Teams guest access checklist
Use this checklist to help you enable and configure the guest access feature in Microsoft Teams according to the preferences of your organization.
Understand the limitations for guests
The guest experience has limitations by design. Make sure you understand the guest experience so you don't try to fix something that isn't a problem. For example, here's a list of some of the functionality that isn't available to a guest in Microsoft Teams:
- OneDrive for Business
- People search outside of Teams
- Calendar, Scheduled Meetings, or Meeting Details
- Organization chart
- Create or revise a team
- Browse for a team
- Upload files to a person-to-person chat
- Guests can still search and find users, outside their team, if they know their full email ID. To prevent this, IT admins can use patterns like scoped directory search that have the ability to restrict Guests into their own virtual GAL.
Guest access vs. external access (federation)
External access (federation) and guest access are different:
Guest access gives access permission to an individual. External access gives access permission to an entire domain.
Guest access, once granted by a team owner, allows a guest to access resources, such as channel discussions and files, for a specific team, and chat with other users in the team they have been invited to. With external access (federated chat), the external chat participants have no access to the inviting organization’s teams or team resources. They can only participate in one-on-one federated chat. Tenant admins can choose between the two communication options depending on which level of collaboration is desirable with the external party. Admins can choose either approaches or both, depending on their organizational needs, but we recommend enabling guest access for a fuller, collaborative Teams experience.
For a detailed comparison, see Manage external access.
If your guests are seeing license errors
Guest access in Microsoft Teams uses Azure Active Directory Business to Business (B2B) and its licensing model. If you’re seeing licensing errors, make sure to read the B2B licensing guidance to understand the licensing requirements your organization has so that your users are able to invite guests to your organization.
A few things to remember:
- For each paid Azure AD license that you assign to a user, your users can invite up to five guest users under the External User Allowance.
- Guests are users outside your organization. Your employees, onsite contractors, onsite agents, and so on can't be added as guests. The same applies to your affiliates.
- Guest licenses are counted against the inviting organization. Consider this when you calculate the number of licenses you need.
- Licenses are counted against your organization whether the invited guests come from another Office 365 tenant or are using their personal email addresses.
□ Step 1: Configure settings in Azure AD business-to-business
Sign in to https://portal.azure.com
Click Azure Active directory in the left pane.
Under Manage, click User settings.
Under External users, click Manage External collaboration settings.
On the External collaboration settings page make sure Members can invite is set to Yes.
To support guests, Members can invite must be set to Yes.
If you set Members can invite to No and then enable guest access in Office 365 Groups and Microsoft Teams, admins can control guest invitations to your directory. After guests are in the directory, they can be added to teams by non-admin members who are team owners.
For more information, see Authorize guest access in Microsoft Teams.
□ Step 2: Configure Office 365 Groups
In the Microsoft 365 admin center, go to Settings > Services & Add-ins > Office 365 Groups.
Make sure Let group members outside the organization access group content is set to On. If this setting is turned off, guests won't be able to access any group content.
Make sure Let group owners add people outside the organization to groups is set to On. If this setting is turned off, Team owners won't be able to add new guests. At a minimum, this setting must be On to support guest access.
□ Step 3: Enable guest access at the tenant level
At a minimum, you must turn on Guest access for Microsoft Teams under the Microsoft Teams admin center.
In the Teams admin center, select Org-Wide settings > Guest access.
Set the Allow guest access in Microsoft Teams switch to On.
On this same page, configure any other guest settings that you require.
For detailed instructions, see Turn on or off guest access to Microsoft Teams.
□ Step 4: Configure sharing in Office 365
Make sure that users can add guests. Here's how:
In the Microsoft 365 admin center, go to Settings > Security & privacy.
In Sharing, select Edit.
Set Let users add new guests to this organization to On, and then click Save.
This setting is equivalent to the Members can invite setting in User settings > External users in Azure AD.
□ Step 5: Verify sharing setting in SharePoint
Sign in to the Microsoft 365 admin center.
Click Admin center, and then select SharePoint.
In the SharePoint admin center, select Sharing.
Make sure the option for Don’t allow sharing outside your organization is not selected.
□ Step 6: Enable specific settings for channels
In the Teams application, at the individual team level, configure guest permissions so that guests can create, update, and delete channels. In addition to admins, team owners can configure this setting.
For more information, including how-to videos, see Guest access in Microsoft Teams.
If you have problems with adding guests in Microsoft Teams, see the Guest Access Troubleshooting Guide.
Send feedback about: