This Microsoft Teams Q&A is based on our webinar of the same name. Miss it the first time? Watch the full webinar here!
Though Microsoft Teams is an incredibly powerful collaboration platform, you need to know how to properly configure its controls to make it work for your environment. This is especially true when it comes to external sharing. We had so many questions during our recent webinar that we decided to answer them all together in one large Q&A post. Let’s get started.
What if the partner you want to share with isn’t in the cloud? How does that authentication work?
The guest user does not need to be another Azure Active Directory account. The account needs to be associated with the cloud at the very least, whether it be a domain account synced to AAD, a Microsoft account, Google federation, a Hotmail account, etc. However, for non-cloud accounts, there is a one-time passcode option so that every time a non-cloud user wants access, they receive a one-time password for that session.
What cleans up the guest account in Contoso?
You can either go through the directory and manually clean up dead accounts or you can employ Azure Access Review as a potential solution to this. Alternatively, AvePoint’s Cloud Governance solution can allow the review and removal of guest users from Teams and Groups but doesn’t remove the user from the directory. Look for Cloud Governance to have more functionality related to this use case in H1 2020.
Does this require an Azure AD Premium P1 or P2 license?
There is no elevated license required for AAD. You can have a ratio of 1:5 paid licenses to guest users at no additional charge. If that customer wants to use advanced AAD features like Multifactor Authentication (MFA) or Conditional Access for some or all of their guest users, they will need to be sure that the paid AAD licenses in the ratio above are licensed at a level that supports the AAD functionality they want to apply to the guest accounts.
If the guest leaves their company, how does access get revoked?
It gets revoked automatically. If you look in your AAD you can see that these guest accounts exist, but the only way they can be accessed is with the guest’s original account. So if they get kicked out of Fabrikam, they won’t have a way to log back in since the guest account is tied directly to Fabrikam.
Does your AAD need to sync both ways in hybrid environments for Guest Access to fully function? Currently, we only sync our local on-prem AD one way to the cloud.
Guest accounts only exist in AAD and do not get synced to AD on-prem.
Does this apply to SharePoint user profiles too?
Guests cannot see profile info in SharePoint.
Does the licensing change if your company is on a G3 government license?
No, it does not.
Can you please clarify the guest licensing? If our users have E3 licenses then will the guest user have an E3 license as well?
Yes. If the core user has a paid E3 they will have up to five guests with the same level of licensing. They won’t, however, have a OneDrive or an email box, so one-to-one chat is limited. Otherwise, though, they’ll have full functionality in Microsoft Teams, channels, and in SharePoint. G3 licensing follows the same model.
For companies that have started using B2B, have you seen them requiring a security verification for the other company to ensure exited employees no longer have access?
Because you don’t own the authentication of that user, you’re relying on the fact that wherever they’re coming from is using proper password policies and proper metrics for ensuring that user is who they say they are. What you can do is leverage advanced AAD security features like conditional access and multi-factor authentication if you’re looking to implement security controls on top of whatever is in use by the guest user’s identity provider.
Is there any out of the box reporting feature in Office 365 that shows what content is shared with guest users?
There are some, but for the most part, what you’ll get is a list of guest users. There isn’t a lot of out of the box functionality but there is a more complete reporting of these features in Cloud Management.
Are there any time-based revocation/deactivation settings for guests?
Nothing out of the box.
Can you grant guests access to Office apps?
No. They don’t get the ability to download and install the software.
If you turn on the whitelist/blacklist after it’s been open for a while then are external users who are already present in AAD denied access if their domain was later blacklisted?
No, these are forward settings only. You’ll have to have a process to go through and remove those users.
Can the guest users be used for SharePoint, Portals, or other add-on apps?
Yes. Guest users are a feature of AAD and can be leveraged by 1st party services like Microsoft Teams and SharePoint Online as well as 3rd party applications that are written to integrate with AAD.
When you set guest access in AAD, which platforms does that allow access to? OneDrive, Teams, etc.?
This goes back to how external sharing is like an onion. Adding a guest in AAD does not immediately give that user access to any Office 365 content. You will also need to turn on guest access for Groups and Teams and SharePoint according to your needs.
If a guest is given access to a Team then they can access the channel, conversations, files, planner – essentially all the other Microsoft Teams resources. Guests do not have access to the “chats” that are not part of defined Teams. The only way that a guest can access a OneDrive is if you have external sharing enabled for SharePoint and OneDrive and the OneDrive content has been explicitly shared with that guest.
What exactly are you granting guest access to when setting in AAD?
By granting guest access you are saying that the user is now in the directory; they have no permissions yet. All they can do is log in, and what they can log into depends. Since third-party applications can leverage Azure AD, if you want to give access to these third-party applications, you can.
Can you use Flow to automate the external sharing process?
Yes. You can use Flow, PowerApps, or Azure Logic Apps to do this.
Can we control permissions and access at the subsite level?
For SharePoint, external sharing settings are configured at the Site Collection level. This means that all settings apply to all subsites. You can leverage SharePoint’s permission inheritance features to add guests only to subsites.
Do I need to configure SharePoint sharing settings for guest users sharing in Microsoft Teams to work on files in Teams?
Team members will always have access to the SharePoint site because access is not given to individuals, but to the underlying Office 365 Group. So, if my guest access settings in Microsoft Teams and Office 365 Groups is turned on and I add an external user to my guests for that Group, there’s no work that needs to be done on the SharePoint side. External sharing in SharePoint can be off because I’m not sharing with an external person, but with that Group of which the external member is a part of.
For Azure AD, what services in Office 365 are dependent on external sharing?
Short answer: it’s always Groups and Teams and it’s sometimes SharePoint.
