Manage guest access in Office 365 Groups

By default, guest access is turned on for your organization. When it's turned on, everyone in your organization can add guest users to an Office 365 Group. The guests will have access to all Group features.

Admins can control whether to allow guest access to Groups for their whole organization or for individual groups. They can also control who can allow guests to be added to groups.

Manage guest access in the admin center

View guest users

  • In the admin center, go to the Users > Guest users page.

Add existing guests to an Office 365 Group


If you're not using the new Microsoft 365 admin center, you can turn it on by selecting the Try the new admin center toggle located at the top of the Home page.

If the guest already exists in your directory (see above), you can add them to your groups from the Office Admin Center or the Exchange Admin Center.

  1. In the admin center, go to the Groups > Groups page.

  2. Select the group you want to add the guest to, and select View all and manage members on the Members tab.

  3. Select Add members, and choose the name of the guest you want to add.

  4. Select Save.

Invite guests

You can't invite guests from the Office Admin Center or the Exchange Admin Center at this time. To invite guests centrally you might consider using the Azure Active Directory B2B collaboration preview. For more information, see About the Azure AD B2B collaboration preview.

Edit guest information

Currently you can't add or edit guests from the Office Admin Center or the Exchange Admin Center. To edit guest accounts (such as their display name or profile photo) go to your Azure Active Directory portal. For more information, see Understanding Office 365 identity and Azure Active Directory.

Manage guest access to Office 365 Groups

Turn on or off guest access to group files and OneNote

By default, guests can access group files and the group OneNote notebook. To turn off guest access, you need to turn off the SharePoint external sharing setting at the organization level. For the steps, see Turn external sharing on or off for SharePoint Online, "Manage external sharing for Office 365 Group site collections."

However, even if the SharePoint external sharing setting is turned off, the files from SharePoint sites can still be shared with new guest users based on SharePoint settings. To learn more, see Manage external sharing for your SharePoint Online environment.

Turn on or off the Sharing option

By default, the Sharing option in your organization is turned on. This option allows guests to be added to your organization. To turn it off:

  1. In the admin center, go to the Settings > Security & privacy page.

  2. Next to Sharing, select Edit.

  3. Set the On / Off toggle for Let users add new guests to the organization.

Manage who can add guest users

  1. In the admin center, go to the Settings > Services & add-ins page.

  2. Select Office 365 Groups.

  3. On the Office 365 Groups page, choose whether you want to let people outside your organization access group resources or let group owners add people outside your organization to groups.

Use PowerShell to control guest access

Install the preview version of the Azure Active Directory PowerShell for Graph

These procedures require the preview version of the Azure Active Directory PowerShell for Graph. The GA version will not work.


You cannot install both the preview and GA versions on the same computer at the same time.

As a best practice, we recommend always staying current: uninstall the old AzureADPreview or old AzureAD version and get the latest one.

  1. In your search bar, type Windows PowerShell.

  2. Right-click on Windows PowerShell and select Run as Administrator.

    Open PowerShell as "Run as administrator."

  3. Check installed module:

    Get-InstalledModule -Name "AzureAD*"
  4. To uninstall a previous version of AzureADPreview or AzureAD, run this command:

    Uninstall-Module AzureADPreview


    Uninstall-Module AzureAD
  5. To install the latest version of AzureADPreview, run this command:

    Install-Module AzureADPreview

    At the message about an untrusted repository, type Y. It will take a minute or so for the new module to install.

Leave the PowerShell window open for Step 3, below.

Configure guest Access

Copy the script below into a text editor, such as Notepad, or the Windows PowerShell ISE.

Update the script as follows:

To let group members outside the organization access group content, set $AllowGuestsToAccessGroups = "True", otherwise set $AllowGuestsToAccessGroups = "False".

To let group owners add people outside the organization to groups, set $AllowToAddGuests = "True", otherwise, set $AllowToAddGuests = "False".

Save the file as ExternalGroupAccess.ps1.

In the PowerShell window, navigate to the location where you saved the file (type "CD ").

Run the script by typing:


and sign in with your administrator account when prompted.

$AllowGuestsToAccessGroups = "True"

$AllowToAddGuests = "True"


        $template = Get-AzureADDirectorySettingTemplate | ? {$_.displayname -eq "group.unified"}
        $settingsCopy = $template.CreateDirectorySetting()
        New-AzureADDirectorySetting -DirectorySetting $settingsCopy
        $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
        $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id       

$settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID

$settingsCopy["AllowGuestsToAccessGroups"] = $AllowGuestsToAccessGroups

$settingsCopy["AllowToAddGuests"] = $AllowToAddGuests

Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy

(Get-AzureADDirectorySetting -Id $settingsObjectID).Values

The last line of the script will display the updated settings:

Allow or block guest users from a specific group


You must have global admin rights to run these commands.

  1. Did you install the AzureADPreview module, as instructed in the above section "Install the preview version of the Azure Active Directory Module for Windows PowerShell"? Not having the most current preview version is the #1 reason these steps don't work for people.

  2. If you haven't already, open a Windows PowerShell window on your computer (it doesn't matter if it's a normal Windows PowerShell window, or one you opened by selecting Run as administrator).

