Updated May 2023
External collaboration options in Microsoft 365 are complex, to say the least.
Finding accurate information about adding external users to Teams and other M365 services is difficult. This is due to the various authorization checkpoints and configurations.
We have created a guide to help you configure external collaboration in Microsoft 365. We'll explore the available options and walk you through the process of adding external users to Teams and other collaboration applications.
Download our Microsoft Teams 101 Guide for more insights, best practices, and tips.
Below you can find the comparison of experiences available to Guest users and external users in Microsoft 365:
Image: External collaboration settings in M365
There are great use cases for both types of external collaborators – external users and Guest accounts. We won't go into specifics of guests here, we do suggest reading blogs on guest account permissions and learning about Orchestry's Guest User Management Features.
External sharing and collaboration policies fall under the umbrella of your Microsoft 365 governance. In this blog, we will explain the technical aspects of enabling and disabling external users and sharing in Microsoft 365. Below is a list of business applications used for external collaboration and Microsoft Teams external Guest Access:
By default, Microsoft 365 has certain external collaboration options already enabled. Our blog will show you where to find and control these settings:
Image: External collaboration permissions in M365
These settings are on by default. However, external users won't be able to access your resources or apps unless someone from your organization adds external contact to Teams or other M365 services. You can disable any of these settings if you don’t want to allow that activity in your organization.
External collaboration and sharing in Microsoft 365 are governed by the B2B external collaboration settings in Azure AD. If guest-sharing is restricted in Azure AD, it overrides any sharing settings in Microsoft 365. This setting is enabled by default but can be configured or disabled by following the steps below:
To set external collaboration settings:
Image: Microsoft Teams Guest access settings in Admin Center
Check the Collaboration Restrictions settings to make sure the domains of the Guests you want to collaborate with are not blocked. You can also add specific domains to block them.
To limit guests from seeing directory data for other guests, go to the Guest user access restrictions section and choose either:
To allow Microsoft Teams guests to access your Microsoft 365 environment, enable the appropriate global settings. Once this option is enabled, users can start working with external users. How to add someone external to Microsoft Teams and other services:
This will create a Guest account in your Azure AD, which is enabled by default in your Microsoft 365 Global Admin settings.
This setting is enabled by default, but if you are looking to disable it, or configure it, follow the steps below:
If someone has already been invited to collaborate in your Microsoft 365 environment, they can join 1:1 chats or group conversations. If they haven't been invited yet, they need to be added as a Guest to a Team first before they can communicate with Teams users.
By default, Guest access in Microsoft Teams is enabled, but if you were looking to disable it, follow the steps below:
Image: Guest access in Teams enablement
To control what Guests can and cannot do in chats and channel conversations:
Image: Guest access in Teams enablement
Note: default Guest permissions in Microsoft Teams cannot supersede the permissions set for the members of your Team. For example, if your default member permissions restrict channel creation or updating, or message deletion, your Guests also won’t be able to perform these actions.
To control what Guests can and cannot do when it comes to Teams calling:
Image: Guest access in Teams enablement for calling.
To control what Guests can and cannot do when it comes to Teams meetings:
To allow external users to access documents in SharePoint or OneDrive, you need to enable external sharing in the organization-level settings. The settings you choose will apply to all individual SharePoint sites, and the organization-level setting for OneDrive will affect the level of sharing in users' libraries.
To allow unauthenticated sharing of files and folders, choose the Anyone option. If you want people to log in using their Guest account before accessing documents or folders, choose New and existing guests.
Anyone links are the simplest way to share documents, but they don't require authentication and can be easily passed on to others. For SharePoint, choose the most permissive setting needed by any site in your organization.
Image: External collaboration sharing settings in M365 admin center
SharePoint & OneDrive advanced sharing settings
The default file and folder link settings determine the link option that will be shown to users by default when they share a file or folder. Users can change the link type to one of the other options before sharing if desired.
Keep in mind that this setting affects SharePoint sites in your organization, as well as OneDrive.
