Teams Guest Access

Managing Guest Access in Microsoft Teams

Guest Access in Microsoft Teams allows users outside of your organization to participate in team chats, meetings, and access shared files. This feature enables collaboration with clients, vendors, or other external partners while maintaining control over what guests can and cannot do within your Teams environment. Guest access is tightly integrated with Azure Active Directory (Azure AD), allowing you to manage permissions and security for external users effectively.

Below is a detailed guide on how to enable, configure, and manage guest access in Microsoft Teams.


Step-by-Step Guide to Manage Guest Access in Microsoft Teams

Step 1: Enable Guest Access in Microsoft Teams

By default, guest access may be disabled in Microsoft Teams, so you will need to enable it to allow external users to join.

  1. Access the Teams Admin Center:
    • Sign in to your Microsoft 365 admin portal, then navigate to the Teams Admin Center.
  2. Navigate to Guest Access Settings:
    • In the left navigation menu, go to Org-wide settings > Guest Access.
  3. Enable Guest Access:
    • Toggle the switch to Allow guest access in Teams to enable guest access across your organization.
  4. Configure Guest Permissions:
    • Once guest access is enabled, configure the permissions for guests. You can define whether guests can:
      • Make private calls.
      • Use IP video (for video conferencing).
      • Edit or delete messages in chat.
      • Share files within channels or chats.
    Example of guest access settings:
    • Allow guests to delete messages: Yes
    • Allow guests to use IP video: Yes
    • Allow screen sharing: Yes
  5. Save Settings:
    • After configuring the settings to your needs, click Save to apply the changes.

Step 2: Invite Guests to Teams

Once guest access is enabled, you can invite external users to join your Teams. Here’s how:

  1. Open Microsoft Teams:
    • Go to Microsoft Teams (desktop or web app).
  2. Select the Team:
    • In the left navigation bar, select the Team you want to invite a guest to.
  3. Add Guests:
    • Click on the three dots (⋯) next to the Team name and choose Manage team.
    • In the Members tab, click Add member.
    • Enter the guest’s email address (e.g., user@example.com). The system will detect that the email is external and prompt you to confirm inviting a guest.
  4. Set Guest Role:
    • Once the guest is added, they will automatically be assigned the Guest role. You can modify the permissions within the team by choosing Owner or Member, but a guest will always have limited access compared to internal users.
  5. Send Invitation:
    • Microsoft Teams will send an invitation email to the guest user. The guest must accept the invitation and sign in using their Microsoft or Office 365 account (or create one if they don’t have one).

Step 3: Configure Guest Permissions for Specific Teams

In addition to the global settings in the Teams Admin Center, you can fine-tune guest access permissions for specific Teams.

  1. Open the Specific Team:
    • In Teams, go to the Team where you want to manage guest permissions.
  2. Team Settings:
    • Click on the three dots (⋯) next to the Team name, and select Manage team.
  3. Permissions for Members and Guests:
    • Under the Settings tab, you can configure specific permissions for guests. For example, you can choose whether guests can:
      • Create or update channels.
      • Delete channels.
      • Add or remove apps.
  4. Save Settings:
    • Once you have configured the desired permissions, the settings apply automatically to all guest users in that Team.

Step 4: Audit and Manage Guest Access (Azure AD)

For greater control over guest users, you can manage guest access and security settings through Azure Active Directory (Azure AD). Azure AD allows you to audit guest accounts and configure policies for guest users, such as limiting their access or requiring multi-factor authentication.

  1. Access Azure AD:
    • From the Microsoft 365 Admin Center, navigate to Azure Active Directory.
  2. Manage Guest Users:
    • In Azure AD, click on Users and filter by Guest accounts. This will display all the external users that have been invited to your organization.
  3. Review Guest Settings:
    • From here, you can view and manage guest user details such as:
      • Sign-in activity.
      • Assigned licenses.
      • Conditional access policies.
  4. Configure Guest Access Restrictions:
    • Azure AD allows you to control guest access to sensitive data by applying Conditional Access Policies. For example, you can enforce Multi-Factor Authentication (MFA) for guest users or restrict access based on location or device.
    How to set up Conditional Access for Guests:
    • Go to Azure AD Admin Center > Conditional Access > + New Policy.
    • Name the policy and select Guest Users as the audience.
    • Define conditions (e.g., require MFA, restrict access based on location).
    • Apply the policy to Microsoft Teams by selecting Microsoft Teams under Cloud apps.

Step 5: Monitoring and Reporting on Guest Access

Microsoft 365 provides tools to monitor and audit guest access within your Teams environment. This ensures compliance and security, especially when dealing with sensitive information.

  1. Audit Logs:
    • In the Microsoft 365 Compliance Center, you can use Audit Logs to track guest user activities in Teams, such as when a guest joins a Team or accesses a file.
    Steps to view Audit Logs:
    • Go to Microsoft 365 Compliance Center > Audit Logs.
    • Filter by activity type (e.g., Guest added to a team).
    • Generate a report to see details of when and by whom guests were added, removed, or granted access to files.
  2. eDiscovery:
    • Use eDiscovery in the Microsoft 365 Compliance Center to search, review, and export messages, files, or other data involving guest users. This feature is useful for legal or compliance reasons when monitoring external user interactions.
  3. Teams Activity Reports:
    • In the Teams Admin Center, navigate to Analytics & reports > Usage reports. You can generate a report on guest user activity, including messages sent, files accessed, and meeting participation.

Managing Guest Access Security

To ensure that guest access does not introduce security vulnerabilities, it is important to apply appropriate security measures:

  1. Multi-Factor Authentication (MFA):
    • Require guests to authenticate using MFA, adding an extra layer of security when they log in to your Teams environment.
  2. Conditional Access Policies:
    • Create Conditional Access Policies in Azure AD to enforce conditions such as requiring guests to use only trusted devices, sign in only from specific locations, or complete MFA.
  3. Limit Guest Permissions:
    • By default, guests have limited permissions, but you can further restrict their abilities, such as preventing them from sharing files, editing messages, or accessing certain files and folders.
  4. Periodic Review of Guest Access:
    • Periodically review and audit the guest accounts that have access to your Teams environment. Remove unnecessary guest accounts to maintain security and reduce potential risks.

Usage Example of Guest Access

Scenario: Collaborating with a Client on a Project

  • Objective: A project team in an engineering firm needs to collaborate with an external client on a product design. They want to share files, discuss timelines, and hold meetings securely using Teams.
  • Solution:
    1. The project manager enables guest access in Teams and invites the client to the “Product Design” team as a guest.
    2. The client can join the team and access specific channels where they can view and collaborate on design files stored in SharePoint.
    3. Permissions are configured to restrict the guest from deleting or editing critical documents. The team can hold weekly meetings with the client using Teams, where they discuss progress and share files.
    4. The engineering firm’s IT admin enforces MFA and monitors the client’s activities via audit logs to ensure no unauthorized access occurs.

Managing guest access in Microsoft Teams allows organizations to collaborate securely with external users while maintaining control over permissions, security, and access to sensitive data. By following the steps outlined above, admins can enable, configure, and monitor guest access in a way that supports collaboration without compromising the security of internal resources. Tools like Azure AD, Conditional Access, and Microsoft 365 Compliance help ensure that external users access only what they need, and security best practices like Multi-Factor Authentication and regular audits keep the collaboration environment secure.

Auditing Guest Access in Microsoft Teams

Auditing guest access in Microsoft Teams is essential for ensuring that external users (guests) are interacting with your organization’s resources securely and appropriately. Guest users may have access to sensitive data, and it’s important to track their activities within your Teams environment to maintain control and compliance.

Microsoft 365 offers several auditing tools, primarily through the Microsoft 365 Compliance Center and Azure Active Directory (Azure AD), which allow administrators to review and audit guest user activities such as file access, message posts, and meeting participation.

Here is a step-by-step guide to auditing guest access in Microsoft Teams.


1. Enable Auditing for Guest Access

Before performing any audits, ensure that Unified Audit Logging is enabled in Microsoft 365. This is required to track and log guest activities across Microsoft Teams and other Microsoft 365 services.

Step-by-Step: Enable Unified Audit Logging

  1. Go to the Microsoft 365 Compliance Center:
  2. Select Audit:
    • In the left-hand navigation, click on Audit under the Solutions section.
  3. Enable Audit Logging:
    • If audit logging is not enabled, you will see a prompt to Start recording user and admin activity. Click on the button to enable audit logging for your organization.
    Note: It can take up to 24 hours for auditing data to start populating.

2. Audit Guest Activities Using the Microsoft 365 Compliance Center

The Microsoft 365 Compliance Center offers an Audit Log Search feature that allows you to search and review activities performed by guest users in Microsoft Teams, including joining Teams, accessing files, participating in meetings, and posting messages.

Step-by-Step: Search the Audit Log for Guest Activities

  1. Access the Microsoft 365 Compliance Center:
  2. Navigate to the Audit Log:
    • In the left-hand navigation pane, click on Audit to open the Audit Log Search.
  3. Set Search Parameters:
    • Use the search filters to define the scope of your audit. Focus on the following key parameters for guest access:
      • Activities: Select relevant activities to audit. For guest access in Teams, the following activities are important:
        • Added to a Team (when a guest user is added).
        • Viewed File (guest accessing files).
        • Shared File (guest sharing files).
        • Sent Message (guest posting in chats or channels).
        • Teams Sign-In (guest joining Teams).
      • Date Range: Set the date range to audit activities over a specific period (e.g., last 30 days).
      • Users: Enter the guest user’s email address or name to filter activities to a specific guest user.
      • File or Folder: If you’re auditing file access, specify particular files or folders accessed by guest users.
  4. Run the Audit Search:
    • After configuring your search, click Search. The results will display guest activities, showing detailed information like the type of activity, the guest user’s name, date and time of the event, and other relevant data.
  5. Export Audit Logs (optional):
    • You can export the search results to a CSV file for further analysis by clicking Export Results.
    Example Usage: You suspect that an external consultant accessed a sensitive file in a project team. You run an audit log search in the Compliance Center, filtering for Viewed File activities and the consultant’s email address. The results show exactly when and which files the consultant accessed during their engagement with the project team.

3. Monitor Guest User Access via Azure Active Directory

Azure Active Directory (Azure AD) provides additional auditing and reporting capabilities for guest users, including sign-in logs and user-specific activity.

Step-by-Step: Audit Guest Sign-In Activity in Azure AD

  1. Access Azure AD:
    • From the Microsoft 365 Admin Center, go to Azure Active Directory (or visit aad.portal.azure.com).
  2. Navigate to Sign-In Logs:
    • In the left-hand navigation, go to Sign-ins under the Monitoring section.
  3. Filter for Guest Users:
    • Use the Add filters option to filter by User Type and select Guest. You can also filter by User and enter a specific guest user’s email address.
  4. View Sign-In Data:
    • The sign-in logs display the date, time, application accessed (such as Microsoft Teams), and the IP address from which the guest signed in. You can also view whether the sign-in attempt was successful or failed.
    • Clicking on a sign-in event provides more detailed information, such as the location and device used during the sign-in.
  5. Export Logs (optional):
    • You can export the sign-in logs to CSV by clicking the Download button for further analysis.
    Example Usage: A guest user was added to a sensitive project team. To monitor their activities, the IT admin reviews the guest’s Sign-In Logs in Azure AD, checking for any unusual sign-in activity such as access from unexpected locations or devices.
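
The sign-in review described above can also be run over the exported CSV. The following Python code is an added example, not part of the original guide or a Microsoft tool; the column names (Date (UTC), Username, User type, Application, IP address, Location, Status), the accounts and the sample rows are constructed assumptions, so match them to your own export.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sign-in export. Column names are assumptions; IPs are documentation ranges.
SAMPLE_SIGNINS = '''Date (UTC),Username,User type,Application,IP address,Location,Status
2024-03-04T10:01:00Z,consultant@partner.example,Guest,Microsoft Teams,198.51.100.7,"Manchester, England, GB",Success
2024-03-05T09:12:00Z,alice@contoso.com,Member,Microsoft Teams,192.0.2.10,"Seattle, Washington, US",Success
2024-03-11T10:03:00Z,consultant@partner.example,Guest,Microsoft Teams,198.51.100.7,"Manchester, England, GB",Success
2024-03-18T02:47:00Z,consultant@partner.example,Guest,Microsoft Teams,203.0.113.45,"Sao Paulo, Sao Paulo, BR",Failure
2024-03-18T02:49:00Z,consultant@partner.example,Guest,Microsoft Teams,203.0.113.45,"Sao Paulo, Sao Paulo, BR",Success
2024-03-19T11:00:00Z,vendor@supplier.example,Guest,Microsoft Teams,198.51.100.99,"Berlin, Berlin, DE",Success
'''


def parse_guest_signins(text):
    """Return guest sign-ins only, oldest first."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        if r["User type"].strip().lower() != "guest":
            continue
        when = datetime.strptime(r["Date (UTC)"][:19], "%Y-%m-%dT%H:%M:%S")
        rows.append({
            "time": when.replace(tzinfo=timezone.utc),
            "user": r["Username"].strip().lower(),
            "app": r["Application"],
            "ip": r["IP address"],
            # Country is the last component of "City, State, CC"; blank means unknown.
            "country": r["Location"].rsplit(",", 1)[-1].strip() or "unknown",
            "success": r["Status"].strip().lower() == "success",
        })
    return sorted(rows, key=lambda e: e["time"])


def flag_unexpected_locations(signins, expected=None):
    """Flag guest sign-ins from a country outside that guest's expected set.

    `expected` maps guest -> set of approved countries. A guest without an entry
    is seeded from their first successful sign-in. Flagged countries are never
    learned automatically, so they keep appearing until someone approves them.
    """
    baseline = {user: set(countries) for user, countries in (expected or {}).items()}
    findings = []
    for e in signins:
        known = baseline.get(e["user"])
        if known is None:
            if e["success"]:
                baseline[e["user"]] = {e["country"]}
            continue  # nothing to compare against yet
        if e["country"] not in known:
            findings.append(e)
    return findings


if __name__ == "__main__":
    for f in flag_unexpected_locations(parse_guest_signins(SAMPLE_SIGNINS)):
        outcome = "success" if f["success"] else "failure"
        print(f["time"].isoformat(), f["user"], f["country"], f["ip"], outcome)
```

Failed attempts from an unexpected country are reported alongside successful ones, since a failure followed minutes later by a success from the same address is the pattern most worth a closer look.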

4. Use Microsoft Teams Activity Reports

In the Microsoft Teams Admin Center, you can generate Teams activity reports that provide a breakdown of guest user participation in meetings, messages sent, and file sharing within Teams.

Step-by-Step: Generate Teams Activity Reports for Guest Users

  1. Access the Teams Admin Center:
  2. Navigate to Analytics & Reports:
    • In the left-hand menu, click on Analytics & reports, then select Usage reports.
  3. Generate a User Activity Report:
    • Choose the Teams user activity report to view details about user activities, including messages sent, calls, and meetings attended.
  4. Filter for Guest Users:
    • Filter the report by User Type to display only Guest Users.
    • Specify a date range and generate the report.
  5. Review Guest Activity:
    • The report provides insights into guest activity, such as:
      • The number of messages sent by the guest in Teams channels or chats.
      • The number of meetings the guest attended.
      • Files shared by or with the guest in Teams.
  6. Export the Report:
    • Click Export to download the report as a CSV file if further analysis is needed.
    Example Usage: After adding several external consultants to a project team, the project manager generates a Teams user activity report filtered for guest users. The report shows which consultants have been actively contributing to the project by participating in meetings and sending messages in the team channels.

5. Leverage Data Loss Prevention (DLP) for Guest Access Auditing

If Data Loss Prevention (DLP) policies are enabled, you can audit guest access for sensitive data handling within Teams. DLP logs will show when guests attempt to share or access sensitive information, and if the system took action (e.g., blocked the sharing of a sensitive file).

Step-by-Step: Review DLP Activity for Guest Users

  1. Access the Compliance Center:
    • Go to the Microsoft 365 Compliance Center and click on Data Loss Prevention.
  2. View DLP Alerts and Incidents:
    • Navigate to the Alerts section to view any triggered alerts based on DLP policies. You can filter for activities involving guest users.
  3. Inspect DLP Policy Violations:
    • If any guest user has attempted to share sensitive information, the incident will appear in the DLP reports. You can review the details of the incident, such as what data was shared and what action (e.g., blocking) was taken.
  4. Export DLP Reports:
    • Export the logs to CSV for further review if necessary.
    Example Usage: A DLP policy prevents the sharing of confidential financial data via Teams. You review the DLP logs to check if any external guest has triggered a violation by attempting to share sensitive documents in a Teams channel.

6. Review Access to SharePoint and OneDrive Files by Guests

Since files in Teams channels are stored in SharePoint, and files in private chats are stored in OneDrive for Business, you should also audit file access in those platforms to monitor guest activities.

Step-by-Step: Audit Guest Access to SharePoint and OneDrive Files

  1. Access the SharePoint Admin Center:
    • In the Microsoft 365 Admin Center, navigate to the SharePoint Admin Center.
  2. View File and Folder Access:
    • Use the Audit Log Search in the Compliance Center to track file access by guest users. Set the location filter to SharePoint and OneDrive.
  3. Filter by Guest Users:
    • Specify the guest user’s email address to filter results, and set the activity to Viewed file or Downloaded file.
  4. Review Access Logs:
    • The report will show all instances where the guest user accessed shared files in Teams (via SharePoint or OneDrive), including file names, access times, and actions performed (e.g., viewing, downloading, editing).

How to Revoke Guest Access in Microsoft Teams

Revoking guest access in Microsoft Teams ensures that external users no longer have access to your organization’s Teams, channels, files, and conversations. Microsoft provides several ways to remove or restrict guest access, depending on the level of control you need — from removing a guest from a specific Team to fully revoking their access across your entire Microsoft 365 tenant.

Here is a detailed step-by-step guide to revoke guest access in Microsoft Teams using various methods.


1. Remove a Guest from a Specific Team

This method allows you to revoke a guest’s access to a particular Team without affecting their access to other Teams where they might be a member.

Step-by-Step: Remove a Guest from a Team

  1. Open Microsoft Teams:
    • Launch the Microsoft Teams app (web or desktop).
  2. Select the Team:
    • In the left sidebar, go to Teams and select the Team from which you want to remove the guest.
  3. Manage Team:
    • Click on the three dots (⋯) next to the Team name and select Manage team.
  4. Find the Guest User:
    • Under the Members tab, find the Guest user you want to remove.
  5. Remove the Guest:
    • Next to the guest’s name, click the X button to remove them from the Team. The guest will lose access to the channels, conversations, and files within that Team.
    Usage Example: You have a guest user from a partner organization who was added to a project-specific Team. Once the project is completed, you can remove them from the Team by following the steps above, revoking their access to the project files and conversations.

2. Revoke Guest Access from SharePoint or OneDrive Files

When guests access files through Teams, those files are stored in SharePoint (for Teams channels) or OneDrive (for private chats). You may need to revoke their access to these files even if they are no longer part of the Team.

Step-by-Step: Remove Guest Access to SharePoint or OneDrive Files

  1. Access SharePoint or OneDrive Admin Center:
    • Go to the Microsoft 365 Admin Center and navigate to either the SharePoint Admin Center or OneDrive Admin Center.
  2. Find the File or Folder:
    • Go to the document library (for SharePoint) or the shared folder (for OneDrive) where the files are stored. In SharePoint, navigate to the Team’s document library. In OneDrive, navigate to the shared folder.
  3. Manage File or Folder Permissions:
    • Click on the three dots (⋯) next to the file or folder and select Manage access.
  4. Remove Guest User Access:
    • In the Manage access pane, find the guest user in the list of users with access. Click on the X next to their name to remove their permission to access the file or folder.
    Usage Example: A guest user had access to shared files during a private chat in Teams. Even after removing them from the chat, they may still have access to the files in your OneDrive. By following the steps above, you can revoke their access to those files entirely.

3. Revoke Guest Access from Microsoft Teams via Azure Active Directory

To completely revoke all access for a guest across your organization (not just a single Team), you can delete the guest account from Azure Active Directory (Azure AD). This removes the guest from all Teams, SharePoint, and any other Microsoft 365 services they had access to.

Step-by-Step: Remove a Guest User from Azure Active Directory

  1. Access Azure AD Admin Center:
  2. Navigate to Users:
    • In the left navigation panel, click on Users.
  3. Filter for Guest Users:
    • In the Users list, click on the Filters drop-down and choose Guest to display all guest accounts in your directory.
  4. Select the Guest User:
    • Click on the guest user you want to remove. This will open the guest user’s profile.
  5. Delete the Guest User:
    • In the guest’s profile, click on Delete at the top. This will remove the guest’s account from Azure AD, revoking access to all Microsoft 365 services, including Teams, SharePoint, and OneDrive.
    Usage Example: If a guest user no longer needs access to any Teams, channels, or documents across your organization, deleting their Azure AD account ensures they are completely removed from the tenant, revoking all access.

4. Disable Guest Access Across the Entire Organization

You can also disable guest access entirely for Microsoft Teams. This prevents any external users from being invited as guests in the future, and revokes access for any existing guest users.

Step-by-Step: Disable Guest Access in Microsoft Teams

  1. Access Microsoft Teams Admin Center:
  2. Navigate to Org-wide Settings:
    • In the left navigation panel, go to Org-wide Settings and click on Guest Access.
  3. Disable Guest Access:
    • Toggle the Allow guest access in Teams switch to Off.
  4. Save Changes:
    • Click Save to apply the changes. This will disable guest access for all Teams across the organization and remove access for any existing guest users.
    Usage Example: A security-conscious organization may want to temporarily or permanently disable guest access across all of Teams. By turning off guest access, all external users will lose access, and no new guests can be added.

5. Revoke Guest Access to Specific Files Shared via Teams Chat

In some cases, files are shared directly with guests via Teams chats (outside of channels). These files are stored in OneDrive for Business, and you can revoke guest access directly from OneDrive.

Step-by-Step: Remove Guest Access to Files Shared in Teams Chats

  1. Access OneDrive:
  2. Go to “Shared” Section:
    • In the OneDrive navigation pane, click on the Shared tab to view all files you have shared with others.
  3. Find the Shared File:
    • Locate the file that was shared with the guest via the Teams chat.
  4. Manage Access:
    • Click the three dots (⋯) next to the file and select Manage access.
  5. Remove Guest Access:
    • In the Manage access pane, click the X next to the guest user’s name to revoke their access to the file.
    Usage Example: After a project ends, you realize that some sensitive documents were shared with a guest in a one-on-one Teams chat. You can quickly revoke their access by managing permissions directly in OneDrive.

6. Monitor and Audit Guest Access

After revoking guest access, it’s important to ensure that no unauthorized access remains. You can use audit logs in the Microsoft 365 Compliance Center and Azure Active Directory to track any activity from guest users before or after their access is revoked.

Step-by-Step: Monitor Guest Access via Audit Logs

  1. Access Microsoft 365 Compliance Center:
  2. Navigate to Audit Log Search:
    • In the left-hand pane, click on Audit under Solutions.
  3. Set Search Criteria:
    • Enter the guest user’s email address in the User filter and set the Activity filter to track specific actions (e.g., File Accessed, Team Joined).
  4. Run Search:
    • Click Search to generate the audit log report. Review the guest user’s activity to confirm that no access occurred after the revocation.
    Usage Example: After revoking access for a consultant who was part of a Teams project, the IT admin uses the Audit Log Search to verify that the consultant has not accessed any files or Teams after their removal.
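
Both the audit log search in the auditing guide (section 2, with its CSV export) and the post-revocation check above can be done over the exported file. This Python code is an added example and is not from the original guide; the column names (CreationDate, UserIds, Operations, AuditData), the AuditData fields, the operation names and the sample rows are constructed assumptions to adjust to your export.

```python
import csv
import io
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed guest ID: in the host tenant a guest's user ID contains "#EXT#".
GUEST = "consultant_partner.example#EXT#@contoso.onmicrosoft.com"


def build_sample_export() -> str:
    """Constructed audit export; column, field and operation names are assumed."""
    rows = [
        ("2024-03-01T09:15:00", GUEST, "MemberAdded", {"TeamName": "Product Design"}),
        ("2024-03-04T10:02:11", GUEST, "FileAccessed", {"SourceFileName": "design-v1.pdf"}),
        ("2024-03-04T10:05:40", "alice@contoso.com", "FileAccessed",
         {"SourceFileName": "design-v1.pdf"}),
        ("2024-03-20T16:30:00", GUEST, "FileDownloaded", {"SourceFileName": "design-v2.pdf"}),
        ("2024-04-02T08:45:12", GUEST, "FileAccessed", {"SourceFileName": "budget.xlsx"}),
        ("2024-04-02T08:50:00", GUEST, "TeamsSessionStarted", "{truncated"),  # damaged JSON
    ]
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["CreationDate", "UserIds", "Operations", "AuditData"])
    for when, user, operation, detail in rows:
        blob = detail if isinstance(detail, str) else json.dumps(detail)
        writer.writerow([when + ".0000000Z", user, operation, blob])
    return buf.getvalue()


def parse_time(value: str) -> datetime:
    """Audit timestamps are UTC; keep second precision and drop the fraction."""
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def parse_export(text: str) -> list:
    """Turn the CSV into event dicts, keeping rows whose AuditData is unreadable."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            detail = json.loads(row["AuditData"])
        except json.JSONDecodeError:
            detail = {}  # a damaged detail blob must not hide the event itself
        if not isinstance(detail, dict):
            detail = {}
        events.append({
            "time": parse_time(row["CreationDate"]),
            "user": row["UserIds"],
            "operation": row["Operations"],
            "target": detail.get("SourceFileName") or detail.get("TeamName") or "",
        })
    return events


def is_guest(user_id: str) -> bool:
    return "#ext#" in user_id.lower()


def guest_summary(events: list) -> Counter:
    """Count events per (guest, operation) so unexpected activity types stand out."""
    return Counter((e["user"], e["operation"]) for e in events if is_guest(e["user"]))


def activity_after_revocation(events: list, guest: str, revoked_at: datetime) -> list:
    """Events recorded for this guest at or after the moment access was revoked."""
    guest = guest.lower()
    hits = [e for e in events if e["user"].lower() == guest and e["time"] >= revoked_at]
    return sorted(hits, key=lambda e: e["time"])


if __name__ == "__main__":
    events = parse_export(build_sample_export())
    for (user, operation), count in sorted(guest_summary(events).items()):
        print(f"{count:3d}  {operation:20s} {user}")
    revoked = datetime(2024, 4, 1, tzinfo=timezone.utc)
    for e in activity_after_revocation(events, GUEST, revoked):
        print("AFTER REVOCATION:", e["time"].isoformat(), e["operation"], e["target"])
```

An empty result from the post-revocation check only covers the date range and activities included in the export, so export with a range that extends past the revocation time.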

Revoking guest access in Microsoft Teams can be done at multiple levels, depending on the situation and the level of access the guest had. Whether you want to remove a guest from a specific Team, revoke access to shared files, or fully remove a guest from your organization’s Azure Active Directory, Microsoft provides robust tools to ensure that you can manage and secure external access.

It’s important to regularly review and audit guest access, especially in environments where sensitive data is shared with external collaborators. By leveraging the steps outlined above, you can ensure that your organization maintains control over guest user activities and protects its data from unauthorized access.

Author: tonyhughes