Chapter 7
IN THIS CHAPTER
Understanding how guest users and external users are different
Enabling and configuring guest access
Turning on and off guest permissions
Configuring external access
I spend most of my time working online with people from many different companies, with freelancers, and with other consultants. Rarely are we all in the same organization and on the same Microsoft 365 subscription. Microsoft has built features into Microsoft Teams that enable people to work together even if they aren’t a part of the same company or organization. Most of this functionality is built into features known as guest access, and that is the focus of this chapter.
In this chapter, you learn about guest access in Microsoft Teams and how to add people to your team who are outside of your organization and Microsoft 365 subscription. You learn how to configure the access guest users have and how to limit their access based on the level of comfort and privacy needed for your situation. You also look at the differences between a guest user and an external user and configure the permission settings for both.
Understanding How Teams Works with People Outside Your Organization
If only the world were nice and neat, and you only needed to communicate and collaborate with people inside your organization. If you are like me, that isn’t the case. You probably work with people inside and outside your organization to get your work done. The good news is that if you work with consultants or freelancers or vendors or other companies, you can add them as guests to your team in Microsoft Teams.
How guests are added to your team depends on whether or not Teams considers them members of your organization:
· When you add people to your Microsoft 365 subscription, they are considered part of your organization and you can add them as members to your teams and channels in Teams. (Yes, the wording can be awkward!)
· Anyone you add to Teams who is not part of your Microsoft 365 subscription gets added as a guest user.
There may come a time when you need to be able to communicate and collaborate with another Microsoft 365 organization. For example, suppose your organization is called Contoso, and another separate organization is called Acme. Both Contoso and Acme have different Microsoft 365 subscriptions, so their users are separate from each other. Both organizations are part of the Microsoft cloud, however, and can view each other there. Acme users see Contoso users (and vice versa) as external users. In other words, the users in each organization are still in different organizations, but both are part of the Microsoft cloud.
Microsoft has started calling these users Azure Active Directory business-to-business users, which is really a mouthful! I prefer external users even though it is easy to confuse with the term guest users.
Let’s dive into the differences and get a feel for guest users and external users in Teams.
A guest user can be anywhere in the world. All the person needs is an email address to be invited to your teams as a guest. Guest users do not need to have a Microsoft 365 subscription. An external user is someone who is part of another Microsoft 365 subscription — their subscription is separate from yours.
Working with Guest Users
For someone to be able to see your channels and chat with you in Teams, that person needs to be part of your team in Teams. The way you add people to your team as a guest is by inviting them. Once the person has joined your team, you can chat, share files, and collaborate.
Enabling guest access
Before you can add guests to your team, the subscription administrator must turn on the Guest Access feature in the Teams Admin Center. You must also be the owner of the team in order to add and remove members or guests.
An easy way to know if you have the ability to add guest users is to click the ellipsis to the right of one of your teams in the left navigation pane to open the More Options drop-down menu. Select the Add Member option. If you can add guest users, the text in the Add Members dialog box will say “Start typing a name, distribution list, or security group to add to your team. You can also add people outside your organization as guests by typing their email addresses.”
To enable guest access in the Teams Admin Center, follow these steps:
1. Open your web browser and log in to the Teams Admin Center at https://admin.teams.microsoft.com.
Note that you need to be a Teams administrator in order to access the Teams Admin Center. If you signed up for the Microsoft 365 subscription (see Chapter 1), then you are an administrator by default.
2. In the left navigation pane, select Org-Wide Settings and then Guest Access.
The Guest Access screen appears, where you can toggle this option on or off.
3. Toggle the setting to allow guest access to Teams, as shown in Figure 7-1.
Once you toggle on guest access, additional settings appear, as shown in Figure 7-2. There are settings for calls, meetings, and messaging, and you can toggle them on or off based on your preferences.
4. Click the Save button to save your changes.
Guest access is now enabled for Teams.
I have seen Teams take up to 24 hours for changes to take effect. If the changes don’t happen within 48 hours though, it’s time to open a support ticket and find out what is going on.
