post to reflect that manually adding the guest user account to Azure AD B2B is not required, as the account will automatically be added to the directory when you add the guest to Microsoft Teams.
Additional reading and support documentation:
- Expand your collaboration with guest access in Microsoft Teams (initial announcement)
- Guest access in Microsoft Teams (covers requirements, read first)
- What is Azure AD B2B collaboration?
- Conditional access for B2B collaboration users
IMPORTANT: Guest access depends on Azure Active Directory, and more specifically on Azure Active Directory B2B. I highly recommend developing a good understanding of this feature before proceeding: it will help you as you roll guest access out and manage it within your organization, and it may give you ideas on how to further secure it as you move forward (conditional access for contractors, for example). This capability is very powerful and can open up new ideas for additional solutions for your organization in the future. In addition, I recommend testing guest access before implementing it in the real world, so that you fully understand the use case scenarios (when it makes sense and when it doesn't, as it may not solve the specific business challenge you are after) and what the experience is like for a guest user of Microsoft Teams, and are prepared to help end users within your organization.
Before we begin, about my environment:
- I have two Office 365 tenants: m365x367101.onmicrosoft.com and m365x841591.onmicrosoft.com (I apologize in advance, both tenants are named Contoso).
- Both organizations are already using Office 365 and Microsoft Teams.
- Megan from the m365x367101 tenant owns a team titled O365 Deployment Team. She needs to invite Ben, from a local IT consulting company that will be assisting them with their Office 365 deployment, to the team.
- Megan's company will first enable guest access in Microsoft Teams, then add Ben as a guest to the O365 Deployment Team in Microsoft Teams, and then validate that Ben was added as a guest to Azure AD B2B.
- Megan's IT admin has already enabled sharing with external users already in the directory for SharePoint Online.
- Megan's IT admin enabled Let group owners add people outside the organization to groups.
- The Sharing Option has been enabled for Megan's Office 365 tenant to allow adding of new guests.
First, enable guest access in your tenant:
First, you must enable your Office 365 tenant to allow guests to access a Microsoft Teams team in your tenant. This is done in the Microsoft Teams settings in the Office 365 admin portal. From within the admin portal, navigate to Settings -> Services & add-ins -> Microsoft Teams. On the fly-out to the right, under the section Settings by user/license type, click the drop-down menu and switch from Business and Enterprise to Guest, then click On next to Turn Microsoft Teams on or off for all users of this type. Then click Save:
IMPORTANT: If this step is not performed, when the user attempts to sign in as a guest they will be presented with the following error:
Add Ben as a guest to the O365 Deployment Team in Microsoft Teams:
Megan now needs to add Ben as a user to her team, O365 Deployment Team, in Microsoft Teams. From within Microsoft Teams, click the ellipsis next to the team name and then select View Team:
On the Members tab click the Add member button:
In the Add members to "O365 Deployment Team" dialog box, type in Ben's email address, then click Add:
Next, click Close:
Notice Ben has now been added as a guest to the team:
Optional: Validate the guest was successfully added to Azure Active Directory B2B:
Browse to https://aad.portal.azure.com. On the left pane, click Azure Active Directory. On the Azure Active Directory blade, click Users and groups:
On the Manage blade click All users then click Ben's user account BenW:
Details of BenW's account, validating he was successfully added to Azure AD:
Optional: Ben's guest account can also be seen in the Office 365 Admin Portal under Users -> Guest Users:
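The same validation can be scripted instead of clicked through. The following is an added example, not part of the original post: it reviews guest accounts using Microsoft Graph user property names (a different route from the portal steps above) and flags invitations that were never accepted. The function name, the 14-day threshold, and the sample accounts are assumptions constructed for illustration.

```powershell
# Added example: review guest (B2B) accounts from a directory listing.
# Input objects use Microsoft Graph user property names. In a live tenant they
# could come from the Microsoft Graph PowerShell SDK, for example:
#   Get-MgUser -All -Filter "userType eq 'Guest'" `
#     -Property UserPrincipalName,Mail,UserType,ExternalUserState,ExternalUserStateChangeDateTime
function Get-GuestReview {                       # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        [int] $MaxPendingDays = 14,              # assumed review threshold
        [datetime] $Now = (Get-Date)
    )
    foreach ($u in $Users | Where-Object { $_.UserType -eq 'Guest' }) {
        $changed = [datetime]$u.ExternalUserStateChangeDateTime
        $age = [int][Math]::Floor(($Now - $changed).TotalDays)
        # Guest UPNs carry the home address (with @ replaced by _) before #EXT#.
        $origin = ($u.UserPrincipalName -split '#EXT#')[0]
        $finding = if ($u.ExternalUserState -eq 'Accepted') {
            'Active guest'
        } elseif ($age -gt $MaxPendingDays) {
            'Invitation never accepted: review or remove'
        } else {
            'Invitation pending'
        }
        [pscustomobject]@{
            Guest       = $u.Mail
            UpnOrigin   = $origin
            State       = $u.ExternalUserState
            DaysInState = $age
            Finding     = $finding
        }
    }
}

# Constructed sample data (not real accounts); addresses are placeholders.
$sample = @(
    [pscustomobject]@{ UserType = 'Guest'; Mail = 'benw@m365x841591.onmicrosoft.com'
        UserPrincipalName = 'benw_m365x841591.onmicrosoft.com#EXT#@m365x367101.onmicrosoft.com'
        ExternalUserState = 'Accepted'; ExternalUserStateChangeDateTime = '2017-09-21' }
    [pscustomobject]@{ UserType = 'Guest'; Mail = 'contractor@example.com'
        UserPrincipalName = 'contractor_example.com#EXT#@m365x367101.onmicrosoft.com'
        ExternalUserState = 'PendingAcceptance'; ExternalUserStateChangeDateTime = '2017-08-01' }
    [pscustomobject]@{ UserType = 'Member'; Mail = 'megan@m365x367101.onmicrosoft.com'
        UserPrincipalName = 'megan@m365x367101.onmicrosoft.com'
        ExternalUserState = $null; ExternalUserStateChangeDateTime = $null }
)

Get-GuestReview -Users $sample -Now ([datetime]'2017-10-01') | Format-Table -AutoSize
```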
Login as Ben to Microsoft Teams:
Ben will receive a new email message indicating he has been invited to Contoso's O365 Deployment Team. Within the email click Open Microsoft Teams:
Before Microsoft Teams launches, you will be taken to the Azure AD sign-on page. Read the agreement to provide your display name and email address to the other organization, then click Next:
Microsoft Teams will launch, and you will be prompted with a wizard walking you through the basics of guest access. Feel free to explore the wizard, or close it:
Ben is now signed in as a guest to Contoso's team in Microsoft Teams and has access to resources in the team such as conversation history, files, etc. To validate this, click the profile photo in the lower left corner and notice Contoso (guest) is selected under Your accounts:
Note: To switch back to Ben's own organization's Microsoft Teams instance, click Contoso M365x841591 above Contoso (guest), and vice versa, as seen in the screenshot below.
What can Ben do as a guest?
The following table depicts the functionality available to a guest user of a team. More information can be found here:
|Capability in Teams|Teams user in the organization|Guest user|
|Create a channel (Team owners control this setting.)|
|Participate in a private chat|
|Participate in a channel conversation|
|Post, delete, and edit messages|
|Share a channel file|
|Share a chat file|
|Add apps (tabs, bots, or connectors)|
|Create tenant-wide and teams/channels guest access policies|
|Invite a user outside the Office 365 tenant's domain|
|Create a team|
|Discover and join a public team|
|View organization chart|
Matt's Tip: I like to access Microsoft Teams in a web browser. That way I can have one tab open for my main Microsoft account (tenant) and another tab open for any tenant I am a guest of, so I'm not switching back and forth. This can also be accomplished using a combination of the desktop client and web clients.
Conclusion: Enabling guest access for Microsoft Teams is a simple and easy process. I hope you found this blog post valuable. If you have feedback or input to make this post better, please leave me a comment below. Enjoy!