Information Barriers, Teams, and Problems Adding New Guest Accounts

Information Barrier Policies and Organization Segments

Microsoft introduced Information Barriers earlier this year as a replacement for address book policies to segment accounts within tenant directories in a way that could be used by all Office 365 applications. The basic idea is that Information Barrier polices control who can communicate with others within an Office 365 tenant. Organization segments define sets of users and policy rules dictate how segments can communicate.

Teams Has Problems with New Guest Accounts

Exchange Online and Teams are the first applications to support Information Barriers. For Exchange Online, the switch from address book policies to Information Barriers is transparent. Most functionality works smoothly with Teams too, with the notable exception that team owners can’t create a new guest user account to the tenant by adding them to a team’s membership.

Existing guest accounts don’t cause problems because Teams can check that adding them to a team membership won’t violate a policy. Teams does this by calling the directory services API to check what organization segments the guest belongs to. When an attempt is made to add a new guest, the call fails because the account doesn’t exist in the Exchange Online directory store (EXODS). Teams can’t validate that the barrier is respected, and the attempt fails (Figure 1).

Teams can't add a new guest account to team membership
Figure 1: Teams can’t add a new guest account to team membership

Unfortunately, apart from being told that Teams ran into an issue, no clues are given to the team owner as to what went wrong. Despite being told that a problem happened, behind the scenes the guest account is created in the tenant directory and an Azure B2B Collaboration invitation goes to the guest’s email address (Figure 2).

The invitation to join the team arrives in the guest's mailbox
Figure 2: The invitation to join the team arrives in the guest’s mailbox

When the guest tries to redeem the invitation and log into Teams, Azure Active Directory validates the invitation but when Teams starts, the guest discovers that they don’t have membership of the group they were invited to join (Figure 3).

Whoops! No access to the team for the guest
Figure 3: Whoops! No access to the team for the guest

An Easy Workaround

The workaround is simple: create the guest account through the Azure Active Directory portal or by adding them to the membership of the underlying Office 365 group using Outlook or OWA. The addition of the new member will be replicated to Teams and any Information Barrier checks will then be imposed. Microsoft is aware that this situation is unsatisfactory and is working on a fix.

To learn more about Information Barriers, read Chapter 19 of the Office 365 for IT Pros eBook. The book also includes a ton of information about Teams management.

One Reply to “Information Barriers, Teams, and Problems Adding New Guest Accounts”

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.