Things You Should Know About External Access for Teams


Microsoft Gets Its Numbers Wrong

Lots of excitement occurred last week after Microsoft released the first version of external access for Teams. The thrill was only slightly lessened by the realization that Teams currently limits external access to accounts belonging to other Office 365 tenants.

Microsoft’s post announcing external access for Teams was just plain wrong when it said: “That means anyone with one of the more than 870 million user accounts—across Microsoft commercial cloud services and third-party Azure AD integrated apps—can be added as a guest in Teams.” Oh well, it was a marketing post after all, so hyperbole is the expected norm. Because external access is limited for now, the real number is about an eighth of what Microsoft claimed.

In any case, after a week in the wild, it is good to look at some of the issues that people have with external access for Teams.

The Need for Licenses

The first point is that guests must be “licensed” for Teams before they can gain access to any team in a tenant. Administrators enable Teams for tenant users (“Business and Enterprise”) and for guests through the Teams settings in the Services & Add-ins section of the Office 365 Admin Center. The guest setting is really just a control switch and consumes no licenses, but if you do not turn it on, guests will never be able to access a team in your tenant, even if they receive an invitation to join the team.

Generating Invitations

Teams generates invitations for external users to join specific teams. For now, you can only invite people who have accounts in another Office 365 tenant. The invitation goes by email to the recipient, who redeems it to prove their identity to Azure AD. The invitation carries a URL pointing to the team that the guest user will join. After redemption completes, the desktop or web client follows that URL to switch to the target tenant and open the team. It is at this point that people run into the need for licenses: if the target tenant does not allow guest access to Teams, the user cannot open the team they were invited to join.

Switching Tenants

Possibly the biggest complaint heard is about the requirement to switch tenants to gain access to an external team. Other products, notably Yammer, use switching to reset context, and Teams implements tenant switching about as well as such switching can be done. However, users complain that switching (Figure 1) is a clunky, outdated approach that wastes time, and say that they would prefer to work with all the networks they can access from a single Teams client.

Figure 1: Teams cheerfully switches to a different tenant (image credit: Tony Redmond)

Switching means that you force a user to sign out of their own tenant and into the target tenant. Microsoft says that they will work to improve the switching performance, but people complain that when they sign out of their own tenant, they no longer receive notifications about new activity that occurs in that tenant. If they belong to several networks and need to switch from one to the other to keep up to date, the danger exists that they might miss an important post.

The Teams mobile client does not yet support switching between different tenants, but Microsoft says that an update is coming.

Auditing Guest Users

Once you allow external people to access information within your tenant, it is natural to ask which teams have guest users and when those users access the tenant. Unfortunately, Teams does not yet have a PowerShell module, so you cannot whip up a quick script to report which team-enabled Office 365 Groups have external users. However, we can start the process rolling by listing the groups that have external members with some quick and dirty PowerShell (run in an Exchange Online PowerShell session):

# Find Office 365 Groups that have at least one external (guest) member.
# @() keeps $Groups an array so .Count works even when only one group matches.
$Groups = @(Get-UnifiedGroup -ResultSize Unlimited | ? {$_.GroupExternalMemberCount -gt 0})

If ($Groups.Count -gt 0) {
    ForEach ($G in $Groups) {
        Write-Host "Members in" $G.DisplayName
        $Members = Get-UnifiedGroupLinks -Identity $G.Alias -LinkType Members
        ForEach ($M in $Members) {
            # Guest accounts carry the #EXT# marker in their name
            If ($M.Name -Like "*#EXT#*") {
                Write-Host "External member:" $M.Name
            }
        }
    }
}

Now that you know which groups include guest users, you can apply your own filters to:

  1. Remove groups that do not have an associated team.
  2. Remove guest users that do not belong to another Office 365 tenant. Office 365 Groups accept guests from consumer domains such as Outlook.com, so these accounts can appear in the output for group membership (for example, “SomeAccount_Outlook.com#EXT#”). Because these users do not have access to Teams, they do not appear in the membership list when viewed through Teams.

Teams records an event in the Office 365 audit log when a user signs in to the application, so you can use the Search Audit Log feature in the Security and Compliance Center to check who has connected to your tenant. Two points are worth noting. First, it can take some hours before the Teams data is available in the audit log. Second, an audit record (Figure 2) tells you when someone signs into Teams but does not tell you what they do once inside Teams.

Figure 2: An audit record captured when an external user signs into Teams (image credit: Tony Redmond)
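The following PowerShell pulls the two threads above together. It is an added example and not code from the original post: it extends the group listing into a report of guests by source domain (flagging consumer domains, which cannot use Teams), then pulls the recent Teams sign-in records for guest accounts from the audit log. Run it in an Exchange Online PowerShell session. The consumer-domain list is a constructed assumption, and the use of MicrosoftTeams as the audit record type is also an assumption about how Teams events are classified in the unified audit log.

```powershell
# Added example: guest membership report plus Teams audit records for guests.
# Assumes an Exchange Online PowerShell session (Get-UnifiedGroup,
# Get-UnifiedGroupLinks, Search-UnifiedAuditLog are available).

# Constructed list of consumer domains whose guests cannot use Teams.
$ConsumerDomains = @("outlook.com", "hotmail.com", "live.com", "gmail.com")

# Guest names look like "alice_contoso.com#EXT#": the source domain sits
# between the last underscore and the #EXT# marker.
Function Get-GuestDomain ($Name) {
    If ($Name -match '_([^_#]+)#EXT#') { Return $Matches[1].ToLower() }
    Return $null
}

$Report = @()
$Groups = @(Get-UnifiedGroup -ResultSize Unlimited | Where-Object { $_.GroupExternalMemberCount -gt 0 })
ForEach ($G in $Groups) {
    $Members = Get-UnifiedGroupLinks -Identity $G.Alias -LinkType Members
    ForEach ($M in ($Members | Where-Object { $_.Name -like "*#EXT#*" })) {
        $Domain = Get-GuestDomain $M.Name
        $Report += [PSCustomObject]@{
            Group       = $G.DisplayName
            Guest       = $M.Name
            Domain      = $Domain
            # Consumer accounts can be group members but cannot sign in to Teams
            TeamsAccess = -not ($ConsumerDomains -contains $Domain)
        }
    }
}
$Report | Sort-Object Domain, Group | Format-Table -AutoSize

# Domain summary: useful input when deciding on an allow or block list
$Report | Group-Object Domain | Select-Object Name, Count | Sort-Object Count -Descending

# Teams audit records for guest accounts over the last 7 days. Assumption:
# Teams events carry the MicrosoftTeams record type. Records can lag several
# hours behind the sign-in, so recent activity may be missing.
$Audit = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -RecordType MicrosoftTeams -ResultSize 5000 |
    Where-Object { $_.UserIds -like "*#EXT#*" }
$Audit | Select-Object CreationDate, UserIds, Operations | Sort-Object CreationDate | Format-Table -AutoSize
```

Filtering the audit results on the #EXT# marker client-side avoids having to construct each guest's full user principal name, which differs from the name shown in group membership. Export $Report and $Audit with Export-Csv if you want to keep a record of who had access and when they used it.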

Securing Channels

Settings at the tenant and team level control many of the actions that members can take within a team. To change the settings, select View team and then Settings (Figure 3). I am not worried about people editing or deleting their messages, but I am concerned about guest members creating or removing channels.

Figure 3: What team members can do (image credit: Tony Redmond)

A team can have up to 100 channels, so apart from possibly creating some confusion within a team if too many channels are in use, it is probably OK to allow members to create channels. The situation is very different for channel deletion because no one can recover a deleted channel. The possibility therefore exists that someone might delete a channel in error, or even that a disgruntled employee or guest might do so deliberately. Play it safe and disable the ability of members to remove channels.

Compliance Issues

In April, I reported how Teams supported the Office 365 data governance framework by copying items to group mailboxes (for channel conversations) or user mailboxes (for personal chats). Unfortunately, Teams does not capture messages contributed by guest users. I reported this oversight to Microsoft and am sure that they will fix the problem soon. In the meantime, be aware that Teams only captures partial conversations for eDiscovery and compliance purposes.

It is important to record audit events when people remove a channel from a team. Although Teams lists this event as one of those captured in the Office 365 audit log, my tests show that the events do not turn up. Again, this is likely due to a bug that Microsoft will quickly fix, but it is yet another reason to stop members deleting channels.

Blocking Guest Users

External access for Teams is in its early days and some problems were always likely. You might prefer to impose some control through an allow list of the domains you permit guest users to come from. A recently introduced Azure AD B2B policy that applies to Teams and Office 365 Groups helps here. You can block the domains whose users you do not want to see in Teams or create an allow list of permitted domains, but not both.
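As an added example of that policy (not code from the original post), the snippet below creates or updates the tenant's organization-default B2B management policy with a block list, following the Azure AD B2B documentation for the AzureADPreview module. The domain names are constructed placeholders, and the JSON property names (B2BManagementPolicy, InvitationsAllowedAndBlockedDomainsPolicy, AllowedDomains, BlockedDomains) are assumed from that documentation.

```powershell
# Added example: set a tenant-wide block list for guest invitations.
# Assumes Connect-AzureAD has been run with the AzureADPreview module.
# Domains below are constructed placeholders.

# Build the policy definition. Populate EITHER AllowedDomains OR BlockedDomains;
# the policy does not accept both at once. An empty list means "no restriction".
$Definition = @{
    B2BManagementPolicy = @{
        InvitationsAllowedAndBlockedDomainsPolicy = @{
            AllowedDomains = @()
            BlockedDomains = @("badguys.com", "evil.example")
        }
    }
} | ConvertTo-Json -Depth 5 -Compress

# A tenant holds a single organization-default B2B management policy:
# update it if it already exists, otherwise create it.
$Existing = Get-AzureADPolicy | Where-Object { $_.Type -eq "B2BManagementPolicy" } | Select-Object -First 1
If ($Existing) {
    Set-AzureADPolicy -Id $Existing.Id -Definition $Definition
    Write-Host "Updated B2B management policy" $Existing.Id
} Else {
    New-AzureADPolicy -Definition $Definition -DisplayName "B2BManagementPolicy" `
        -Type "B2BManagementPolicy" -IsOrganizationDefault $true
    Write-Host "Created organization-default B2B management policy"
}

# Confirm what is now in force
(Get-AzureADPolicy | Where-Object { $_.Type -eq "B2BManagementPolicy" }).Definition
```

To switch to an allow list instead, move the domains into AllowedDomains and leave BlockedDomains empty. The policy only governs new invitations; guests already present in the tenant are unaffected.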

Creating an allow or block list stops team owners from adding guests from the specified domains, but it does nothing to remove guests belonging to those domains if they already exist in team memberships. To ensure compliance with the policy, you might decide to remove all the guest accounts for the blocked domains. The script above will tell you whether any groups have guests from the domains you want to exclude, but some added code is necessary to remove the accounts.

Let’s assume that you decide to remove all accounts for the “BadGuys.com” domain. Something like this PowerShell snippet does the trick:

# Find every guest account from the BadGuys.com domain and remove it.
# Run after Connect-AzureAD; -All $true avoids the default 100-object page size.
$Users = Get-AzureADUser -All $true -Filter "UserType eq 'Guest'"
ForEach ($U in $Users) {
    # Guest UPNs take the form name_domain#EXT#@tenant.onmicrosoft.com,
    # so match the domain marker rather than a loose substring
    If ($U.UserPrincipalName -Like "*_BadGuys.com#EXT#@*") {
        Write-Host "Removing" $U.DisplayName
        Remove-AzureADUser -ObjectId $U.ObjectId
    }
}

Of course, it is a bad idea to run any code that removes objects without testing it first. Comment out the Remove-AzureADUser line, check that the names the script prints are the accounts you expect, and only then run it for real.

More to Come

We are obviously at the start of the story around external access for Teams. No doubt Microsoft will expand support for accounts other than from other Office 365 tenants, fix some compliance issues, and upgrade functionality in areas such as federation with Skype for Business so that users of both platforms enjoy smooth interoperability.

With the Ignite conference happening next week, we expect to hear more from Microsoft about their plans for Teams and how functionality like external access will evolve. It should make for some interesting sessions. They’re on my list to attend.

Follow Tony on Twitter @12Knocksinna.

Want to know more about how to manage Office 365? Find what you need to know in “Office 365 for IT Pros”, the most comprehensive eBook covering all aspects of Office 365. Available in PDF and EPUB formats (suitable for iBooks) or for Amazon Kindle.