When a Team is created in Microsoft Teams, a few objects are created alongside it, one of which is a SharePoint Team site. This site is used to store all files, wikis and OneNote notebooks for the Team and its Channels.
By default, every member of the Microsoft Teams Team is given "Member" rights to this SharePoint Team site.
Under normal conditions this is perfectly acceptable. However, when you add Guest users to your Microsoft Teams Team, they also get this permission.
In some situations, you may want a Microsoft Teams Team in which internal users can access and share documents to collaborate, but a Guest user is restricted to just chat and calling within the Team, protecting your internal data in a blanket fashion.
When thinking about use cases, why would you want to do this? The answer comes down to your own information security policies and your review of the potential for data leakage within the Team. You still want guests to communicate with your Team, but you don't want them to collaborate on or view documents that could be sensitive to external access. Of course this can be achieved using modern management, Azure Information Protection and Azure AD Rights Management, but companies adopting Teams today are often going through massive change, and sometimes it is hard to put faith in technology the company does not yet understand well enough to confidently back. That uncertainty may also slow the rollout of Teams across the organization below the speed the company needs.
The other use case is where guest users need to regularly chat with an internal Team. Federation today cannot be used to chat to more than one person, so multi-party chat with external users can only be done in this manner today. Again, this use case is tied to the overarching data access policy you may have to work with.
If this is the case, there is something you can do to allow chat between external guests and internal users within a Team while restricting access to the SharePoint Team site. This is a retrospective change, so before you start you need to know the name of the Team you want to restrict.
Once this is known, open the SharePoint Team site in a browser. Modify the URL to access the hidden user permissions page.
Next, open the Team Members group.
Delete the Office 365 Group name for the Team (in my case, Test):
Select the Group and, from the actions menu, click to remove.
Now, while still in the same group, add the security principal "Everyone except External Users".
Next, go back to the user admin page and explicitly remove the Office 365 group from the access permission list.
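The same three steps (remove the Office 365 group claim from the site's Members group, add "Everyone except External Users", then remove the group claim from the site's own user list) can be scripted and, more usefully, audited after the fact. The following is an added example written for this post, not code from the original article or from Microsoft; it assumes the PnP.PowerShell module is installed, that the caller is a site collection administrator, and that `$SiteUrl` and `$TenantId` are supplied by you (both are placeholders here). The login-name formats for the Office 365 group claim (`c:0o.c|federateddirectoryclaimprovider|<group id>`) and for "Everyone except external users" (`c:0-.f|rolemanager|spo-grid-all-users/<tenant id>`) are the standard SharePoint Online claim encodings.

```powershell
# Added example (not from the original post): report on, and optionally apply,
# the "Everyone except external users" swap on a Team's SharePoint site.
# Assumes PnP.PowerShell is installed and the caller is a site collection admin.
param(
    [Parameter(Mandatory)] [string] $SiteUrl,   # placeholder, e.g. https://<tenant>.sharepoint.com/sites/<TeamName>
    [Parameter(Mandatory)] [string] $TenantId,  # placeholder: your Azure AD tenant GUID
    [switch] $Apply                             # without -Apply the script only reports
)

Connect-PnPOnline -Url $SiteUrl -Interactive

# Login name of the built-in "Everyone except external users" claim.
$everyoneExceptExternal = "c:0-.f|rolemanager|spo-grid-all-users/$TenantId"

# The site's default Members group is where Teams members (and guests) land.
$membersGroup = Get-PnPGroup -AssociatedMemberGroup
$members      = Get-PnPGroupMember -Group $membersGroup

# The Office 365 group appears as one federated directory claim, not as
# individual users; that single claim is what hands every guest Member rights.
$m365GroupClaims = @($members | Where-Object { $_.LoginName -like 'c:0o.c|federateddirectoryclaimprovider|*' })
$guestUsers      = @($members | Where-Object { $_.LoginName -like '*#ext#*' })
$alreadyFixed    = [bool]($members | Where-Object { $_.LoginName -eq $everyoneExceptExternal })

# Audit summary: a site is "restricted" when no group claim remains and the
# internal-only principal is present.
[pscustomobject]@{
    Site                       = $SiteUrl
    MembersGroup               = $membersGroup.Title
    M365GroupClaimsPresent     = $m365GroupClaims.Count
    DirectGuestMembers         = $guestUsers.Count
    EveryoneExceptExternalIn   = $alreadyFixed
    Restricted                 = ($m365GroupClaims.Count -eq 0 -and $alreadyFixed)
} | Format-List

if (-not $Apply) {
    Write-Host "Report only. Re-run with -Apply to make the change."
    return
}

foreach ($claim in $m365GroupClaims) {
    # Step 1: remove the group claim from the Members group.
    Remove-PnPGroupMember -Group $membersGroup -LoginName $claim.LoginName
    # Step 3: also remove it from the site's user list so no direct grant remains.
    Remove-PnPUser -Identity $claim.LoginName -Force
}

# Step 2: give Member rights back to internal users only.
if (-not $alreadyFixed) {
    Add-PnPGroupMember -Group $membersGroup -LoginName $everyoneExceptExternal
}
```

Run it without `-Apply` first to see whether the group claim is still present and whether any guest has been added to the Members group directly (a direct guest entry would bypass the swap and should be reviewed separately). The script only touches the site's Members group; the Owners group and any other grants are left as they are.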
Now, when the guest user tries to access the Files tab in the Team, they get this message:
And when trying to access the Wiki page:
But you can still chat, call and see each other's presence in the Conversations tab, because that is handled by Azure Data Tables / Cosmos DB and Exchange rather than SharePoint.
When an internal user shares a file with the guest within the Team, the file is shared and the SharePoint link is generated, but the guest user cannot access it:
And when the guest user opens the link:
If the guest tries to share a file to the Team, they get this error:
Granted, this is not the intended use of Teams, but it provides some level of restriction for those who need it.