FIGURE 7-1: Turning on guest access for Teams.
FIGURE 7-2: Guest access settings in the Teams Admin Center.
Configuring guest settings
When you turn on guest access in Teams (see the previous section if you still need to do so), you allow users to invite guests to their teams. In the Guest Access screen shown in Figure 7-1, you can fine-tune the settings for guest users with settings for calling, meetings, and messages.
Calling settings
· Make private calls: This setting allows guests to make peer-to-peer calls using the Internet through Teams. This doesn’t mean guests can make actual phone calls; in order to have a phone number assigned and make phone calls, they must be a full member of your Microsoft subscription and have the appropriate license in place. (See Chapter 11 for more about making phone calls through Teams.)
Meeting settings
· Allow IP video: This setting lets guest users include video in team meetings, chats, and calls. I have found some companies don’t allow video with guests for compliance reasons. Perhaps they are afraid of inappropriate video communication using company resources.
· Screen sharing mode: Similar to allowing video or not, this setting allows users to screen share or not. Screen sharing is when you share your computer screen with the other members of the team during a meeting. You can configure this setting to disable screen sharing all together, allow sharing of only a single software application at a time, or allow sharing of the entire computer screen. Compliance reasons are the usual cause for turning this setting off. I can imagine someone innocently sharing their screen to a guest user when the internal company earnings email comes out. Oops!
· Allow Meet Now: The Meet Now functionality provides a quick way to create an ad hoc meeting. The alternative is that a Teams user needs to create a calendar meeting and include the guest users in the meeting. When this happens, the meeting is part of the calendar system and it is clear who is attending. The Meet Now functionality, on the other hand, is an ad hoc meeting; think of it like making a phone call. This setting gives you control over whether you will allow guest users to start Meet Now ad hoc meetings or not.
Messaging settings
· Edit sent messages: This setting turns on or off the ability for guests to edit the messages they have sent in Teams. If this setting is disabled, you have to be prepared for some random messages and mistyping or mis-sending of messages. However, often for compliance reasons, you may want a record of every message a guest has sent. This can help prevent the tricky situation when someone said he said one thing but then when you go back and look at the message, it says something different because it had been edited.
· Delete sent messages: For similar reasons you might not want to allow guests to edit their messages; you can use this setting to disallow guests from deleting messages they have sent.
· Chat: Sending messages in an official channel is a lot different than sending personal chat messages to individual users. You can use this setting to allow guests to use official Teams channels but not send private messages to individual users.
· Use Giphys in conversations: A Giphy is an animated image in the GIF format. Teams uses an online database of these animated images, and you can choose to let guest users send them in messages or not. Some of the popular Giphys I have seen include everything from lighthearted scenes from popular sitcoms to violence from the latest blockbusters. The online database Teams uses can be found at https://giphy.com.
· Giphy content rating: If you do choose to let guest users send Giphys, you can fine-tune how strict you want to be with the content they include. The online Giphy database includes content ratings, and you can decide if you want to disallow content based on those ratings.
· Use Memes in conversations: Like a Giphy, a Meme is a way to include more emotion and connection in messages. A Meme is a short comic book–type depiction of a popular theme. You can allow guests to insert Memes in messages or not with this setting.
· Use Stickers in conversations: A sticker is another way to show emotion and create connection and shared experience using messages. Just like a physical sticker, a virtual sticker might be an image or a drawing or a picture. You can choose whether to allow guests to include stickers or not with this setting.
· Allow immersive reader for viewing messages: The Windows immersive reader opens a message and reads it aloud with a line appearing under each word as it is pronounced by the computer. You can decide if you want to allow guest users to open messages in the Windows immersive reader or not.
Inviting guests to the team
To work with guest users, you need to first add them to one of your teams. It is important to remember that guest users can be anyone outside your organization.
As a best practice, I like to make sure the title of the team to which I am inviting guest users includes the wording “Internal and External Users” so that it is clear to everyone that the discussion happening in the channels is not confidential.
