Monday, December 7, 2020

Authorize guest access in Microsoft Teams

To enable and manage guest access in Teams, you must have Global Administrator or Teams Administrator privileges. Once guest access is turned on, it will take 2–24 hours for the change to take full effect across your Microsoft 365 tenant.

There are four separate configuration portals you can use to manage guest access in Teams. Each portal controls a distinct authorization level of the guest experience:

  • Azure AD — Authorizes guest access at the directory, tenant and application levels.
  • Microsoft 365 Groups — Authorizes guest access to Microsoft 365 groups and Teams (each team in Teams is built on an underlying Microsoft 365 group)
  • Microsoft Teams — Authorizes guest access to Teams only
  • SharePoint Online and OneDrive for Business: Authorizes guest access to SharePoint, OneDrive, Microsoft 365 groups, and Teams (the SharePoint configuration governs the file-sharing experience for guests in Teams)

The guest access configuration in each portal has dependencies and effects on the configuration in other portals, according to the authorization level. For example, if you disable external sharing at the Azure AD level, guest access will be disabled in Teams. If you enable sharing in Azure AD and guest access in the Teams admin center but disable external sharing in SharePoint, guests can join a team but will have limited access to shared team files.

Note

Guests are subject to the service limits described in Microsoft 365 and Office 365 service descriptions and Limitations of Azure AD B2B collaboration.

The following diagram shows how guest access authorization dependency is granted and integrated between Azure Active Directory, Teams, and Microsoft 365.


How to Configure Guest Access in the Teams Admin Center

Take the following steps to enable and set guest permissions in the Teams admin center:

  1. Log in to the Teams admin center using Teams Administrator privileges.
  2. Navigate to Org-wide settings > Guest access.
  3. Switch the Allow guest access in Microsoft Teams toggle to On. This setting enables guest access capabilities.
  4. Use the controls under the Calling, Meeting and Messaging sections to fine-tune the specific capabilities granted to guests. Configurable capabilities include:
       • Private peer-to-peer calls
       • Use of IP video in calls and meetings
       • Screen sharing
       • Meet Now (lets users start a meeting immediately from the context of a conversation)
       • Editing of sent messages
       • Chat
       • Giphy (lets users share animated GIFs of a specified content rating)
       • Meme usage in conversations
       • Sticker usage in conversations
  5. Click Save to apply the configuration.
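
The toggles set in the steps above can also be read back from PowerShell, which makes it possible to review what guests are actually allowed to do after a change. The script below is an added example, not part of the original article: it is read-only, assumes the MicrosoftTeams module with an existing Connect-MicrosoftTeams session, and the baseline values and the Compare-GuestBaseline helper are illustrative assumptions rather than recommended settings.

```powershell
# Added example: read-only review of the guest settings behind the admin-center toggles.
# Baseline values are illustrative assumptions; replace them with your organization's policy.
$baseline = [ordered]@{
    'Calling.AllowPrivateCalling'    = $true                # Private peer-to-peer calls
    'Meeting.AllowIPVideo'           = $true                # IP video in calls and meetings
    'Meeting.ScreenSharingMode'      = 'SingleApplication'  # Screen sharing
    'Meeting.AllowMeetNow'           = $false               # Meet Now
    'Messaging.AllowUserEditMessage' = $false               # Editing of sent messages
    'Messaging.AllowUserChat'        = $true                # Chat
    'Messaging.AllowGiphy'           = $false               # Giphy
    'Messaging.AllowMemes'           = $false               # Memes
    'Messaging.AllowStickers'        = $false               # Stickers
}

# Hypothetical helper: compares each baseline entry with the live value and flags drift.
function Compare-GuestBaseline {
    param(
        [Parameter(Mandatory)] [hashtable] $Actual,   # section name -> settings object
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Baseline
    )
    foreach ($key in $Baseline.Keys) {
        $section, $name = $key -split '\.', 2
        $value = $Actual[$section].$name
        [pscustomobject]@{
            Setting  = $key
            Expected = $Baseline[$key]
            Actual   = $value
            Drift    = ("$value" -ne "$($Baseline[$key])")
        }
    }
}

# Org-wide guest settings, one object per section of the Guest access page.
$actual = @{
    Calling   = Get-CsTeamsGuestCallingConfiguration
    Meeting   = Get-CsTeamsGuestMeetingConfiguration
    Messaging = Get-CsTeamsGuestMessagingConfiguration
}

# Master switch: "Allow guest access in Microsoft Teams".
$master = (Get-CsTeamsClientConfiguration -Identity Global).AllowGuestUser
"Allow guest access in Microsoft Teams: $master"

Compare-GuestBaseline -Actual $actual -Baseline $baseline | Format-Table -AutoSize
```

Rows with Drift set to True are the capabilities where the tenant differs from the intended guest policy.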

External Access in Microsoft Teams

By default, external access is fully enabled in Teams tenant-wide. The default setting of “open federation” allows Teams users in any external domain to find and contact team members in your organization using an email address.

The three external access configurations are:

  • Open federation (default setting) — Permits external access from any domain
  • Allow specific domains — Allows external access from the specified domains only
  • Block specific domains — Blocks external access from the specified domains and allows access from all other domains

To change the external access configuration from the default setting, take these steps:

  1. In the Microsoft Teams admin center, go to Org-wide settings > External access.
  2. Switch the Users can communicate with other Skype for Business and Teams users toggle to On.
  3. To allow or block specific domains, click Add domain. Specify the name of the domain and add it to the Allow or Block list.
  4. Save your changes. You have just configured the outgoing federation.
  5. Work with Teams administrators in other organizations to configure the incoming federation. For example, make sure they add your business domain to their Allow list.
  6. Test the configuration by using the Teams app to find and send a chat request to a federated external Teams user, and have the external user send a Teams chat request to you. If you each receive the requests, you know the federation has been configured successfully.
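
Because open federation is the default, it is worth confirming which of the three external access configurations a tenant is really in. The function below is an added example, not part of the original article; Get-ExternalAccessMode is a hypothetical helper, the sample objects are constructed, and the shape of the AllowedDomains and BlockedDomains properties is an assumption that should be checked against the output of your MicrosoftTeams module version.

```powershell
# Added example: classify external access into the three configurations named above.
function Get-ExternalAccessMode {
    param([Parameter(Mandatory)] $Config)

    # AllowFederatedUsers backs the "Users can communicate with other
    # Skype for Business and Teams users" toggle.
    if (-not $Config.AllowFederatedUsers) { return 'External access off' }

    # Assumption: an allow list exposes its entries as AllowedDomains.AllowedDomain,
    # and BlockedDomains is a (possibly empty) collection.
    $allowed = @($Config.AllowedDomains.AllowedDomain | Where-Object { $_ })
    $blocked = @($Config.BlockedDomains | Where-Object { $_ })

    if ($allowed.Count -gt 0) { return 'Allow specific domains' }
    if ($blocked.Count -gt 0) { return 'Block specific domains' }
    return 'Open federation'
}

# Constructed sample objects (not real tenant data) so the logic can be checked offline.
$samples = [ordered]@{
    Default   = [pscustomobject]@{
        AllowFederatedUsers = $true
        AllowedDomains      = 'AllowAllKnownDomains'
        BlockedDomains      = @()
    }
    AllowList = [pscustomobject]@{
        AllowFederatedUsers = $true
        AllowedDomains      = [pscustomobject]@{ AllowedDomain = @('partner.example') }
        BlockedDomains      = @()
    }
    BlockList = [pscustomobject]@{
        AllowFederatedUsers = $true
        AllowedDomains      = 'AllowAllKnownDomains'
        BlockedDomains      = @('blocked.example')
    }
}

foreach ($name in $samples.Keys) {
    '{0,-10} -> {1}' -f $name, (Get-ExternalAccessMode -Config $samples[$name])
}

# Live tenant (requires an existing Connect-MicrosoftTeams session):
# Get-ExternalAccessMode -Config (Get-CsTenantFederationConfiguration)
```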

Guest access in Microsoft Teams

Guest access — Allows users from outside the organization to become nearly full-fledged team members who can make calls, participate in chats, set up meetings and access shared files. Team owners can add guests on an individual basis. Use guest access when you want to grant an external user access to the same Teams activities, channels and shared resources as native team members.

Guest access is a tenant-wide capability in Teams that is disabled by default.

When guest access is enabled, anyone outside your organization who has a business or consumer email account can become a guest. Eligible guests receive an email invitation from the team owner. Once they redeem the invitation by clicking Open Microsoft Teams, they get added to the team with guest user permissions.

Guests can chat, make calls and participate in channel conversations. They can also create channels and share files. However, guests don’t have access to other functions available to team members of the organization, like OneDrive for Business and the Teams calendar.

Team owners can add as many guests as they wish, up to the limit defined by your Azure Active Directory (Azure AD) license. Guest access is governed by service limits in Azure AD and Microsoft 365 (formerly known as Office 365).

For security, Microsoft covers Teams guest accounts with the same compliance and auditing protection used elsewhere in Microsoft 365.

To set up guest access

Guest access in Teams requires configuring other settings in Microsoft 365, including settings in Azure AD, Microsoft 365 Groups, and SharePoint. If you're ready to start inviting guests to teams, read one of the following:

Guest access in Teams is an organization-wide setting and is turned off by default. You can control guest access to individual teams by using sensitivity labels.

How a guest becomes a member of a team

  1. A team owner or a Microsoft 365 admin adds a guest to a team.
  2. The guest receives a welcome email from the team owner, with information about the team and what to expect now that they're a member.
  3. The guest accepts the invitation. Guest users who have a work or school account in Azure Active Directory can accept the invitation and authenticate directly. Other users are sent a one-time passcode to validate their identity (One-time passcode authentication required).
  4. After accepting the invitation, the guest can participate in teams and channels, receive and respond to channel messages, access files in channels, participate in chats, join meetings, collaborate on documents, and more.

In Teams, guests are clearly identified. A guest user's name includes the label (Guest), and a channel includes an icon to indicate that there are guests on the team. For more details, see What the guest experience is like.

Guests can leave the team at any time from within Teams. For details, see How do I leave a team?

Note

Leaving the team doesn't remove the guest account from your organization's directory. This must be done by a Microsoft 365 global admin or an Azure AD admin.

Licensing for guest access

Guest access is included with all Microsoft 365 Business Standard, Microsoft 365 Enterprise, and Microsoft 365 Education subscriptions. No additional Microsoft 365 license is necessary. Teams doesn't restrict the number of guests you can add. However, the total number of guests that can be added to your tenant may be restricted by the paid features of Azure AD.