Guest Access & External Sharing
Teams collaboration often extends beyond your organisation. Learn how to configure guest access, external access, SharePoint sharing, and domain-specific controls across multiple admin centers.
Working with people outside your organisation
Your office building has two ways to let outsiders in.
Guest access is like giving someone a visitor badge β they can enter specific rooms (teams), see files, join meetings, and chat. They sign in with their own identity but appear as βGuestβ in your directory. You control exactly what they can do.
External access (federation) is more like a phone call β you can chat and call someone at another company directly, but they never enter your building. They canβt see your files, channels, or team content.
Guest access vs. external access
| Feature | Guest Access | External Access (Federation) |
|---|---|---|
| How it works | User added to your Entra ID as a guest β joins specific teams | Direct chat/call between tenants β no guest account created |
| What they can do | See channels, files, participate in meetings, use apps β within the teams they're added to | Chat 1:1, group chat, call β but can't see team channels, files, or apps |
| Identity | Guest account in your Entra ID (visible in your directory) | No account in your tenant β stays in their own tenant |
| Control | Full control β CA policies, DLP, retention, sensitivity labels apply | Limited control β your policies apply to your side only |
| Best for | Long-term collaboration on shared projects | Quick conversations with external contacts |
| Admin centers | Entra ID + Teams admin center + SharePoint admin center + M365 admin center | Teams admin center (External access settings) |
Configuring guest access (multi-admin-center)
Guest access settings span four admin centers. Each controls a different layer:
Layer 1: Entra ID β who CAN be invited
Entra ID admin center β External identities β External collaboration settings
| Setting | Options | Impact |
|---|---|---|
| Guest invite restrictions | Anyone can invite / Members can invite / Only admins can invite | Controls who in your org can add guests |
| Collaboration restrictions | Allow all domains / Block specific domains / Allow only specific domains | Controls which external domains guests can come from |
| Guest user access restrictions | Same as members / Limited / Most restrictive | What guests can see in your directory |
Layer 2: M365 admin center β org-wide guest toggle
Microsoft 365 admin center β Settings β Org settings β Microsoft 365 Groups β Let group owners add people outside the organisation
This is the master switch for guest access to M365 Groups (and therefore Teams). If this is off, no guests can be added to any team.
Layer 3: Teams admin center β Teams-specific guest settings
Teams admin center β Users β Guest access
| Setting | Controls |
|---|---|
| Allow guest access | Master toggle for guest access in Teams |
| Calling | Whether guests can make 1:1 calls |
| Meeting | Whether guests can use video, screen sharing |
| Messaging | Whether guests can edit/delete messages, use GIFs, memes, stickers |
Layer 4: SharePoint admin center β file sharing
SharePoint admin center β Policies β Sharing
| Level | What It Means |
|---|---|
| Anyone | Anonymous sharing links (most permissive) |
| New and existing guests | Guests must sign in (default) |
| Existing guests only | Only guests already in your directory |
| Only people in your organisation | No external sharing (most restrictive) |
Critical exam point: Guest access requires ALL four layers to be permissive enough. If Entra blocks external domains, it doesnβt matter that Teams allows guests. The most restrictive setting wins across all layers.
Scenario: Kofi enables guest lecturers at Harbour University
Harbour University invites visiting professors from partner universities to collaborate on research teams.
Kofi configures all four layers:
- Entra ID: Allow invitations from members (faculty can invite guests), restrict to partner university domains only (*.partneruni.edu, *.researchinstitute.org)
- M365 admin center: Enable βLet group owners add external peopleβ β β
- Teams admin center: Guest access ON, calling OFF (guests donβt need phone calls), meetings ON, messaging ON
- SharePoint: βNew and existing guestsβ β guests must authenticate to access files
Faculty can now add guest lecturers to specific research teams. Guest lecturers can see channel conversations and files but canβt make Teams calls or access other teams.
External access (federation)
External access is configured in the Teams admin center β Users β External access.
Domain-based controls
| Configuration | Behaviour |
|---|---|
| Allow all external domains | Users can chat/call anyone in any Teams-enabled organisation |
| Allow specific domains | Only listed domains can communicate with your users |
| Block specific domains | Listed domains are blocked; all others are allowed |
| Block all external domains | No external chat/calls (most restrictive) |
User and group scoping (new feature)
You can now scope external access to specific users and groups β not just organisation-wide:
- Allow external access with Partner Corp for the βResearch Teamβ security group only
- Block external access with Competitor Corp for all users
- This provides granular control beyond the traditional all-or-nothing approach
Controlling guest access to specific teams
Beyond tenant-wide settings, you can control guest access per team:
| Method | What It Controls | How |
|---|---|---|
| Sensitivity labels | Whether the team allows guests at all | Label with βGuest access: Noβ prevents guests for that team |
| Team settings | Per-team guest permissions | Team settings β Guest permissions β Allow/deny create/update/delete channels |
| Microsoft Purview | Guest access to sensitive content | Sensitivity labels on the teamβs SharePoint site |
| Entra CA policies | Conditions for guest access | CA policy targeting guest users with specific grant controls |
Removing guests
| Method | Scope | How |
|---|---|---|
| Remove from a team | Remove guest from one team only | Teams admin center β team β members β remove |
| Remove from tenant | Remove guest account entirely | Entra ID β Users β select guest β Delete |
| Bulk removal | Remove multiple guests | PowerShell: Remove-MgUser or Microsoft Graph API |
| Access review | Automated periodic cleanup | Entra access review (see Module 8) |
When you remove a guest from a team, their Entra guest account remains. When you delete the guest from Entra, they lose access to all teams and services. Know the difference for the exam.
π¬ Video walkthrough
π¬ Video coming soon
Guest Access & External Sharing β MS-700 Module 9
Guest Access & External Sharing β MS-700 Module 9
~12 minFlashcards
Knowledge Check
Harbour University's Entra ID allows guest invitations from partner university domains only. The Teams admin center has guest access enabled. A faculty member tries to invite a guest from a personal Gmail account. What happens?
Nadia needs to ensure that guests at Sterling Financial can collaborate in the 'External Audit' team but CANNOT be added to the 'Executive Strategy' team. What should she configure?
Next up: Shared Channels & Cross-Tenant Access β how shared channels, B2B direct connect, and multi-tenant organisations enable cross-organisation collaboration without guest accounts.