Common Questions About Teams Guest Access
Opening Up Teams for All
Now that the fuss around Microsoft’s announcement that Teams supports guest access for any email account has subsided, it’s a good time to answer some of the questions raised. Microsoft says that the they have started to deploy the new capability, but it takes some time to upgrade software to every tenant across all Office 365 regions.
[March 11 Update] Microsoft says that the new capability is now deployed for all Office 365 commercial (enterprise) tenants. Make sure that you refresh clients (open and close) before you try to add a new guest from a non-Office 365 domain. Tenants running in the US government sovereign cloud should be able to use Teams during 2018.]
Getting the Upgrade
You might or might not be able to can add guests from consumer email domains and other services at this point. There’s no good way to check except to try to add a guest from a consumer email service. If that works, your tenant is updated. If not, you must wait a little longer.
What is “Inside Microsoft Teams”?
“Inside Microsoft Teams” is a webcast series, now in Season 4 for IT pros hosted by Microsoft Product Manager, Stephen Rose. Stephen & his guests comprised of customers, partners, and real-world experts share best practices of planning, deploying, adopting, managing, and securing Teams. You can watch any episode at your convenience, find resources, blogs, reviews of accessories certified for Teams, bonus clips, and information regarding upcoming live broadcasts. Our next episode, “Polaris Inc., and Microsoft Teams- Reinventing how we work and play” will be airing on Oct. 28th from 10-11am PST.
The good news is that you do not need to do anything more to configure Teams if you already took the steps to enable guest users from other Office 365 domains.
Number of Guests
A team can have up to 2,500 members. This is not a hard limit; it is more of a recommendation to ensure that members receive good performance when they access team resources. An Azure Active Directory group (an Office 365 group) underpins every team, and a native group scales to more than 500,000 objects, which is the limit for the number of objects in the free version of Azure Active Directory used by Office 365.
However, it is not a good idea to go past the 2,500-member limit for a team because Teams is not currently designed to support larger loads. Within the supportable limit, you need at least one team owner that must be a regular user account from the home tenant. The other 2,499 members can be guests.
Naming a Guest
Adding a guest to a team is easy as all you need is their email address, which you input into the Add member dialog. Sometimes you might want to change the display name that Teams creates for the guest from their email address to add the person’s company or transform a cryptic email address into a name that other team members will understand.
You can edit the display name of a guest when you add them to a team. In Figure 1, I entered an email address and we see that Teams constructed a guest name of “TRedmond (Guest).” The (Guest) suffix is automatically displayed by Teams, but we can click the pencil icon to change the display name to whatever text we want.
If you forget to edit the display name for a guest when you add them to a team, you can do it later by selecting the guest account in the Users section of the Office 365 Admin Center or the Users blade of the Azure Portal. In the case of the Office 365 Admin Center, you update the display name through the Contact Information for the account (Figure 2).
Office 365 writes the changed display name into Azure Active Directory. Later, Teams will synchronize the update to its directory to make the new display name visible.
Guests Have the Same Rights
Teams uses Office 365 Groups to manage membership. Under this model, guests have the same rights as tenant users. In other words, you cannot assign restricted rights to guests. If you have confidential information within a team that you do not want external members to see, don’t add them as guests. Instead, set up a special team to hold the information you are happy to share with guests.
Microsoft is working on a feature known as “private channels” to restrict access within a channel to a subset of team members. As private channels are not yet available, it is hard to say how they work in detail. For now, the recommendation is to only store information in a guest-accessible team that you are truly happy to share outside the company.
Planner and Other Apps
Guest access only gives external people the ability to work with resources under the control of Teams and other applications which support guests. SharePoint and OneDrive come within this category; Planner and other applications, including third-party apps, bots, and tabs configured within a team might not. Microsoft has committed to support guest access for Planner, but so far it is unavailable.
Guests can connect to Teams in your tenant using desktop (Windows and Mac), browser (Edge, Chrome, Firefox, and IE, but not Safari), and mobile clients. The caveat here is that guests that do not have an account in another Office 365 domain cannot use the desktop client. At least, I have not had any success in logging into the Teams desktop client using a guest account from a non-Office 365 domain. I have reported the issue to Microsoft, who say this should work. We shall see what happens.
You can add new guests to a team using the web and desktop clients – and you can add a guest to a team with a mobile client too, if that guest already exists in the tenant. However, you cannot (yet) add a new guest to the tenant using the mobile client.
When a Guest Connects
Guests connect to your tenant to access Teams, a process known as “switching.” Switching means that the Teams client sign out of the guest’s home tenant (if they have one) and into your tenant, a process that involves resetting the context and caches used by the client to make sure that the guest can only see data in teams that they belong to in the tenant. Guests cannot browse to join other teams in your tenant – a team owner must explicitly add them to a team. In addition, guests cannot see organizational information about your tenant.
You do not need to assign Office 365 licenses to guests. You control whether guests can use Teams through the Teams settings in the Office 365 Admin Center. Go to Settings by user/license type and turn Teams on for Guests as shown in Figure 3.
Teams supports multi-factor authentication (MFA), and it is the home tenant for a team that sets the rules about when MFA is needed. If you switch to a tenant that requires MFA, you need to authenticate with more than a password even if MFA is not used in your tenant.
Inevitably, more questions about guest access to Teams will arise as people dive into the detail of implementation in their own tenant. If you meet something that you can’t figure out, ask about it in the Teams space in the Microsoft Technical Community.
Follow Tony on Twitter @12Knocksinna.
Want to know more about how to manage Office 365? Find what you need to know in “Office 365 for IT Pros”, the most comprehensive eBook covering all aspects of Office 365. Available in PDF and EPUB formats (suitable for iBooks) or for Amazon Kindle.