Teams to Support Federated Guest Access for Gmail Accounts

Gmail Gets Direct Pass to Teams Membership

Office 365 notification MC194386 brings the news that Teams will soon offer “native support” for guest access for people with Gmail accounts. This fulfils Office 365 roadmap 57037.

Teams has long used Azure B2B Collaboration to support guest membership for anyone with a valid email address, including Gmail users. The difference here is that Azure Active Directory has added Google as an identity provider for Azure B2B Collaboration, which means that people with a Gmail email address can use their Google account for authentication and don’t need to create an MSA account or a guest user account in tenant directories.

Do You Want Google Users as Guests?

Before getting too excited about this innovation, let’s reflect on two points: first, you must do some work to enable Google federation in Azure Active Directory (by creating an organizational relationship). Second, you might not want to allow Gmail users to be guests in some or all the teams in your tenant on the basis that you don’t want guests to use consumer accounts (the problem with such a policy is that many independent professionals use Gmail addresses).

Blocking guests from Google domains is easily done by creating a blacklist or whitelist (you can only pick one list) in the Azure B2B Collaboration policy for the tenant. With such a policy in place, team owners won’t be able to invite members from the blocked domains. In Figure 1 we see that Google.com is one of the domains on the blacklist for guest invitations.

Figure 1: Azure Active Directory External Collaboration settings

If you want to block all guest users from specific teams (usually those containing highly confidential material), that’s easily done by editing the directory settings for the underlying Office 365 Groups. The only issue is that you must do this through PowerShell.
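Blocking guests for one team, as a PowerShell example added here (not code from the page or from the Office 365 for IT Pros eBook): it applies the Group.Unified.Guest directory setting to the team's underlying Office 365 Group and reads the value back. It assumes the AzureAD module with Connect-AzureAD already run; the group name is a placeholder.

```powershell
# Added example: block (or re-allow) guest additions for a single Office 365 Group,
# which is what stops guests being added to the team built on that group.
# Assumes the AzureAD PowerShell module and an existing Connect-AzureAD session.

function Set-GroupGuestAccess {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [bool] $AllowGuests = $false
    )

    # -SearchString is a prefix match on display name, so refuse ambiguous results.
    $groups = @(Get-AzureADGroup -SearchString $GroupName)
    if ($groups.Count -ne 1) {
        throw "Expected exactly one group matching '$GroupName', found $($groups.Count)."
    }
    $groupId = $groups[0].ObjectId

    # Group.Unified.Guest is the per-group template; Group.Unified holds tenant-wide settings.
    $template = Get-AzureADDirectorySettingTemplate |
        Where-Object { $_.DisplayName -eq 'Group.Unified.Guest' }

    $existing = Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupId |
        Where-Object { $_.DisplayName -eq 'Group.Unified.Guest' }

    if ($existing) {
        # A setting object is already attached to the group: update it in place.
        $existing['AllowToAddGuests'] = $AllowGuests
        Set-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupId `
            -Id $existing.Id -DirectorySetting $existing
    } else {
        # No setting yet: create one from the template and attach it to the group.
        $setting = $template.CreateDirectorySetting()
        $setting['AllowToAddGuests'] = $AllowGuests
        New-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupId -DirectorySetting $setting
    }

    # Read back the effective value. The stored value is a string ("False"/"True"),
    # and [bool]"False" is $true in PowerShell, so convert explicitly.
    $check = Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupId |
        Where-Object { $_.DisplayName -eq 'Group.Unified.Guest' }
    return [System.Convert]::ToBoolean($check['AllowToAddGuests'])
}

# Placeholder group name (not from the page); returns $false once guests are blocked.
Set-GroupGuestAccess -GroupName 'Board Confidential' -AllowGuests $false
```

Existing guest members are not removed by this setting; it only stops further guests being added, so audit current membership separately.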

Why Teams and not Outlook Groups or Planner

Some were surprised that the announcement covers Teams only and doesn’t apply to all the Office 365 apps which support Azure B2B Collaboration. The answer lies in that federation works when guests sign in using a specific tenant context, or an endpoint that’s capable of processing the request to connect using the proffered credentials. Teams can do this while other applications cannot, at least for now.


Read the Office 365 for IT Pros eBook for more information about Teams, guest user access, and Azure B2B Collaboration.


5 Replies to “Teams to Support Federated Guest Access for Gmail Accounts”

  1. I have a Support request with Microsoft about this. It seems the link that is sent to a Gmail user in the invitation is not working and you get an error.
    (Account is unknown)

    If you create a link yourself like described in the documentation:

    https://docs.microsoft.com/nl-nl/azure/active-directory/b2b/google-federation#limitations like so:

    https://myapps.microsoft.com/?tenantid=

    Then it is working. Still working with Microsoft to get this link in the invitation working.

    1. Congratulations on being a trailblazer. The links in Azure B2B collaboration invitations are really important because they bring a guest back to an endpoint that can handle the redemption of an invitation. Getting them right is critical. As you have found out…

      1. Thanks for the compliments. It is weird that something like this is not tested.
        This is the link in the Invitation e-mail:

        https://teams.microsoft.com/l/team/19:4fb1XXXXX09fd40d62ed@thread.skype/0

        (The XXX i added to make it anonymous)

        This will give an error. And also will not give me the Gmail login option.

        The link:
        https://myapps.microsoft.com/?tenantid=XXX etc

        works just fine.

        Microsoft helpdesk lets me try all other options to login and all other hoops I needed to jump through.
        I even made them a Camtasia video to explain myself.
        But after I wrote: “This is getting irritating” and explained it one more time, it moved to Teams Technical support.
        I hope it will be resolved soon.

  2. An update from me. I have received a lot of questions from Microsoft. They let me try all kinds of ways to login. Now I have just sent the Edge HAR files of the failing login process. In my view all they need to do is to change the link that is sent in the invitation mail. How it needs to look is in their own documentation. Am I thinking too simple?

    1. No you’re not. Sometimes problems exist to stop things being simple, but seeing that the documentation is out of sync with the software, you wonder why this situation arose. After all, the writers work with the developers to document the code as it is written…
