Tutorial / Cram Notes

Guest access in Microsoft 365 allows individuals outside of your organization to access your teams and resources. External access, on the other hand, pertains to individuals who can find, call, chat, and set up meetings with your users.

Managing Guest Access in Microsoft Teams

When planning for guest access in Teams, consider what type of access the guests should have. For instance, should they be able to initiate a call or just participate in chats and channels? Here are the steps to configure guest access:

  1. Open the Microsoft 365 admin center, navigate to Settings > Org Settings > Microsoft Teams.
  2. Under External access, click on Manage external access.
  3. Select the Users can communicate with external users option if required.
  4. Under Guest access, toggle on the option for Allow guest access in Teams and configure what features will be available for guests (such as making calls or sharing files).

Implementing Guest Access in Azure Active Directory

Azure Active Directory (Azure AD) provides the underlying services to manage guest access across Microsoft 365, not just Teams:

  1. Navigate to the Azure Active Directory admin center.
  2. Select User settings and then click on Manage external collaboration settings.
  3. Here you’ll have options for which external users can be invited into your organization, how they are invited, and what permissions they’ll obtain.
  4. Set up collaboration restrictions, if necessary, such as only allowing guests from specific domains.
  5. Review and adjust default permissions for guests to ensure limited access to organizational data.

Examples of Guest Access Permissions in Azure AD

Let’s consider a scenario where Contoso Ltd wants to collaborate with external vendors on projects:

  • Under "Guest user permissions are limited", switch to Yes to ensure these users cannot enumerate other users or groups within your organization.
  • In "Admins and users in the guest inviter role can invite", select Yes to allow certain roles to invite guests.
  • To restrict the collaboration only to certain domains, use the "Guests can be invited only by approval" feature and add approved domains or block specific domains under Collaboration restrictions.
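
A read-only check of the guest invitation and guest permission settings described above, as an added example that is not part of the original notes. It assumes the Microsoft Graph PowerShell SDK and the Policy.Read.All scope; the review criteria are this example's own.

```powershell
# Added example: review who may invite guests and how much guests can see.
# Assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns).
Connect-MgGraph -Scopes 'Policy.Read.All'

# Guest permission levels as exposed through the guestUserRoleId property.
$memberLevel = 'a0b1b346-4d3e-4e8b-98f8-753987be4970'
$guestRoles = @{
    $memberLevel                           = 'Same access as members'
    '10dae51f-b6af-4016-8d66-8c2a99b929b3' = 'Limited access'
    '2af84b1e-32c8-42b7-82bc-daa82404023b' = 'Restricted access'
}

$policy = Get-MgPolicyAuthorizationPolicy
$roleId = [string]$policy.GuestUserRoleId
$invite = [string]$policy.AllowInvitesFrom

$roleLabel = "Unknown role $roleId"
if ($guestRoles.ContainsKey($roleId)) { $roleLabel = $guestRoles[$roleId] }

# Flag the two settings that widen guest exposure the most.
@(
    [pscustomobject]@{
        Setting = 'Guest user permissions'
        Value   = $roleLabel
        Review  = ($roleId -eq $memberLevel)   # guests can read the directory like members
    }
    [pscustomobject]@{
        Setting = 'Who can invite guests'
        Value   = $invite                      # none | adminsAndGuestInviters | adminsGuestInvitersAndAllMembers | everyone
        Review  = ($invite -eq 'everyone')     # guests themselves can invite further guests
    }
) | Format-Table -AutoSize
```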

SharePoint Online and OneDrive for Business External Sharing

For SharePoint Online and OneDrive, the external sharing features are similar yet specifically tailored for document and file collaboration:

  1. Access the SharePoint admin center and go to the Policies section.
  2. Click on Sharing and decide the level of external sharing available for SharePoint and OneDrive – from Anyone to Only existing guests.
  3. For critical sites or libraries, you can customize sharing more granularly at the site collection level.
  4. Ensure that permission levels for shared documents are appropriate; do not simply grant edit permissions when read is sufficient.
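
The tenant-level and site-level sharing review from the steps above, as an added example that is not part of the original notes. It assumes the SharePoint Online Management Shell and uses a placeholder admin URL for the Contoso tenant.

```powershell
# Added example: compare each site's sharing level with the tenant-level setting.
# Assumes the Microsoft.Online.SharePoint.PowerShell module; the URL is a placeholder.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# SharingCapability values, from most restrictive (0) to most permissive (3).
$levels = @(
    'Disabled'                          # Only people in your organization
    'ExistingExternalUserSharingOnly'   # Existing guests
    'ExternalUserSharingOnly'           # New and existing guests
    'ExternalUserAndGuestSharing'       # Anyone
)

$tenant = Get-SPOTenant
[pscustomobject]@{
    SharePoint            = $tenant.SharingCapability
    OneDrive              = $tenant.OneDriveSharingCapability
    DefaultLinkType       = $tenant.DefaultSharingLinkType
    DefaultLinkPermission = $tenant.DefaultLinkPermission   # View is the safer default than Edit
} | Format-List

# A site can be more restrictive than the tenant but never more permissive,
# so the effective level is the lower of the two.
$tenantLevel = [array]::IndexOf($levels, [string]$tenant.SharingCapability)

$report = foreach ($site in Get-SPOSite -Limit All) {
    $siteLevel = [array]::IndexOf($levels, [string]$site.SharingCapability)
    $effective = [Math]::Min($siteLevel, $tenantLevel)
    if ($effective -gt 0) {
        [pscustomobject]@{
            Url            = $site.Url
            SiteSetting    = $site.SharingCapability
            Effective      = $levels[$effective]
            AnonymousLinks = ($effective -eq 3)
        }
    }
}

# Most permissive sites first; these are the ones to tighten at the site level.
$report | Sort-Object { [array]::IndexOf($levels, $_.Effective) } -Descending |
    Format-Table -AutoSize
```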

Controlling Access with Conditional Access Policies

For enhanced security, Conditional Access Policies can be utilized:

  1. Within the Azure AD admin center, navigate to Security, then Conditional Access.
  2. Create a new policy targeting specific users and groups, cloud apps, and conditions like location or device state.
  3. Define the access controls, such as requiring multi-factor authentication (MFA) or blocking access from unmanaged devices.
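
One way to express the policy from these steps for guest users, as an added example that is not part of the original notes. It assumes the Microsoft Graph PowerShell SDK; the display name is hypothetical, and the policy is created in report-only mode so its effect can be reviewed before enforcement.

```powershell
# Added example: require MFA for guests and external users, in report-only mode.
# Assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns).
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

$name = 'Require MFA for guests and external users'   # hypothetical display name

$body = @{
    displayName   = $name
    state         = 'enabledForReportingButNotEnforced'   # log the outcome, enforce nothing yet
    conditions    = @{
        users          = @{ includeUsers = @('GuestsOrExternalUsers') }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$all = Get-MgIdentityConditionalAccessPolicy -All

# Show which existing policies already target guests, to avoid overlapping rules.
$all | Where-Object {
    $_.Conditions.Users.IncludeUsers -contains 'GuestsOrExternalUsers' -or
    $_.Conditions.Users.IncludeGuestsOrExternalUsers.GuestOrExternalUserTypes
} | Select-Object DisplayName, State | Format-Table -AutoSize

# Create the policy only if one with this name does not exist yet.
if ($all | Where-Object DisplayName -eq $name) {
    Write-Warning "A policy named '$name' already exists; nothing created."
} else {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
    "Created policy $($created.Id) in state $($created.State)"
}
```

After the report-only results in the sign-in logs look as expected, changing `state` to `enabled` enforces the policy.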

Monitoring and Reporting

Once external sharing is enabled, monitoring is critical to ensure continued compliance and security:

  • Regularly audit the Azure AD audit logs and sign-ins to review guest activities.
  • Use SharePoint Online’s access control reports to track who is accessing what in your organization’s SharePoint and OneDrive.
  • If unusual activity is detected, respond with risk-based policies or revoke access temporarily while investigating.
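
A periodic guest review to support the audit steps above, as an added example that is not part of the original notes. It assumes the Microsoft Graph PowerShell SDK and a tenant licence that exposes sign-in activity; the 90-day and 30-day thresholds and the output file name are assumptions of this example.

```powershell
# Added example: classify guest accounts by invitation state and last sign-in.
# Assumes the Microsoft Graph PowerShell SDK; signInActivity needs AuditLog.Read.All
# and a Microsoft Entra ID P1 or P2 licence.
Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All'

$staleAfterDays   = 90   # assumed threshold for an inactive guest
$pendingAfterDays = 30   # assumed threshold for an unredeemed invitation
$now = (Get-Date).ToUniversalTime()

$props = 'id', 'displayName', 'mail', 'userPrincipalName', 'accountEnabled',
         'createdDateTime', 'externalUserState', 'signInActivity'
$guests = Get-MgUser -All -Filter "userType eq 'Guest'" -Property $props

$report = foreach ($g in $guests) {
    $last = $g.SignInActivity.LastSignInDateTime
    $status = if ($g.ExternalUserState -eq 'PendingAcceptance') {
        if ($g.CreatedDateTime -lt $now.AddDays(-$pendingAfterDays)) { 'Invitation never redeemed' }
        else { 'Invitation pending' }
    } elseif (-not $last) {
        'No sign-in recorded'
    } elseif ($last -lt $now.AddDays(-$staleAfterDays)) {
        'Stale'
    } else {
        'Active'
    }

    [pscustomobject]@{
        DisplayName = $g.DisplayName
        Mail        = $g.Mail
        Enabled     = $g.AccountEnabled
        Created     = $g.CreatedDateTime
        LastSignIn  = $last
        Status      = $status
    }
}

# Summary first, then the accounts that need a decision (remove, disable or re-invite).
$report | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object Status -ne 'Active' | Sort-Object Status, Created |
    Export-Csv -Path .\guest-review.csv -NoTypeInformation
```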

Conclusion

Planning, implementing, and managing guest and external access requires a strategic approach that balances the need for collaboration with security considerations. By leveraging Azure AD, Teams, SharePoint, and Conditional Access policies, organizations can maintain control while enabling productive external engagements. Continuously monitoring and adjusting these settings as needed will ensure that your Microsoft 365 environment remains secure and compliant.

Practice Test with Explanation

True or False: You can only add guest users to your Microsoft 365 tenant through the Azure AD portal.

  • False

Explanation: In addition to the Azure AD portal, you can add guest users through the Microsoft 365 admin center, via PowerShell, or through direct invitation to Microsoft Teams or other Microsoft 365 services.

When configuring external sharing in SharePoint Online, which of the following options can you choose? (Select all that apply)

  • A) Anyone
  • B) New and existing guests
  • C) Existing guests only
  • D) Only people in your organization

Answer: A, B, C, D

Explanation: SharePoint Online external sharing settings offer the options to share with anyone, new and existing guests, existing guests only, or only people within your organization.

True or False: Guests must have a Microsoft 365 account to access resources in your organization.

  • False

Explanation: Guests can access resources with any type of email account; they are not required to have a Microsoft 365 account. They will, however, need to create a Microsoft account if they don’t have one tied to their email address.

What feature is used to manage guest access in Microsoft Teams at a granular level?

  • A) SharePoint sharing settings
  • B) Microsoft 365 Groups
  • C) Azure AD B2B collaboration policies
  • D) Conditional Access policies

Answer: C

Explanation: Azure AD B2B collaboration policies are used to manage guest access in Microsoft Teams and other Microsoft 365 services at a granular level.

True or False: External users can be given the same level of access as full-fledged employees in your Microsoft 365 tenant.

  • False

Explanation: External users can be granted access to certain resources and collaborate closely with the team, but they generally have more limited permissions than employees to maintain security.

Which feature allows you to control how and when guests can be invited into your Microsoft 365 environment?

  • A) Guest access settings in Microsoft Teams
  • B) External sharing in SharePoint Online
  • C) Azure AD B2B collaboration
  • D) Security & Compliance Center

Answer: C

Explanation: Azure AD B2B collaboration allows you to control the process of inviting guests, including who can invite guests and the permissions those guests have.

True or False: A Microsoft 365 admin can require Multi-Factor Authentication (MFA) for guest users.

  • True

Explanation: An admin can enforce MFA for guest users through Azure AD conditional access policies to increase security for external access.

Which PowerShell cmdlet can you use to view the external sharing settings for your SharePoint Online environment?

  • A) Get-SPOExternalSharingSettings
  • B) Get-SPOTenant
  • C) Get-SPExternalUser
  • D) Get-SPOSite

Answer: B

Explanation: The Get-SPOTenant cmdlet can be used to view and update tenant-level settings for SharePoint Online, including external sharing configurations.

True or False: When external users accept an invitation, they don’t need to go through any authentication process to access shared resources.

  • False

Explanation: External users must authenticate, which might include setting up a Microsoft account if they don’t have one or signing in with an existing account to access shared resources.

Which role must a user have to manage guest access in Microsoft 365 Groups through the Microsoft 365 admin center?

  • A) Groups administrator
  • B) SharePoint administrator
  • C) Global administrator
  • D) Guest inviter role

Answer: C

Explanation: The Global administrator role has the necessary permissions to manage guest access across Microsoft 365 services, including Microsoft 365 Groups, through the admin center.

True or False: You can set a company-wide default sharing policy for file sharing in OneDrive for Business and SharePoint Online.

  • True

Explanation: Yes, as an admin, you can configure organization-wide sharing settings for OneDrive for Business and SharePoint Online that set the default sharing behavior for all users.

External sharing in SharePoint Online and OneDrive for Business is turned on by default.

  • A) True but can be restricted at a site-level.
  • B) False, it must be enabled by an administrator.
  • C) True and cannot be changed.
  • D) False, it is controlled by Azure AD external collaboration settings.

Answer: A

Explanation: External sharing in SharePoint Online and OneDrive for Business is enabled by default, but administrators can restrict or modify these settings at both the tenant-level and site-level.

Interview Questions

What is external access in Microsoft Teams?

External access in Microsoft Teams allows users in your organization to collaborate and communicate with people outside your organization.

What is guest access in Microsoft Teams?

Guest access in Microsoft Teams allows users outside your organization to collaborate and communicate with your team while still maintaining control over your corporate data.

How can you manage external access in Microsoft Teams?

You can manage external access in Microsoft Teams by controlling who can communicate with users outside of your organization and by managing the guest access settings for each team.

What is the difference between guest access and external access in Microsoft Teams?

Guest access is designed for individuals outside your organization to access a specific team or channel, whereas external access is designed to allow entire domains to communicate with your organization.

How can you add guest users to your Azure AD tenant?

You can add guest users to your Azure AD tenant through the Azure portal or by using PowerShell.

What is the Azure AD B2B collaboration feature?

The Azure AD B2B collaboration feature is a way to invite external users to access your organization’s resources using Azure AD.

What is the Azure AD B2B quickstart feature?

The Azure AD B2B quickstart feature is a way to quickly and easily invite guest users to your Azure AD tenant.

How can you add external users to a specific team in Microsoft Teams?

You can add external users to a specific team in Microsoft Teams by inviting them as a guest to the team.

What is the role of an Azure AD administrator in managing guest access to Microsoft Teams?

The Azure AD administrator has the authority to manage guest access to Microsoft Teams, including controlling which domains are allowed to communicate with your organization and managing the guest access settings for each team.

How can you ensure security when allowing external access in Microsoft Teams?

You can ensure security when allowing external access in Microsoft Teams by implementing security policies and practices, such as multi-factor authentication and conditional access policies.

What is the difference between a Microsoft account and a work or school account?

A Microsoft account is a personal account used for personal services, while a work or school account is used for organizational services and is managed by an administrator.

How can you restrict external access to specific teams or channels in Microsoft Teams?

You can restrict external access to specific teams or channels in Microsoft Teams by changing the guest access settings for each team or channel.

How can you remove guest users from a specific team in Microsoft Teams?

You can remove guest users from a specific team in Microsoft Teams by removing their guest access to the team.

How can you configure external access for specific users in Microsoft Teams?

You can configure external access for specific users in Microsoft Teams by changing their external access settings in the Teams admin center.

What is the difference between an external user and a guest user in Microsoft Teams?

An external user is someone who has a user account in a different organization, while a guest user is someone who is invited to a specific team or channel in Microsoft Teams.

21 Comments
Kasper Peltonen
1 year ago

Great article on managing guest and external access in Microsoft 365. Really helped me to understand the basics!

Onur Yıldırım
1 year ago

Can anyone share best practices for implementing guest access in Microsoft Teams?

Anel de la Fuente
1 year ago

Thanks for the helpful post!

Leo Moen
1 year ago

I’m struggling with managing SharePoint external access. Any tips?

Peggy Baumbach
1 year ago

This article just rehashes basic documentation. Not very useful for advanced users.

Avery King
1 year ago

What are the security considerations I need to keep in mind for guest access?

Jaxon Hall
2 years ago

I appreciate the detailed guide on setting up guest access!

Charles Leclercq
9 months ago

How do you manage external user lifecycle in Microsoft 365?
