Study Guide Series: Exam MS-700 – Configure and Manage External and Guest Users (Part 2)

This post is part of the overall MS-700 Exam Study Guide. Links to each topic as they are posted can be found here.

In this section I will go through the following topics relating to configuring and managing external and Guest Users in Microsoft Teams.

  • Manage guest users for Microsoft Teams from the Microsoft Teams Admin Center
  • Configure guest access to Microsoft Teams from Azure AD admin center
  • Allow or prevent owners from adding guests
  • Configure guest access to a specific team
  • Remove guests

In the previous section of the exam guide I detailed options around external user sharing and federation. Here I move on to Azure AD B2B Guest users and how they can be managed in Microsoft Team. A guest user is distinct from an external user as they have a guest account in the destination tenant. This allows them to be added to resources such as groups or Teams and also be targeted by conditional access policies. For organizations with Azure AD Premium P1 or Azure AD Premium P2 licenses, the first 50,000 guest user accounts (combined between B2B and B2C tenants) invited to to tenant are free. After that they are charged monthly.


Manage guest users for Microsoft Teams from the Microsoft Teams Admin Center

Guest users in the tenant are largely controlled by Azure AD configuration where we limit the users who can invite guests and the domains they can invite. Once a guest account is in place however, it can be added to any resource including Teams if there are no restrictions in place. Guest access in Microsoft Teams is controlled from the Teams Admin Center (TAC). From here guests limitations are applied either tenant wide.

To control guest access to Teams in General, navigate to Users -> Guest Access in the TAC to review and update the settings. The settings available are and impact of each shown in Table 1.

SettingDetails
Allow guest access in TeamsDefines if guests should be allowed in Teams. Turning this off doesn’t impact existing Teams Guests
Make Private CallsDefines if guests should be allowed to make calls
IP videoDefines if guests should be allowed make video calls
Screen sharing modeDefines how guests can share their screen, can be set to Entire Screen (most permissive), Single application or Not enabled
Meet nowDefines if guests can use Meet now in Teams
Edit sent messagesDefines if guests can edit their own messages
Delete sent messagesDefines if guests can delete their own messages
Delete chatDefines if guests can delete chat with Teams
Giphy in conversationsDefines if guests can use Giphy in conversations
Giphy content ratingDefines the content rating of Giphys guests can use
Memes in conversationsDefines if guests can use Memes in conversations
Stickers in conversationsDefines if guests can use stickers in conversations
Immersive reader for messagesDefines if guests can use immersive reader
Table 1: Teams Guest settings

The settings here apply globally and can’t be limited to specific guests or Teams. They control how guests can operate within Teams.


Configure guest access to Microsoft Teams from Azure AD admin center

As I mentioned above, tenant-wide guest access is controlled from the Azure AD Admin Center. Options are available for who can invite guests, what domains those guests can come from and the level of permissions they have in the directory. The settings shown in Figure 1 control each of these items.

Figure 1: Guest user Azure AD settings

These settings are available from the Azure AD portal under Users -> User Settings -> External Collaboration Settings. The available configurations here are:

Guest user access restrictions

  • Guest users have the same access as members (most inclusive) – Guest users can enumerate the AAD structure to the same level as regular users
  • Guest users have limited access to properties and memberships of directory objects – Guest users can only enumerate the membership of non-hidden groups
  • Guest user access is restricted to properties and memberships of their own directory objects (most restrictive) – Guest users can’t see membership of any groups or users and can only view their own profile

Guest invite restrictions

  • Anyone in the organization can invite guest users including guests and non-admins (most inclusive) – All users and guests can invite new guest users
  • Member users and users assigned to specific admin roles can invite guest users including guests with member permissions – All internal users and any guest assigned the guest user inviter AAD role can invite new guest users
  • Only users assigned to specific admin roles can invite guest users – Only admins and users assigned the guest user inviter AAD role can invite new guest users
  • No one in the organization can invite guest users including admins (most restrictive) – No users, including admins can invite new guest users

Enable guest self-service sign up via user flows

  • On/Off – Controls the ability for users to sign up as guests using an existing supported IdP

Collaboration restrictions

  • Allow invitations to be sent to any domain (most inclusive) – Guest can be invited from any domain
  • Deny invitations to the specified domains – Guest from specific domains cannot be invited. The domain list is detailed in Target domains
  • Allow invitations only to the specified domains (most restrictive) – Only guests from specific domains can be invited. The domain list is detailed in Target domains

Allow or prevent owners from adding guests / Configure guest access to a specific team

The two previous sections deal with how guests can be invited to the tenant and added in Teams. Once guests are present in the tenant though, it may be required to prevent them from accessing specific groups or Teams. This can be achieved using Sensitivity Labels for Microsoft 365 Groups. I detailed this previously in my article about using Sensitivity Labels with Office 365 Groups and Teams. I recommend checking out that article for a full breakdown but at a high level, the setting “Let Office 365 groups owners add people outside the organization to the group” controls if guests can be added to specific groups or Teams.

Figure 2: Sensitivity labels can control guest access to specific groups

This can also be done without Sensitivity labels albeit a bit more cumbersome as it requires some PowerShell to set the directory setting on the group object through Azure AD PowerShell:

$ObjectId = (Get-UnifiedGroup -Identity <Group Name>).ExternalDirectoryObjectId
$Template = Get-AzureADDirectorySettingTemplate | ? {$_.DisplayName -eq "Group.Unified.Guest"}
$Setting = $Template.CreateDirectorySetting()
$Setting["AllowToAddGuests"] = $False
New-AzureADObjectSetting -TargetType Groups -TargetObjectId $Objectid -DirectorySetting $Setting

Remove guests

Once guests are provisioned in the tenant, the Guest accounts can be removed by admins from the tenant or by owners of specific Teams / groups as required however this process is manual. For organizations with Azure Active Directory Premium P2 licenses, Azure AD Access Reviews can be used to automatically expire guest access.


Summary

This finishes the external and Guest user section of the exam guide. We’ve gone through external sharing, guest user invitations, guest user policies and expiration. Up next I will look at Teams device configuration and management.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s