To add a guest user to your team, follow these steps:
1. Select the Teams icon in the left navigation pane to see a list of all your teams.
2. Next to the team you would like to add a guest user, click the ellipsis and select Add Member from the More Options drop-down menu, as shown in Figure 7-3.
The Add Members dialog box appears. Make sure the message at the top of the dialog says that you can also add people outside your organization. If you don’t see this, refer back to “Enabling guest access” earlier in the chapter to turn on the Guest Access feature in the Teams Admin Center.
FIGURE 7-3: Choosing Add Member from the More Options drop-down menu.
3. Type the email address of the person you would like to add to the team.
Once the email is verified as valid, you can select it from the drop-down menu that appears (see Figure 7-4).
4. Enter as many email addresses as you would like to add and then click the Add button, as shown in Figure 7-5.
5. Click the Close button to close the dialog box.
FIGURE 7-4: Choosing a valid email address to add as a guest.
FIGURE 7-5: Adding email addresses as guest users in Teams.
Once you have added guest users, you can send them chat messages in the channel. And don’t forget that you can mention them using the @ (“at”) symbol. When you @ tag someone, that person is notified, based on their notification settings, that you are trying to get his or her attention. (I cover setting your notifications in Chapter 8.)
On the guest user side, that person will receive an email message that invites them to join the team. If that person’s email address is already associated with a user in Teams, then that user can immediately start chatting with you. If the guest user is brand new to Teams, they will be guided through a setup process and can start chatting with you using the web version of Teams. The guest user experience is refreshingly straightforward. I have been sitting next to people who have never heard of Teams before get the email invitation to join a team and they are able to start chatting in minutes. Hurray for Microsoft getting this part of the process right!
In addition to adding guests using their email addresses, you can also get a URL link to the team and send that link to anyone you want to invite to join the channel. When invitees click the link, they can log in with their Microsoft accounts and they are automatically joined to the team as a guest, as shown in Figure 7-6. You can get a link to the team by going to the More Options drop-down menu next to the team and selecting the Get Link to Team option. You will find the link on the drop-down menu when you click the ellipsis next to the name of a team.
FIGURE 7-6: A guest can join a team using a special link.
When using the link to invite people to join a team or channel, make sure you keep the link a secret. Anyone with the link will be able to join the team as a guest, so treat it like a special ticket and only give it to people you want to be able to join the team.
Understanding the guest user experience
The general experience of collaborating with a guest user is almost identical to working with colleagues on the same Microsoft 365 subscription. However, there are some differences.
If you choose to allow it, you can let guest users create channels, participate in channel conversations and private chats, post and edit messages, and share channels. However, guest users cannot create teams, join public teams, view org charts, share files from a private chat, add apps, create meetings, access schedules, access OneDrive files, or invite other guests. There are also many limitations for guests regarding using voice and calling features in Teams. If you are interested in learning more about this topic, Microsoft has an excellent article titled “What the guest experience is like,” and you can search for it using your favorite search engine. It goes into all the nitty-gritty detail of working with Teams as a guest, and I refer to it and the tables it contains whenever I am working with a guest user and we are trying to figure out why something works for me but not for them.
You can fine-tune the permissions guest users have in your teams. Earlier in the chapter, I describe the settings you can configure that affect your entire Microsoft 365 subscription, which is also known as a tenant. In the next section, I cover the settings you can configure for your individual teams.
Setting permissions for guest users at the team level
Earlier in this chapter, you discover how to enable guest access in the Teams Admin Center, and how to configure the various guest settings. However, those settings affect every team in Teams in your Microsoft 365 subscription. To fine-tune settings further, you can configure guest settings for each individual team.
WHAT IS A TENANT?
When you create a new Microsoft 365 subscription, you are creating a new tenant. Think of a tenant like you would think of a tenant in an apartment complex. An individual apartment might have multiple people living in it, but each unit is a separate space and on a separate contract from the other apartments. Similarly, your Microsoft 365 subscription can include many teams that are part of your same Teams service.
