Collaborating with Guests using Microsoft Teams

Microsoft Teams

There’s a knock at the door. After you get the dogs to stop barking, you slowly open the door to see who it is. Everybody who should be home is already there, so clearly . . . you have guests. Maybe it’s someone you’ve invited to come over to spend some time with you, enjoy your sunny back deck, and have a meal. It could be someone delivering a package or a pizza. You may let this temporary guest take a step inside until the transaction’s over, but that’s it. Worst of all, you may have a guest that is trying to sell you something – a thing, or worse yet, an idea.

In the Microsoft Teams world, we often find the need to invite people from outside the organization to communicate and collaborate with us. That usually breaks down into three scenarios – meetings, external users, and guests. Which path we take depends on the type of guest that’s come to the door.

Meetings

Meetings allow us to invite anyone with an email address for a temporary conversation. The meeting attendees just need the link and never authenticate in our tenant if the meeting policy allows anonymous users. Each meeting then stands alone without the need to give someone who’s come to the door any real access to anything on the inside.

External Users

Our only concern with external users is private chats. If we click the chat app on the left in Teams, we can communicate one on one with those outside the organization. If we want to limit that, we can do so by managing an allow-list for a set of domains. This comes in handy for regular communication with outside vendors. This is perhaps like the pizza delivery ---brief but repeatable… and we don’t have to give anyone keys to the front door.

Guests

Guest users are a little more special. We expect guests to stay a little longer and have more chances to grab a drink from the fridge or peek inside the medicine cabinets. Guests in Teams will exist in our Azure AD. We recognize them over a longer period, and they are welcome to come and go as they please to the Teams we invite them to. Guests can chat in Teams posts and collaborate on files residing in SharePoint.

Guest access needs to be enabled at the tenant level and for Teams. You can decide whether IT admins only can add guests to Azure AD, or you can choose to allow users in a guest inviter role or team owners to add guests. Once a guest exists in your Azure AD, they can be added to multiple Teams within your tenant and outside of Teams in SharePoint, OneDrive, PowerBI, and most other Office 365 services.

Recommendations

For organizations that require a high degree of security and compliance, KiZAN has several recommendations to evaluate before enabling guest access.

1. Consider an Allow-list of authorized domains consisting of organizations that have the necessary NDA’s/MSA’s in place with your organization, rather than the default of allowing any domain. Manage guest access to Microsoft 365 groups | Microsoft Docs
1. Note that this domain list needs to be manually replicated to SharePoint Online’s allow list as well, as they don’t read from the same source currently.
2. Create a Conditional Access policy for Guest Users specific to Teams and SharePoint (where Teams’ files are stored).
1. Remove the standard Intune and/or network location requirements and instead deploy App Enforced Restrictions in SharePoint Online which prevent users from downloading files to non-managed devices. Instead, grant guests browser-only access to view and edit the files.
2. Deploy a separate CA policy to block guest users from any system beyond the original request (e.g., Outlook, Power BI, etc.). Your organization may not be ready to support guests in these systems even though they are Azure AD authenticated.
3. Consider who should be allowed to “invite” guest users into your organization.
1. The default is to allow any internal employee to invite a guest (from the allow list of domains noted in #1 above).
1. Note 1: you may also want to ensure that guests can’t invite other guests. Many organizations prefer that their employees be the guest-inviters.
2. Note 2: The “Guest Inviter” role can be assigned to specific business users in your organization.
2. Additionally, you can also block all non-administrators from direct invitations and delegate this role to an AIM requested process overseen by IT.
4. Consider a “Guest clean-up” process to remove guest accounts from your Azure AD after a period of inactivity (based on the “Last sign-in date” attribute that became available in April 2020. If you see a blank value here, it’s been a while since the guest logged in.) This would need to be scripted out but is relatively straightforward to execute.
5. Consider the “One-Time Password” configuration option. This is currently supported in SharePoint Online and OneDrive. Teams’ functionality for this feature is expected in the coming months)
   
   One-time passcode authentication for B2B guest users - Azure AD | Microsoft Docs

Advanced Recommendation

A bit more complex than the previous recommendations, but KiZAN also generally recommends enabling Sensitivity Labeling on Microsoft 365 Groups and Sites. This allows the application of more granular controls to Teams based on their label.

Maybe we’ve all been a little hesitant in letting others into our homes lately. Inviting guests over can be a great experience as long as we take the right precautions and know who we’re opening the door for in the first place.