Microsoft TEAMS: Guest Access

Introduction:

In this article I discuss the new "Guest Access" feature, which was launched recently in Microsoft TEAMS.

Today, Teams is getting better with the rollout of guest access to all Office 365 commercial and education customers. Now Office 365 users can add people from outside their company to a team, so guests can participate in chats, join meetings, collaborate on documents, and more.

 

Teams is built upon Office 365 Groups and provides a new way to access shared assets for an Office 365 group. Teams is the best solution for persistent chat among group/team members. Office 365 Groups is a service that provides cross-application membership for a set of shared team assets, like a SharePoint site or a Power BI dashboard, so that the team can collaborate effectively and securely.

TEAMS is available in three principal forefronts:

  • Teamwork - Based on today's requirement to easily communicate and share with the people you want to work with, including people outside your organization. Anyone with an Azure Active Directory (Azure AD) account can be added as a guest in Teams. That means anyone who is present as a user in Azure AD, whether or not they are licensed for any service, can be invited; the invited user should be a valid Office 365 domain user or synced from on-premises Active Directory to Azure AD using Directory Synchronization.
  • Public accessibility - We’re introducing the ability to add anyone as a guest in Microsoft Teams. This means that anyone with a business or consumer email account, such as Outlook.com, Gmail.com or others, can participate as a guest in Teams with full access to team chats, meetings and files. Previously, anyone with an Azure Active Directory (Azure AD) account could be added as a guest, and now anyone with an email address can be added to a team. All guests in Teams are covered by the same compliance and auditing protection as the rest of Office 365, and can be managed securely within Azure AD.
  • Security and compliance - Teams continues to provide enterprise-grade security and compliance assurances. In Teams, guest accounts are added and securely managed within Azure AD. This enables enterprise-grade security, like conditional access policies for guest user access. In addition, with Azure AD, IT departments have unparalleled insight into the activities of external users in their organization through detailed sign-in and access reports. Guest user content and activities are reported under the compliance and auditing reporting of Office 365.
  • IT manageability - Guest access in Teams comes with the ability for IT to centrally manage how guests participate within their Office 365 environment, providing consistency across application experiences in Office 365. IT admins can quickly and easily view, add, or revoke a guest's access to the host tenant.

Guest Access Capabilities:

| Capabilities | Teams User | Guest User |
|---|---|---|
| Create channels | y | y |
| Private chat | y | y |
| Channel conversations | y | y |
| Channels Files | y | y |
| Chat Files Sharing | y | n |
| Add apps (tabs, bots, connectors) | y | n |
| Tenant wide and Teams\Channels Guest Access policies | y | y |
| Users can be invited via any email address outside the O365 tenant's domain | n | y |
| Create team | y | n |
| Discover and join public teams | y | n |
| View org chart | y | n |

 

How a guest joins a Teams group:

A user whose email address corresponds to an Office 365 or Azure AD work or school account can be added as a guest user.

[**Before a guest user can join, admins need to enable guest access in their respective tenant. A Global administrator needs to click Settings > Services & add-ins > Microsoft Teams, select Guest in "Select the user/license type you want to configure", and select On in "Turn Microsoft Teams on or off for all users of this type". It might take 1 hour to replicate across the environment.]

Steps:

  1. From your teams list, just click  next to the team name, and then click Add members.

  2. Enter the guest's email address.

[**For guests, you need to set the name other people will see. Click  and then type their name.]

What the guest experience is like:

When a guest is invited to join a team, they receive a notification email that includes some information about the team. The guest must redeem the invitation in the email message.

When the user tries to redeem the invitation on the web, the following notification is received:

Test User 1 & User 1 are added to the "Guest Testing" group:

After a guest user is added to the group, all members of the group receive a notification:

Experience for guest user "User1":

Note: To switch between different Teams instances, the user can select Microsoft and vice versa, as required.

Troubleshooting:

  1. Log in to https://aad.portal.azure.com to manage the group and its members

  2. Manage audit logs and activity as per the screenshot below

  3. To manage users from Azure AD PowerShell, follow these steps:

    1. Install the Azure AD PowerShell module from "Azure Active Directory PowerShell Module" and the sign-in assistant from "Microsoft Online Services Sign-In Assistant for IT Professionals RTW".

    2. Open Windows PowerShell as Administrator

    3. Run Import-Module MSOnline

    4. After step 3, run Connect-MsolService

    5. Once prompted for user name and password, provide Global Administrator credentials for the tenant in which you want to manage guest accounts.

    6. To get the list of Guest Accounts in a tenant run:

      Get-MsolUser -All | where {$_.UserType -eq "Guest"}

    7. To change display name for guest user:

      Set-MsolUser -UserPrincipalName "TU1_akumase3.onmicrosoft.com#EXT#@anuagartest.onmicrosoft.com" -DisplayName "Test Guest User 1"

    8. Verify if display name has been changed:

    9. To disable guest user without deleting:

      Set-MsolUser -UserPrincipalName "TU1_akumase3.onmicrosoft.com#EXT#@anuagartest.onmicrosoft.com" -BlockCredential $True

    10. To remove guest user from tenant:

      Remove-MsolUser -UserPrincipalName "TU1_akumase3.onmicrosoft.com#EXT#@anuagartest.onmicrosoft.com"
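
The commands above handle one guest at a time. As an added example (not part of the original article), the script below reviews all guest accounts at once: it decodes the guest's home domain from the #EXT# UserPrincipalName format shown above and flags guests from unexpected domains or guests still unblocked after a review window. The function names, the 90-day window, the partner.example domain and the sample accounts are assumptions constructed for illustration.

```powershell
# Added example (not from the original article). Sample accounts are constructed.
function Get-GuestOrigin {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    # Guest UPN layout: <mailbox>_<home domain>#EXT#@<host tenant>
    $marker = $UserPrincipalName.IndexOf('#EXT#', [System.StringComparison]::OrdinalIgnoreCase)
    if ($marker -lt 1) { return $null }
    $encoded = $UserPrincipalName.Substring(0, $marker)
    # DNS names cannot contain '_', so the last '_' stands in for the original '@'
    $split = $encoded.LastIndexOf('_')
    if ($split -lt 1 -or $split -eq $encoded.Length - 1) { return $null }
    [pscustomobject]@{
        Mailbox = $encoded.Substring(0, $split)
        Domain  = $encoded.Substring($split + 1).ToLowerInvariant()
    }
}

function Get-GuestReview {
    param(
        [Parameter(ValueFromPipeline)]$User,
        [int]$MaxAgeDays = 90,            # assumed review window
        [string[]]$ExpectedDomains = @()  # assumed list of known partner domains
    )
    process {
        if ($User.UserType -ne 'Guest') { return }
        $origin = Get-GuestOrigin -UserPrincipalName $User.UserPrincipalName
        $domain = $null; if ($origin) { $domain = $origin.Domain }
        $ageDays = [int]((Get-Date) - $User.WhenCreated).TotalDays
        $flags = @()
        if (-not $origin) { $flags += 'UPN not in guest format' }
        elseif ($ExpectedDomains -and $domain -notin $ExpectedDomains) { $flags += 'unexpected home domain' }
        if ($ageDays -gt $MaxAgeDays -and -not $User.BlockCredential) { $flags += "unblocked after $MaxAgeDays days" }
        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            HomeDomain        = $domain
            AgeDays           = $ageDays
            Blocked           = [bool]$User.BlockCredential
            Flags             = $flags -join '; '
        }
    }
}

# Constructed sample objects carrying the Get-MsolUser properties used above
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'TU1_akumase3.onmicrosoft.com#EXT#@anuagartest.onmicrosoft.com'; UserType = 'Guest'; BlockCredential = $false; WhenCreated = (Get-Date).AddDays(-200) }
    [pscustomobject]@{ UserPrincipalName = 'first_last_partner.example#EXT#@anuagartest.onmicrosoft.com'; UserType = 'Guest'; BlockCredential = $true; WhenCreated = (Get-Date).AddDays(-10) }
    [pscustomobject]@{ UserPrincipalName = 'admin@anuagartest.onmicrosoft.com'; UserType = 'Member'; BlockCredential = $false; WhenCreated = (Get-Date).AddDays(-400) }
)
$sample | Get-GuestReview -ExpectedDomains 'partner.example' | Format-Table -AutoSize
# Live tenant, after Connect-MsolService: Get-MsolUser -All | Get-GuestReview
```

Flagged accounts can then be disabled or removed with the Set-MsolUser and Remove-MsolUser commands shown in steps 9 and 10.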

**Hope the above article helps you in understanding, managing and troubleshooting "Microsoft TEAMS: Guest Access".