Microsoft released Guest Access for Microsoft Teams last week, annoyingly whilst I was on holiday, so I got to miss out on all the early action! Anyway, I am back now and have been taking a look at the feature. The normal process to add a guest to a Team is for one of the Team Owners to invite the Guest to the Team using the Teams app or web client (wow! 4 Teams in a sentence – this is going to be hard!).
Giving the power to end users to add external parties to a Team is quite a privilege and I can’t wait for the post on ZDNET or The Register that is titled “Massive Data leak at Mega Corp Due to Rogue Employee adding a Competitor to a Teams Team in Microsoft Teams!” but anyway, I promised myself I would not be cynical anymore and look at the positive!
On a serious note, now that there is guest access, you should really plan your groups and channels to ensure that guests can only be added to Teams that hold non-sensitive data, but maybe that’s another blog post!
So back to the point of this post, what if you get end users that seem incapable of following a simple 3 step process guide to add a guest to the Team and want you, the IT guru of mega corp, to add them on their behalf? You can just imagine the service ticket; Title: “Please add Guest to My Team” Description: “Please can you add the attached list of users to my Team”. When you open the JPEG screen capture containing the list of email addresses (yes, it’s always a screenshot, never a nice easy Excel sheet) and you have sent 5 emails, an IM conversation and a phone call to find out which Team they should be added to, how do you do it?
Well I guess the official way is to add yourself into the group and add them one by one. #Lame
However, I have been doing some testing and figured out that this can be done using Azure AD and Office 365 Groups.
First you need to invite the guest into your Azure AD instance using the Azure AD portal. You can do this by clicking Azure Active Directory > All Users > New guest user
Then add the email address (must be a valid Office 365 account). Include an optional message if you want and then press Invite
The user will get an email inviting them to your Azure AD
Now we need to add the user to the Teams Office 365 Group. After a lot of testing I have figured out that adding the user to the Group in Azure AD using this feature DOES NOT work with Teams. However, if you do add them to the Group in the Office 365 Portal then it will work just fine. I am not sure why this is the case; I figure there must be some overlaying function that kicks off when the user is added via the Office 365 portal that is missed when adding directly into Azure AD.
Next find the guest user’s account in Office 365 admin portal, it will be email_address.com#EXTemail@example.com
Select the User and edit their Group Membership
Click on Add Membership and then select the group you wish to add them to and press save.
Once this is done, the guest will be able to access the Team via Guest Access after about 30 minutes. There is a lag doing it this way for Teams to catch up, but they will be notified in their client that they have been added, like so
If you added the user to the group using Azure AD, then when they access the Teams link they’ll authenticate with the guest tenant, but will have a blank Teams experience. What you’ll need to do is remove them from the Group using the Azure portal and re-add them to the Group in Office 365, and wait 30 mins. This is also the case if you follow the below method and the guest signs in before 30 minutes. So it isn’t foolproof by any means. Perhaps delaying the invitation email would be advised!
Performing this using PowerShell gives you some more options to customise, specifically the redirect URL for the invitation sent and the display name of the user. One of the problems with Guest Access is that when you use the Teams app to invite Guests, the display name of the person is set to the UPN you added. This means that you can have several “Jane” and “John” users and you have no way to figure out which Jane or John you are conversing with.
Inviting them into Teams using Azure AD PowerShell allows you to customise the display name as you add them, rather than as a remediation task later on.
By default, the standard invitation will redirect the guest to their Azure apps portal, which will be blank. We want to customise the redirect URL to go to the Teams Team the Guest has been added to. We can do this by copying the Teams link and using it in the PowerShell command as follows:
```powershell
Connect-AzureAD
New-AzureADMSInvitation -InvitedUserDisplayName "Mark Vale (GUEST)" -InvitedUserEmailAddress "firstname.lastname@example.org" -SendInvitationMessage $true -InviteRedirectUrl "https://teams.microsoft.com/l/team/19%3acf952980e3cc49de882743d1f0f4d721%40thread.skype/conversations?tenantId=<tenant-id>" -InvitedUserType member
```
Next we need to add the user to the Office 365 Group. As the group is mail enabled, we cannot use the MSOL commands to manage it; we need to connect to Exchange Online PowerShell to do that. For the links you’ll need to add the user account as it’s displayed as the UPN, e.g. email@example.com, which signifies it’s an external account.
```powershell
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential (Get-Credential) -Authentication Basic -AllowRedirection
Import-PSSession $Session
Add-UnifiedGroupLinks -Identity "Skype&TeamsProfessionals" -Links "firstname.lastname@example.org" -LinkType Members
```
Now wait for 30 minutes for Teams to catch up.
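For the bulk enablement case mentioned at the end of the post, the two commands above can be wrapped in a loop over a list of guests. The script below is an added example and is not from the original post; it assumes the AzureAD module is installed, that the CSV content, group name and display names are constructed placeholders you replace with your own, and that the Teams link is the same placeholder URL used above (with `<tenant-id>` left for you to fill in). It also keeps a small allow-list of groups that are approved to receive guests, which is the planning point made earlier in the post, and it passes `-InvitedUserType Guest` (the documented value for external users) where the post’s one-off command passed `member`.

```powershell
# Added example, not the original post's code.
# Bulk-invite guests with a readable display name and a Teams redirect URL,
# then add each one to the Team's Office 365 Group via Exchange Online.

# Constructed sample input standing in for a real CSV (Import-Csv .\guests.csv).
$guests = @'
Email,DisplayName,Group
firstname.lastname@example.org,Mark Vale (GUEST),Skype&TeamsProfessionals
jane.doe@example.org,Jane Doe (Contoso - GUEST),Skype&TeamsProfessionals
'@ | ConvertFrom-Csv

# Teams link copied from the client, as in the post; <tenant-id> is a placeholder.
$teamUrl = "https://teams.microsoft.com/l/team/19%3acf952980e3cc49de882743d1f0f4d721%40thread.skype/conversations?tenantId=<tenant-id>"

# Only groups on this list may receive guests (hypothetical list, adjust to your own plan).
$guestApprovedGroups = @("Skype&TeamsProfessionals")

Connect-AzureAD

$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
    -Credential (Get-Credential) -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking

$results = foreach ($g in $guests) {
    # Refuse to add a guest to a group that has not been approved for external access.
    if ($guestApprovedGroups -notcontains $g.Group) {
        Write-Warning "Skipping $($g.Email): group '$($g.Group)' is not approved for guests"
        continue
    }
    try {
        # Invitation with a custom display name and the Teams link as the landing page.
        $inv = New-AzureADMSInvitation -InvitedUserDisplayName $g.DisplayName `
            -InvitedUserEmailAddress $g.Email -SendInvitationMessage $true `
            -InviteRedirectUrl $teamUrl -InvitedUserType Guest

        # Group membership is added through Exchange Online, as the post explains.
        Add-UnifiedGroupLinks -Identity $g.Group -LinkType Members -Links $g.Email

        [pscustomobject]@{
            Email    = $g.Email
            ObjectId = $inv.InvitedUser.Id
            Group    = $g.Group
            Status   = "Added"
        }
    }
    catch {
        [pscustomobject]@{
            Email    = $g.Email
            ObjectId = $null
            Group    = $g.Group
            Status   = "Failed: $($_.Exception.Message)"
        }
    }
}

# Keep the result table as a record of who was invited and where.
$results | Format-Table -AutoSize
Remove-PSSession $Session
```

The result table gives you something to attach to the service ticket, and the allow-list check is where you stop a guest ending up in a Team that holds sensitive data; after the script runs you still have to allow the 30 minute lag described above before the guest signs in.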
When the Guest user signs in for the first time you can see the redirection that will take place:
Although this seems to work, as I said before the recommended approach is to use the Teams app to grant guest access. However, it may be useful to you in some circumstances, especially bulk enablement.