
Microsoft Teams Guest access - important change in 2021

SoftwareOne blog editorial team

Videoconferences and Teams chats are now an irreplaceable part of working life for many of us. But Microsoft Teams is more than chat – it is where work is happening right now. That also means it holds files, data, and access to the tools integrated with it. This is why it's crucial to be aware of an important change Microsoft is making to the service, which affects who can access this information.

What is happening on February 8th? The default guest access policy in Teams will be changed and every person in your organisation will be able to invite new guests, regardless of their role. It will stay in effect for the future as well. Unless you change it. Here are all the details you need to know to act!

As per the announcement, accessible in the Microsoft Admin center:

  • Timing: February 8th, 2021
  • Admin control: Admin center UI
  • Action: Review and set appropriate configuration

How this will affect your organization: When this change is implemented, if you have not already configured Microsoft Teams guest access capability, that capability will be enabled in your tenant. With guest access enabled, you can provide access to teams and other resources to people outside your organization while maintaining control over your corporate data.

Shock! Disaster! Is it? Don't worry – you don't need to panic... yet. We have prepared a short Q&A to address some of the concerns this update may raise. We have also added some resources to help you get the information you need. To find the answers, click on your relevant question below. If you haven't found what you're looking for, feel free to contact us with your question!

Choose your question:

  1. What will change?
  2. How will it affect my organisation?
  3. Why is the switch happening?
  4. What does this change mean for me?
  5. Will my custom configuration change?
  6. What if I don't want Guest access enabled?
  7. How to change my configuration?
  8. Will blocking Guest access on Teams protect my resources?
  9. How to add Guests to your Teams right now?
  10. What is Azure B2B and how can it help?
  11. Can I only invite guest users with corporate accounts?
  12. Isn't there a single place to configure all this?
  13. How to manage guest accounts in my tenant?
  14. What else do I need to know about B2B collaboration in Azure?
  15. This is too complicated – make it simple!

Teams guest access Q&A

What will change?

In simple terms, here is what the switch means to your current configuration if your Microsoft Teams Guest access is set to:

  • Service Default – it will be set to ON
  • On – nothing changes – it will remain on
  • Off – nothing changes – it will remain off.

Once this switch is in place, if you use the Service Default option, everyone in your organisation will be able to add external users to Microsoft Teams. Your Teams' users will be able to invite people outside your organisation on their own:

  • External consultants
  • Vendors and partners
  • Individuals

to work together in Microsoft Teams.

How will it affect my organisation?

It will not break things. It will not immediately cause your information to leak. Things to know and remember:

  • Every invited person becomes a Guest user in your entire Azure AD tenant. They will stay there, even when removed from the Team they were originally invited to
  • If you do not take steps to save it, information about who invited this guest will be lost
  • A Microsoft Teams Guest can be granted permissions and will see the information they have access to in the same way as your users.

Why is the switch happening?

Microsoft is changing this setting to keep it in line with the rest of the Microsoft 365 suite: other Microsoft 365 services (e.g. OneDrive or SharePoint) already have Guest access enabled by default.

What does this change mean for me?

Allowing guest access means you can work with people from outside of your organisation and give them access to teams or resources while retaining control over your data. In other words, your employees can communicate with e.g. vendors, partners, or divisions operating using a different tenant (for example, following a merger) just as easily as they do with each other.

Will my custom configuration change?

The new update only affects service default settings. If you already have a specific configuration in place, it won't be affected.

What if I don't want Guest access enabled?

Of course, there may be a situation where you don't want to enable Guest Access to your apps. This can be especially true for industries where data access is heavily secured or restricted. In this case, you probably have a customised configuration in place. It will not be affected by the change. But, if this update is news to you and you haven't defined your access policies yet, this is a good opportunity to review them.

How to change my configuration?

You need to access your Teams admin center. Under Org-wide settings, you will find the Guest access section. You can allow or disable guest access in Teams by changing the settings there. For step-by-step instructions, see Microsoft documentation.

Will blocking Guest access in Teams protect my resources?

Short answer: no. Disabling Microsoft Teams Guest access will only work for this specific service. But across the suite, you can allow Guests to access your resources via other services. For example, you can allow Guest access to SharePoint. This way, people outside your company can still be invited to collaborate on files. The same applies to Microsoft 365 Groups. Guest access is set at the service level, which means you could technically allow Guest access to Groups and disable it for Teams. Note that the opposite is not possible – in order to allow Guests to Teams, you have to enable this functionality in Groups as well.

How to add a Guest to your Teams right now?

If the user has an Azure AD account, it's very simple. To add a guest, you just click the "Add member" button in your Teams settings and enter the email address of the guest you wish to invite. Then, the Azure B2B feature takes over, sending the user an invite which they can then accept to collaborate with your Team. If they don't have an Azure AD account, we would recommend creating a dedicated Azure AD tenant and a dedicated account for this user there. Then you can use Azure B2B to facilitate their access.

What is Azure B2B (Microsoft Entra External ID) and how can it help?

Azure B2B is a feature of Azure Active Directory. It allows you to invite users from outside your organisation to work on your resources. They don't need a new account or login details and can just use their existing ones. User lifecycles are managed by the organisation to which the external user belongs, so you don't need to worry about them either. You can invite a guest user to your tenant directly from the Azure Portal. You set up their permissions just as you would for an internal user and can use the same security features you do for your organisation, e.g. MFA or other Conditional Access policies. You can also customise your settings, so e.g. application administrators can add guest users directly from within the app.

Can I only invite guest users with corporate accounts?

Azure AD has a service called External Identities which combines all possible collaboration features. Within External Identities, you can use:

  • Azure AD B2B to collaborate with corporate users
  • Federated access within Azure AD B2B to collaborate with users with personal/social media accounts on business resources
  • Azure AD B2C to allow consumer access with personal/social media accounts.

Isn't there a single place to configure all this?

You can set permissions for each service individually to give you complete control of the information that you share. However, all Microsoft 365 settings will be overridden by your Azure Active Directory settings. You can enable B2B collaboration via Azure Portal and configure guest permissions there. If you want to set a configuration that will apply to your entire environment, this is the place to start. By adjusting your external collaboration settings, you can define guest access levels and permissions. You can also set the password policy for external users, or restrict domains allowed to your tenant. Read more in Microsoft documentation.

How to manage guest accounts in my tenant?

If you have an Azure AD Premium P2 license, you're able to use the Access Review feature. Within Azure Portal, go to External Identities, then Access reviews. Here you can review access for your guest users – either by asking them or by asking your users to review guest access. Azure AD also collects audit logs to help you review guests' access history. You can access them under Monitoring -> Audit logs. Alternatively, if you use a third-party product like Omada Identity Suite, you can perform a complete review of guest users' permissions, which includes access reviews, audit logs, reporting, and notifications of new guests. Read more about some of its access governance features.
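
One way to inventory every guest in the tenant and preserve who invited each one before that detail ages out of the audit log, as an added example (not SoftwareOne's or Microsoft's code). It assumes the Microsoft Graph PowerShell module, an admin who can consent to the two scopes shown, and that invitation events identify the invited account by object ID; the CSV file name is arbitrary.

```powershell
# Added example. Requires the Microsoft.Graph PowerShell module.
Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All'

# 1. Every guest account in the tenant, whichever team or service invited it.
$guests = Get-MgUser -All -Filter "userType eq 'Guest'" `
    -Property Id, DisplayName, Mail, CreatedDateTime, ExternalUserState

# 2. Invitation events still held in the Azure AD audit log (retention is limited).
$invites = Get-MgAuditLogDirectoryAudit -All `
    -Filter "activityDisplayName eq 'Invite external user'"

# 3. Index the earliest invitation per invited account.
#    Assumption: the audit record lists the invited guest under TargetResources by object ID.
$inviteByGuestId = @{}
foreach ($entry in ($invites | Sort-Object ActivityDateTime)) {
    $inviter = $entry.InitiatedBy.User.UserPrincipalName
    if (-not $inviter) { $inviter = $entry.InitiatedBy.App.DisplayName }
    foreach ($target in $entry.TargetResources) {
        if ($target.Id -and -not $inviteByGuestId.ContainsKey($target.Id)) {
            $inviteByGuestId[$target.Id] = [pscustomobject]@{
                InvitedBy = $inviter
                InvitedOn = $entry.ActivityDateTime
            }
        }
    }
}

# 4. Join both sets so the inviter is recorded next to each guest.
$report = foreach ($guest in $guests) {
    $invite = $inviteByGuestId[$guest.Id]
    [pscustomobject]@{
        DisplayName = $guest.DisplayName
        Mail        = $guest.Mail
        State       = $guest.ExternalUserState
        Created     = $guest.CreatedDateTime
        InvitedBy   = if ($invite) { $invite.InvitedBy } else { 'not in audit log' }
        InvitedOn   = if ($invite) { $invite.InvitedOn } else { $null }
    }
}

# 5. Save the result outside the audit log, then list guests with no known inviter.
$report | Export-Csv -Path "guest-inventory-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
$report | Where-Object InvitedBy -eq 'not in audit log' |
    Format-Table DisplayName, Mail, Created
```

Guests reported as "not in audit log" were invited before the retained audit window, so running the export on a schedule is what keeps the inviter on record.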

What else do I need to know about B2B collaboration in Azure?

You can read more on B2B collaboration in one of our previous articles. Here are some basics: Be careful about the permission level you assign. Most of your users won't need admin access (this applies to your internal users too). There are 3 ways you can grant access to your resources:

  1. By creating a dedicated account in your Azure AD tenant – the external users would be able to access the same resources that your internal users can. For additional security, you can set up a dedicated Azure AD tenant to manage all your guest accounts. This will make managing them easier.
  2. By inviting a user with an existing Azure AD account to join your tenant. This will be easier from a user's perspective but you still need to manage that user within your Azure AD.
  3. By inviting a user with a Microsoft account to join your tenant. This option only applies to consumer accounts that are not as closely managed as corporate ones, so it should only be used as a last resort. 

This is too complicated – make it simple!

No problem. We can help you secure your resources in the way you need. Just get in touch to book a free call and we'll discuss your requirements. Access management is among our specialties, so we'll be more than happy to help you make sure your access configuration is set up according to your needs and compliance policies.

Be in control of your guest access policy

To sum up – keep an eye on the guest access configuration of all your services. Once you customise it, you don't need to worry about the defaults changing to any option you may not want or need.
