Teams to Support Federated Guest Access for Gmail Accounts

Gmail Gets Direct Pass to Teams Membership

Office 365 notification MC194386 brings the news that Teams will soon offer “native support” for guest access for people with Gmail accounts. This fulfils Office 365 roadmap 57037.

Teams has long used Azure B2B Collaboration to support guest membership for anyone with a valid email address, including Gmail users. The difference here is that Azure Active Directory has added Google as an identity provider for Azure B2B Collaboration, which means that people with a Gmail address can use their Google account for authentication and don’t need to create an MSA (Microsoft account) or a guest user account in tenant directories.

Do You Want Google Users as Guests?

Before getting too excited about this innovation, let’s reflect on two points: first, you must do some work to enable Google federation in Azure Active Directory (by creating an organizational relationship). Second, you might not want to allow Gmail users to be guests in some or all the teams in your tenant on the basis that you don’t want guests to use consumer accounts (the problem with such a policy is that many independent professionals use Gmail addresses).

Blocking guests from Google domains is easily done by creating a blacklist or whitelist (you can only pick one list) in the Azure B2B Collaboration policy for the tenant. With such a policy in place, team owners won’t be able to invite members from the blocked domains. In Figure 1 we see that Google.com is one of the domains on the blacklist for guest invitations.

Figure 1: Azure Active Directory External Collaboration settings

If you want to block all guest users from specific teams (usually those containing highly confidential material), that’s easily done by editing the directory settings for the underlying Office 365 Groups. The only issue is that you must do this through PowerShell.
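As an added example (not from the original post), this is how that directory setting is applied with the AzureADPreview module; the team name is a placeholder and the script assumes you have already run Connect-AzureAD as a Groups or Global administrator.

```powershell
# Added example: block guest additions for one Office 365 Group (the group behind a team).
# Requires the AzureADPreview module; run Connect-AzureAD first.
$TeamName = "Board Confidential"   # placeholder: display name of the team's underlying group

$group = Get-AzureADGroup -SearchString $TeamName | Select-Object -First 1
if (-not $group) { throw "No group found matching '$TeamName'" }

# Per-group guest settings come from the Group.Unified.Guest template.
$template = Get-AzureADDirectorySettingTemplate |
    Where-Object { $_.DisplayName -eq "Group.Unified.Guest" }
$setting = $template.CreateDirectorySetting()
$setting["AllowToAddGuests"] = $false

# A group can hold only one setting object per template: update it if present, else create it.
$existing = Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $group.ObjectId |
    Where-Object { $_.DisplayName -eq "Group.Unified.Guest" }
if ($existing) {
    Set-AzureADObjectSetting -TargetType Groups -TargetObjectId $group.ObjectId `
        -Id $existing.Id -DirectorySetting $setting
} else {
    New-AzureADObjectSetting -TargetType Groups -TargetObjectId $group.ObjectId `
        -DirectorySetting $setting
}

# Verify: AllowToAddGuests should now read False for this group.
Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $group.ObjectId |
    Select-Object -ExpandProperty Values
```

The setting stops owners adding new guests to that team; guests who are already members keep their access until they are removed.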

Why Teams and not Outlook Groups or Planner

Some were surprised that the announcement covers Teams only and doesn’t apply to all the Office 365 apps that support Azure B2B Collaboration. The answer is that federation works only when guests sign in using a specific tenant context, or through an endpoint capable of processing the connection request with the proffered Google credentials. Teams can do this; other applications cannot, at least for now.

Read the Office 365 for IT Pros eBook for more information about Teams, guest user access, and Azure B2B Collaboration.