Teams guest access checklist
Use this checklist to help you enable and configure the guest access feature in Microsoft Teams according to the preferences of your organization.
For collaboration restrictions see Enable B2B external collaboration and manage who can invite guests.
Understand the limitations for guests
The guest experience has limitations by design. Make sure you understand the guest experience so you don't try to fix something that isn't a problem. For example, here's a list of some of the functionality that isn't available to a guest in Microsoft Teams:
- OneDrive for Business
- People search outside of Teams
- Calendar, Scheduled Meetings, or Meeting Details
- Organization chart
- Create or revise a team
- Browse for a team
- Upload files to a person-to-person chat
- Guests can still search and find users (outside their team) if they know the user's full email ID. To prevent this, IT admins can use patterns like scoped directory search that have the ability to restrict Guests into their own virtual GAL.
Guest access vs. external access (federation)
External access (federation) and guest access are different:
Guest access gives access permission to an individual. External access gives access permission to an entire domain.
Guest access, once granted by a team owner, allows a guest to access resources, such as channel discussions and files, for a specific team, and chat with other users in the team they have been invited to. With external access (federated chat), the external chat participants have no access to the inviting organization’s teams or team resources. They can only participate in one-on-one federated chat. Tenant admins can choose between the two communication options depending on which level of collaboration is desirable with the external party. Admins can choose either approaches or both, depending on their organizational needs, but we recommend enabling guest access for a fuller, collaborative Teams experience.
For a detailed comparison, see Manage external access.
Currently, Microsoft Teams does not support the guest inviter role. At a minimum the "members can invite" toggle must be set to "Yes" for guest access to work in Microsoft Teams. If you set "members can invite" to "No" and then enable guest access in Office 365 Groups and Microsoft Teams, admins can control guest invitations to your directory. After guests are in the directory, they can be added to teams by non-admin members who are team owners.
If your guests are seeing license errors
Guest access in Microsoft Teams uses Azure Active Directory (Azure AD) Business to Business (B2B) and its licensing model. If you’re seeing licensing errors, make sure to read the B2B licensing guidance to understand the licensing requirements your organization has so that your users are able to invite guests to your organization.
A few things to remember:
- Guests are users outside your organization. Your employees, onsite contractors, onsite agents, and so on can't be added as guests. The same applies to your affiliates.
- Guest licenses are counted against the inviting organization. Consider this when you calculate the number of licenses you need.
- Licenses are counted against your organization whether the invited guests come from another Office 365 tenant or are using their personal email addresses.
□ Step 1: Configure settings in Azure AD business-to-business
- Sign in to the Azure portal as a tenant administrator.
- Select Azure Active Directory > Users > User settings.
- Under External users, select Manage external collaboration settings.
The External collaboration settings are also available from the Organizational relationships page. In Azure Active Directory, under Manage, go to Organizational relationships > Settings.
- On the External collaboration settings page, choose the policies you want to enable.
Guest users permissions are limited: This policy determines permissions for guests in your directory. Select Yes to block guests from certain directory tasks, like enumerating users, groups, or other directory resources. Select No to give guests the same access to directory data as regular users in your directory.
Admins and users in the guest inviter role can invite: To allow admins and users in the "Guest Inviter" role to invite guests, set this policy to Yes.
Members can invite: To allow non-admin members of your directory to invite guests, set this policy to Yes.
If you set Members can invite to No and then enable guest access in Office 365 Groups and Microsoft Teams, admins can control guest invitations to your directory. After guests are in the directory, they can be added to teams by non-admin members who are team owners. For more information, see Authorize guest access in Microsoft Teams.
Guests can invite: To allow guests to invite other guests, set this policy to Yes.
Enable email one-time passcode for guests (Preview): For more information about the one-time passcode feature, see Email one-time passcode authentication (preview).
Collaboration restrictions: For more information about allowing or blocking invitations to specific domains, see Allow or block invitations to B2B users from specific organizations.
□ Step 2: Configure Office 365 Groups
In the Microsoft 365 admin center, go to Settings > Services & Add-ins > Office 365 Groups.
Make sure Let group members outside the organization access group content is set to On. If this setting is turned off, guests won't be able to access any group content.
Make sure Let group owners add people outside the organization to groups is set to On. If this setting is turned off, Team owners won't be able to add new guests. At a minimum, this setting must be On to support guest access.
□ Step 3: Enable guest access at the tenant level
At a minimum, you must turn on guest access for Microsoft Teams under the Microsoft Teams admin center.
In the Teams admin center, select Org-Wide settings > Guest access.
Set the Allow guest access in Microsoft Teams switch to On.
On this same page, configure any other guest settings that you require.
For detailed instructions, see Turn on or turn off guest access to Microsoft Teams.
□ Step 4: Configure sharing in Office 365
Make sure that users can add guests. Here's how:
In the Microsoft 365 admin center, go to Settings > Security & privacy.
In Sharing, select Edit.
Set Let users add new guests to this organization to On, and then click Save.
This setting is equivalent to the Members can invite setting in User settings > External users in Azure AD.
□ Step 5: Verify sharing setting in SharePoint
Sign in to the Microsoft 365 admin center.
Click Admin center, and then select SharePoint.
In the SharePoint admin center, select Sharing.
Make sure the option for Don’t allow sharing outside your organization is not selected.
□ Step 6: Enable specific settings for channels
In the Teams application, at the individual team level, configure guest permissions so that guests can create, update, and delete channels. In addition to admins, team owners can configure this setting.
For more information, including how-to videos, see Guest access in Microsoft Teams.
If you have problems with adding guests in Microsoft Teams, see the Guest Access Troubleshooting Guide.