Guest access in Microsoft Teams
With guest access, you can provide access to teams, documents in channels, resources, chats, and applications to people outside your organization, while maintaining control over your corporate data. See Set up secure collaboration with Microsoft 365 and Microsoft Teams.
If you just want to find, call, chat, and set up meetings with people in other organizations, use external access.
A guest is someone who isn't an employee, student, or member of your organization. They don't have a school or work account with your organization. For example, guests may include partners, vendors, suppliers, or consultants. Anyone who is not part of your organization can be added as guest in Teams. This means that anyone with a business account (that is, an Azure Active Directory account) or consumer email account (with Outlook.com, Gmail.com or others) can participate as a guest in Teams, with access to teams and channel experiences.
Guests in Teams are covered by the same compliance and auditing protection as the rest of Microsoft 365, and can be managed within Azure AD. Guest access is subject to Azure AD and Microsoft 365 or Office 365 service limits.
The guest experience has limitations by design. For a full list of what a guest can and can't do in Teams, see comparison of team member and guest capabilities.
Guests follow Teams Org-wide settings for the coexistence Upgrade mode. This can't be changed.
To set up guest access, see Collaborate with guests in a team.
To compare external access (federation) with guest access (and decide which one you should use), read Communicate with users from other organizations in Teams.
Set up guest access
Guest access in Teams requires configuring other settings in Microsoft 365, including settings in Azure AD, Microsoft 365 Groups, and SharePoint. If you're ready to start inviting guests to teams, read one of the following:
- To configure guest access for Teams for general use, see Collaborate with guests in a team.
- To collaborate with a partner organization that uses Azure Active Directory and allow guests to self-enroll for team access, see Create a B2B extranet with managed guests.
Guest access in Teams is an organization-wide setting and is turned on by default. You can control guest access to individual teams by using sensitivity labels.
Turning guest access off
If you turn guest access off in Teams, existing guests lose access to their team. However, they are not removed from the team. They are still visible to the team members and can be @mentioned. If you turn Teams guest access on again, they will regain access.
If you plan to leave guest access off, you may want to advise your team owners to manually remove the guest accounts from their teams. While these guests won't have access, having their accounts visible in the team could lead to confusion for other team members.
How a guest becomes a member of a team
- A team owner or a Microsoft 365 admin adds a guest to a team.
- The guest receives a welcome email from the team owner, with information about the team and what to expect now that they're a member.
- The guest accepts the invitation. Guests who have a work or school account in Azure Active Directory can accept the invitation and authenticate directly. Other users are sent a one-time pass code to validate their identity (One-time passcode authentication required).
- After accepting the invitation, the guest can participate in teams and channels, receive and respond to channel messages, access files in channels, participate in chats, join meetings, collaborate on documents, and more.
In Teams, guests are clearly identified. A guest's name includes the label (Guest), and a channel includes an icon to indicate that there are guests on the team. For more details, see What the guest experience is like.
Guests can leave the team at any time from within Teams. For details, see How do I leave a team?
Leaving the team doesn't remove the guest account from your organization's directory. This must be done by a Microsoft 365 global admin or an Azure AD admin.
Licensing for guest access
Guest access can be used with all Microsoft 365 Business Standard, Microsoft 365 Enterprise, and Microsoft 365 Education subscriptions. No additional Microsoft 365 license is necessary. The billing model for Azure AD External Identities applies to guests in Microsoft 365. Only people from outside your organization can be invited as guests.
Guest access reviews
You can use Azure AD to create an access review for group members or users assigned to an application. Creating recurring access reviews can save you time. If you need to routinely review users who have access to an application, a team, or are members of a group, you can define the frequency of those reviews.
You can perform a guest access review yourself, ask guests to review their own membership, or ask an application owner or business decision maker to perform the access review. Use the Azure portal to perform guest access reviews. For more information, see Manage guest access with Azure AD access reviews.