  3. Run the following commands. Press Enter after each command.

Import-Module AzureADPreview

On the Sign in to your Account screen that opens, enter your admin account and password to connect you to your service, and select Sign in.

Enter your Office 365 credentials

  1. Run this command.

    $template = Get-AzureADDirectorySettingTemplate | ? {$_.displayname -eq "group.unified.guest"}

  2. Run this command.

    $settingsCopy = $template.CreateDirectorySetting()

  3. Run this command. Set to False to block guest access to a specific group. Set to True to allow guest access to a specific group.


  4. Run this command.

    $groupID= (Get-AzureADGroup -SearchString "YourGroupName").ObjectId

    Where you would replace YourGroupName with something like Human Resources.

  5. Run this command.

    New-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupID -DirectorySetting $settingsCopy

    It takes 2-3 minutes to be synced.

  6. To verify your settings, run this command:

    Get-AzureADObjectSetting -TargetObjectId $groupID -TargetType Groups | fl Values

    The verification looks like this:

    The verification

Allow/block guest access based on their domain

You can allow or block guest users who are using a specific domain. For example, if your business (Contoso) has a partnership with another business (Fabrikam), you can add Fabrikam to your Allow list so your users can add those guests to their groups.


If tenant Guest Access settings are set to False, individual groups cannot be set to True.

For more information, see Allow/Block guest access to Office 365 groups


Who can add guest users to a group?

  • An Office 365 Group owner can add guest users if this option has been enabled for your organization.

  • Global admins can add guest users to any groups in the organization.

How can a global admin add a new guest user to the organization?

  • Owners of an Office 365 group and global admins who are owners of the group can add guest users to groups through Outlook on Web.

  • Sharing a file with a guest from a SharePoint site or an Office 365 group. See Share group files.

  • Adding guests to your organization through Azure active directory B2B collaboration. Azure active directory B2B collaboration allows a company administrator to invite and authorize a set of external users by uploading a comma-separated values (CSV) file of no more than 2000 lines to the B2B collaboration portal. For more details, check out Azure Active Directory B2B collaboration.

Can global admin block guests in groups and still allow guests to access SharePoint sites?

Yes, global admins can use Azure active directory Powershell cmdlets to disable "AllowGuestAccessToGroups" property on Company object, assuming external sharing is turned On for SharePoint sites.

How long until the guest user settings take effect in the Office 365 organization?

The guest settings are set in Azure active directory. It takes 2 to 24 hours for the changes to be effective across your organization.

Can I share a group document library with an external user who isn't a member of the group?

No. You can only share Office 365 Group document library with guests who have been invited to join the group. But individual group files can be still shared with guests users through file sharing from SharePoint Online.

Can I manage SharePoint Online external user settings for the Group connected team site?

Yes, read Manage your group-connected team site for more details.

Is there a way to block individual guest users?

No, individual guest users can't be blocked.

Can I make guest objects visible in the global address list?

Guest objects are not visible in the Exchange Global Address List by default because guest objects can be created by end-user action (e.g. invitation to access a shared document). As a rule, the contents of the Global Address List are controlled by administrators, and many organizations do not want objects created by end-user action to become visible without administrator control.

Use the steps listed below to make the guest objects visible in the global address list. This should be used when administrators responsible for end-to-end lifecycle of external users have access to both Azure Active Directory and Exchange Online cmdlets.

For example, if a guest object for exists in Azure Active Directory, then Azure Active Directory PowerShell can be used to make visible in the global address List.

  1. Set-AzureADUser -ObjectId <<ObjectIDGuid>> -ShowInAddressList $true

  2. Set-AzureADUser -ObjectId <<ObjectIDGuid>> -GivenName 'Megan' -Surname 'Bowen' -TelephoneNumber "555-555-5555"

  3. Set-AzureADUser -ObjectId <<ObjectIDGuid>> -DisplayName "Megan Bowen"

In a hybrid Office 365 organization, do guest users who are members of an Office 365 Group sync back to on-premises Exchange servers?

No. Guest users who are members of a group aren't synched back to on-premises along with the group.

Can mail contacts be added to groups?

Yes, you can. External mail contacts are contacts listed in your company's global address list. An example of this type of contact is a vendor company who regularly provides services to your organization.

Can I add guest users to my Office 365 Connected Yammer Groups?

Office 365 Connected Yammer Groups do not currently support guest access, but you can create non-connected, external groups in your Yammer network. See Create and manage external groups in Yammer for instructions.

Is an additional Office 365 license required for guest access?

No. Guest access is included with all Office 365 Business Premium and Office 365 Enterprise subscriptions.

I just migrated my distribution lists to Office 365 groups. Can I add guests to those?

Yes. The guests won't receive a welcome email message, but they will have all the privileges of any other guest member. If you've not yet migrated your distribution lists, see Migrate distribution lists to Office 365 Groups for instructions. Distribution lists that contain guests can't be migrated.

Manage Group membership in the Microsoft 365 admin center

Allow/Deny guest access to Office 365 groups based on their domain

Azure Active Directory access reviews