Microsoft recently announced to start rolling out a much awaited feature in Microsoft Teams – Support for consumer email account as Guests or External Users. As per Microsoft official message “Users will have the ability to add anyone with a business or consumer email account (such as Outlook.com) as a guest, enabling them to participate in Teams with full access to team chats, meetings and files. Guests with email accounts such as Gmail.com or others that do not yet have a Microsoft account associated to their email will be directed to create a Microsoft account for free, as this is required to access the Teams service.”
This is big and has a lot of potential to give Microsoft Teams gain a lot of momentum with various customers who are really looking forward to it. So, I decided to explore it in a bit more detail.
Getting Started
Sometime ago I wrote an article about getting started with Microsoft Teams. If you are new to it and just started exploring, you may want to take a look at that first.
A good starting point to start exploring External/Guest Access in Microsoft Teams are these small videos posted here. As it explains, starting with External Access in Teams seems really straight forward. All you need to do is to go to Office 365 Admin Center and from under Settings –> Services & Add-Ins, Click on Microsoft Teams.
Scroll down to Settings by User/License Type. Select Guest in the field “Select the user/license type you want to configure” and Change the option “Turn Microsoft Teams on or off for all users of this type” to “On”.
Adding External Members
Now that External/Guest Access is enabled in the Teams, lets try to add an external member and see how that behaves.
Login to the Teams at https://teams.microsoft.com or using Teams Client and click on Add members from the contextual menu of one of your existing teams.
The Add Members for will popup. Let’s try to add any external user. Type in the full email address of the user you want to give access to. In this case, I chose to use a hotmail account. As soon as it identifies it as an email address, it would show a message like “Add <email ID> as guest” in a prominent blue drop down.
It is important to ensure that correct and valid email address is being entered as Teams will not validate it.
Click on that to add the user. It would be added in the text box with Guest written next to it. When First time a guest account is added, it would also show a small pencil icon next to it, clicking on which allows us to change the display name of the user for better identification going forward.
Change the display name to something more easy to identify and save it. After that click on Add button to get the account added as Guest.
It would take 2-4 seconds to get the user added there. It take a little time first time any new guest user is added since it adds the user to the Azure AD (AAD). You can also check the user added in AAD.
So, the new guest user is added now.
Non-Microsoft Email ID User
Let’s take a quick look at what happens when you try to add any other non-microsoft consumer account. I tried to add another account with mail id in rediffmail.com domain.
Gave an identifiable name and tried to add
But when Add button was clicked. I got this error message.
It took multiple retries before I could add this account successfully as guest.
Nothing fancy here, just retry a few times by typing in the entire email ID again. Clicking on Retry icon did not help.
Finally, I could add the account as guest
Let’s see what it would look like to the guest user when he/she logs in with this account.
Guest Experience
First thing that happens when an email ID is added as guest in Teams, is that an email Invitation is sent to that email address. So, the guest user needs to go to his mailbox, open the invitation and Click on “Open Microsoft Teams”.
This opens up a new tab/window in the browser and will try to open teams. Login with the guest account credentials (i.e. hotmail email ID and mail password in this case).
Invitation Acceptance
If the guest is accessing using an account which is already registered with Microsoft, he/she would get a pop-up to select whether that is a personal or work account
Click on the appropriate option and continue.
For non-microsoft registered account, it would redirect to create the account. Register that account as a Microsoft account to continue.
After successfully logging in with the Guest credentials, the first screen it shows it to accept the invitation.
Once you click on Next and you would be presented with an option to either open Teams in a browser or download the client installable. an invitation message.
Even though I already had the Microsoft Teams client, I chose to open the guest interface in the browser. So, I clicked in “Open web app”.
First Issue
Till now, all was going well. But when it tried to open Teams in browser, I got the first error message.
Fortunately, the error message was descriptive enough. So, Microsoft team relies on third party cookies and that must not be disabled. I was using Chrome browser, so I went to settings and under Content Settings, I disabled the option to Block third-party cookies.
Invitation Window
After enabling third party cookies, when refreshed the page, you would get a message showing “You were invited to… ”
Click on Continue and you you will be redirected to Microsoft Teams Landing Page.
