Microsoft Teams: Enabling and Using Guest Access


Introduction: In this blog post I will walk through how to enable guest access in Microsoft Teams, validate that the guest was added to Azure Active Directory B2B, and demonstrate how a guest user accesses another organization's team and what the user experience is like.

Update 9/21/17: I have updated this blog post to note that manually adding the guest user account to Azure AD B2B is not required, as the account will automatically be added to the directory when you add the guest to Microsoft Teams.

Additional reading and support documentation:

IMPORTANT: Guest access depends on Azure Active Directory and, more importantly, uses Azure Active Directory B2B. I highly recommend developing a good understanding of this feature before proceeding: it will help you as you start to roll guest access out and manage it within your organization, and it will give you ideas on how to further secure it as you move forward (conditional access for contractors, for example). This capability is very powerful and can open up new ideas for additional solutions for your organization in the future. In addition, I recommend testing guest access before implementing it in the real world, so that you fully understand the use case scenarios (when it makes sense and when it doesn't, as it may not solve the specific business challenge you are after) and what the experience is like for a guest user of Microsoft Teams, and so that you are prepared to help end users within your organization.

Before we begin, about my environment:

  • I have two Office 365 tenants: m365x367101.onmicrosoft.com and m365x841591.onmicrosoft.com (I apologize in advance, both tenants are named Contoso).
  • Both organizations are already using Office 365 and Microsoft Teams.
  • Megan from the m365x367101 tenant owns a team titled O365 Deployment Team. She needs to invite Ben to the team; he works for a local IT consulting company that will be assisting them with their Office 365 deployment.
  • Megan's company will first enable guest access in Microsoft Teams, add Ben as a guest to the O365 Deployment Team in Microsoft Teams, then validate that Ben was added as a guest to Azure AD B2B.
  • Megan's IT admin has already enabled sharing with external users already in the directory for SharePoint Online.
  • Megan's IT admin enabled Let group owners add people outside the organization to groups.
  • The Sharing Option has been enabled for Megan's Office 365 tenant to allow adding of new guests.

First, enable guest access in your tenant:

You must enable your Office 365 tenant to allow guests to access a Microsoft Teams team in your tenant. This is done in the Microsoft Teams settings in the Office 365 admin portal. From within the admin portal, navigate to Settings -> Services & add-ins -> Microsoft Teams. On the fly-out to the right, under the section Settings by user/license type, click the drop-down menu and toggle from Business and Enterprise to Guest, then click On next to Turn Microsoft Teams on or off for all users of this type. Then click Save:


IMPORTANT: If this step is not performed, when the user attempts to sign in as a guest they will be presented with the following error:


Add Ben as a guest to the O365 Deployment Team in Microsoft Teams:

Megan now needs to add Ben as a user to her team, O365 Deployment Team, in Microsoft Teams. From within Microsoft Teams, click the ellipsis next to the team name and then select View Team:


On the Members tab click the Add member button:


In the Add members to "O365 Deployment Team" dialog box, type in Ben's email address, then click Add:


Next, click Close:


Notice Ben has now been added as a guest to the team:


Optional: Validate the guest was successfully added to Azure Active Directory B2B:

Browse to https://aad.portal.azure.com. On the left pane, click Azure Active Directory. On the Azure Active Directory blade, click Users and groups:


On the Manage blade click All users then click Ben's user account BenW:


Details of BenW's account, validating he was successfully added to Azure AD:


Optional: Ben's guest account can also be seen in the Office 365 Admin Portal under Users -> Guest Users:
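
The same validation can be scripted and repeated as a periodic guest review. The following is an added example, not part of the original post: it assumes the Microsoft Graph PowerShell module (the post itself only uses the portals) and lists every guest account with the home domain taken from its mail address and whether the invitation is still pending. The 14-day threshold is an arbitrary example value.

```powershell
# Added example: inventory guest (B2B) accounts in the inviting tenant.
# Assumption: the Microsoft.Graph module is installed and the signed-in
# account is allowed to read users in the directory.
Connect-MgGraph -Scopes 'User.Read.All'

$props = 'Id','DisplayName','Mail','UserPrincipalName','UserType',
         'ExternalUserState','ExternalUserStateChangeDateTime','CreatedDateTime'

# userType eq 'Guest' returns only invited accounts such as BenW.
$guests = Get-MgUser -All -Filter "userType eq 'Guest'" -Property $props

# Assumption: 14 days is an example threshold, not a Microsoft default.
$staleAfterDays = 14
$now = (Get-Date).ToUniversalTime()

$report = foreach ($g in $guests) {
    # The guest's home organization is the domain part of the invited address.
    $homeDomain = if ($g.Mail) { ($g.Mail -split '@')[-1] } else { 'unknown' }

    # Days an invitation has been waiting; 0 once the guest has accepted.
    $pendingDays = if ($g.ExternalUserState -eq 'PendingAcceptance' -and $g.CreatedDateTime) {
        [int]($now - $g.CreatedDateTime).TotalDays
    } else { 0 }

    [pscustomobject]@{
        DisplayName = $g.DisplayName
        Mail        = $g.Mail
        HomeDomain  = $homeDomain
        State       = $g.ExternalUserState
        Created     = $g.CreatedDateTime
        StaleInvite = ($pendingDays -gt $staleAfterDays)
    }
}

# Per-guest view, then a count of guests per home domain.
$report | Sort-Object HomeDomain, DisplayName | Format-Table -AutoSize
$report | Group-Object HomeDomain | Sort-Object Count -Descending | Select-Object Count, Name
```

Guests from an unexpected home domain, or invitations that stay pending past the threshold, are the rows to follow up on with the team owner.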


Login as Ben to Microsoft Teams:

Ben will receive a new email message indicating he has been invited to Contoso's O365 Deployment Team. Within the email click Open Microsoft Teams:


Before Microsoft Teams launches, you will be taken to the Azure AD sign-on page. Read the agreement to provide your display name and email address to the other organization and click Next:

 

Microsoft Teams will launch, and you will be prompted with a wizard walking you through the basics of guest access. Feel free to explore the wizard, or close it:





Ben is now signed in as a guest to Contoso's team in Microsoft Teams and has access to resources in the team such as conversation history, files, etc. To validate this, click the profile photo in the lower left corner and notice Contoso (guest) is selected under Your accounts:

Note: To switch back to Ben's own organization's Microsoft Teams instance, click Contoso M365x841591 above Contoso (guest), and vice versa, as seen in the screenshot below.


What can Ben do as a guest?

The following table depicts the functionality available to a guest user of a team. More information can be found here:

Capability in Teams | Teams user in the organization | Guest user
Create a channel (Team owners control this setting.)
Participate in a private chat
Participate in a channel conversation
Post, delete, and edit messages
Share a channel file
Share a chat file
Add apps (tabs, bots, or connectors)
Create tenant-wide and teams/channels guest access policies
Invite a user outside the Office 365 tenant's domain
Create a team
Discover and join a public team
View organization chart

Matt's Tip: I like to access Microsoft Teams in a web browser. That way I can have one tab open for my main Microsoft account (tenant) and another tab open for any tenant I am a guest of, so I'm not switching back and forth. This can also be accomplished using a combination of the desktop client and web clients.

Conclusion: Enabling guest access for Microsoft Teams is a simple and easy process. I hope you found this blog post valuable. If you have feedback or input to make this post better, please leave me a comment below. Enjoy!

Comments (10)

  1. Joe says:

    That was a really great, straightforward article. I was looking for something on this topic that was recent and yours was just updated yesterday so I thought I'd start here. We have guest access enabled and I have guests in my tenant from the old SharePoint Team sites, but adding a new user as a guest in the new MS Teams is just not working. For an existing guest, it works fine but when I use an email address that is not already in our Azure directory, I get the message: “We couldn’t add a member. Only Office 365 work or school accounts can be added as guests.”

    Any ideas why it doesn’t just send that user the invite email and allow them to create the MS account? It seems it only accepts email addresses that already have an MS account.

    1. Matt Soseman says:

      Joe: Currently, the guest needs to have an Office 365 tenant and identity in order to authenticate as a guest and participate in your team.

  2. MSD says:

    Great walk through. Got me going on Teams and Guests.
    I did observe that a guest can see but can’t access a Planner plan that I added as a tab.

    1. Matt Soseman says:

      Correct, currently guest access is not enabled for Planner.

      1. Martin Gonzalez Adolfi says:

        Is there any ETA for the “guest can access planner” feature? Is it on the roadmap?

  3. Tom Draney says:

    Hello, thank you for your documentation. I am able to invite an O365 user from a different tenant. They are able to access the MS Team on my tenant. They can chat. However, when they go to the “Files” menu on the channel, they get
    “You don’t have access to these files
    Please check if the site is available and retry.
    Access denied. You do not have permission to perform this action or access this resource. Scenario ID: 9033F9F88F264A32859F2E07BE8A2D32”

    Is there a separate SharePoint setting or tenant setting that would be preventing external O365 user from access to Files?

    1. Tom Draney says:

      Hello, my error message likely occurred when I tried to customize the permissions of a Document Library associated with a channel on the MS Team. Once I restored the permissions to inherit from parent, the issue went away. I am struggling to find a way to configure granular permissions with MS Team. I’d like to have a channel that is restricted to a subset of members.

  4. David C says:

    Besides using Teams internally, we’ve begun collaborating with partners. We’re invited as a GUEST by a partner, and then use teams by switching TENANTS to input data, share info, upload docs, etc. to/with multiple partners.

    Question: If the partner removes us as a guest from this Teams Collaboration thread/channel (for example they close business), do we retain all of the info we shared or does everything go away? My concern is that we spend time creating a shared repository of information between partners and then that hard work is gone & unretrievable if the “owner” or “tenant” that invited us goes away.

  5. SPX says:

    Thank you for the excellent walkthrough on the new Guest Access – there’s an obvious benefit (for consultants, for instance) to having the ability to get notifications – desktop- or mobile-based – from the multiple teams that the user may be “Guest Access”ed into. Have you or anyone else heard of if and whether this “multiple identity” enhancement is planned/in the pipeline? Thanks again! – M

  6. Jon Seddon says:

    We would like to add everyone in another organisation as guests to our Team. Do we need to do this individually or can I add everyone in their domain using these steps?
