Monday, December 7, 2020

Guest access in Microsoft Teams

Guest access — Allows users from outside the organization to become nearly full-fledged team members who can make calls, participate in chats, set up meetings and access shared files. Team owners can add guests on an individual basis. Use guest access when you want to grant an external user access to the same Teams activities, channels and shared resources as native team members.

Guest access is a tenant-wide capability in Teams that is disabled by default.

When guest access is enabled, anyone outside your organization who has a business or consumer email account can become a guest. Eligible guests receive an email invitation from the team owner. Once they redeem the invitation by clicking Open Microsoft Teams, they get added to the team with guest user permissions.

Guests can chat, make calls and participate in channel conversations. They can also create channels and share files. However, guests don’t have access to other functions available to team members of the organization, like OneDrive for Business and the Teams calendar.

Team owners can add as many guests as they wish, up to the limit defined by your Azure Active Directory (Azure AD) license. Guest access is governed by service limits in Azure AD and Microsoft 365 (formerly known as Office 365).

For security, Microsoft covers Teams guest accounts with the same compliance and auditing protection used elsewhere in Microsoft 365.

Setting up guest access

Guest access in Teams requires configuring other settings in Microsoft 365, including settings in Azure AD, Microsoft 365 Groups, and SharePoint. If you're ready to start inviting guests to teams, read one of the following:

Guest access in Teams is an organization-wide setting and is turned off by default. You can control guest access to individual teams by using sensitivity labels.

How a guest becomes a member of a team

  1. A team owner or a Microsoft 365 admin adds a guest to a team.
  2. The guest receives a welcome email from the team owner, with information about the team and what to expect now that they're a member.
  3. The guest accepts the invitation. Guest users who have a work or school account in Azure Active Directory can accept the invitation and authenticate directly. Other users are sent a one-time passcode to validate their identity (one-time passcode authentication required).
  4. After accepting the invitation, the guest can participate in teams and channels, receive and respond to channel messages, access files in channels, participate in chats, join meetings, collaborate on documents, and more.

In Teams, guests are clearly identified. A guest user's name includes the label (Guest), and a channel includes an icon to indicate that there are guests on the team. For more details, see What the guest experience is like.

Guests can leave the team at any time from within Teams. For details, see How do I leave a team?

Note

Leaving the team doesn't remove the guest account from your organization's directory. This must be done by a Microsoft 365 global admin or an Azure AD admin.
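
Because a guest who has left every team still has an account in the directory, it is worth reviewing guest accounts periodically. The following PowerShell is an added example, not part of the original post; it assumes the AzureAD or AzureADPreview module is installed and that you have already signed in with Connect-AzureAD, and the output file name is a placeholder.

```powershell
# Added example (not from the original post): report guest accounts and the
# groups/teams each one still belongs to, so leftover accounts can be reviewed.
# Assumes the AzureAD or AzureADPreview module and an existing Connect-AzureAD session.

function Get-GuestMembershipReport {
    [CmdletBinding()]
    param()

    # Guest accounts are directory users whose userType is 'Guest'.
    $guests = Get-AzureADUser -All $true -Filter "userType eq 'Guest'"

    foreach ($guest in $guests) {
        # Memberships include groups (every team is backed by a group) and directory roles.
        $memberships = @(Get-AzureADUserMembership -ObjectId $guest.ObjectId -All $true)
        $groups = @($memberships | Where-Object { $_.ObjectType -eq 'Group' })

        [pscustomobject]@{
            DisplayName = $guest.DisplayName
            Mail        = $guest.Mail
            UserState   = $guest.UserState   # PendingAcceptance until the invitation is redeemed
            GroupCount  = $groups.Count
            Groups      = ($groups | ForEach-Object { $_.DisplayName }) -join '; '
            ObjectId    = $guest.ObjectId
        }
    }
}

$report = @(Get-GuestMembershipReport)

# Guests that are in no group at all: candidates for removal from the directory.
$report | Where-Object { $_.GroupCount -eq 0 } |
    Format-Table DisplayName, Mail, UserState, ObjectId -AutoSize

# Full list for review (the file name is a placeholder).
$report | Export-Csv -Path .\guest-membership-report.csv -NoTypeInformation
```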

Licensing for guest access

Guest access is included with all Microsoft 365 Business Standard, Microsoft 365 Enterprise, and Microsoft 365 Education subscriptions. No additional Microsoft 365 license is necessary. Teams doesn't restrict the number of guests you can add. However, the total number of guests that can be added to your tenant may be restricted by the paid features of Azure AD.

Wednesday, January 1, 2020

Search the audit log for events in Microsoft Teams


The audit log can help you investigate specific activities across Office 365 services. For Teams, here are some of the activities that are audited:
  • Team creation
  • Team deletion
  • Added channel
  • Changed setting

To see the complete list of activities that are audited in Office 365, read Search the audit log in the Office 365 Security & Compliance Center.

Turn on auditing in Teams

Before you can look at audit data, you first have to turn on auditing in the Security & Compliance Center. For help turning on auditing, read Turn Office 365 audit log search on or off. To enable the audit log in your tenant, in the Office 365 Admin Portal browse to the Security & Compliance Admin Center -> Search & investigation -> Audit log search. Click Start recording user and admin activities, then click Turn On.

Important
Audit data is only available from the point at which you turned on Auditing.

Retrieve Teams data from the audit log
1.    To retrieve audit logs, go to the Security & Compliance Center. Under Search, select Audit log search.
3.    Sign in to Office 365 using your work account.
4.    In the left pane of the Security & Compliance Center, click Search, and then click Audit log search.
5.    Use Search to filter by the activities, dates, and users you want to audit.
6.    Export your results to Excel for further analysis.

Note
You have to first turn on audit logging before you can run an audit log search. If the Start recording user and admin activity link is displayed, click it to turn on auditing. If you don't see this link, auditing has already been turned on for your organization.
Tip
If you're using the maximum date range of 90 days, select the current time for the Start date. Otherwise, you'll receive an error saying that the start date is earlier than the end date. If you've turned on auditing within the last 90 days, the maximum date range can't start before the date that auditing was turned on.
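
The same search can be run from PowerShell. This is an added example, not part of the original post; it assumes the ExchangeOnlineManagement module with an existing Connect-ExchangeOnline session, and it assumes the operation names TeamCreated, TeamDeleted, ChannelAdded and TeamSettingChanged for the four activities listed earlier. The function name and output file are hypothetical.

```powershell
# Added example (not from the original post): pull Teams events from the unified
# audit log and flatten them for export.
# Assumes the ExchangeOnlineManagement module and an existing Connect-ExchangeOnline session.

function Get-TeamsAuditEvent {
    [CmdletBinding()]
    param(
        # Keep the window inside the 90-day range mentioned in the tip above.
        [datetime]$StartDate = (Get-Date).AddDays(-7),
        [datetime]$EndDate   = (Get-Date),
        # Operation names assumed for: team creation, team deletion, added channel, changed setting.
        [string[]]$Operations = @('TeamCreated', 'TeamDeleted', 'ChannelAdded', 'TeamSettingChanged')
    )

    $search = @{
        StartDate      = $StartDate
        EndDate        = $EndDate
        RecordType     = 'MicrosoftTeams'
        Operations     = $Operations
        SessionId      = [guid]::NewGuid().ToString()
        SessionCommand = 'ReturnLargeSet'   # page through results under one session id
        ResultSize     = 5000
    }

    $records = @()
    do {
        # Each call with the same SessionId returns the next page; an empty page ends the loop.
        $page = @(Search-UnifiedAuditLog @search)
        $records += $page
    } while ($page.Count -gt 0)

    # ReturnLargeSet is unsorted and can repeat records, so de-duplicate on Identity.
    foreach ($record in ($records | Sort-Object Identity -Unique)) {
        $data = $record.AuditData | ConvertFrom-Json   # event details are a JSON string
        [pscustomobject]@{
            TimeUtc   = $record.CreationDate
            User      = $record.UserIds
            Operation = $record.Operations
            TeamName  = $data.TeamName      # empty when the event has no team context
            Channel   = $data.ChannelName   # empty for team-level events
        }
    }
}

Get-TeamsAuditEvent -StartDate (Get-Date).AddDays(-30) | Sort-Object TimeUtc |
    Export-Csv -Path .\teams-audit.csv -NoTypeInformation
```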

Here's the process for searching the audit log in Office 365.



Recover deleted Teams


In Microsoft Teams, team owners can delete a team, and sometimes a team is deleted by accident. A deleted team is held in the "recycle bin" for 30 days before it is permanently deleted. Below is the process of restoring a deleted team in Microsoft Teams.

  • Once a team is deleted, the option to recover it exists for up to 30 days
  • Everything in it (channels, files, tabs, etc.) will reappear as it was before
  • The restore can take up to 4 hours
  • To restore, from the Exchange admin center, select recipients, then groups
  • Locate the group (only if soft deleted)
  • Select the group and choose restore



Confirm that the recently deleted team shows on the list and select it

On the right-hand side menu, click the “Click here to restore” option


Confirm the restoration request

or

Launch PowerShell as an administrator.
Note: at the time of this writing, this restore procedure requires the AzureADPreview module to be installed. To install it, type Install-Module AzureADPreview and follow the prompts.
IMPORTANT: When a team is created in Microsoft Teams, it creates an Office 365 group. This procedure is the process for restoring an Office 365 group and is documented in more detail here.

       PowerShell commands to restore
                Connect-AzureAD                                          # sign in to the tenant first
                Get-AzureADMSDeletedGroup                                # make note of the Object ID
                Restore-AzureADMSDeletedDirectoryObject -Id <objectID>

MS Teams Data Storage


Conversation Storage
Chat: Most chats are stored in memory. Chat uses Azure storage (blob, tables, and queues), and is moving to Cosmos DB (one-on-one chats and group chats are in Cosmos DB already).
Substrate/Exchange: All the chat and channel messages are stored in Exchange for information protection purposes.
Conversation Images & Media: Inline images and other media are stored separately (Giphys aren’t stored).

File Storage
1-1 Chats: Any files shared in these chats are stored in the OneDrive for Business of the person who posted them, and permissions are set for members of the chat to read them.
Team Conversations: These are uploaded to SharePoint, and there’s a folder associated with each channel in the appropriate Team.
Cloud Storage: Microsoft Teams supports Dropbox, Box, Citrix ShareFile, and Google Drive as cloud storage service options.



Clean the Microsoft Teams Client Cache

Clearing the Teams client cache is the first step in troubleshooting. The trouble is, the cache for Teams isn’t in one place or even a single directory. It’s split across multiple directories, including Internet Explorer and Chrome cache locations.

Fully exit the Microsoft Teams desktop client. To do this, either right-click Teams in the icon tray and select ‘Quit’, or run Task Manager and fully kill the process.

The cache locations are:
  • %AppData%\Microsoft\teams\application cache\cache
  • %AppData%\Microsoft\teams\blob_storage
  • %AppData%\Microsoft\teams\databases
  • %AppData%\Microsoft\teams\cache
  • %AppData%\Microsoft\teams\gpucache
  • %AppData%\Microsoft\teams\Indexeddb
  • %AppData%\Microsoft\teams\Local Storage
  • %AppData%\Microsoft\teams\tmp
  • %LocalAppData%\Google\Chrome\User Data\Default\Cache
  • %LocalAppData%\Google\Chrome\User Data\Default\Web Data
  • %LocalAppData%\Google\Chrome\User Data\Default\Cookies
  • Internet Explorer Cookies
  • Internet Explorer Temporary Internet Files
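
The steps above can be scripted. This PowerShell is an added example, not part of the original post; the function name is hypothetical, it assumes the desktop client runs as a process named Teams, and it does not touch the two Internet Explorer locations.

```powershell
# Added example (not from the original post): quit Teams and empty the cache
# locations listed above. Run with -WhatIf first to see what would be deleted.

function Clear-TeamsClientCache {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Also clear the Chrome locations from the list. Chrome must be closed, and
        # deleting Cookies signs the user out of every site in that profile.
        [switch]$IncludeChrome
    )

    $teamsRoot = Join-Path $env:APPDATA 'Microsoft\teams'
    $targets = 'application cache\cache', 'blob_storage', 'databases', 'cache',
               'gpucache', 'Indexeddb', 'Local Storage', 'tmp' |
        ForEach-Object { Join-Path $teamsRoot $_ }

    if ($IncludeChrome) {
        $chromeRoot = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default'
        $targets += 'Cache', 'Web Data', 'Cookies' |
            ForEach-Object { Join-Path $chromeRoot $_ }
    }

    # The client keeps these files open, so it has to be fully closed first.
    # Assumption: the desktop client's process name is "Teams".
    Get-Process -Name Teams -ErrorAction SilentlyContinue | Stop-Process -Force

    foreach ($path in $targets) {
        # Not every location exists on every machine.
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $item = Get-Item -LiteralPath $path -Force
        if ($item.PSIsContainer) {
            # Empty the folder but keep the folder itself.
            Get-ChildItem -LiteralPath $path -Force |
                Remove-Item -Recurse -Force -ErrorAction Continue
        } else {
            # Web Data and Cookies are single files, not folders.
            Remove-Item -LiteralPath $path -Force -ErrorAction Continue
        }
    }
}

# Dry run: lists the process stop and deletions without performing them.
Clear-TeamsClientCache -WhatIf
```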