
Microsoft Teams Guest access and External (federation) access

Balu llag | February 20th, 2019


Microsoft Teams was built as a chat-based workspace in Office 365, with persistent chat, audio/video calls, meetings, easy file access, and customizable and extensible features. All of these features are available to internal users as well as external (guest/federated) parties. Offering Teams capabilities to external parties through both Teams guest access and Teams external access raises questions such as: which option should I choose for my organization, are these options identical, and how do they differ from each other?

Microsoft Teams guest access and external access (federation) are separate. Do not confuse the two: they are fundamentally different and offer different permission sets. Teams external access is like Skype for Business federation, which allows members of an external domain to participate in your organization's chats and calls, whereas Teams guest access grants access only to individual users from an external domain. This article will help you understand how Teams guest and external access differ and how to provision your Teams environment for each approach.

How is Teams Guest access different from External access?

Remember, the two have separate access permissions. Once a team owner grants guest access, a guest can access resources, such as channel discussions and files, for a specific team, and chat with other members of the team they have been invited to. This means guest access is limited to the individual team level.

External access, however, allows only chat and calls; external chat participants have no access to the inviting organization’s teams or team resources. They can only participate in one-on-one federated chats or calls, and they must know the email address of the individual user they want to chat with or call.

Here is the access comparison of External access and Guest access:

Teams features via Guest and External access

1. Provided that the user has been added as a guest and is signed in as a guest to the guest tenant.

2. Only by email or Session Initiation Protocol (SIP) address.

3. External (federated) chat is 1:1 only.

Now that you have learned how Teams guest access differs from external (federated) access, let’s enable external access and guest access in Teams.

External (federation) Access:

Your organization or tenant admins can decide between guest access and external access for communication. The choice depends on the level of collaboration you want with the external party. You can choose either approach or both, depending on your organizational needs, but Microsoft recommends enabling guest access for a deeper, collaborative Teams experience.

External access works for users who are in TeamsOnly mode; however, it doesn’t work for users who are in Islands or other migration modes.

How to enable external or federation access in Teams?

You can use the modern portal, the “Microsoft Teams & Skype for Business Admin Center”, to enable external access.

Note: You must have tenant admin group permission or Teams Service Administrator group permission to enable external access.

  1. Log in to the Teams and Skype for Business modern portal at https://admin.teams.microsoft.com. In the Microsoft Teams & Skype for Business Admin Center, select Org-wide settings > External access. Click on “Add or block a domain”. Refer to the figure below.
Figure: Enable External access
  • By default, external access is off. To turn it on, toggle the External access switch from Off to On. Refer to the figure above.
  • Click Save.

Once you enable external access, you can allow or block individual domains. Follow the steps below to add a domain or turn off external access for a domain.

  1. In the Microsoft Teams & Skype for Business Admin Center, select Org-wide settings > External access.
  2. Select “Add a domain”; the Add a domain pane appears, as in the figure below.
Figure: Add a domain as external domain
  • Under Add a domain, type the name of the domain; for example, type Microsoft.com.
  • Select Allowed or Blocked. You can change this setting at any time.
  • Select Done.
Figure: External access Enabled

After you add a domain, you will see the domain name and status added to the list of domains on the External access page. Refer to the figure above.

Enabling Guest access in Teams:

Guest access gives an individual permission to access resources, such as channel discussions and files, for a specific team, and to chat with other members of the team they have been invited to. You can enable or disable guest access using the graphical user interface or PowerShell.

Because Microsoft Teams is a collaboration tool that allows access to Office 365 Groups, SharePoint, OneDrive, etc., enabling guest access in the Teams admin center does not mean guest access is enabled for Azure Active Directory, Office 365 Groups, SharePoint, and OneDrive. You need to make sure that guest/external access is enabled in all dependent locations to fully utilize guest access capabilities.

Figure: Guest access Enabled
  1. Log in to the Teams and Skype for Business modern portal at https://admin.teams.microsoft.com. In the Microsoft Teams & Skype for Business Admin Center, select Org-wide settings > Guest access.
  2. To allow guest access in Microsoft Teams, toggle the switch to On, as shown in the figure above.
  3. After enabling guest access, you can customize guest access permissions by allowing Calling, Meeting, and Messaging capabilities:
  • Make private calls – Turn this setting On to allow guests to make peer-to-peer calls.
  • Allow IP video – Turn this setting On to allow guests to use video in their calls and meetings.
  • Screen sharing mode – This setting controls the availability of screen sharing for guest users.
    • Turn this setting to Disabled to remove the ability for guests to share their screens in Teams.
    • Turn this setting to Single application to allow sharing of individual applications.
    • Turn this setting to Entire screen to allow complete screen sharing.
  • Allow Meet Now – Turn this setting On to allow guests to use the Meet Now feature in Microsoft Teams.
  • Edit sent messages – Turn this setting On to allow guests to edit messages they previously sent.
  • Guests can delete sent messages – Turn this setting On to allow guests to delete messages they previously sent.
  • Chat – Turn this setting On to give guests the ability to use chat in Teams.
  • Use Giphys in conversations – Turn this setting On to allow guests to use Giphys in conversations. Giphy is an online database and search engine that allows users to search for and share animated GIF files. Each Giphy is assigned a content rating.
  • Giphy content rating – Select a rating from the drop-down list:
    • Allow all content – Guests will be able to insert all Giphys in chats, regardless of the content rating.
    • Moderate – Guests will be able to insert Giphys in chats, but will be moderately restricted from adult content.
    • Strict – Guests will be able to insert Giphys in chats, but will be strictly restricted from inserting adult content.
  • Use Memes in conversations – Turn this setting On to allow guests to use Memes in conversations.
  • Use Stickers in conversations – Turn this setting On to allow guests to use stickers in conversations.
  • Click Save.

Note: Organization-wide setting changes may take some time to apply.

You can also enable guest access globally using PowerShell. Refer to the commands below.

Check the existing policy:

Get-CsTeamsClientConfiguration

Enable guest access globally:

Set-CsTeamsClientConfiguration -AllowGuestUser $True -Identity Global
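
The guest toggles listed above correspond to properties of the guest calling, meeting and messaging configurations in the same PowerShell module. As an added example (not from the original article), the script below reports where guest settings deviate from a baseline; the baseline values, the function names and the sample data are assumptions made for illustration.

```powershell
# Baseline values are assumptions for this example; set them to your own policy.
$Baseline = [ordered]@{
    AllowPrivateCalling    = $false               # Make private calls
    AllowIPVideo           = $true                # Allow IP video
    ScreenSharingMode      = 'SingleApplication'  # Screen sharing mode
    AllowMeetNow           = $false               # Allow Meet Now
    AllowUserEditMessage   = $true                # Edit sent messages
    AllowUserDeleteMessage = $false               # Guests can delete sent messages
    AllowUserChat          = $true                # Chat
    AllowGiphy             = $true                # Use Giphys in conversations
    GiphyRatingType        = 'Strict'             # Giphy content rating
    AllowMemes             = $false               # Use Memes in conversations
    AllowStickers          = $false               # Use Stickers in conversations
}

function Compare-GuestSetting {
    param(
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Current,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Baseline
    )
    foreach ($name in $Baseline.Keys) {
        # A setting absent from the input is reported rather than silently passed.
        $actual = if ($Current.Contains($name)) { $Current[$name] } else { '<missing>' }
        if ("$actual" -ne "$($Baseline[$name])") {
            [pscustomobject]@{ Setting = $name; Current = $actual; Expected = $Baseline[$name] }
        }
    }
}

function Get-LiveGuestSetting {
    # Merges the three guest configurations of a connected tenant session into one table.
    $live = @{}
    $configs = @(Get-CsTeamsGuestCallingConfiguration) +
               @(Get-CsTeamsGuestMeetingConfiguration) +
               @(Get-CsTeamsGuestMessagingConfiguration)
    foreach ($c in $configs) {
        foreach ($p in $c.PSObject.Properties) { $live[$p.Name] = $p.Value }
    }
    $live
}

# Constructed sample standing in for tenant output, so the check runs offline.
$Sample = @{
    AllowPrivateCalling = $true; AllowIPVideo = $true; ScreenSharingMode = 'EntireScreen'
    AllowMeetNow = $true; AllowUserEditMessage = $true; AllowUserDeleteMessage = $true
    AllowUserChat = $true; AllowGiphy = $true; GiphyRatingType = 'Moderate'
    AllowMemes = $true   # AllowStickers left out on purpose
}
Compare-GuestSetting -Current $Sample -Baseline $Baseline | Format-Table -AutoSize
```

Against a connected tenant session, pass the output of Get-LiveGuestSetting as -Current instead of the sample.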

I hope this article helps you enable Teams external access and guest access in your environment.

Thank you.

 
