Microsoft Teams: Enabling and Using Guest Access

Introduction: In this blog post I will walk through how to enable guest access in Microsoft Teams, add a guest user to Azure Active Directory B2B, demonstrate how a guest user will access another organization's team and what the user experience is like.

Additional reading and support documentation:

• Expand your collaboration with guest access in Microsoft Teams (initial announcement)
  
• Guest access in Microsoft Teams (covers requirements, read first)
  
• What is Azure AD B2B collaboration?
  
• Conditional access for B2B collaboration users
  

IMPORTANT: Guest access is dependent on Azure Active Directory and more importantly it uses Azure Active Directory B2B, I highly recommend developing a good understanding of this feature prior to proceeding as it will help you as you start to roll this out and manage it within your organization and even give you ideas on how to further secure this as you move forward (such as conditional access for contractors as an example). This capability is very powerful, and can open up new ideas for how you create additional solutions for your organization in the future. In addition, I recommend testing guest access first prior to implementing in the real world to fully understand the use case scenarios of guest access (when it makes sense, when it doesn't as this may not solve for the specific business challenge you are after), and what the guest user experience is like for a guest user of Microsoft Teams so that you are prepared to help end-users within your organization.

Before we begin, about my environment:

• I have two Office 365 tenants: m365x367101.onmicrosoft.com and m365x841591.onmicrosoft.com (I apologize in advance, both tenants are named Contoso )
  
• Both organizations are already using Office 365 and Microsoft Teams.
  
• Megan from the m365x367101 owns a team titled O365 Deployment Team. She needs to invite Ben from a local IT consulting company to the team that will be assisting them with their Office 365 deployment.
  
• Megan's company will first enable guest access in Microsoft Teams, then will add Ben as a guest to AzureAD B2B, and finally add Ben as a guest to the O365 Deployment Team in Microsoft Teams.
  
• Megan's IT Admin enabled sharing with external users already in the directory for SharePoint Online
  
• Megan's IT admin enabled Let group owners add people outside the organization to groups.
  
• The Sharing Option has been enabled for Megan's Office 365 tenant to allow adding of new guests.
  

First, enable guest access in your tenant:

First, you must enable your Office 365 Tenant to allow guests to access a Microsoft Teams team in your tenant. This is accomplished by navigating to the Microsoft Teams settings in the Office 365 admin portal. From within the admin portal navigate to Settings -> Services & add-ins -> Microsoft Teams. On the fly-out to the right, under the section Settings by user/license type click the drop-down menu and toggle from Business and Enterprise to Guest then click On next to Turn Microsoft Teams on or off for all users of this type. Then click Save:

IMPORTANT: If this step is not performed, when the user attempts to sign in as a guest they will be presented with the following error:

Add the guest to Azure Active Directory B2B:

Browse to https://aad.portal.azure.com . On the left pane, click Azure Active Directory. On the Azure Active Directory blade click Users and groups :

On the Manage blade click All users then click New guest user

On the Invite a guest blade, in the enter email address of the external user field type I will type Ben's email address then click Invite:

Note: Once the user is added to Azure Active Directory the addition of the account will also be reflected as a Guest User in the Office 365 Admin Portal under Users -> Guest Users :

Ben will receive an email invitation to Azure B2B, no action is required for Microsoft Teams at this point (i.e you do not need to click Get Started in the email invitation), however if you do click Get Started you will be taken to the B2B portal where applications may be published for Ben to access. More on this in a future blog post.

Add Ben as a guest to the O365 Deployment Team in Microsoft Teams:

Megan will need to now add Ben as a user to her team, O365 Deployment Team in Microsoft Teams. From within Microsoft Teams, click the ellipsis next to the team name and then select View Team

On the Members tab click the Add member button:

In the Add members to "O365 Deployment Team" dialog box, type in Ben's email address, then click Add:

Next, click Close:

Notice Ben has now been added as a guest to the team:

Fourth, login as Ben to Microsoft Teams:

Ben will receive a new email message indicating he has been invited to Contoso's O365 Deployment Team. Within the email click Open Microsoft Teams:

Before Microsoft Teams launches, you will be taken to the Azure AD sign-on page, read the agreement to provide your display name and email address to the other organization and click Next:

Microsoft Teams will launch, and you will be prompted with a wizard walking you through the basics of guest access. Feel free to explore the wizard, or close it:

Ben is now signed in as a guest to Contoso's team in Microsoft Teams and has access to resources in the team such as conversation history, files,etc. To validate this, click the profile photo in the lower left corner and notice Contoso (guest) is selected under Your accounts:

Note: To switch back to Ben's own organization's Microsoft Teams instance, click Contoso M365x841591 above Contoso (guest) – and visa-versa as seen in the screenshot below.

What can Ben do as a guest?

The following table depicts the functionality available to a guest user of a team. More information can be found here:

Conclusion: Enabling guest access for Microsoft Teams is a simple and easy process. I hope you found this blog post valuable, if you do have feedback or input to make this post better please leave me a comment below. Enjoy!