Change in Guest Access for Teams: No Effect on Tenants Already Using Teams

Service Default Changes on February 8

In Office 365 notification MC228482 posted on December 3, Microsoft gives early warning of a change in the default tenant configuration for Teams. Up to now, the “service default” for guest access to Teams is Off, meaning that Teams doesn’t allow guest access unless an administrator updates the value to On. From February 8, 2021, the service default changes to On. In effect, Microsoft will then assume that tenants want to allow guest access to Teams.

Tenant control over guest access is set through the Org-wide settings section of the Teams admin center. Here you can define if guest access is allowed or not. As you can see in Figure 1, the option is set to On in my tenant.

The change in service default won’t affect tenants who have already opted to allow guest access to Teams, which is probably most of the tenants which now support over 115 million daily Teams users. It also won’t affect organizations which choose to disable guest access for Teams. However, organizations that have not yet started to use Teams should review if they wish to use guest access and if not, set the option to Off.

Teams depends on the Azure B2B Collaboration integration for Microsoft 365 Groups. Turning guest access on for Teams as the default doesn’t remove the need to enable the guest settings for Microsoft 365 Groups in the Org settings section of the Microsoft 365 admin center.

Limiting Guest Access at a Granular Level

Before disabling guest access, remember that other controls exist to limit guest access on a more granular level.

First, you can use sensitivity labels to control guest access for individual teams. If the container setting for the sensitivity label assigned to a team blocks guest access, team owners won’t be able to add new guests. However, existing guests in the team membership are not removed and tenant administrators can always add guests to team membership if necessary. The script described in this post creates a report of guests belonging to Microsoft 365 groups assigned a specific sensitivity label.

Second, you can block guest access from specific domains using an Azure B2B collaboration policy. For instance, you could include the domains for competitor companies in a blocklist to prevent team owners adding people from those domains as guests. Again, existing guests are not affected.

Tracking Down Unwanted Guests

If you need to scan the entire tenant for the presence of unwanted guest accounts, you can use the PowerShell script described in this post to create a report of guests in a tenant and the Microsoft 365 groups they belong to. The script can be adjusted to report guests based on the number of days since their account was created, so you can focus on all guests or guests created since a specific point in time.

Some guest accounts might have been created for a long-gone purpose. It’s a good idea to review guest accounts from time to time to figure out if any are no longer required and can be removed. This script helps by creating a report of guest user activity.

Teams Owners Can Restrict Guests Too

Within a team, you can restrict guest access by creating a private channel and limiting its membership to tenant accounts. This is a good way to create a barrier within a team for information which should remain confidential. If you want to be even more secure, apply a sensitivity label with encryption to any documents stored in the private channel and make sure that the label settings restrict access to tenant accounts.

---

The ins and outs of Azure B2B collaboration and guest account access to resources is explained in depth in the Office 365 for IT Pros eBook. Subscribe today to keep abreast of changes as they appear inside Microsoft 365.