Guest access in Microsoft Teams
With guest access, you can provide access to teams, documents in channels, resources, chats, and applications to people outside your organization, while maintaining control over your corporate data.
A guest is someone who isn't an employee, student, or member of your organization. They don't have a school or work account with your organization. For example, guests may include partners, vendors, suppliers, or consultants. Anyone who is not part of your organization can be added as guest in Teams. This means that anyone with a business account (that is, an Azure Active Directory account) or consumer email account (with Outlook.com, Gmail.com or others) can participate as a guest in Teams, with access to teams and channel experiences.
As the Teams admin, you control which features guests can (and can't) use in Teams. Guests in Teams are covered by the same compliance and auditing protection as the rest of Microsoft 365, and can be managed within Azure AD. Guest access is subject to Azure AD and Microsoft 365 or Office 365 service limits.
The guest experience has limitations by design. For a full list of what a guest can and can't do in Teams, see comparison of team member and guest capabilities.
Guest users follow Teams Org-wide settings for the coexistence Upgrade mode. This can't be changed.
To compare external access (federation) with guest access (and decide which one you should use), read Communicate with users from other organizations in Teams.
Set up guest access
Guest access in Teams requires configuring other settings in Microsoft 365, including settings in Azure AD, Microsoft 365 Groups, and SharePoint. If you're ready to start inviting guests to teams, read one of the following:
- To configure guest access for Teams for general use, see Collaborate with guests in a team.
- To collaborate with a partner organization that uses Azure Active Directory and allow guests to self-enroll for team access, see Create a B2B extranet with managed guests.
Guest access in Teams is an organization-wide setting and is turned off by default. You can control guest access to individual teams by using sensitivity labels.
How a guest becomes a member of a team
- A team owner or a Microsoft 365 admin adds a guest to a team.
- The guest receives a welcome email from the team owner, with information about the team and what to expect now that they're a member.
- The guest accepts the invitation. Guest users who have an work or school account in Azure Active Directory can accept the invitation and authenticate directly. Other users are sent a one-time pass code to validate their identity (One-time passcode authentication required).
- After accepting the invitation, the guest can participate in teams and channels, receive and respond to channel messages, access files in channels, participate in chats, join meetings, collaborate on documents, and more.
In Teams, guests are clearly identified. A guest user's name includes the label (Guest), and a channel includes an icon to indicate that there are guests on the team. For more details, see What the guest experience is like.
Guests can leave the team at any time from within Teams. For details, see How do I leave a team?
Leaving the team doesn't remove the guest account from your organization's directory. This must be done by a Microsoft 365 global admin or an Azure AD admin.
Licensing for guest access
Guest access is included with all Microsoft 365 Business Standard, Microsoft 365 Enterprise, and Microsoft 365 Education subscriptions. No additional Microsoft 365 license is necessary. Teams doesn't restrict the number of guests you can add. However, the total number of guests that can be added to your tenant may be restricted by the paid features of Azure AD. For more information, see Billing model for Azure AD External Identities.
Users in your organization who have standalone Microsoft 365 subscription plans only, such as Exchange Online Plan 2, cannot be invited as guests to your organization because Teams considers these users to belong to the same organization. For these users to use Teams, they must be assigned an Microsoft 365 Business Standard, Office 365 Enterprise, or Office 365 Education subscription.
Guest access reviews
You can use Azure AD to create an access review for group members or users assigned to an application. Creating recurring access reviews can save you time. If you need to routinely review users who have access to an application, a team, or are members of a group, you can define the frequency of those reviews.
You can perform a guest access review yourself, ask guests to review their own membership, or ask an application owner or business decision maker to perform the access review. Use the Azure portal to perform guest access reviews. For more information, see Manage guest access with Azure AD access reviews.