Teams Now Supports Guest Users from Non-Office 365 Domains


An Open World of Guests for Teams

When Microsoft introduced the first iteration of external (guest) access for Teams in September 2017, an important limitation existed: guests could only come from Azure Active Directory domains with Office 365. Although there are some 130 million active Office 365 users, that’s still a subset of the people you might want to add as a guest user, including those who use other systems such as Gmail or Yahoo!

The lack of support for non-Office 365 domains surprised many because Office 365 Groups support external access from these domains, and Teams uses Office 365 Groups. However, the connection between the two applications means nothing when it comes to controlling guest user access to resources. In fact, guest access to Office 365 Groups is based on an older SharePoint model that has been around for years and it only allows access to SharePoint resources. Teams is a very different application, so Microsoft needed to do extra work to make guest access safe and secure for these domains.

Now, maintaining the rapid cadence of updates Microsoft makes to Teams, you can add guest users with any email address to Teams. You can read Microsoft’s blog post on the topic to learn details of supported clients (for instance, you cannot invite guest users or redeem invitations on Teams mobile clients, while Safari is still a no-go browser for Teams). In the rest of this article, I look at how a guest user with one of the newly-supported email addresses joins a team.

The B2B Collaboration Basics

Teams is an application that uses many services drawn across Office 365, including Exchange Online (for its calendar and compliance records), SharePoint Online (for document management), and OneDrive for Business (personal sharing). External guest access uses Azure B2B Collaboration. Briefly, when you add a guest user to a team, Teams extends an invitation to that user to redeem and confirm their membership. The invitation email holds a link for the guest to enter the redemption process. When redemption is complete, a new Azure Active Directory user account (of type “Guest”) exists in the tenant directory. Access to application resources comes through this account.

Azure B2B Collaboration is also used within Office 365 to share documents from SharePoint and OneDrive sites and to allow access to Office 365 Groups (only the SharePoint resources, not conversations). Because other applications use Azure B2B Collaboration, an Azure Active Directory account might already exist for a guest user. If this happens, Teams uses that account.

Adding a new Guest User to a Team

All you need to add a new guest user to a team is their email address (Figure 1). Teams takes the address and checks whether a guest account for it already exists in the tenant directory. If not, Teams creates a prototype guest account that the user will later complete through the redemption process.

Figure 1: Adding a guest user to a team (image credit: Tony Redmond)

Notification Arrives

The next step is to issue the email invitation to the user. The user is already part of the team, and if their guest account has already been completed through redemption, they can click the Open Microsoft Teams link in the message (Figure 2) to go straight to the team.

Figure 2: A guest user receives an invitation to Teams (image credit: Tony Redmond)

Teams Redemption

Things are a little more complicated if the user has never been through the redemption process for the tenant before. The same link brings them into a process to prove their identity and establish credentials that allow them to connect to the tenant in the future. The first step in the process is to sign in (Figure 3). An email address already exists to use as the basis for the User Principal Name for the account, so what’s missing is a password, which the user sets up at this point. If the host tenant uses multi-factor authentication to protect accounts in general or Teams as an application (using a conditional access policy), they must also establish how they will prove their MFA credentials.

Figure 3: Redeeming the invitation (image credit: Tony Redmond)

When everything is complete, Azure Active Directory enables the guest account and the user can go through a normal sign-in (Figure 4) to follow the link to Teams shown in Figure 3. You can see that the account name used to sign in is the guest user’s email address.

Figure 4: Signing into the guest user account (image credit: Tony Redmond)

Guest Rights

When connected, a guest user shows up in the same way as any other user (Figure 5) and has much the same rights as a tenant user. Among the things a guest can’t do are create new meetings and view organizational information in the tenant directory. These restrictions exist either because of technical issues (guests can read, but not write to, the group calendar in the Exchange mailbox) or to protect data within the tenant.

Figure 5: Guest users show up as normal users in a team (image credit: Tony Redmond)

Although guests cannot browse the tenant directory to find new teams to join, if they have access to Office 365 Groups and the groups are team-enabled, they automatically gain access to those teams. Therefore, a guest accessing teams for the first time in a tenant might discover that they can use many other teams than the one for which they received an invitation.

Behind the AAD Scenes

As noted earlier, Azure B2B Collaboration creates guest user accounts to enable access. If we look at guest accounts, we see that they have a special type and are created through an invitation process. Also, the email address for the guest forms the basis of the sign-on address and allows the account to be mail-enabled.

Get-AzureADUser -ObjectId 7741ac6e-30c2-40da-adcb-e54e8c4b1b54 | Format-List
ObjectId                       : 7741ac6e-30c2-40da-adcb-e54e8c4b1b54
ObjectType                     : User
AccountEnabled                 : True
AssignedLicenses               : {}
CreationType                   : Invitation
DisplayName                    : Tony's Yandex Account
Mail                           : [email protected]
MailNickName                   : tredmond_yandex.com#EXT#
OtherMails                     : {[email protected]}
ProxyAddresses                 : {SMTP:[email protected]}
UserPrincipalName              : tredmond_yandex.com#EXT#@Rmytenant.onmicrosoft.com
UserType                       : Guest

To find all guest accounts in a tenant, use this command:

Get-AzureADUser -Filter "UserType eq 'Guest'"
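Building on that command, the following script is an added example (not from the article) that reports each guest account’s creation type, redemption state and group memberships, which matters because, as described above, a guest who belongs to a team-enabled Office 365 Group gets that team as well. It uses the AzureAD module cmdlets Get-AzureADUser and Get-AzureADUserMembership, assumes Connect-AzureAD has already been run, and assumes the UserState property is populated for B2B guests.

```powershell
# Added example: inventory guest accounts and the groups (and therefore teams)
# each one can reach. Assumes Connect-AzureAD has already been run.
$guests = Get-AzureADUser -Filter "UserType eq 'Guest'" -All $true

$report = foreach ($g in $guests) {
    # Memberships in Office 365 Groups and security groups. A guest in a
    # team-enabled group automatically has access to that team.
    $groups = Get-AzureADUserMembership -ObjectId $g.ObjectId -All $true |
        Where-Object { $_.ObjectType -eq 'Group' }

    [PSCustomObject]@{
        DisplayName       = $g.DisplayName
        UserPrincipalName = $g.UserPrincipalName
        SignInAddress     = ($g.OtherMails | Select-Object -First 1)
        CreationType      = $g.CreationType     # 'Invitation' for B2B guests
        UserState         = $g.UserState        # 'PendingAcceptance' until redeemed (assumed property)
        AccountEnabled    = $g.AccountEnabled
        GroupCount        = @($groups).Count
        Groups            = (@($groups).DisplayName -join '; ')
    }
}

# Guests reachable in more than one group are the ones most worth reviewing,
# since each extra team-enabled group is another team they can use.
$report | Sort-Object GroupCount -Descending | Format-Table -AutoSize
$report | Where-Object { $_.GroupCount -gt 1 }

# Invitations that were issued but never redeemed: prototype accounts still waiting
# for the guest to complete sign-up.
$report | Where-Object { $_.UserState -eq 'PendingAcceptance' }
```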

Access for All

Because it allows many more potential collaborators into the Teams tent, adding guest access for non-Office 365 domains is a big thing. I’d like to see Teams progress by making the process to switch tenants smoother and by allowing mobile clients to switch tenants. Meantime, Microsoft continues the push to add new calling functionality so that Teams can replace the Skype for Business Online client. At times, so much happens that it’s quite wearisome to keep track of everything.

Follow Tony on Twitter @12Knocksinna.
