Looking for more Microsoft Teams tips? Watch our free webinar “Beginner to Super User: Top 10 Microsoft Teams Tips” for expert insights.
There is a LOT of content about external sharing with Microsoft Teams on the internet. In fact, no less than three articles on this blog cover the topic. From webinars and deep technical guides to how third-party tools can increase your control, the topic has not been ignored.
So, why another article on external sharing?
It’s not. Sort of. I mean, external sharing is part of this, but it’s not all of it. And this, frankly, is why another article is needed.
There are two ways of sharing content with Microsoft Teams external users:
- External Access
- Guest Access
- SharePoint (I know, I said two. More below.)
This is the most commonly used phrase for sharing with outside users—and it’s the least correct. The terribly named External Access is a holdover from Skype for Business, but with no additional information. That means this is a chat feature only. It does not relate to your Teams and Channel conversations nor files. External access simply allows people from outside your organization to talk with people from inside your organization.
Capabilities and Limitations
Okay, a little more detail on External Access. This is often deemed Federated access as well. Why? Because users of another system (or tenant) are being granted access to your tenant.
GET OUR NEWSLETTER: Subscribe here for weekly content from AvePoint
In the Skype for Business days, “federated” meant you had taken specific action to connect to another domain. With Microsoft 365, however, that “plumbing” has already been taken care of; if you have External Access on, you have federation.
So, what can a federated user do?
- Chat with users within your environment
- View files shared with them in chat messages
What can’t a federated user do?
- Search the user directory (excepting for email addresses and using Direct Routing/SIP).
- Share files (remember, shared chat files go in the sharer’s OneDrive, and External Access does not enable a OneDrive, so there is nowhere to store the file).
- Access Teams and Channel resources.
- Participate in a Group chat (i.e., External Access is one to one chat ONLY so no starting a 1:1 and then adding someone).
- View or set an Out of Office message / Status message.
- Be blocked or Block someone.
One more thing: there are different stages of Microsoft Teams migration from Skype for Business. The following specific features are only allowed if your organization and the organization your External Access user belongs to is in “Teams Only” mode (more on these modes here):
- @mention people
- Share their screen
- Edit sent messages
- Delete sent messages
- Use Giphy, memes, and stickers
Types of External Access
There are three primary means of External Access (all of which are controllable in your Teams Admin Center):
- Open Federation – The default. This allows your users to search for, call, chat, and meet with people outside your organization who are also Microsoft Teams users or Skype for Business users with Open Federation enabled OR with your domain added to their allowed domain list.
- Example: One of my sales guys sent me a screen capture of chat between him and one of our customers and I commented how cool it was that he was having an instantaneous conversation with the customer rather than having to wait for the long circle that often occurs with emails. In this case, he said he hadn’t emailed her in months; he simply searched for her email in Microsoft Teams and thus the conversation history began.
- Blocked Domains – Building off the Open Federation option, your organization can block specific domains from appearing in the search. Maybe you like open federation but don’t want your staff able to talk directly with your biggest competitor, or someone from a domain with known unsavory or pirated content.
- Allowed Domains – This is a little different, as this takes a more secure approach. With allowed domains, you are forgoing the abilities of Open Federation and are instead saying “ONLY these specific domains are allowed.” In this stricter method, your users can only chat with users from your domain and the specific partners you have selected.
What about Skype for Business?
Again, check out this article on Islands Mode, Skype Only Mode, and Teams Only Mode. Then, jump over to this article on managing external access to see what scenarios need what settings to enable chat across the different technologies.
In short, there are ways to handle External Access for Teams to Teams, Teams to Skype, Skype to Teams, and Skype to Skype; but there are some specific configurations you need to enable for these, all of which are documented in the linked articles.
This is what MOST people mean when they say Microsoft Teams “external users” or “external sharing.” Guest Access enables users to access content within Teams. It expands beyond the chat, and it grants them permissions within one (or more) Teams workspace to see the channels, discussions, and shared files. Where your External Access user is outside looking to talk, your Guest Access users (“guests”) is someone you’ve invited into your home, someone who has many of the same privileges as your own family members but with some restrictions.
Capabilities and Limitations
Here’s the meat: Guest Access is where the collaboration happens. Guests get access to your Teams, to your Channels, and to the files and discussions shared within those channels. Guests can search for people (limited to people within the Teams they have access to). Guests can share files (limited to sharing within the Teams they are members of). Guests are POWERFUL.
Have a Team supporting a customer project? Guest Access can enable those customers to view the project collaboration. Have a Team for vendor collaboration? Guest Access can enable that vendor to view the conversations and files.
What guests can do is a long list, so let’s focus on what they CANNOT do (full list here):
- Cannot share a file in 1:1 chat (remember: they have no OneDrive to store it).
- Cannot search the Global Address List for users in your organization; can ONLY search for members of Teams they are members of.
- Do not have a calendar and cannot access scheduled meetings or meeting details (unless they receive an invitation to it at their email address).
- No calling (PTSN specifically, VOIP is available).
- No access to the Org Chart
- Cannot create a Team (or change an existing one).
- Cannot BROWSE Teams (only have access to the ones they’re members of).
