To enable and manage guest access in Teams, you must have Global Administrator or Teams Administrator privileges. Once guest access is turned on, it will take 2–24 hours for the change to take full effect across your Microsoft 365 tenant.
There are four separate configuration portals you can use to manage guest access in Teams. Each portal controls a distinct authorization level of the guest experience:
- Azure AD — Authorizes guest access at the directory, tenant and application levels.
- Microsoft 365 Groups — Authorizes guest access to Microsoft 365 groups and Teams (each team in Teams is built on an underlying Microsoft 365 group)
- Microsoft Teams — Authorizes guest access to Teams only
- SharePoint Online and OneDrive for Business: Authorizes guest access to SharePoint, OneDrive, Microsoft 365 groups, and Teams (the SharePoint configuration governs the file-sharing experience for guests in Teams)
The guest access configuration in each portal has dependencies and effects on the configuration in other portals, according to the authorization level. For example, if you disable external sharing at the Azure AD level, guest access will be disabled in Teams. If you enable sharing in Azure AD and guest access in the Teams admin center but disable external sharing in SharePoint, guests can join a team but will have limited access to shared team files.
The following diagram shows how guest access authorization dependency is granted and integrated between Azure Active Directory, Teams, and Microsoft 365.
Take the following steps to enable and set guest permissions in the Teams admin center:
- Log in to the Teams admin center using Teams Administrator privileges.
- Navigate to Org-wide settings > Guest access.
- Switch the Allow guest access in Microsoft Teams toggle to On. This setting enables guest access capabilities.
- Use the controls under the Calling, Meeting and Messaging sections to fine-tune the specific capabilities granted to guests. Configurable capabilities include:
- Private peer-to-peer calls
- Use of IP video in calls and meetings
- Screen sharing
- Meet Now (lets users start a meeting immediately from the context of a conversation)
- Editing of sent messages
- Giphy (lets users share animated GIFs of a specified content rating)
- Meme usage in conversations
- Sticker usage in conversations
- Click Save to apply the configuration.
By default, external access is fully enabled in Teams tenant-wide. The default setting of “open federation” allows Teams users in any external domain to find and contact team members in your organization using an email address.
The three external access configurations are:
- Open federation (default setting) — Permits external access from any domain
- Allow specific domains — Allows external access from the specified domains only
- Block specific domains — Blocks external access from the specified domains and allows access from all other domains
To change the external access configuration from the default setting, take these steps:
- In the Microsoft Teams admin centre, go to Org-wide settings > External access.
- Switch the Users can communicate with other Skype for Business and Teams users toggle to On.
- To allow or block specific domains, click Add domain. Specify the name of the domain and add it to the Allow or Block list.
- Save your changes. You have just configured the outgoing federation.
- Work with Teams administrators in other organizations to configure the incoming federation. For example, make sure they add your business domain to their Allow list.
- Test the configuration by using the Teams app to find and send a chat request to a federated external Teams user, and have the external user send a Teams chat request to you. If you each receive the requests, you know the federation has been configured successfully.