Choose a link from any of the following types which are then selected by default when users share files and folders:
To set the SharePoint and OneDrive organization-level default link settings
To set the permission for the sharing link, under Choose the permission that’s selected by default for sharing links:
To set permissions for links that allow sharing with anyone:
These links can give these permissions: sub-pane,
From the Files drop-down list:
From the Folders drop-down list:
Image: SharePoint external sharing and collaboration settings for files and folders
To edit the file and folder-sharing settings specific to each SharePoint site, you also need to check the site-level sharing settings for that site.
To set site-level sharing settings navigate to Share Point Admin Center:
Image: SharePoint external sharing and collaboration settings
Note: You can set defaults for link type and permissions and expiration settings for Anyone links for each site. When set at the site level, these settings override the organization-level settings. If Anyone links are disabled at the organization level, Anyone will not be an available link type at the site level.
Image: SharePoint online external sharing advanced options for external collaboration
If your organization is in need of sharing more than just a file or a folder within OneDrive or SharePoint, you may choose to allow external collaboration with Guests within entire SharePoint sites.
The default site-sharing options are listed below:
Image: SharePoint online site sharing options
SharePoint site sharing is affected by the organization-wide SharePoint settings. If the organization-wide settings change, the practical sharing setting for the site may also change. So, if you select a less restrictive setting for the site, and later the organization-level setting is changed to a more restrictive one, the site will operate at the new, more restrictive level.
For instance, if you select Anyone, but the organization-level setting is later changed to New and existing guests, the site will only allow new and existing guests. But if the organization-level setting is set back to Anyone again, the site will allow Anyone links again.
These settings described below apply to both site sharing and file and folder sharing. (Anyone sharing is not available for site sharing. If you choose Anyone, users will be able to share files and folders by using Anyone links, and the site itself with new and existing guests.) If the site has a sensitivity label applied, that label may control the external sharing settings.
Note: Only SharePoint administrator roles can edit these settings. Sharing settings for channel sites can only be changed by using the Set-SPOSite PowerShell cmdlet.
Guest access in Microsoft 365 Groups allows external partners, suppliers, vendors, and consultants to collaborate with your team by accessing group conversations, files, calendar invitations, and the group notebook.
To effectively collaborate with Guests, it's recommended to use Microsoft Teams, which offers a unified experience for both internal and external collaboration. However, before inviting guests to Teams, Guest access must be enabled and configured in the admin center, as Teams membership is governed by Microsoft Groups.
Navigate to Microsoft 365 admin center > Settings > Org settings > Microsoft 365 Groups
Image: SharePoint online external collaboration and site-sharing options
It's important to know that organizations with certain licenses like E3 or higher can use Azure Dynamic Security Groups. This means Azure creates an All Users group that automatically updates as new members join the tenant, including Guest accounts. This feature is included with Azure Premium P1.
Image: SharePoint online external collaboration external sharing configuration
Organizations may be concerned that Guests can view the entire group's membership, including names and emails, by being a member of the All Users Security Group generated by Azure. If you do not want this to happen, follow the steps below to remove Guests from the group.
Below is what a Guest may see with the default settings:
Image: What a guest may see with the default settings.
Edit the Rule syntax to follow the pattern below (see here for more on rules)
Image: Microsoft 365 group external sharing
Once the Dynamic Group refreshes its membership, the number will update to reflect only accounts from within your organization.
Following this change, Guests will only be able to see and find Groups they are explicitly added to (assuming there are no other non-standard dynamic groups granting them access). Below is the updated view for a Guest:
To allow Guests Access to Microsoft Teams and its associated SharePoint site, and view files in the Files tab, you need to enable Guest access in Azure AD Admin Center and permit adding external users to Teams in Microsoft 365 Admin Center.
Configure Guest sharing in organization-wide and site-specific settings via SharePoint Admin Center. Microsoft Teams membership is governed by Microsoft Groups settings, so ensure Guest access is enabled and configured via Microsoft 365 Groups in the Microsoft Admin center.
You can control Microsoft Teams Guest Access limitations once these settings are enabled.
Most organizations are not using Microsoft 365 to its full potential.
Orchestry makes Microsoft 365 simple for all users.
Orchestry is an adoption and governance platform that allows End Users, Workspace Owners, IT admins, and organizations to take full advantage of Microsoft 365.
To see Orchestry in action, request a demo and download our Features Sheet to learn more!