Like External Access, Guest Access is a tenant-wide setting turned on by your global or service administrator. Once turned on, Team Owners can determine if guests can be added to their specific Team and have some say in what guests can do within. There is some stacking involved here:
- Azure B2B Settings – The Business to Business (B2B) platform built on Azure Active Directory (AAD) is the primary point of entry. B2B allows someone to have their own Office 365 license and authorization. In brief: B2B means when a user is granted access to another tenant, their credentials are authorized in their tenant before Azure grants them access to content shared with them from your tenant. Note: Azure B2B is not yet available in GCC-H or DOD.
- Teams Admin Center – This controls the guest experience across the Microsoft Teams service.
- Office 365 Groups Admin Center – Since Groups are the basis for security within Teams, this has some level of control for how Groups and Teams allow Guest Access.
- SharePoint & OneDrive – Again, more to come below.
Microsoft has a great diagram of how these authorizations stack as well as what the experience looks like when trying to send an invitation. Check it out here.
Also answered in that article by Microsoft is the question of who can invite guests. Set in AAD are a few service admin-driven options:
- Guest user permissions are limited
- Admins and users in the “guest inviter” role can invite
- Members can invite
- Guests can invite (buuuut this is not supported in Teams, only Groups)
As a service owner (not Team owner) this gives you some very strong variation but remember that this is across the entire tenant.
Licensing your Guests
Guest licensing is part of your AAD licensing, and Microsoft has made a great, simple guide talking about the number of guests you’d like to have and what features you would like them to have (e.g., Multi-factor Authentication). Long story short, you have a 5:1 ration of guests to users. If you have 1000 user licenses, you can have 5000 guests. But, if you want 10 guests to have MFA you must have two licensed users with MFA.
Again, think a simple 5:1 ratio.
External Sharing with SharePoint
There is one more way to share Teams content and share SharePoint sites with external users–just not from inside Microsoft Teams. It’s in SharePoint (and OneDrive for Business).
Before Azure B2B existed, SharePoint had the ability to externally share. And today, at least, Microsoft has not disabled it in SharePoint Online.
By the way: External Sharing. How SharePoint has traditionally enabled “guest” users into your content. See how that naming suggests External Access would be the “share all the content” control, and not Guest Access? I see it. But I digress.
External Sharing allows for:
- Who can share to external users (Everyone, Specific People, No One)
- Which external users can be shared with (Anyone, authenticated users, authenticated users excluding specific domains, only authenticated users from specific domains)
- What can be shared (anything, specific libraries, only files without sensitive content), and
- How shareable links can be used (by default, enabled opt-in, mandatory expiration dates, enabled but only for internal users, disabled).
WARNING: SECURED OBJECTS MAY NOT BE SECURED
Keep in mind: even if you have Guest Access turned off in Teams, if External Sharing is enabled in SharePoint, your content can still be shared. Your Team “Owner” is a SharePoint Site Collection Administrator. That means if External Sharing is turned on, they can enable it at the site collection level. Though people sharing content in Teams may think their content is only available to internal users, on the SharePoint backend, those files may still be shared with others outside your organization.
There are two three ways to share outside your organization with Microsoft Teams:
- External Access (your friendly neighbor, talking over the fence)
- Guest Access (the neighbor you give a key to, who can come in your home)
- External Sharing (the neighbor with a backdoor entrance into your files but only those with inside knowledge of SharePoint permissions are aware of)
And with that, you should have a good knowledge base on what you need to know about Microsoft Teams and external sharing. Again, be sure to reference our webinars, deep technical guides to how third-party tools can increase your control for more insight and guidance. And if you have any specific questions that weren’t covered here, feel free to ask them in the comment section below!
Great article! We’ve been wading through these concepts and this really helped clarify. The naming conventions are a little confusing.
Question: If you turn off the ability to share documents through Sharepoint (the “backdoor” access) will that impact sharing with a Guest in a Team?
The SharePoint setting applies to all site types, including those connected to Microsoft 365 groups. That means it would impact sharing with a Guest in a Team
If you are looking to get better control over your external sharing you should consider requesting a demo for Cloud Governance which can help you make the external sharing settings more granular and help with the provisoning, management and expiration of a guest. Also consider Policies and Insights which can prevent the sharing of sensitive information with external parties.
Reallyu nice post. I get the feeling that SharePoint Extrenal Sharing in the model we know from last years will be transformed to more Azure B2B relates solution.
Thank you for this great simple article. Unfortunately I’ve read many conflicting articles / posts regarding the 5:1 ratio for guests in Teams. Even though Microsoft has told me that a license isn’t required for a Guest in a Team unless they are using “Azure AD Premium” features, such as MFA, I don’t feel comfortable telling our users to invite all the guest they want. We have 300 E3 licenses, we have our Admins using MFA, and expect to have all 300 using MFA shortly, but I don’t think this matters. I’m concerned that we would go over 1,500 guests despite being told that I shouldn’t be concerned. It would be nice if we could at least get a report or have a dashboard that told us of the guest licenses in use. Does anyone have an opinions or insight?
@Michael Mastronardi, I would make it an “Exclusive Event” limited to the first 1,500 guests to RSVP 🙂