Block Guest Members from Microsoft 365 Groups and Teams

Block Guests in Individual Groups Using Access Settings

By default, Office 365 tenants can add guest users (people with accounts outside your tenant) to the membership of Microsoft 365 Groups (and Teams). Control over this feature is through the Azure Active Directory policy for Groups, which has two relevant settings:

  • AllowToAddGuests: Controls if group (or team) owners can add guest users to membership. The default is True.
  • AllowGuestsToAccessGroups: Controls if guest accounts can access resources through Office 365 Groups. The default is True.

Settings in the Azure Active Directory policy for Groups can be changed through PowerShell. For instance, to stop any group owner being able to add guests, you change the value of AllowToAddGuests to False. These commands fetch the current settings, update the value, and write the policy back (assuming that you have already created a tenant policy):

# Fetch the tenant-level Group.Unified settings object (returns nothing if no tenant policy exists yet)
$PolicySettings = Get-AzureADDirectorySetting | ? {$_.DisplayName -eq "Group.Unified"}
# Stop group owners from adding guests; the setting value is stored as a string
$PolicySettings["AllowToAddGuests"] = "False"
# Write the updated settings back to the tenant policy
Set-AzureADDirectorySetting -Id $PolicySettings.Id -DirectorySetting $PolicySettings

Guests who are members of groups can continue to use their membership. The block simply stops group owners adding new guests.

Blocking By Default

The normal course of events is to allow guest users for groups and selectively block access for specific groups that hold confidential information. As explained in this article, it is relatively easy to find and update selected groups.

Some people would like to reverse the process and block guest access to all groups except on a selective basis. This isn’t possible because the tenant-level block trumps settings at an individual group level. Once you set AllowToAddGuests to False at the tenant level, the policy stops any group owner from adding guests to group membership. Only administrators keep the ability to add guests, and they can only do so through an admin interface like running the Add-UnifiedGroupLinks cmdlet or updating group membership in the Microsoft 365 Admin Center or Azure Active Directory portal.

If you want to block access for guests to all but a small set of groups, you must leave AllowToAddGuests as True at the tenant level and then block all but the set of groups you want to allow guests to join.
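The allow-list approach described above, as an added example that is not code from the original post: the tenant setting stays True and a per-group Group.Unified.Guest setting blocks new guests in every Microsoft 365 Group except the ones named in $AllowedGroups (a constructed list). It assumes Connect-AzureAD has already been run with an account permitted to manage group settings.

```powershell
# Added example (not from the original post). Leaves AllowToAddGuests = True at the tenant
# level and applies a per-group block to every Microsoft 365 Group not on the allow-list.
# Assumes Connect-AzureAD has already run. $AllowedGroups is a constructed placeholder list.
$AllowedGroups = @("Partner Projects", "Customer Support")

# Template for per-group guest settings (distinct from the tenant-level Group.Unified template)
$Template = Get-AzureADDirectorySettingTemplate | Where-Object {$_.DisplayName -eq "Group.Unified.Guest"}

# Every Microsoft 365 Group (GroupTypes contains "Unified") in the tenant
$Groups = Get-AzureADMSGroup -All $true | Where-Object {$_.GroupTypes -contains "Unified"}

ForEach ($Group in $Groups) {
    If ($AllowedGroups -contains $Group.DisplayName) {
        Write-Host "Leaving guest access enabled for" $Group.DisplayName
        Continue
    }
    # Reuse an existing per-group setting if one is present, otherwise create one from the template
    $Existing = Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $Group.Id -ErrorAction SilentlyContinue | Select-Object -First 1
    If ($Existing) {
        $Existing["AllowToAddGuests"] = "False"
        Set-AzureADObjectSetting -TargetType Groups -TargetObjectId $Group.Id -Id $Existing.Id -DirectorySetting $Existing
    } Else {
        $Setting = $Template.CreateDirectorySetting()
        $Setting["AllowToAddGuests"] = "False"
        New-AzureADObjectSetting -TargetType Groups -TargetObjectId $Group.Id -DirectorySetting $Setting
    }
    Write-Host "Blocked new guests for" $Group.DisplayName
}
```

The per-group block only prevents owners adding new guests; guests already in the membership keep their access, so check each blocked group's membership afterwards. Cmdlet names are those of the AzureAD module the post uses; Microsoft has since deprecated that module in favor of Microsoft Graph PowerShell, where the same per-group settings are managed through the group settings resource.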

Note (June 2020): Sensitivity labels for Groups, Teams, and Sites are now generally available. If you enable them, the container settings in a label can be used to block guest users. For example, you can have a label called Confidential which, when applied to a group, stops new guests being added. Existing guests aren't removed, but you can find them as described here.

This is the kind of topic we cover in Chapter 10 of the Office 365 for IT Pros eBook. You can find a lot more about managing Groups there.

3 Replies to “Block Guest Members from Microsoft 365 Groups and Teams”

  1. This should actually be tagged as Chapter 10. I started to reread through 12, and it directs you to Chapter 10 which is where I found what I needed.

    1. The tag relates to a previous version of the book. It’s kind of hard to keep old posts updated when so much is changing…

    2. Post is now updated. You should read up on sensitivity labels as they make the process of managing guest access to individual groups much easier.