Success
This is how the teams landing page will look like with a guest login. At this point guest can start posting conversations and see messages posted by other team members.
If an organizational account is used, which also have Microsoft Teams access, then such guests can switch between his own Team and the team in which he/she is a guest (in another tenant) by clicking top right corner of the page.
Issue: Access to Files and Wiki
By default, you could see three tabs Conversations, Files and Wiki. When I clicked on Files Tab, I got this message.
Now, this was new. I could not find much information about this online. So, I digged deeper and this is what came up. Teams external access configuration is dependent on External access configuration of SharePoint Online Tenant.
External Access in SharePoint
Since, the Files stored in teams are stored in a special SharePoint site collection which is created based on “Groups” template, it follows the External Access configuration in SharePoint Online Tenant. Even though, by default, all SharePoint site collections that are part of an Office 365 Group have the sharing setting set to Allow external users who accept sharing invitations and sign in as authenticated users, if external access is disabled at site collection level, it will be disabled in all site collections and Groups.
In my case, External access was disabled from SharePoint Online Admin Center and that explains the above error message.
So, I went ahead and enabled this at SharePoint Online Tenant level.
It takes a few minutes, before this change is reflected in Groups and after that when you refresh your teams interface and go to files tab, you could see and upload files.
Now, this essentially mean, all new Teams and Groups created will have external access enabled by default. You can restrict access to files by disabling it in selected groups using this PowerShell command.
[code]
Connect-SPOService -Url "https://anupam-admin.sharepoint.com"
Set-SPOSite -Identity https://anupam.sharepoint.com/sites/Externals -SharingCapability Disabled
[/code]
I will not cover rest of the SharePoint Online External Access related Configurations here as this article is primarily about Microsoft Teams. But you can take a look at this article to know more about external access in SharePoint online, specially at site collection level.
What About OneDrive
I will just cover this a bit since we ended up enabling External Access in SharePoint Online Tenant and that might have some effect in OneDrive sites as well.
OneDrive sites are also special types of SharePoint site collections only and are dependent on External Sharing configurations done at SharePoint online level.
You need to go to OneDrive admin center and verify that OneDrive external sharing is configured as per the organization’s requirements.
And that’s it. Enjoy using Microsoft Teams with extended teams 🙂
Enjoy,
Anupam
4 comments
Hi Anupam, I wonder if you can help. I have guest status in Teams as it’s provided by another organisation.
Do you know if I can sync it with onedrive?
Thanks!
If you are using your personal account (gmail, hotmail etc) then it won’t work. If you have a work or school account added as a guest in another organization, it may still work, except some conditions. Take a look at this article – B2B Sync
Hello. Thank you for this comprehensive article. Can I ask if you have tips for helping an external user to understand the login process? Our external guests find the login process confusing.
When presented with the “choose account” option, they are unsure which to choose. I suppose the answer is that they should pick the account type that corresponds to the email address of the invite. Is there an easy way to communicate this to the user?
If their employer uses Teams and we, who not their employer, invite them to our Team, how does their Microsoft account reconcile the 2 organizations. Within the external users Teams app, will both their organization Teams display along side of external Teams they are invited to?
Thanks in advance for any experience you can share about this.
When we add an external guest to an MS Team, the user gets 2 emails. one related to Teams and one related to Sharepoint. Do you know if the Sharepoint email can be prevented from sending?
Hi Sue, some of the screenshots in this article are not up-to-date anymore. However, you are right, it might be confusing for end users at times.
When presented with the “choose account” option: They should use Microsoft account, if they were invited using their personal mail ID and Work or school account, if they were invited using their company ID (this should work in most scenarios).
How does their Microsoft account reconcile the 2 organizations: They will see a drop down option on top right corner of their teams client to switch to respective tenant using “Accounts and Orgs”. i.e. If the same account is a memmer in tenant 1 and a guest in tenant 2, he/she needs to switch the tenant by clicking on the tenant they want to work with.
When we add an external guest to an MS Team, the user gets 2 emails: Strangely, I don’t remember to have encountered this.