Changes are coming to Microsoft Teams Guest Access. On February 8, 2021, Microsoft is turning on Guest Access in Microsoft Teams by default for any customers who have not configured this setting. In this post, we’ll cover everything you need to know about Guest Access in Microsoft Teams and outline the steps you can take to prepare for the update.
Who will be impacted by this change?
If your organization uses Microsoft Teams, you’ll be impacted by this change if you have:
- Enabled Guest Access in Azure and Microsoft 365, but not for your Microsoft Teams sites
- Disabled Guest Access for Microsoft Teams only
Who should be aware of the change?
Information managers, security architects, tenant owners and Teams admins in affected organizations should be aware of this change.
When will these changes be rolled out?
These changes will be deployed to all Microsoft Teams tenants on February 8, 2021.
What is Guest Access in Microsoft Teams?
Guest Access allows you to add members of other organizations into your Microsoft Teams, where they have access to certain Team resources like files and conversations. It is for collaboration and sharing resources stored within a Team.
Guest access is not meant to be used for chatting with users from other organizations – that is External Access.
Where can I find the Guest Access setting?
Microsoft Teams was the odd one out as far as Guest Access default configuration setting goes. What do we mean by that? For Microsoft 365 workloads provisioned in a new tenant, the default setting is to enable Guest Access; in Microsoft Teams, Guest Access is disabled by default.
If you were a Teams admin, you were used to seeing a toggle for Guest Access under “Org-wide settings – Guest Access” in the Microsoft Teams admin center, as shown here:
A few days ago, that changed. Now in the Teams admin center, under “Org-wide settings – Guest Access,” a Microsoft Teams admin sees this:
The default set value is “Service default: Off,” unless you have Guest Access enabled, in which case it will be set to “On.”
On February 8, 2021, the “Service default: Off” option will be changed to “On” as the default option, which will enable Guest Access for Microsoft Teams.
We see four scenarios unfolding from this update. You can find out which scenario applies to your organization and follow our recommendations to prepare for the upcoming changes.Scenario 1: If you have Guest Access currently enabled, no further action is required.
Scenario 2: If you have Guest Access currently disabled and want to keep that configuration, you’ll need to complete these steps before February 8, 2021.
- Go to “Microsoft Teams admin center – Org-wide settings – Guest access.”
- Change the “Allow guest access in Teams” setting from “Service default: Off” to “Off.”
This change will confirm that Microsoft’s updates will not affect your organization.
Scenario 3: If you have Guest Access currently disabled and want to keep the tenant configuration in alignment with Microsoft default settings, no immediate action is required. However, your organization will be the most impacted by this upcoming change. After February 8, 2021, Guest Access will be enabled and your organization’s users will be able to add guests to their existing or future Team sites.
- Review the Guest Access configuration settings in the Microsoft Teams admin center to make sure the default settings for Guest Calling, Meetings and Messaging align with your organization’s governance and policies. Briefly the default settings are:
- Review your External Collaboration settings in Azure Active Directory:
- Confirm that your current configuration aligns with your organization’s security policies for Guest Access for the services where it’s currently being used and for Microsoft Teams after February 8, 2021.
- Review your Microsoft 365 Groups configuration under “Microsoft 365 admin center – Settings – Org settings – Microsoft 365 Groups”:
- Confirm these are still valid in the context of Microsoft Teams and all other Microsoft 365 services–leveraging Groups.
- Review the Sharing settings under “Microsoft 365 admin center – Settings – Org settings – Security and Privacy – Sharing”:
- Confirm who can add guest users in the organization.
- Check that these settings are still correct within the context of your organization’s current and future Microsoft Teams usage.
- If you have Guest Access enabled for other services in Microsoft 365, this is a good opportunity and reminder to review your processes around guest provisioning/invite, approval and lifecycle.
Scenario 4: If you had guest access for Microsoft Teams enabled at some point but disabled it while leaving it enabled in Azure and Microsoft 365, you might take this opportunity to re-enable it.
- Follow our recommendations under Scenario 3.
- Assess the sites that previously had guests’ users invited. If these guest accounts were never removed from Teams, when Guest Access gets re-enabled they’ll regain their old access. You’ll need to do due diligence and review the type of information created/updated in these sites between the time the Guest Access was disabled and February 8, 2021, and validate to protect against accidental dissemination of information that could put the organization data at risk.
Create your cloud governance plan
Changes like this highlight the importance of governance and tenant/Microsoft 365 service ownership.
For organizations with a mature cloud governance plan, this change will be another day in the office. The appropriate resources within the organization will have access to the Message center in the Microsoft 365 admin center or get notified through email and will be able to reach out to the correct teams that needs to get involved based on the RACI, and the correct just-in-time decision will be made.
For organizations that are still working to create a cloud governance plan and RACI, this update may create a bit of a hassle to get to the decision point and through the finish line on a tight timeline.
If you want to learn more about cloud governance and ownership, download our Microsoft Teams Governance Guide.