Managing External Access And Guests in Microsoft Teams

External Sharing settings in Microsoft Teams

Being able to collaborate with people outside your organisation is becoming more and more common, and so it should be, we have the tools so let’s stop emailing documents around and trying to merge changes.  It’s important though to make sure your tenant is set up to support your compliance and security goals for Guest Access, as well as your employee’s requirements. When it comes to external sharing and Microsoft Teams, the settings are applied from a few different locations across Office 365, all of which will impact what options you have available further down the line.

 

If you haven’t downloaded our external sharing guide for 365, we would suggest you start there. Complete Guide to External Sharing in Office 365.

How you manage sharing in your Microsoft 365 environment is shown below, the settings in Azure will overrule any other settings in your tenant. So if the sharing settings in Azure are stricter than the sharing settings in the Microsoft 365 admin portal, the settings in Azure will be applied throughout the tenant. This is a good thing, you know that what you lock down Azure, will push down to all the services below. This also means if you are having issues freeing up the settings, start from the top (Azure) and work your way down.

External Sharing in Azure

The external sharing settings in Azure change the sharing settings throughout the rest of your tenant. Which means if external sharing is disabled in Azure, this will override any sharing settings which are configured in Microsoft 365. In Azure you can also set the rights a guest access user has to your directory data and restrict them from seeing other guests in your environment. You can also set if guests can provide guest access for others into your environment, something to check.

External Sharing in Microsoft Office 365

The external sharing settings in Microsoft Office 365 are deceptively set in the SharePoint admin centre but will apply to your entire tenant including all SharePoint sites, OneDrive accounts and Teams. At the Microsoft 365 level, you can set the default behaviour, permission level and the expiration timeframe for sharable links. Again, there are a few gotcha’s, make sure guests aren’t able to share content they don’t own.

External Sharing in Teams

Once you’ve decided that your company is going to allow external users into your Teams environment and allow your colleagues to search and chat with external contacts, there is one more question you need to consider: Are they external users or guests?

Teams treats external users and guests quite differently, and the way they can interact with your Teams platform will differ significantly. External users are unable to participate in a Team and are instead limited to one-on-one chats with someone in your company. Guest access allows people external to your company to participate in a Team as though they were a member, including collaboration on documents and participation in group chats. The differences between the two is outlined in the table below.

So in short, Guest Users is invited into the building and treated as part of the company. External Access users have a day pass or meeting pass and need an escort to get around.

Feature

External access users

Guest access users

User can chat with someone in another company

Y

Y

User can call someone in another company

Y

Y

User can see if someone from another company is available for call or chat

Y

Y

User can search for users across external tenants

Y

N

User can share files

N

Y

User can access Teams resources

N

Y

User can be added to a group chat

N

Y

User can be invited to a meeting

Y

Y

Additional users can be added to a chat with an external user

N

N/A

User is identified as an external party

Y

Y

Presence is displayed

Y

Y

Out of office message is shown

N

Y

Individual user can be blocked

N

Y

@mentions are supported

Y

Y

Make private calls

Y

Y

View the phone number for dial-in meeting participants

N

Y

Allow IP video

Y

Y

Screen sharing mode

Y

Y

Allow meet now

N

Y

Edit sent messages

Y*

Y

Can delete sent messages

Y*

Y

Use Giphy in conversation

Y*

Y

Use memes in conversation

Y*

Y

Use stickers in conversation

Y*

Y

* Note: external users are only able to perform these actions in one-on-one chats.

Once you have decided to allow external users into your Teams environment, there are a set of guest access settings which you should review to confirm what guests can and can’t do in your environment. They can be accessed 365 Admin Center and then the Teams Admin Center and will be found under Org-wide settings.

 

Setting up your environment for External Sharing in Teams

Remember, when managing Guest Access and External sharing start from the Top. Azure AD then Admin Center and then the site specific settings. With a quick stop by the Teams Admin Center along the way.

Setting up External Sharing in Azure

The external sharing settings in Azure AD can be managed through the External Identities section of Active Directory. When you are reviewing the settings in Active Directory, take note of the Guest Invite settings as these will determine the options that are available in the Microsoft 365 admin centre.


1. Navigate to Azure Active Directory

2. In the left navigation pane, click Azure Active Directory.

3. Click External identities.

4. On the Get started screen, in the left navigation pane, click External collaboration settings.

There are a few points to note with these settings:

  • The options for Guest user access determines guests are able to access directory data. This means look up other people in your Active Directory and their properties.

  • If Admins and users in the guest inviter role can invite is set to no, guest users cannot be added to your tenant.
  • If Members can invite is set to no, then only admin members of your directory can invite guest users to SharePoint sites or Teams
  • If Guests can invite is set to no, then guests cannot invite themselves or other guests to collaborate on SharePoint or Teams
Something worth noting here. You can block specific domains or allow only certain domains. A few options to consider here, block consumer email providers (eg. Yahoo, Gmail, Hotmail etc). Alternatively, you could only allow external domains for companies you want to collaborate with, business partners or customers for example. All you need is a sample email address to get this setup.

External File Sharing settings for Microsoft Office 365

SharePoint Online and OneDrive serve as the document storage locations for Teams.

  • Documents that are shared or uploaded to a Team for all to collaborate on are stored in the Team’s supporting SharePoint site.
  • Documents that are shared in a one-on-one or group chat outside of a Team are stored in OneDrive.

The external sharing settings for both OneDrive and SharePoint can be managed through the sharing section in the SharePoint admin centre, however, these settings can only be changed by a SharePoint Admin or Global Admin (this is usually your company admin) in the 365 Admin Center.

 

In the Sharing section of the SharePoint admin centre, you will be shown the sharing settings. The main element to change external sharing settings is the slider shown below. Moving the slider for either will change the external sharing settings for your tenant. The SharePoint slider will set the external sharing settings for all SharePoint sites and Teams and the OneDrive slider will set the external sharing settings for all users and one-on-one chats in Teams.

For a full breakdown of changing the sharing settings for a tenant, get a copy of our Complete Guide to External Sharing in Office 365.

File Sharing in Teams Settings

File sharing policies for a specific Team are set by the file sharing settings for the specific SharePoint site. These settings can be altered in the SharePoint admin centre as shown below.

File Sharing in Teams Chat

File sharing policies for chat between two individuals are set by the file sharing settings for the individual user. This is the ability to send files in chat messages. If its one to one chat these files go to OneDrive, if it si part of a Teams conversation that are stored in the general library. These settings can be managed via the sharing settings on the individual’s account as shown below.

There you have it! All the places external sharing can be managed for Teams Users . It can be tricky to navigate, but by working through, step by step you can set up something that will support what your team needs to do while still protecting your company information.