External Sharing in Microsoft Teams

Microsoft Teams security considerations for mobile messaging collaboration tools

External sharing is indispensable for collaboration in most companies. Office 365 offers very fine-grained controls for setting it up. However, these controls are distributed across multiple Admin Centers, so setting up external sharing can be a little worrisome for administrators.

There are controls at the highest level that affect everything below. But the closer you get to each group, team, and site, the finer the controls are, and you may not have been aware of them before.
It’s very likely that your users will need to collaborate with someone outside the company at some point. If you don’t have an existing system for external sharing, you are leaving it to your users to decide when and how to share content externally. The risk may not be obvious yet, but once data leaves your system, you lose all control over where it goes. Do you really know what happens to your data once it is in the hands of external users?

External access vs. guest access

It is important to know exactly where and how to configure these functions in Azure AD, Microsoft Teams, SharePoint Online and OneDrive for Business. In the user interface of your Teams Admin Center you may notice the term “External Access”. There is a subtle but important difference between external access and guest access:

  • External access (federation) is granted for an entire domain. A participant can only use federated chat with one other user at a time and has no access to the teams or team resources of the inviting company.
  • Guest access gives an individual the ability to access resources such as channel conversations and files.

Since we are dealing with external sharing here, our focus is on granting guest access.
As an Office 365 Admin you should be able to access the Azure Active Directory Portal directly via a link in your Admin Center. Here you can view your guest users, create new ones and manage the sharing settings for your B2B guest users.

How to handle it

In your organizational relationship (i.e. B2B) settings, you can set these controls more precisely. Should guest users be able to search the directory? Do you want to allow members or owners to invite guests? You’ll also find settings for one-time access codes sent to guests by email and for collaboration restrictions by domain.
For external sharing in Microsoft Teams, the first step is to enable this feature for Office 365.

You can enable your sharing settings in the Microsoft 365 Admin Center under Settings → Security and Privacy. You must then enable sharing at the Office 365 Groups level as well.
Go to “Services and Add-ins” in the Office 365 Group Settings. Here you will find two options:

  • Should guests be granted access to groups?
  • Are owners allowed to add these guests?

If you select the first option but not the second, your operations or AD team must add all guest users in both the directory and each group. This requires a lot of manual work, but provides more security if you are uncomfortable with the idea of allowing group owners to invite guest users.

Finally, we come to the Microsoft Teams Admin Center. From there, go to Organization-wide settings → Guest access → Enable guest access in Teams. After enabling this setting, you can further fine-tune how guests can use the service (e.g. can they delete messages? Can they use GIFs?). Allow a few hours for the setting to take effect.

If you want SharePoint to transfer your settings for external shares to Azure B2B, proceed as follows:

  • In the Microsoft 365 Admin Center, go to Settings → Services and add-ins → SharePoint
  • Set the “Users can share with:” option to “Only existing guests”.

If, on the other hand, you want SharePoint to function independently of Azure B2B and have its own list of external shares, proceed as follows:

  • In the Microsoft 365 Admin Center, go to Settings → Services and add-ins → SharePoint
  • Set the “Users can share with:” option to “Everyone”

This allows all users, even anonymous users, to use SharePoint.
Further fine-tuning can be done via the guest access settings for each site.
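
The settings walked through above live in four places, and a restrictive value in a higher layer overrides whatever is configured below it. The following PowerShell is an added example, not code from this article or from Microsoft: it checks a snapshot of those four layers and reports which one blocks guests or opens anonymous sharing. The function name `Test-GuestSharingChain` and the sample values are hypothetical; the property names are the ones returned by the read-only cmdlets listed in the comments.

```powershell
# Added example: evaluates a snapshot of the four layers described in this article.
# Property names match what these read-only sources return in a live tenant:
#   Get-MgPolicyAuthorizationPolicy  -> AllowInvitesFrom
#   Group.Unified directory setting  -> AllowGuestsToAccessGroups, AllowToAddGuests
#   Get-CsTeamsClientConfiguration   -> AllowGuestUser
#   Get-SPOTenant                    -> SharingCapability
function Test-GuestSharingChain {   # hypothetical helper name
    param([Parameter(Mandatory)][hashtable]$Tenant)

    $findings = [System.Collections.Generic.List[string]]::new()
    $blocked  = $false

    if ($Tenant.AllowInvitesFrom -eq 'none') {
        $findings.Add('Azure AD: nobody can invite guests; only existing guest accounts work.')
    } elseif ($Tenant.AllowInvitesFrom -eq 'everyone') {
        $findings.Add('Azure AD: guests themselves can invite further guests.')
    }
    if (-not $Tenant.AllowGuestsToAccessGroups) {
        $blocked = $true
        $findings.Add('Groups: guests cannot access groups, which blocks team membership.')
    } elseif (-not $Tenant.AllowToAddGuests) {
        $findings.Add('Groups: owners cannot add guests; admins must add them to each group.')
    }
    if (-not $Tenant.AllowGuestUser) {
        $blocked = $true
        $findings.Add('Teams: guest access is switched off organization-wide.')
    }
    switch ($Tenant.SharingCapability) {
        'Disabled' { $findings.Add('SharePoint: external sharing is off; guests cannot open team files.') }
        'ExternalUserAndGuestSharing' { $findings.Add('SharePoint: anonymous links are allowed ("Everyone").') }
    }
    [pscustomobject]@{
        GuestsCanJoinTeams = -not $blocked
        Findings           = $findings
    }
}

# Constructed sample values, not taken from a real tenant.
$sample = @{
    AllowInvitesFrom          = 'adminsAndGuestInviters'
    AllowGuestsToAccessGroups = $true
    AllowToAddGuests          = $false
    AllowGuestUser            = $true
    SharingCapability         = 'ExternalUserAndGuestSharing'
}
$result = Test-GuestSharingChain -Tenant $sample
"Guests can join teams: $($result.GuestsCanJoinTeams)"
$result.Findings
```

To check a live tenant, fill the hashtable from the cmdlets named in the comments instead of the constructed sample; all of them only read configuration.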