Microsoft is adding features to Teams at a feverish pace, and additional guest settings are added to Teams all the time. So, you might see more settings than I discuss here depending on when your Microsoft 365 tenant receives them.
To configure guest settings for a team, follow these steps:
1. Select the Teams icon from the left navigation pane to see a list of all your teams.
2. Click the ellipsis next to the name of the team you want to manage to open the More Option drop-down menu.
3. Select Manage Team.
4. Select the Settings tab at the top of the screen (see Figure 7-7) and then expand the Guest Permissions option.
FIGURE 7-7: Configuring guest permissions in a team.
5. Select the options to allow guests to create or update channels or to delete channels.
· Allow creating and updating channels: This setting is used to allow guests to create new channels or update existing channels. If you have a team with a lot of guests, you might want to allow them to create new channels within the team. The number of channels in a team can quickly grow out of control, though, so I recommend coaching your guest users on your preferences if you let them create their own channels. I have seen teams with guest users that have more channels created than I ever thought possible. In the end, I suppose it depends on how well-behaved your guests are.
· Allow guests to delete channels: With this setting, you can allow or not allow guests to delete channels they created. This setting is often used as a compliance measure when you don’t mind guests creating new channels and sending messages in them, but you don’t want them to delete any of those channels.
After you make your selections, your changes are saved automatically.
Interacting with External Users
As you have seen in this chapter, you can collaborate and interact with guest users in much the same way you work with people within your organization. However, there is one more case to consider.
Suppose you work with people at Acme frequently. You need to be able to chat with them, and they need to be able to chat with your organization. However, you don’t want to add every single user as a guest user for every team. You can use a feature in the Teams Admin Center called external access.
External access gives you the ability to approve users based on the domain in their email address. Let’s say Acme has the Internet domain acme.com. You can add the domain to the external access list so that anyone with an email address @acme.com can chat with members of your organization. External access is flexible, too. You can allow all domains on the Internet and block specific domains, or you can block all domains on the Internet and allow only specific domains.
Some of the key differences between guest user access and external user access are outlined in Table 7-1 and available in the Microsoft Teams documentation at https://docs.microsoft.com/en-us/microsoftteams.
TABLE 7-1 Key differences between guest user access and external user access in Teams
|
Feature |
External user access |
Guest user access |
|
User can chat with someone in another company |
Yes |
Yes |
|
User can call someone in another company |
Yes |
Yes |
|
User can see if someone from another company is available for call or chat |
Yes |
Yes |
|
User can search for users across external tenants |
Yes |
No |
|
User can share files |
No |
Yes |
|
User can access Teams resources |
No |
Yes |
|
User can be added to a group chat |
No |
Yes |
|
User can be invited to a meeting |
Yes |
Yes |
|
Additional users can be added to a chat with an external user |
No |
N/A |
|
User is identified as an external party |
Yes |
Yes |
|
Presence is displayed |
Yes |
Yes |
|
Out of office message is shown |
No |
Yes |
|
Individual user can be blocked |
No |
Yes |
|
@mentions are supported |
Yes |
Yes |
|
Make private calls |
Yes |
Yes |
|
Allow IP video |
Yes |
Yes |
|
Screen sharing mode |
Yes |
Yes |
|
Allow Meet Now |
No |
Yes |
|
Edit sent messages |
Yes |
Yes |
|
Can delete sent messages |
Yes |
Yes |
|
Use Giphy in conversation |
Yes |
Yes |
|
Use memes in conversation |
Yes |
Yes |
|
Use stickers in conversation |
Yes |
Yes |
Source: https://docs.microsoft.com/en-us/microsoftteams/communicate-with-users-from-other-organizations
You will find the external access settings in the Teams Admin Center listed under Org-Wide Settings, as shown in Figure 7-8. I cover the Teams Admin Center in depth in Chapter 13.
FIGURE 7-8: Configuring external access in the Teams Admin Center.