Manage guest access in Office 365 Groups

By default, guest access is turned on for your organization. When it's turned on, everyone in your organization can add guest users to an Office 365 Group. The guests will have access to all Office 365 Group features.

Admins can control whether to allow guest access to Office 365 Groups for their whole organization or for individual Office 365 groups. They can also control who can allow guests to be added to groups.

Manage guest access in the admin portal

View guest users

  1. Sign in with your Office 365 global admin account at https://portal.office.com/adminportal/home.

  2. Go to Users > Guest users.


Add existing guests to an Office 365 Group

If the guest already exists in your directory (see above) you can add them to your groups from the Office Admin Center or the Exchange Admin Center.

  1. Sign in with your Office 365 global admin account at https://portal.office.com/adminportal/home.

  2. Go to Groups > Groups.


  3. Select the group you want to add the guest to, and choose Edit in the Members section.


  4. Select the name of the guest you want to add.

  5. Choose Save.

Invite guests

You can't invite guests from the Office Admin Center or the Exchange Admin Center at this time. To invite guests centrally you might consider using the Azure Active Directory B2B collaboration preview. For more information, see About the Azure AD B2B collaboration preview.

Edit guest information

Currently you can't add or edit guests from the Office Admin Center or the Exchange Admin Center. To edit guest accounts (such as their display name or profile photo) go to your Azure Active Directory portal. For more information, see Understanding Office 365 identity and Azure Active Directory.

Manage guest access to Office 365 Groups

Turn on or off guest access to group files and OneNote

By default, guests can access group files and the group OneNote notebook. To turn off guest access, you need to turn off the SharePoint external sharing setting at the organization level. For the steps, see Turn external sharing on or off for SharePoint Online, "Manage external sharing for Office 365 Group site collections."

However, even if the SharePoint external sharing setting is turned off, the files from SharePoint sites can still be shared with new guest users based on SharePoint settings. To learn more, see Manage external sharing for your SharePoint Online environment.

Turn on or off the Sharing option

By default, the Sharing option in your organization is turned on. This option allows guests to be added to your organization. To turn it off:

  1. Sign in with your Office 365 global admin account at https://portal.office.com/adminportal/home.

  2. In the navigation menu, choose Settings then Security & privacy.

  3. Set the On / Off toggle for Allow adding of new guests to my organization.


Manage who can add guest users

  1. Sign in with your Office 365 admin account at https://portal.office.com/adminportal/home.

  2. In the navigation menu, choose Settings then Services & add-ins.

  3. Choose Office 365 Groups.


  4. On the Office 365 Groups page, set the toggle to On or Off, depending on whether you want to let people outside your organization access Office 365 group resources.

    If you turn this toggle on, you'll see another option to control whether you want to let group owners add people outside your organization to Office 365 groups. Set this toggle to On if you want to let group owners add guest users.


Use PowerShell to control guest access

Install the preview version of the Azure Active Directory PowerShell for Graph

IMPORTANT: You cannot install both the preview and GA versions on the same computer at the same time.

As a best practice, we recommend always staying current: uninstall the old AzureADPreview or old AzureAD version and get the latest one.

  1. Open Windows PowerShell as an administrator:

     a. In your search bar, type Windows PowerShell.

     b. Right-click on Windows PowerShell and select Run as Administrator.

    The Windows PowerShell window will pop open. The prompt C:\Windows\system32 means you opened it as an administrator.

  2. Check the installed module:

    Get-InstalledModule -Name "AzureAD*"

  3. To uninstall a previous version of AzureADPreview or AzureAD, run this command:

    Uninstall-Module AzureADPreview

    or

    Uninstall-Module AzureAD

  4. To install the latest version of AzureADPreview, run this command:

    Install-Module AzureADPreview

    At the message about an untrusted repository, type Y. It will take a minute or so for the new module to install.

Allow or block guest access to all Office 365 groups

  1. Did you install the AzureADPreview module, as instructed in the above section "Install the preview version of the Azure Active Directory PowerShell for Graph"? Not having the most current preview version is the #1 reason these steps don't work for people.

  2. If you haven't already, open a Windows PowerShell window on your computer (it doesn't matter if it's a normal Windows PowerShell window, or one you opened by selecting Run as administrator).

  3. Run the following commands. Press Enter after each command.

    Import-Module AzureADPreview

    Connect-AzureAD

    In the Sign in to your Account screen that opens, enter your Office 365 admin account and password to connect you to your service, and click Sign in.

  4. Run the following command:

    $template = Get-AzureADDirectorySettingTemplate | ? {$_.displayname -eq "group.unified"}

  5. See if you already have an AzureADDirectorySetting object, and if so, save the Object ID. Run this command:

    $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id

    IF, and ONLY if, that cmdlet displays an error saying the object doesn't exist, create one using these cmdlets:

    $template = Get-AzureADDirectorySettingTemplate | ? {$_.displayname -eq "group.unified"}

    $settingsCopy = $template.CreateDirectorySetting()

    New-AzureADDirectorySetting -DirectorySetting $settingsCopy

    $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id

  6. Copy the AzureADDirectorySetting object back into the local $settingsCopy variable:

    $settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID

    This is only a COPY of the settings; changes won't take effect until you copy it BACK to the AzureADDirectorySetting object.

  7. Set the option to allow guests to access O365 groups:

    $settingsCopy["AllowGuestsToAccessGroups"] = "true"

  8. Finally, (as mentioned above) for the change to take effect you must copy the settings BACK to the AzureADDirectorySetting object:

    Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy

  9. To verify the change took effect, retrieve the value from the AzureADDirectorySetting object (don't just look at the local copy in $settingsCopy):

    (Get-AzureADDirectorySetting -Id $settingsObjectID).Values

    In the results, AllowGuestsToAccessGroups should be set to True.

Allow guests to be added to all Office 365 groups

  1. Did you install the AzureADPreview module, as instructed in the above section "Install the preview version of the Azure Active Directory PowerShell for Graph"? Not having the most current preview version is the #1 reason these steps don't work for people.

  2. If you haven't already, open a Windows PowerShell window on your computer (it doesn't matter if it's a normal Windows PowerShell window, or one you opened by selecting Run as administrator).

  3. Run the following commands. Press Enter after each command.

    Import-Module AzureADPreview

    Connect-AzureAD

    In the Sign in to your Account screen that opens, enter your Office 365 admin account and password to connect you to your service, and click Sign in.

  4. Run the following command:

    $template = Get-AzureADDirectorySettingTemplate | ? {$_.displayname -eq "group.unified"}

  5. See if you already have an AzureADDirectorySetting object, and if so, save the Object ID. Run this command:

    $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id

    IF, and ONLY if, that cmdlet displays an error saying the object doesn't exist, create one using these commands:

    $template = Get-AzureADDirectorySettingTemplate | ? {$_.displayname -eq "group.unified"}

    $settingsCopy = $template.CreateDirectorySetting()

    New-AzureADDirectorySetting -DirectorySetting $settingsCopy

    $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id

  6. Copy the AzureADDirectorySetting object back into the local $settingsCopy variable:

    $settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID

    This is only a COPY of the settings; changes won't take effect until you copy it BACK to the AzureADDirectorySetting object.

  7. Set the option to allow guests to be added to all O365 groups:

    $settingsCopy["AllowToAddGuests"] = "true"

  8. Finally, (as mentioned above) in order for the change to take effect you must copy the settings BACK to the AzureADDirectorySetting object:

    Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy

  9. To verify the change took effect, retrieve the value from the AzureADDirectorySetting object (don't just look at the local copy in $settingsCopy):

    (Get-AzureADDirectorySetting -Id $settingsObjectID).Values
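
The two tenant-wide procedures above ("Allow or block guest access to all Office 365 groups" and "Allow guests to be added to all Office 365 groups") can be combined into one repeatable script. This is an added example, not Microsoft's own script; the values in $desired are assumptions chosen for illustration, and an empty lookup result is treated as "no Group.Unified settings object exists yet".

```powershell
# Added example. Assumes AzureADPreview is installed and the signed-in
# account is allowed to manage directory settings.
Import-Module AzureADPreview
Connect-AzureAD | Out-Null

# Desired state (assumed values for this example): guests keep access to
# groups, but no new guests may be added.
$desired = @{
    AllowGuestsToAccessGroups = 'true'
    AllowToAddGuests          = 'false'
}

# Look up the tenant's Group.Unified settings object. The result is $null
# when no such object has been created yet.
$setting = Get-AzureADDirectorySetting |
    Where-Object { $_.DisplayName -eq 'Group.Unified' }

if ($null -eq $setting) {
    # Create the object from the template, then re-read the stored copy.
    $template = Get-AzureADDirectorySettingTemplate |
        Where-Object { $_.DisplayName -eq 'Group.Unified' }
    New-AzureADDirectorySetting -DirectorySetting ($template.CreateDirectorySetting()) | Out-Null
    $setting = Get-AzureADDirectorySetting |
        Where-Object { $_.DisplayName -eq 'Group.Unified' }
}

# Record the current values so the change can be reviewed or reverted.
$before = @{}
foreach ($name in $desired.Keys) { $before[$name] = $setting[$name] }

# Edit the local copy, then write it back. Nothing changes in the directory
# until Set-AzureADDirectorySetting runs.
foreach ($name in $desired.Keys) { $setting[$name] = $desired[$name] }
Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting

# Verify against the directory, not the local copy.
$stored = Get-AzureADDirectorySetting -Id $setting.Id
foreach ($name in $desired.Keys) {
    [pscustomobject]@{
        Setting = $name
        Before  = $before[$name]
        After   = $stored[$name]
        Matches = ($stored[$name] -eq $desired[$name])
    }
}
```

Keeping the Before column with the change record gives you the values to restore if the new policy has to be rolled back.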

Allow or block guest users from a specific group

Note

You must have global admin rights to run these commands.

  1. Did you install the AzureADPreview module, as instructed in the above section "Install the preview version of the Azure Active Directory PowerShell for Graph"? Not having the most current preview version is the #1 reason these steps don't work for people.

  2. If you haven't already, open a Windows PowerShell window on your computer (it doesn't matter if it's a normal Windows PowerShell window, or one you opened by selecting Run as administrator).

  3. Run the following commands. Press Enter after each command.

    Import-Module AzureADPreview

    Connect-AzureAD

    In the Sign in to your Account screen that opens, enter your Office 365 admin account and password to connect you to your service, and click Sign in.

  4. Run this command.

    $template = Get-AzureADDirectorySettingTemplate | ? {$_.displayname -eq "group.unified.guest"}

  5. Run this command.

    $settingsCopy = $template.CreateDirectorySetting()

  6. Run this command. Set to False to block guest access to a specific group. Set to True to allow guest access to a specific group.

    $settingsCopy["AllowToAddGuests"]=$False

  7. Run this command.

    $groupID= (Get-AzureADGroup -SearchString "YourGroupName").ObjectId

    Where you would replace YourGroupName with something like Human Resources.

  8. Run this command.

    New-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupID -DirectorySetting $settingsCopy

    It takes 2-3 minutes to be synced.

  9. To verify your settings, run this command:

    Get-AzureADObjectSetting -TargetObjectId $groupID -TargetType Groups | fl Values
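
An added example (not Microsoft's own script) that wraps the per-group steps above in a function. The function name Set-GroupGuestPolicy is hypothetical; it assumes an existing Connect-AzureAD session, refuses to act unless exactly one group has the given display name, and updates the group's existing guest setting when one is already present rather than creating a second one.

```powershell
# Added example. Set-GroupGuestPolicy is a hypothetical helper name.
function Set-GroupGuestPolicy {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [bool]   $AllowToAddGuests
    )

    # -SearchString can return several groups, so require exactly one group
    # whose display name matches in full before changing anything.
    $groups = @(Get-AzureADGroup -SearchString $GroupName |
        Where-Object { $_.DisplayName -eq $GroupName })
    if ($groups.Count -ne 1) {
        throw "Expected exactly one group named '$GroupName', found $($groups.Count)."
    }
    $groupId = $groups[0].ObjectId

    $template = Get-AzureADDirectorySettingTemplate |
        Where-Object { $_.DisplayName -eq 'Group.Unified.Guest' }

    # Find a guest setting already attached to this group, matched by template.
    $existing = Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupId |
        Where-Object { $_.TemplateId -eq $template.Id }

    if ($existing) {
        # Update the setting that is already on the group.
        $existing['AllowToAddGuests'] = $AllowToAddGuests
        Set-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupId `
            -Id $existing.Id -DirectorySetting $existing
    }
    else {
        # No setting yet: create one from the template, as in the steps above.
        $new = $template.CreateDirectorySetting()
        $new['AllowToAddGuests'] = $AllowToAddGuests
        New-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupId `
            -DirectorySetting $new | Out-Null
    }

    # Read the stored values back from the directory for verification.
    (Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupId |
        Where-Object { $_.TemplateId -eq $template.Id }).Values
}

# Constructed sample call: block adding guests to the "Human Resources" group.
Set-GroupGuestPolicy -GroupName 'Human Resources' -AllowToAddGuests $false
```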

Allow/block guest access based on their domain

You can allow or block guest users who are using a specific domain. For example, if your business (Contoso) has a partnership with another business (Fabrikam), you can add Fabrikam to your Allow list so your users can add those guests to their groups.

For more information, see Allow/Block guest access to Office 365 groups.

FAQ

Who can add guest users to a group?

  • An Office 365 Group owner can add guest users if this option has been enabled for your organization.

  • Global admins can add guest users to any Office 365 groups in the organization.

How can a global admin add a new guest user to the organization?

  • Owners of an Office 365 group and global admins who are owners of the group can add guest users to Office 365 groups through Outlook on the web.

  • Sharing a file with a guest from a SharePoint site or an Office 365 group. See Share group files.

  • Adding guests to your organization through Azure Active Directory B2B collaboration. Azure Active Directory B2B collaboration allows a company administrator to invite and authorize a set of external users by uploading a comma-separated values (CSV) file of no more than 2000 lines to the B2B collaboration portal. For more details, check out Azure Active Directory B2B collaboration.

Can global admin block guests in groups and still allow guests to access SharePoint sites?

Yes, global admins can use Azure Active Directory PowerShell cmdlets to disable the "AllowGuestsToAccessGroups" property on the Company object, assuming external sharing is turned On for SharePoint sites.

How long until the guest user settings take effect in the Office 365 organization?

The guest settings are set in Azure Active Directory. It takes 2 to 24 hours for the changes to be effective across your Office 365 organization.

Can I share a group document library with an external user who isn't a member of the group?

No. You can only share an Office 365 Group document library with guests who have been invited to join the group. But individual group files can still be shared with guest users through file sharing from SharePoint Online.

Can I manage SharePoint Online external user settings for the Group connected team site?

Yes, read Manage your group-connected team site for more details.

Is there a way to block individual guest users?

No, individual guest users can't be blocked.

Can I make guest objects visible in the global address list?

Guest objects are not visible in the Exchange Global Address List by default because guest objects can be created by end-user action (e.g. invitation to access a shared document). As a rule, the contents of the Global Address List are controlled by administrators, and many organizations do not want objects created by end-user action to become visible without administrator control.

Use the steps listed below to make the guest objects visible in the global address list. This should be used when the administrators responsible for the end-to-end lifecycle of external users have access to both Azure Active Directory and Exchange Online cmdlets.

For example, if a guest object for meganb@contoso.com exists in Azure Active Directory, then Azure Active Directory PowerShell can be used to make meganb@contoso.com visible in the global address list.

  1. Set-AzureADUser -ObjectId <<ObjectIDGuid>> -ShowInAddressList $true

  2. Set-AzureADUser -ObjectId <<ObjectIDGuid>> -GivenName 'Megan' -Surname 'Bowen' -TelephoneNumber "555-555-5555"

  3. Set-AzureADUser -ObjectId <<ObjectIDGuid>> -DisplayName "Megan Bowen"

In a hybrid Office 365 organization, do guest users who are members of an Office 365 Group sync back to on-premises Exchange servers?

No, guest users who are members of a group aren't synced back to on-premises along with the group.

Can mail contacts be added to groups?

Yes, you can. External mail contacts are contacts listed in your company's global address list. An example of this type of contact is a vendor company who regularly provides services to your organization.

Can I add guest users to my Office 365 Connected Yammer Groups?

Office 365 Connected Yammer Groups do not currently support guest access, but you can create non-connected, external groups in your Yammer network. See Create and manage external groups in Yammer for instructions.

Is an additional Office 365 license required for guest access?

No. Guest access is included with all Office 365 Business Premium and Office 365 Enterprise subscriptions.

I just migrated my distribution lists to Office 365 groups. Can I add guests to those?

Yes. The guests won't receive a welcome email message, but they will have all the privileges of any other guest member. If you've not yet migrated your distribution lists, see Migrate distribution lists to Office 365 Groups for instructions. Distribution lists that contain guests can't be migrated.

See Also

Manage Group membership in the Office 365 admin center

Allow/Deny guest access to Office 365 groups based on their domain

Azure Active Directory access reviews