Monday, December 7, 2020

Authorize guest access in Microsoft Teams

To enable and manage guest access in Teams, you must have Global Administrator or Teams Administrator privileges. Once guest access is turned on, it will take 2–24 hours for the change to take full effect across your Microsoft 365 tenant.

There are four separate configuration portals you can use to manage guest access in Teams. Each portal controls a distinct authorization level of the guest experience:

  • Azure AD — Authorizes guest access at the directory, tenant and application levels.
  • Microsoft 365 Groups — Authorizes guest access to Microsoft 365 groups and Teams (each team in Teams is built on an underlying Microsoft 365 group)
  • Microsoft Teams — Authorizes guest access to Teams only
  • SharePoint Online and OneDrive for Business: Authorizes guest access to SharePoint, OneDrive, Microsoft 365 groups, and Teams (the SharePoint configuration governs the file-sharing experience for guests in Teams)

The guest access configuration in each portal has dependencies and effects on the configuration in other portals, according to the authorization level. For example, if you disable external sharing at the Azure AD level, guest access will be disabled in Teams. If you enable sharing in Azure AD and guest access in the Teams admin center but disable external sharing in SharePoint, guests can join a team but will have limited access to shared team files.


Guests are subject to the service limits described in Microsoft 365 and Office 365 service descriptions and Limitations of Azure AD B2B collaboration.

The following diagram shows how guest access authorization dependency is granted and integrated between Azure Active Directory, Teams, and Microsoft 365.

How to Configure Guest Access in the Teams Admin Centre

Take the following steps to enable and set guest permissions in the Teams admin center:

  1. Log in to the Teams admin center using Teams Administrator privileges.
  2. Navigate to Org-wide settings > Guest access.
  3. Switch the Allow guest access in Microsoft Teams toggle to On. This setting enables guest access capabilities.
  4. Use the controls under the Calling, Meeting and Messaging sections to fine-tune the specific capabilities granted to guests. Configurable capabilities include:
  • Private peer-to-peer calls
  • Use of IP video in calls and meetings
  • Screen sharing
  • Meet Now (lets users start a meeting immediately from the context of a conversation)
  • Editing of sent messages
  • Chat
  • Giphy (lets users share animated GIFs of a specified content rating)
  • Meme usage in conversations
  • Sticker usage in conversations
  5. Click Save to apply the configuration.
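The same org-wide switch and per-section guest controls can be set from the MicrosoftTeams PowerShell module; the block below is an added example, not from the original post, and assumes a module version that exposes the Cs* cmdlets after Connect-MicrosoftTeams and an account holding the Teams Administrator role.

```powershell
# Added example: configure guest access as described in the admin center steps,
# then read the settings back. Assumes the MicrosoftTeams module is installed.
Connect-MicrosoftTeams

# Org-wide settings > Guest access > "Allow guest access in Microsoft Teams"
Set-CsTeamsClientConfiguration -Identity Global -AllowGuestUser $true

# Calling section: private peer-to-peer calls
Set-CsTeamsGuestCallingConfiguration -Identity Global -AllowPrivateCalling $true

# Meeting section: IP video, screen sharing mode, Meet Now
Set-CsTeamsGuestMeetingConfiguration -Identity Global `
    -AllowIPVideo $true `
    -ScreenSharingMode EntireScreen `
    -AllowMeetNow $false

# Messaging section: a conservative baseline for guests
# (GiphyRatingType accepts Strict, Moderate or NoRestriction)
Set-CsTeamsGuestMessagingConfiguration -Identity Global `
    -AllowUserEditMessage $true `
    -AllowUserChat $true `
    -AllowGiphy $true `
    -GiphyRatingType Strict `
    -AllowMemes $false `
    -AllowStickers $false

# Verify the stored policy. Allow 2-24 hours before expecting the change
# to be visible everywhere in the tenant.
Get-CsTeamsClientConfiguration -Identity Global | Select-Object AllowGuestUser
Get-CsTeamsGuestCallingConfiguration -Identity Global
Get-CsTeamsGuestMeetingConfiguration -Identity Global
Get-CsTeamsGuestMessagingConfiguration -Identity Global
```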

External Access in Microsoft Teams

By default, external access is fully enabled in Teams tenant-wide. The default setting of “open federation” allows Teams users in any external domain to find and contact team members in your organization using an email address.

The three external access configurations are:

  • Open federation (default setting) — Permits external access from any domain
  • Allow specific domains — Allows external access from the specified domains only
  • Block specific domains — Blocks external access from the specified domains and allows access from all other domains

To change the external access configuration from the default setting, take these steps:

  1. In the Microsoft Teams admin centre, go to Org-wide settings > External access.
  2. Switch the Users can communicate with other Skype for Business and Teams users toggle to On.
  3. To allow or block specific domains, click Add domain. Specify the name of the domain and add it to the Allow or Block list.
  4. Save your changes. You have just configured the outgoing federation.
  5. Work with Teams administrators in other organizations to configure the incoming federation. For example, make sure they add your business domain to their Allow list.
  6. Test the configuration by using the Teams app to find and send a chat request to a federated external Teams user, and have the external user send a Teams chat request to you. If you each receive the requests, you know the federation has been configured successfully.
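The outgoing federation change from steps 2 to 4 can also be scripted, which makes the allow list easy to review and version. This is an added example, not from the original post; it assumes the MicrosoftTeams module with Teams Administrator rights, and the partner domain names are placeholders.

```powershell
# Added example: move the tenant from open federation to an allow list of
# specific domains, then verify. Domain names below are placeholders.
Connect-MicrosoftTeams

# Step 2: keep communication with other Teams / Skype for Business tenants on
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true

# Step 3: build the Allow list. Replacing the default "all known domains"
# entry with an explicit list means every unlisted domain is blocked.
$partners = @("partner-a.example", "partner-b.example") | ForEach-Object {
    New-CsEdgeDomainPattern -Domain $_
}
$allowList = New-CsEdgeAllowList -AllowedDomain $partners
Set-CsTenantFederationConfiguration -AllowedDomains $allowList

# Step 4: confirm the saved configuration. AllowedDomains should list exactly
# the partner domains; steps 5 and 6 (partner-side config and a test chat)
# still have to be done with the other organization.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains

# Alternative "Block specific domains" mode: restore the all-domains allow
# entry and put the unwanted domains on the Block list instead.
# Set-CsTenantFederationConfiguration -AllowedDomains (New-CsEdgeAllowAllKnownDomains)
# $blocked = New-CsEdgeDomainPattern -Domain "unwanted.example"
# Set-CsTenantFederationConfiguration -BlockedDomains @{Add=$blocked}
```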

Guest access in Microsoft Teams

Guest access — Allows users from outside the organization to become nearly full-fledged team members who can make calls, participate in chats, set up meetings and access shared files. Team owners can add guests on an individual basis. Use guest access when you want to grant an external user access to the same Teams activities, channels and shared resources as native team members.

Guest access is a tenant-wide capability in Teams that is disabled by default.

When guest access is enabled, anyone outside your organization who has a business or consumer email account can become a guest. Eligible guests receive an email invitation from the team owner. Once they redeem the invitation by clicking Open Microsoft Teams, they get added to the team with guest user permissions.

Guests can chat, make calls and participate in channel conversations. They can also create channels and share files. However, guests don’t have access to other functions available to team members of the organization, like OneDrive for Business and the Teams calendar.

Team owners can add as many guests as they wish, up to the limit defined by your Azure Active Directory (Azure AD) license. Guest access is governed by service limits in Azure AD and Microsoft 365 (formerly known as Office 365).

For security, Microsoft covers Teams guest accounts with the same compliance and auditing protection used elsewhere in Microsoft 365.

To set up guest access

Guest access in Teams requires configuring other settings in Microsoft 365, including settings in Azure AD, Microsoft 365 Groups, and SharePoint. If you're ready to start inviting guests to teams, read one of the following:

Guest access in Teams is an organization-wide setting and is turned off by default. You can control guest access to individual teams by using sensitivity labels.

How a guest becomes a member of a team

  1. A team owner or a Microsoft 365 admin adds a guest to a team.
  2. The guest receives a welcome email from the team owner, with information about the team and what to expect now that they're a member.
  3. The guest accepts the invitation. Guest users who have a work or school account in Azure Active Directory can accept the invitation and authenticate directly. Other users are sent a one-time passcode to validate their identity (one-time passcode authentication is required).
  4. After accepting the invitation, the guest can participate in teams and channels, receive and respond to channel messages, access files in channels, participate in chats, join meetings, collaborate on documents, and more.

In Teams, guests are clearly identified. A guest user's name includes the label (Guest), and a channel includes an icon to indicate that there are guests on the team. For more details, see What the guest experience is like.

Guests can leave the team at any time from within Teams. For details, see How do I leave a team?


Leaving the team doesn't remove the guest account from your organization's directory. This must be done by a Microsoft 365 global admin or an Azure AD admin.

Licensing for guest access

Guest access is included with all Microsoft 365 Business Standard, Microsoft 365 Enterprise, and Microsoft 365 Education subscriptions. No additional Microsoft 365 license is necessary. Teams doesn't restrict the number of guests you can add. However, the total number of guests that can be added to your tenant may be restricted by the paid features of Azure AD.

Wednesday, January 1, 2020

Search the audit log for events in Microsoft Teams

The audit log can help you investigate specific activities across Office 365 services. For Teams, here are some of the activities that are audited:
  • Team creation
  • Team deletion
  • Added channel
  • Changed setting

To see the complete list of activities that are audited in Office 365, read Search the audit log in the Office 365 Security & Compliance Center.

Turn on auditing in Teams

Before you can look at audit data, you have to first turn on auditing in the Security & Compliance Center. For help turning on auditing, read Turn Office 365 audit log search on or off. To enable the audit log in your tenant, in the Office 365 Admin Portal browse to the Security & Compliance Admin Center -> Search & investigation -> Audit log search. Click Start recording user and admin activities then click Turn On:

Audit data is only available from the point at which you turned on Auditing.

Retrieve Teams data from the audit log
  1. To retrieve audit logs, go to the Security & Compliance Center. Under Search, select Audit log search.
  2. Sign in to Office 365 using your work account.
  3. In the left pane of the Security & Compliance Center, click Search, and then click Audit log search.
  4. Use Search to filter by the activities, dates, and users you want to audit.
  5. Export your results to Excel for further analysis.

You have to first turn on audit logging before you can run an audit log search. If the Start recording user and admin activity link is displayed, click it to turn on auditing. If you don't see this link, auditing has already been turned on for your organization.
If you're using the maximum date range of 90 days, select the current time for the Start date. Otherwise, you'll receive an error saying that the start date is earlier than the end date. If you've turned on auditing within the last 90 days, the maximum date range can't start before the date that auditing was turned on.
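The same Teams activities can be pulled from the unified audit log with Exchange Online PowerShell, which is more repeatable than the portal search and respects the 90-day window described above. This is an added example, not from the original post; it assumes the ExchangeOnlineManagement module, an account with audit log search permission, and that auditing is already turned on.

```powershell
# Added example: retrieve the four Teams activities listed above, flatten the
# JSON AuditData and export to CSV for review in Excel.
Connect-ExchangeOnline

# The searchable window is at most 90 days and cannot start before the day
# auditing was turned on.
$end   = Get-Date
$start = $end.AddDays(-90)
$ops   = @("TeamCreated", "TeamDeleted", "ChannelAdded", "TeamSettingChanged")

# One call returns at most 5,000 records; page with a session id until a
# page comes back short.
$events = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType MicrosoftTeams -Operations $ops `
        -SessionId "teams-review" -SessionCommand ReturnLargeSet -ResultSize 5000
    $events += $page
} while ($page -and $page.Count -eq 5000)

# AuditData is a JSON string; expand the fields a reviewer needs
$report = $events | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $_.CreationDate
        Operation = $_.Operations
        Actor     = $_.UserIds
        Team      = $d.TeamName
        Channel   = $d.ChannelName
        ClientIP  = $d.ClientIP
    }
}

# Export for further analysis (step 5 above)
$report | Sort-Object Time | Export-Csv -Path .\teams-audit.csv -NoTypeInformation

# Quick triage: who deleted teams, and from where
$report | Where-Object Operation -eq "TeamDeleted" |
    Format-Table Time, Actor, Team, ClientIP -AutoSize
```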

Here's the process for searching the audit log in Office 365.

Recover deleted Teams

In Microsoft Teams, team owners can delete a team, and sometimes a team is deleted accidentally. When a team is deleted, it is held in the "recycle bin" for 30 days before it is permanently deleted. Below is the process for restoring a deleted team in Microsoft Teams.

  • Once a team is deleted, the option to recover it exists for up to 30 days
  • All of it (channels, files, tabs, etc.) will reappear as it was before
  • Restore can take up to 4 hours
  • To restore, from the Exchange admin center, select Recipients, then Groups
  • Locate the group (only if soft deleted)
  • Select the group and choose Restore

Confirm that the recently deleted team shows on the list and select it

On the right-hand side menu, click the “Click here to restore” option

Confirm the restoration request

Launch PowerShell as an administrator. Note: at the time of this writing, this restore procedure requires the AzureADPreview module to be installed. To install, simply type Install-Module AzureADPreview and follow the prompts.
IMPORTANT: When a team is created in Microsoft Teams, it creates an Office 365 group. This procedure is the process for restoring an Office 365 group and is documented in more detail here.

       PowerShell commands to restore (connect to Azure AD first)
                Connect-AzureAD
                Get-AzureADMSDeletedGroup     (make note of the Id of the deleted group)
                Restore-AzureADMSDeletedDirectoryObject -Id <objectID>

MS Teams Data Storage

Conversation Storage
Chat: Most chats are stored in memory. Chat uses Azure storage (blobs, tables, and queues), and is moving to Cosmos DB (one-on-one chats and group chats are in Cosmos DB already).
Substrate/Exchange: All the chat and channel messages are stored in Exchange for information protection purposes.
Conversation Images & Media: Inline images and other media are stored separately (Giphys aren’t stored).

File Storage
1-1 Chats: Any files shared in these chats are stored in the OneDrive for Business of the person who posted it, and permissions are set for members of the chat to read it.
Team Conversations: These are uploaded to SharePoint, and there’s a folder associated with each channel in the appropriate Team.
Cloud Storage: Microsoft Teams supports Dropbox, Box, Citrix ShareFile, and Google Drive as cloud storage service options.

Clean the Microsoft Teams Client Cache

Clearing the Teams client cache is the first step to troubleshooting. The trouble is, the cache for Teams isn’t in one place or even a single directory. It’s split in multiple directories and even Internet Explorer and Chrome cache locations.

Fully exit the Microsoft Teams desktop client. To do this, either right click Teams from the Icon Tray and select ‘Quit’, or run Task Manager and fully kill the process.

These locations are:
  • %AppData%\Microsoft\teams\application cache\cache
  • %AppData%\Microsoft\teams\blob_storage
  • %AppData%\Microsoft\teams\databases
  • %AppData%\Microsoft\teams\cache
  • %AppData%\Microsoft\teams\gpucache
  • %AppData%\Microsoft\teams\Indexeddb
  • %AppData%\Microsoft\teams\Local Storage
  • %AppData%\Microsoft\teams\tmp
  • %LocalAppData%\Google\Chrome\User Data\Default\Cache
  • %LocalAppData%\Google\Chrome\User Data\Default\Web Data
  • %LocalAppData%\Google\Chrome\User Data\Default\Cookies
  • Internet Explorer Cookies
  • Internet Explorer Temporary Internet Files
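A script that quits the client and empties the Teams directories above, with -WhatIf support so the deletions can be previewed, is an added example and not from the original post. It assumes the default per-user install path under %AppData% and leaves the Chrome and Internet Explorer locations to be cleared from the browser itself.

```powershell
# Added example: quit Microsoft Teams and clear its cache directories.
# Run as: .\Clear-TeamsCache.ps1 -WhatIf   (preview)   or without -WhatIf.
[CmdletBinding(SupportsShouldProcess)]
param()

$teamsRoot = Join-Path $env:APPDATA "Microsoft\Teams"
$cacheDirs = @(
    "application cache\cache",
    "blob_storage",
    "databases",
    "cache",
    "gpucache",
    "Indexeddb",
    "Local Storage",
    "tmp"
)

# Fully exit the client first; the cache files stay locked while Teams runs
$teams = Get-Process -Name Teams -ErrorAction SilentlyContinue
if ($teams) {
    $teams | Stop-Process -Force
    # Give the process a moment to release its file handles
    Start-Sleep -Seconds 3
}

foreach ($dir in $cacheDirs) {
    $path = Join-Path $teamsRoot $dir
    if (-not (Test-Path -LiteralPath $path)) { continue }
    if ($PSCmdlet.ShouldProcess($path, "Remove cached contents")) {
        # Empty the directory rather than deleting it, so the folder layout
        # the client expects is still present on next start
        Get-ChildItem -LiteralPath $path -Force |
            Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
    }
}
```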