MS-700 Study Guide

Domain 1: Configure and manage a Teams environment

  • Network Planning & Readiness
  • Security Roles, Alerts & Defender
  • Retention & Sensitivity Labels
  • DLP & Conditional Access
  • Information Barriers & Insider Risk
  • Update Policies & Policy Packages
  • Group Creation, Naming & Expiration
  • Archive, Restore & Access Reviews
  • Guest Access & External Sharing
  • Shared Channels & Cross-Tenant Access
  • Teams Phone & Resource Accounts
  • Teams Rooms & Device Management
  • PowerShell & Graph Automation

Domain 2: Manage teams, channels, chats, and apps

  • Teams Rollout & Creation Free
  • Membership, Roles & Team Settings Free
  • Channel Types & Policies Free
  • App Management & Permissions Free
  • App Extensibility & Store Free

Domain 3: Manage meetings and calling

  • Meeting Types & Settings
  • Webinars & Town Halls
  • Phone Numbers & Conferencing
  • Voice Policies & Voicemail
  • Auto Attendants & Call Routing

Domain 4: Monitor, report on, and troubleshoot Teams

  • Voice & Meeting Quality
  • Usage, Alerts & Diagnostics Tools
  • Client Logs & Diagnostics
  • Copilot & Meeting Troubleshooting

Domain 1: Configure and manage a Teams environment (~14 min read)

Guest Access & External Sharing

Teams collaboration often extends beyond your organisation. Learn how to configure guest access, external access, SharePoint sharing, and domain-specific controls across multiple admin centers.

Working with people outside your organisation

☕ Simple explanation

Your office building has two ways to let outsiders in.

Guest access is like giving someone a visitor badge — they can enter specific rooms (teams), see files, join meetings, and chat. They sign in with their own identity but appear as “Guest” in your directory. You control exactly what they can do.

External access (federation) is more like a phone call — you can chat and call someone at another company directly, but they never enter your building. They can’t see your files, channels, or team content.

Guest access uses Microsoft Entra B2B collaboration. External users are added to your Entra ID as guest accounts and granted access to specific teams. They authenticate with their own identity provider (work, school, or personal account) and access Teams content through your tenant. Guest access is configurable at multiple levels: Entra ID, M365 admin center, Teams admin center, and SharePoint admin center.

External access (federation) allows Teams users to chat and call users in other Microsoft 365 tenants without adding them as guests. No guest account is created — communication happens through federation. External access is domain-based (allow/block specific domains) and can now be scoped to specific users and groups.

Guest access vs. external access

| Feature | Guest Access | External Access (Federation) |
|---|---|---|
| How it works | User added to your Entra ID as a guest → joins specific teams | Direct chat/call between tenants — no guest account created |
| What they can do | See channels, files, participate in meetings, use apps — within the teams they're added to | Chat 1:1, group chat, call — but can't see team channels, files, or apps |
| Identity | Guest account in your Entra ID (visible in your directory) | No account in your tenant — stays in their own tenant |
| Control | Full control — CA policies, DLP, retention, sensitivity labels apply | Limited control — your policies apply to your side only |
| Best for | Long-term collaboration on shared projects | Quick conversations with external contacts |
| Admin centers | Entra ID + Teams admin center + SharePoint admin center + M365 admin center | Teams admin center (External access settings) |

Configuring guest access (multi-admin-center)

Guest access settings span four admin centers. Each controls a different layer:

Layer 1: Entra ID — who CAN be invited

Entra ID admin center → External identities → External collaboration settings

| Setting | Options | Impact |
|---|---|---|
| Guest invite restrictions | Anyone can invite / Members can invite / Only admins can invite | Controls who in your org can add guests |
| Collaboration restrictions | Allow all domains / Block specific domains / Allow only specific domains | Controls which external domains guests can come from |
| Guest user access restrictions | Same as members / Limited / Most restrictive | What guests can see in your directory |

Layer 2: M365 admin center — org-wide guest toggle

Microsoft 365 admin center → Settings → Org settings → Microsoft 365 Groups → Let group owners add people outside the organisation

This is the master switch for guest access to M365 Groups (and therefore Teams). If this is off, no guests can be added to any team.

Layer 3: Teams admin center — Teams-specific guest settings

Teams admin center → Users → Guest access

| Setting | Controls |
|---|---|
| Allow guest access | Master toggle for guest access in Teams |
| Calling | Whether guests can make 1:1 calls |
| Meeting | Whether guests can use video, screen sharing |
| Messaging | Whether guests can edit/delete messages, use GIFs, memes, stickers |

Layer 4: SharePoint admin center — file sharing

SharePoint admin center → Policies → Sharing

| Level | What It Means |
|---|---|
| Anyone | Anonymous sharing links (most permissive) |
| New and existing guests | Guests must sign in (default) |
| Existing guests only | Only guests already in your directory |
| Only people in your organisation | No external sharing (most restrictive) |

Critical exam point: Guest access requires ALL four layers to be permissive enough. If Entra blocks external domains, it doesn’t matter that Teams allows guests. The most restrictive setting wins across all layers.

Scenario: Kofi enables guest lecturers at Harbour University

Harbour University invites visiting professors from partner universities to collaborate on research teams.

Kofi configures all four layers:

  1. Entra ID: Allow invitations from members (faculty can invite guests), restrict to partner university domains only (*.partneruni.edu, *.researchinstitute.org)
  2. M365 admin center: Enable “Let group owners add external people” → ✅
  3. Teams admin center: Guest access ON, calling OFF (guests don’t need phone calls), meetings ON, messaging ON
  4. SharePoint: “New and existing guests” — guests must authenticate to access files

Faculty can now add guest lecturers to specific research teams. Guest lecturers can see channel conversations and files but can’t make Teams calls or access other teams.
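The "most restrictive setting wins" rule can be modelled as a small offline evaluator. This is an added example, not code from this guide or from Microsoft: `GuestLayers`, `evaluate_invite` and the setting strings are hypothetical names, the sample addresses are constructed, and treating the SharePoint level as affecting file access only is a modelling assumption.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch

@dataclass
class GuestLayers:
    # Layer 1: Entra ID external collaboration settings
    invite_restriction: str = "members"   # "anyone" | "members" | "admins"
    domain_mode: str = "allow_all"        # "allow_all" | "block_list" | "allow_list"
    domains: list = field(default_factory=list)
    # Layer 2: M365 admin center Groups toggle
    groups_allow_guests: bool = True
    # Layer 3: Teams admin center guest settings
    teams_guest_access: bool = True
    teams_calling: bool = True
    # Layer 4: SharePoint sharing level
    sharepoint_sharing: str = "new_and_existing_guests"

INVITER_RANK = {"guest": 0, "member": 1, "admin": 2}
REQUIRED_RANK = {"anyone": 0, "members": 1, "admins": 2}

def evaluate_invite(cfg, inviter, guest_email, in_directory=False):
    """Return (blockers, capabilities). Any single blocker denies the invite."""
    domain = guest_email.rsplit("@", 1)[-1].lower()
    # Patterns are matched as written in the scenario, e.g. "*.partneruni.edu"
    listed = any(fnmatch(domain, p.lower()) for p in cfg.domains)
    blockers = []
    if INVITER_RANK[inviter] < REQUIRED_RANK[cfg.invite_restriction]:
        blockers.append("Entra ID: inviter not permitted to invite guests")
    if (cfg.domain_mode == "allow_list" and not listed) or \
       (cfg.domain_mode == "block_list" and listed):
        blockers.append(f"Entra ID: domain {domain} not permitted")
    if not cfg.groups_allow_guests:
        blockers.append("M365 admin center: group owners cannot add guests")
    if not cfg.teams_guest_access:
        blockers.append("Teams admin center: guest access is off")
    if blockers:
        return blockers, {}
    files = (cfg.sharepoint_sharing in ("anyone", "new_and_existing_guests")
             or (cfg.sharepoint_sharing == "existing_guests_only" and in_directory))
    return [], {"channels": True, "calling": cfg.teams_calling, "files": files}

# Kofi's configuration from the scenario above
KOFI = GuestLayers(invite_restriction="members", domain_mode="allow_list",
                   domains=["*.partneruni.edu", "*.researchinstitute.org"],
                   teams_calling=False)

if __name__ == "__main__":
    for addr in ("visiting.prof@physics.partneruni.edu", "someone@gmail.com"):
        print(addr, evaluate_invite(KOFI, "member", addr))
```
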

External access (federation)

External access is configured in the Teams admin center → Users → External access.

Domain-based controls

| Configuration | Behaviour |
|---|---|
| Allow all external domains | Users can chat/call anyone in any Teams-enabled organisation |
| Allow specific domains | Only listed domains can communicate with your users |
| Block specific domains | Listed domains are blocked; all others are allowed |
| Block all external domains | No external chat/calls (most restrictive) |

User and group scoping (new feature)

You can now scope external access to specific users and groups — not just organisation-wide:

  • Allow external access with Partner Corp for the “Research Team” security group only
  • Block external access with Competitor Corp for all users
  • This provides granular control beyond the traditional all-or-nothing approach

Controlling guest access to specific teams

Beyond tenant-wide settings, you can control guest access per team:

| Method | What It Controls | How |
|---|---|---|
| Sensitivity labels | Whether the team allows guests at all | Label with “Guest access: No” prevents guests for that team |
| Team settings | Per-team guest permissions | Team settings → Guest permissions → Allow/deny create/update/delete channels |
| Microsoft Purview | Guest access to sensitive content | Sensitivity labels on the team’s SharePoint site |
| Entra CA policies | Conditions for guest access | CA policy targeting guest users with specific grant controls |

Removing guests

| Method | Scope | How |
|---|---|---|
| Remove from a team | Remove guest from one team only | Teams admin center → team → members → remove |
| Remove from tenant | Remove guest account entirely | Entra ID → Users → select guest → Delete |
| Bulk removal | Remove multiple guests | PowerShell: Remove-MgUser or Microsoft Graph API |
| Access review | Automated periodic cleanup | Entra access review (see Module 8) |

When you remove a guest from a team, their Entra guest account remains. When you delete the guest from Entra, they lose access to all teams and services. Know the difference for the exam.

Flashcards

Question

What's the difference between guest access and external access in Teams?

Answer

Guest access: user gets a guest account in your Entra ID and joins specific teams (sees channels, files, apps). External access (federation): user stays in their own tenant, can only chat/call 1:1 — no access to team content.

Question

Which four admin centers control guest access settings?

Answer

1. Entra ID (who can be invited, domain restrictions), 2. M365 admin center (group guest toggle), 3. Teams admin center (Teams-specific guest features), 4. SharePoint admin center (file sharing levels). The most restrictive setting wins.

Question

What happens when you remove a guest from a team vs. deleting their Entra guest account?

Answer

Removing from a team: they lose access to that team only, guest account remains in Entra. Deleting from Entra: they lose access to ALL teams and services in your tenant.

Knowledge Check

Harbour University's Entra ID allows guest invitations from partner university domains only. The Teams admin center has guest access enabled. A faculty member tries to invite a guest from a personal Gmail account. What happens?

Knowledge Check

Nadia needs to ensure that guests at Sterling Financial can collaborate in the 'External Audit' team but CANNOT be added to the 'Executive Strategy' team. What should she configure?


Next up: Shared Channels & Cross-Tenant Access — how shared channels, B2B direct connect, and multi-tenant organisations enable cross-organisation collaboration without guest accounts.

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.