Blocking Guest Users from Office 365 Groups

Guest Access Settings in the Groups Policy

By default, Office 365 allows tenants to add guest users (people with accounts outside your tenant) to the membership of Office 365 Groups (and Teams). Control over this feature is through the Azure Active Directory policy for groups, which has two relevant settings:

  • AllowToAddGuests: Controls if group (or team) owners can add guest users to membership. The default is True.
  • AllowGuestsToAccessGroups: Controls if guest accounts can access resources through Office 365 Groups. The default is True.

Policy settings can only changed through PowerShell. For instance, to stop any group owner being able to add guests, you change the value of AllowToAddGuests to False. These command fetch the current settings, update the value, and update the policy (assuming that you have already created a tenant policy):

Guests who are members of groups can continue to use their membership. The block simply stops group owners adding new guests.

Blocking By Default

The normal course of events is to allow guest users for groups and selectively block access for specific groups that hold confidential information. As explained in this article, it is relatively easy to find and update selected groups.

Some people would like to reverse the process and block guest access to all groups except on a selective basis. This isn’t possible because the tenant-level block trumps settings at an individual group level. Once you set AllowToAddGuests to False at the tenant level, the policy stops any group owner from adding guests to group membership. Only administrators keep the ability to add guests, and they can only do so through an admin interface like running the Add-UnifiedGroupLinks cmdlet or through the Office 365 Admin Center or Azure Active Directory portal.

If you want to block access for guests to all but a small set of groups, you must leave AllowToAddGuests as True at the tenant level and then block all but the set of groups you want to allow guests to join.

This is the kind of topic we cover in Chapter 12 of the Office 365 for IT Pros eBook. You can find a lot more about managing Groups there.


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.