What does external access mean?
External access in Microsoft Teams allows you to collaborate with users outside your organisation. The terms external user and guest user are both commonly used in this context. There are two types of external access in Microsoft Teams: guest access and external access.
Technically, the two work differently. In both cases, external users take part in the collaboration with their own organisational accounts.
With the help of external access in Microsoft Teams, there is no need to create new user accounts for the external guests. This allows the organisation to save on licensing costs and gives the external users a better user experience during collaboration. They have the option of using their own company accounts.
If you have not defined processes for working with external users and external sharing is open, this can lead to problems.
The danger is that you can no longer track which of the documents stored in your teams are shared with external users, and you lose control of your corporate data through unauthorised access from outside your organisation.
External access vs. guest access
If you do not want external users to have free access to your company data, then you need to know how to control external access and where to configure it.
Within the Teams Admin Center you will come across the term external access. There is a difference between the terms external access and guest access:
External access in this context means that you grant users of an external domain access to your domain. The external user is then authorised to use Microsoft Teams chat with your users. Files shared outside the chat cannot be accessed by the external user, and it is also possible to prohibit the sharing of documents in private Teams chats.
Guest access, on the other hand, means that you invite an external user directly into your Microsoft Teams team and thus give them access to the data stored there.
The goal is to ensure collaboration between your employees and external users. This is why we will be talking about guest access in the course of this blog post.
Options for external access settings
In your Azure Active Directory portal, you can manage your guest users and add new ones. Further settings are available in the organisational relationships area; among other things, you can decide there whether the owners and members of your teams are allowed to invite guests on their own.
Microsoft Teams Admin Center
With the Microsoft Teams Admin Center, you can manage guest access within the organisation-wide settings. If you activate the slider for guest access in Teams, guest users can be invited into each of your teams. Apart from choosing which features guest users may use within your organisation, the standard Microsoft tooling offers no further control options.
Microsoft 365 Admin Center
Within your Microsoft 365 Admin Center settings, you have the option to activate the external sharing function under Security and Compliance.
Before you can allow your users to invite new guests to your organisation, another sharing setting must be enabled within Office 365 Groups.
Within the Office 365 Groups settings, navigate to Services and Add-ins, where you are given two setting options for your guest access.
To give guest users full access to a team, you need to tick the first box. If you tick the second option, the owners of your teams are given permission to invite external users directly into their teams. If you do not trust the owners of your teams with this permission, you must manually add all guests to the AD and to the individual groups.
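The portal settings described above can also be read and changed from PowerShell. The following is an added example, not code from the original post: it reads the directory-level setting for who may invite guests and the Teams guest access switch, then restricts invitations to administrators and members of the Guest Inviter role so that team owners cannot add guests on their own. It assumes the Microsoft.Graph PowerShell SDK and the MicrosoftTeams module are installed; the cmdlet and parameter names are as documented for those modules at the time of writing and should be checked against the versions you run.

```powershell
# Added example (not from the original post): audit and tighten who may invite guests.
# Assumes Microsoft.Graph and MicrosoftTeams modules; run as a Global or Teams administrator.
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization'
Connect-MicrosoftTeams

# Directory level: who is allowed to invite guests (Azure AD "External collaboration settings").
# Possible values: none, adminsAndGuestInviters, adminsGuestInvitersAndAllMembers, everyone
Get-MgPolicyAuthorizationPolicy | Select-Object AllowInvitesFrom

# Teams level: the guest access slider from the Teams admin center
Get-CsTeamsClientConfiguration | Select-Object Identity, AllowGuestUser

# Tighten: only admins and users holding the Guest Inviter role may invite.
# With this value, team owners cannot invite guests themselves and must go through IT.
Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId 'authorizationPolicy' -AllowInvitesFrom 'adminsAndGuestInviters'

# Re-read the policy to confirm the change took effect
(Get-MgPolicyAuthorizationPolicy).AllowInvitesFrom
```

The two read-only calls are worth running on their own before any change: they show whether guest invitations are currently open to every member, which is the situation the text warns about.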
SharePoint Admin Center
With the SharePoint Admin Center, you can transfer the external permissions to the Azure organisational relationships or create a separate list for external guests independently of Azure.
If you want SharePoint to follow the Azure settings, go to Services and Add-ins in your Microsoft 365 Admin Center and navigate to SharePoint. If you select only existing guests there, SharePoint adopts the guests stored in AD and cannot add external users on its own.
If you want a list for your external guests in SharePoint that is independent of Azure, select Everyone. In this way, SharePoint sites can also be shared with anonymous users and used by them.
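The two SharePoint sharing options just described correspond to values of the tenant-wide sharing capability, which can be inspected and set with the SharePoint Online Management Shell. The following is an added example, not code from the original post; it assumes the Microsoft.Online.SharePoint.PowerShell module is installed, that you are a SharePoint administrator, and that the tenant name contoso is replaced with your own.

```powershell
# Added example (not from the original post): set the tenant-wide SharePoint sharing level.
# Assumes the SharePoint Online Management Shell; "contoso" is a placeholder tenant name.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# Show the current setting before changing anything
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType

# "Only existing guests": SharePoint reuses the guests already present in Azure AD and
# cannot invite new external users on its own.
Set-SPOTenant -SharingCapability ExistingExternalUserSharingOnly

# "Everyone": additionally permits Anyone links, i.e. access without signing in.
# Left commented out; enabling it widens exposure and should be a deliberate decision.
# Set-SPOTenant -SharingCapability ExternalUserAndGuestSharing

# Verify the tenant now reports the intended level
(Get-SPOTenant).SharingCapability
```

Site-level sharing can never be more permissive than the tenant-level value, so this one setting caps what individual site owners are able to do.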
External users need to be managed carefully
If you are not actively looking after the access of external users on your Teams platform, then this can lead to unauthorised access to company data. Depending on the scenario, this could mean legal consequences for the company.
Collaboration with external users completed, now what?
- Once collaboration with external users is complete, they should be removed from Teams as a matter of urgency.
- If external users are not removed in time, unauthorised access to company data within the team occurs unintentionally.
- This happens most often in project collaboration: once the project is completed, usually no one takes care of archiving the team or of what becomes of its members, so external users continue to have access to the chat history within the team.
- Such a case can have different consequences for the data protection of your company.
Access to company data without NDA
An important task is to regularly check the non-disclosure agreements (NDA) and data protection agreements with external users or, if necessary, to conclude new ones. Otherwise, third parties can access your company data without entering into an obligation.
What should you avoid from an IT perspective for the administration of external users?
If you want to ensure continued collaboration with external users, you can create new user accounts in the company Active Directory for the respective external users.
Afterwards, you can add the external users back into the corresponding team rooms with their company accounts. This way, external guest access can be completely switched off, as only internal company accounts are used.
If you only work with external users sporadically, this will be a simple and quick solution, but it is not recommended as it will result in additional licensing costs for your company.
If you also have an active change of many external users in your company, this will quickly lead to high costs due to the additional licences.
You can read about the problems this causes in the following sections.
Why external user management in Microsoft Teams is awkward
If external access is not actively controlled, this represents an enormous security risk for your company. External users should therefore only be in a Teams team as long as they are needed.
External users are usually added directly by the owners of a team, and removing them is likewise a manual step. This has to be done for each individual team, as membership is permanent and not time-limited.
While adding external team users is simple, their continued management comes at a significant cost. An external user with whom collaboration has already been terminated must be found in the respective team and removed. The effort increases linearly with the number of external users.
Issues with corporate accounts for external users and alternatives for collaboration with external users
If you create additional company accounts for external users, you have to actively check them and add or remove them in the respective team rooms. On top of the administrative time spent by the internal IT department, IT also has to coordinate with the respective departments to review the external users.
There are also additional licensing costs for the newly created users, and in our experience external users tend to be reluctant to use corporate accounts, which has a negative impact on response times during collaboration (external users are often easier to reach via their own accounts).
As soon as employees see the need to collaborate with external service providers or customers in a team room, an increased effort from the IT department follows. This also means that appropriate licensing and access rights have to be assigned.
It may also happen that company accounts are created for external users and these are never removed from the team rooms. This results in permanent access to the team and the data it contains.
Manage external users on the basis of standard Microsoft tools
One solution is the Access Review feature of Azure AD, which can analyse the current access rights or automatically remove external users from the rooms. However, this can only be set manually by Azure AD administrators and the duration cannot be specified, e.g. based on teams. The feature also requires an Azure AD P2 licence, which is often not used by medium-sized companies.
Azure AD P2: advantages and disadvantages
Azure AD Premium P2 is very commonly used to gain visibility into user activity within Azure infrastructure, Office 365 and web applications.
The feature set of Azure AD Premium P2 provides administrators with the ability to comprehensively manage all users and their SSO access.
By leveraging Azure AD's identity protection and privileged identity management, AAD Premium P2 provides administrators with much more data than previous versions and alerts organisations in a way that helps them achieve compliance and troubleshoot issues with AAD or Azure.
At all pricing levels, Azure AD is designed to work with a separate directory service.
Organisations looking to move to a cloud infrastructure may struggle to use AAD Premium P2 all on its own. This means you will not be able to manage users' access to their networks via RADIUS. Additionally, the system management features are limited.
Recommended approaches to managing external users
To prevent uncontrolled access by external users, there are some best practices you can follow.
Our recommendation is to define approved domains (an allow list, or whitelisting) and not to create new users in the corporate environment. External users can then be invited into Teams teams with their own user accounts.
Make sure that the membership of external users can be given a time limit, e.g. 7, 30, 90 or 180 days, after which it is deleted automatically.
Give your users the option to extend, shorten or remove this period on request. This cannot be achieved with the standard Microsoft tools, which is why a separate solution is needed at this point.
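A time-limited membership of the kind recommended here, and the clean-up after a project that the earlier sections call for, can be scripted without a P2 licence by keeping your own ledger of guest memberships and their expiry dates. The following is an added example, not code from the original post or from any product: a small PowerShell script that reports expired memberships (dry run by default), removes them only when asked to, and lets a period be extended or shortened on request. The ledger format (GroupId, Guest, ExpiresOn) is this example's own assumption; the live path uses the MicrosoftTeams module (Get-Team, Get-TeamUser, Remove-TeamUser) after Connect-MicrosoftTeams as a Teams administrator, and the sample data is constructed with placeholder GroupIds and addresses.

```powershell
# Added example (not from the original post): expire guest memberships from a ledger.
# Ledger entries are objects with GroupId, Guest (UPN) and ExpiresOn (yyyy-MM-dd); assumed format.

function Get-ExpiredGuestMembership {
    param(
        [Parameter(Mandatory)] [object[]] $Ledger,
        [datetime] $Now = (Get-Date)
    )
    # A membership has expired once its ExpiresOn date lies before $Now
    $Ledger | Where-Object { [datetime]$_.ExpiresOn -lt $Now }
}

function Set-GuestMembershipExpiry {
    param(
        [Parameter(Mandatory)] [object[]] $Ledger,
        [Parameter(Mandatory)] [string]   $GroupId,
        [Parameter(Mandatory)] [string]   $Guest,
        [Parameter(Mandatory)] [ValidateSet(7, 30, 90, 180)] [int] $Days,   # periods named in the text
        [datetime] $Now = (Get-Date)
    )
    # Extend or shorten on request: drop the old entry and add one with the new expiry
    $kept = @($Ledger | Where-Object { -not ($_.GroupId -eq $GroupId -and $_.Guest -eq $Guest) })
    $kept + @([pscustomobject]@{
        GroupId   = $GroupId
        Guest     = $Guest
        ExpiresOn = $Now.AddDays($Days).ToString('yyyy-MM-dd')
    })
}

function Get-TeamGuestMembership {
    # Live enumeration to seed the ledger: one Get-TeamUser call per team, which is the
    # per-team effort the text describes. Requires Connect-MicrosoftTeams beforehand.
    foreach ($team in Get-Team) {
        Get-TeamUser -GroupId $team.GroupId -Role Guest | ForEach-Object {
            [pscustomobject]@{ GroupId = $team.GroupId; Team = $team.DisplayName; Guest = $_.User }
        }
    }
}

function Remove-ExpiredGuestMembership {
    param(
        [Parameter(Mandatory)] [object[]] $Ledger,
        [switch] $Live     # without -Live the function only reports what it would remove
    )
    foreach ($m in Get-ExpiredGuestMembership -Ledger $Ledger) {
        if ($Live) {
            Remove-TeamUser -GroupId $m.GroupId -User $m.Guest
            Write-Output "removed $($m.Guest) from team $($m.GroupId) (expired $($m.ExpiresOn))"
        } else {
            Write-Output "would remove $($m.Guest) from team $($m.GroupId) (expired $($m.ExpiresOn))"
        }
    }
}

# Constructed sample ledger (placeholder GroupIds and addresses, not real tenant data)
$ledger = @(
    [pscustomobject]@{ GroupId = '00000000-0000-0000-0000-000000000001'; Guest = 'alice@partner.example'; ExpiresOn = '2024-01-31' }
    [pscustomobject]@{ GroupId = '00000000-0000-0000-0000-000000000002'; Guest = 'bob@vendor.example';    ExpiresOn = '2099-12-31' }
)

Remove-ExpiredGuestMembership -Ledger $ledger     # dry run: reports alice only

# Alice's project is extended by 30 days on request; bob is untouched
$ledger = Set-GuestMembershipExpiry -Ledger $ledger -GroupId '00000000-0000-0000-0000-000000000001' -Guest 'alice@partner.example' -Days 30
Remove-ExpiredGuestMembership -Ledger $ledger     # nothing is expired any more
```

Run as a scheduled task, the dry run alone already gives the overview of stale guests that the text says nobody otherwise produces after a project ends; switching on -Live turns it into the automatic removal the recommendation asks for.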
Type of external users
Define which external users may be invited to your teams. Here you must define whether only existing external users (users who have already been created in your Active Directory or whose domain has been approved) or also new external users with an unknown mail address may be invited.
The procedure can be different for each team. It is important here not to define everything across the board, but to categorise your teams and define your own security levels.
Define your security level according to the purpose of use. Decide when external users may be invited and what type of external users are considered.
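One way to make the per-team security levels just described enforceable is to write the invitation rule down as code and evaluate each invitation request against the team's category. The following is an added example, not code from the original post: the three security levels (None, Existing, Any), the team catalogue, the approved-domain list and the list of existing guests are all constructed for illustration; in a real tenant the existing guests would come from the directory (for instance via Get-MgUser with a userType filter).

```powershell
# Added example (not from the original post): decide whether a guest invitation is
# permitted for a team, based on the team's security level, an approved-domain list
# and whether the invitee already exists as a guest. All data below is constructed.

function Test-GuestInvitation {
    param(
        [Parameter(Mandatory)] [string] $Invitee,
        # None: no external users; Existing: only guests already in AD or from an approved
        # domain; Any: also unknown external addresses (the categories named in the text)
        [Parameter(Mandatory)] [ValidateSet('None', 'Existing', 'Any')] [string] $SecurityLevel,
        [string[]] $ApprovedDomains = @(),
        [string[]] $ExistingGuests  = @()
    )
    $domain     = ($Invitee -split '@')[-1]
    $isExisting = $ExistingGuests  -contains $Invitee   # already a guest object in the directory
    $isApproved = $ApprovedDomains -contains $domain    # domain is on the allow list

    switch ($SecurityLevel) {
        'None'     { $allowed = $false;                      $reason = 'team admits no external users' }
        'Existing' { $allowed = $isExisting -or $isApproved; $reason = "existing guest: $isExisting, approved domain: $isApproved" }
        'Any'      { $allowed = $true;                       $reason = 'team admits unknown external addresses' }
    }
    [pscustomobject]@{ Invitee = $Invitee; Level = $SecurityLevel; Allowed = $allowed; Reason = $reason }
}

# Constructed allow list and directory of existing guests
$ApprovedDomains = @('partner.example', 'vendor.example')
$ExistingGuests  = @('alice@partner.example', 'carol@unknown-corp.example')

# Constructed team catalogue: each team is categorised with its own security level
$Teams = @(
    [pscustomobject]@{ Name = 'HR - Payroll';        SecurityLevel = 'None' }
    [pscustomobject]@{ Name = 'Project Phoenix';     SecurityLevel = 'Existing' }
    [pscustomobject]@{ Name = 'Marketing Community'; SecurityLevel = 'Any' }
)

# Constructed invitation requests
$Requests = @(
    @{ Team = 'HR - Payroll';        Invitee = 'alice@partner.example' }     # denied: internal-only team
    @{ Team = 'Project Phoenix';     Invitee = 'dave@unknown-corp.example' } # denied: unknown address, unapproved domain
    @{ Team = 'Project Phoenix';     Invitee = 'carol@unknown-corp.example' }# allowed: already an existing guest
    @{ Team = 'Project Phoenix';     Invitee = 'eve@vendor.example' }        # allowed: approved domain
    @{ Team = 'Marketing Community'; Invitee = 'dave@unknown-corp.example' } # allowed: open team
)

foreach ($r in $Requests) {
    $level = ($Teams | Where-Object Name -eq $r.Team).SecurityLevel
    Test-GuestInvitation -Invitee $r.Invitee -SecurityLevel $level -ApprovedDomains $ApprovedDomains -ExistingGuests $ExistingGuests
} | Format-Table -AutoSize
```

The point of the catalogue is that the decision is made per team rather than across the board: the same invitee is refused for the payroll team and accepted for the community team, and the Reason column records why, which is the trail an auditor or data protection officer will ask for later.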
Setting up guest permissions for a team
To protect your company data from unauthorised access, it is valuable to use document classification. Use sensitivity labels to define which documents external users are allowed to access.
Identify the external users in your team workspaces. As a rule, first analyse their access and then remove the external users from the Teams teams.
If resources and time are too limited to manage external users yourself, the use of a governance solution is a good idea.
With the various governance solutions on the market, the policies mentioned in this blog article can be configured and automated easily.
For example, you can set up temporary access that depends on certain conditions, grant external users only authorised access and have it revoked automatically.