These days, external collaboration is no longer a rarity but a norm. It’s very common for companies to share documents, applications, and other resources with people outside their organization.
It can sound complicated, but platforms like Microsoft Teams have made it much easier. Teams’ guest access allows you to share your information with external users.
However, this feature can quickly become a security risk if not managed properly. Worse, it can create compliance violations to industry standards like HIPAA, ISO 27001, or CMMC.
The good news is that you can configure this setting to limit your guests’ actions and data access.
In this guide, we’ll show you the various methods you can use to secure guest access in Microsoft Teams.
Enabling secure guest access in Microsoft Teams
Before you get started, it’s crucial that you ensure the following requirements are in place.
📌 Prerequisites:
- Microsoft 365 Business Premium (E3 or E5 license)
- Global Administrator, Teams Administrator, or Compliance Administrator role
- PowerShell 7+ with Microsoft Teams, AzureAD, and MSGraph modules
- Conditional Access and Microsoft Defender for Cloud Apps (Optional)
- RMM (e.g., NinjaOne) for registry or GPO auditing (Optional)
📌 Recommended deployment strategies:
| Method | 💻 Best for Individual Users | 💻💻💻 Best for Enterprises |
|---|---|---|
| Method 1: Enable guest access in Azure AD (Microsoft Entra) | ✓ | |
| Method 2: Enable guest access in Microsoft Teams Admin Center | ✓ | |
| Method 3: Configure Teams guest access policies for security | ✓ | |
| Method 4: Monitor guest access and activity | ✓ | |
| Method 5: Set an expiry or review schedule for guest accounts | ✓ | |
Method 1: Enable guest access in Azure AD (Microsoft Entra)
📌 Use Case: Configure guest access policies in Azure AD to give external collaborators access to SharePoint, Teams, or OneDrive.
A. Check or enable guest access
Connect-AzureAD
Get-AzureADPolicy | Where-Object {$_.DisplayName -eq "B2BGuest"}
B. If not configured, allow guest invitations
# <policyId> is the Id of the policy object returned by Get-AzureADPolicy above
Set-AzureADPolicy -Id <policyId> -Definition @('{"GuestUserInvitation": "Enabled"}')
Make sure Guest user access restrictions are set to “Guest users have limited access to properties and memberships of directory objects.”
Method 2: Enable guest access in Microsoft Teams Admin Center
📌 Use Case: Allow guest users to participate in Teams channels, meetings, and chats by enabling guest access settings in the Teams Admin Center or PowerShell.
A. Via Teams Admin Center
- Go to Microsoft Teams Admin Center.
- Navigate to Org-wide settings > Guest access.
- Toggle Guest access to On.
- Configure permissions such as:
  - File sharing.
  - Meeting participation.
  - Calling permissions.
Make sure that the Teams guest access settings align with your organization’s compliance policies.
B. Via PowerShell
Connect-MicrosoftTeams
Set-CsTeamsClientConfiguration -AllowGuestUser $true
Method 3: Configure Teams guest access policies for security
📌 Use Case: Restrict guest user capabilities like video sharing, app installation, or channel creation to maintain a safe, collaborative Microsoft Teams environment.
A. Limit risky guest capabilities
Set-CsTeamsGuestMeetingConfiguration -AllowIPAudio $false -AllowIPVideo $false
Set-CsTeamsMessagingPolicy -Identity Global -AllowUserCreateUpdateRemoveConnectors $false
B. Enforce guest user messaging policy
# "GuestMessagingPolicy" must already exist (create it with New-CsTeamsMessagingPolicy); replace <guest-user-upn> with the guest's user principal name
Grant-CsTeamsMessagingPolicy -PolicyName "GuestMessagingPolicy" -Identity <guest-user-upn>
C. Use Teams Admin Center to restrict
- Screen sharing.
- App integrations.
- Channel creation.
Method 4: Monitor guest access and activity
📌 Use Case: Track and audit guest user activity using Microsoft Purview Compliance Portal.
A. Enable auditing via Microsoft Purview Compliance Portal
- Go to Microsoft Purview > Audit.
- Enable audit logging, if not already.
- Search logs for events such as “Added user to group” or “Shared file externally”.
B. List guest accounts using PowerShell
Use the command below to list all guest accounts currently registered in your Microsoft Entra tenant.
Get-AzureADUser -Filter "UserType eq 'Guest'" | Select DisplayName, UserPrincipalName, AccountEnabled
C. Export guest account data for documentation
Run the command below to save the registered guest user list to a CSV file for documentation.
Get-AzureADUser -Filter "UserType eq 'Guest'" |
Export-Csv "C:\Reports\TeamsGuestAccounts.csv" -NoTypeInformation
Method 5: Set an expiry or review schedule for guest accounts
📌 Use Case: Create expiration policies and automated reviews for guest accounts to restrict access by inactive users.
A. Use Microsoft Entra Access Reviews or custom scripting to track inactive guests
Keep only the enabled guest accounts that were created by invitation; the loop body is where your own review or expiration-tagging logic goes.
Get-AzureADUser -Filter "UserType eq 'Guest'" |
Where-Object { $_.AccountEnabled -eq $true -and $_.CreationType -eq "Invitation" } |
ForEach-Object {
# Custom logic for review or expiration tagging
}
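The following is an added example, not the article's own code, that fills in the "custom logic" step above and applies the filtering advice from the pitfalls table: it classifies each guest as active, inactive, a stale pending invitation, or disabled. It assumes the Microsoft.Graph PowerShell module, a session opened with `Connect-MgGraph -Scopes "User.Read.All","AuditLog.Read.All"`, and the 30/90-day thresholds, which are illustrative; the sample guest objects are constructed so the logic can be checked offline.

```powershell
# Added example (not from the original article): classify guest accounts for review or expiry.
# Assumes the Microsoft.Graph module; signInActivity is only returned with an Entra ID P1/P2 licence.
function Get-GuestReviewStatus {
    param(
        [Parameter(Mandatory)] [object[]] $Guests,
        [int] $MaxPendingDays  = 30,   # invitation still unaccepted after this many days (assumed threshold)
        [int] $MaxInactiveDays = 90,   # no sign-in for this many days (assumed threshold)
        [datetime] $Now = (Get-Date).ToUniversalTime()
    )
    foreach ($g in $Guests) {
        $daysSinceInvite = [int]($Now - $g.CreatedDateTime).TotalDays
        $lastSignIn      = $g.SignInActivity.LastSignInDateTime
        # A guest who has never signed in counts as idle since the invitation date
        $daysIdle = if ($lastSignIn) { [int]($Now - $lastSignIn).TotalDays } else { $daysSinceInvite }
        $status = if (-not $g.AccountEnabled) { 'Disabled' }
                  elseif ($g.ExternalUserState -eq 'PendingAcceptance' -and $daysSinceInvite -gt $MaxPendingDays) { 'ExpireInvitation' }
                  elseif ($daysIdle -gt $MaxInactiveDays) { 'ReviewInactive' }
                  else { 'Active' }
        [pscustomobject]@{
            DisplayName       = $g.DisplayName
            UserPrincipalName = $g.UserPrincipalName
            DaysSinceInvite   = $daysSinceInvite
            DaysIdle          = $daysIdle
            Status            = $status
        }
    }
}

# Live retrieval once connected (replaces the constructed sample below):
# $guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
#     -Property DisplayName,UserPrincipalName,AccountEnabled,CreatedDateTime,ExternalUserState,SignInActivity

# Constructed sample data so the classification can be exercised offline
$now = [datetime]::new(2024, 6, 1, 0, 0, 0, [System.DateTimeKind]::Utc)
$sample = @(
    [pscustomobject]@{ DisplayName = 'Vendor A'; UserPrincipalName = 'a_vendor-a.example#EXT#@contoso.onmicrosoft.com'
                       AccountEnabled = $true; CreatedDateTime = $now.AddDays(-200); ExternalUserState = 'Accepted'
                       SignInActivity = @{ LastSignInDateTime = $now.AddDays(-4) } }     # -> Active
    [pscustomobject]@{ DisplayName = 'Vendor B'; UserPrincipalName = 'b_vendor-b.example#EXT#@contoso.onmicrosoft.com'
                       AccountEnabled = $true; CreatedDateTime = $now.AddDays(-45); ExternalUserState = 'PendingAcceptance'
                       SignInActivity = $null }                                          # -> ExpireInvitation
    [pscustomobject]@{ DisplayName = 'Old Contractor'; UserPrincipalName = 'c_contractor.example#EXT#@contoso.onmicrosoft.com'
                       AccountEnabled = $true; CreatedDateTime = $now.AddDays(-400); ExternalUserState = 'Accepted'
                       SignInActivity = @{ LastSignInDateTime = $now.AddDays(-120) } }   # -> ReviewInactive
)
$report = Get-GuestReviewStatus -Guests $sample -Now $now
$report | Format-Table -AutoSize
# Only guests needing action go into the review file; keep it in an access-restricted location
$report | Where-Object Status -ne 'Active' | Export-Csv 'C:\Reports\GuestReview.csv' -NoTypeInformation
```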
B. Log to registry on hybrid endpoints (Optional)
Log the results locally in the registry.
New-Item -Path "HKLM:\SOFTWARE\Org\GuestAudit" -Force
Set-ItemProperty -Path "HKLM:\SOFTWARE\Org\GuestAudit" -Name "LastAudit" -Value (Get-Date).ToString("u")
# 12 is a sample value; supply the count returned by the guest query from Method 4
Set-ItemProperty -Path "HKLM:\SOFTWARE\Org\GuestAudit" -Name "GuestCount" -Value 12
C. Check via CMD
Verify the registry entries using the command below:
reg query HKLM\SOFTWARE\Org\GuestAudit
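As an added example that is not part of the original article, the function below wraps the registry logging from steps B and C: it refuses to write unless the session is elevated (the permission pitfall from the table further down), records the timestamp in sortable UTC form, and reads the values back so an RMM check can assert on them. The key path is the article's; the `StaleCount` value and the sample counts 12 and 3 are assumptions.

```powershell
# Added example (not from the original article): guarded registry write plus read-back verification.
function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Write-GuestAuditRecord {
    param(
        [Parameter(Mandatory)] [int] $GuestCount,
        [int] $StaleCount = 0,                                   # assumed extra value: guests flagged for review
        [string] $KeyPath = 'HKLM:\SOFTWARE\Org\GuestAudit'      # key path used by the article
    )
    # HKLM writes need an elevated session; fail early with a clear message instead of a provider error
    if (-not (Test-IsElevated)) {
        throw "Writing to $KeyPath requires an elevated PowerShell session."
    }
    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # Sortable UTC timestamp so an RMM alert rule can compare audit age without locale parsing
    $stamp = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    Set-ItemProperty -Path $KeyPath -Name 'LastAudit'  -Value $stamp
    Set-ItemProperty -Path $KeyPath -Name 'GuestCount' -Value $GuestCount -Type DWord
    Set-ItemProperty -Path $KeyPath -Name 'StaleCount' -Value $StaleCount -Type DWord

    # Read back what was written so the caller (or a scheduled RMM script) can verify it
    $record = Get-ItemProperty -Path $KeyPath
    return [pscustomobject]@{
        LastAudit  = $record.LastAudit
        GuestCount = [int]$record.GuestCount
        StaleCount = [int]$record.StaleCount
    }
}

# Usage: in practice $GuestCount comes from the Method 4 query; 12 and 3 are constructed sample values
Write-GuestAuditRecord -GuestCount 12 -StaleCount 3
```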
⚠️ Things to look out for
Keep these pitfalls in mind when following our guide:
| Risks | Potential consequences | Mitigation |
|---|---|---|
| Enabling guest access in Teams via PowerShell without enabling it in the Admin Center | Guests will still be blocked from accessing Teams features. | Verify that the setting has been enabled in both PowerShell and the Teams Admin Center. |
| Not communicating propagation delays after making changes in PowerShell | Users may report issues that are really just settings still propagating. | Let stakeholders know that PowerShell changes may take up to 24 hours to take effect across services. |
| Applying restrictive policies globally without testing | Internal users may lose access to features unintentionally. | Test policies on a pilot group before applying them at the enterprise level. |
| Exporting guest data to an unsecured location | Sensitive guest information could be exposed. | Save reports to encrypted folders or secure cloud storage with restricted access. |
| Running guest account review scripts without filtering active users | May include disabled or irrelevant accounts in the review. | Use filters like AccountEnabled -eq $true to target only active guest users. |
| Logging audit data to the registry without checking permissions | Script may fail or cause errors on endpoints without admin rights. | Run scripts with elevated privileges and validate registry access beforehand. |
Advanced tips on making Microsoft Teams guest access safer and smarter
Here are a few more tips on how to build a secure and collaborative Microsoft 365 environment:
Use Conditional Access to control how guests sign in.
Conditional Access allows you to set rules around guest sign-ins. For example, it lets you implement additional security measures like multi-factor authentication (MFA) so that users need more than a password to access your resources.
You can also use it to block access from risky locations or devices by setting conditions to evaluate where a login is coming from.
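The following is an added example, not code from the article: it creates the guest MFA rule described above as a Conditional Access policy through Microsoft Graph PowerShell, starting in report-only mode so the effect can be reviewed in sign-in logs before enforcement (the "test before applying" advice from the pitfalls table). It assumes the Microsoft.Graph module and `Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"`; the policy display name is an assumption, and location-based conditions are left out because they require named locations that exist in your tenant.

```powershell
# Added example (not from the original article): report-only CA policy requiring MFA for guests.
function New-GuestMfaPolicy {
    param(
        [string] $DisplayName = 'Guests: require MFA (report-only)',   # assumed name
        # Start in report-only mode; switch to 'enabled' only after reviewing sign-in logs
        [ValidateSet('enabled', 'disabled', 'enabledForReportingButNotEnforced')]
        [string] $State = 'enabledForReportingButNotEnforced'
    )
    $body = @{
        displayName = $DisplayName
        state       = $State
        conditions  = @{
            # 'GuestsOrExternalUsers' is the documented built-in target for all guest/external accounts
            users          = @{ includeUsers = @('GuestsOrExternalUsers') }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('all')
        }
        grantControls = @{
            operator        = 'OR'
            builtInControls = @('mfa')
        }
    }
    # Idempotent: do not create a second policy with the same name on re-runs
    $existing = Get-MgIdentityConditionalAccessPolicy -All |
                Where-Object DisplayName -eq $DisplayName
    if ($existing) { return $existing }
    return New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

$policy = New-GuestMfaPolicy
'{0} -> {1}' -f $policy.DisplayName, $policy.State
```

Review the report-only results under Entra sign-in logs before changing `$State` to `enabled`.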
Implement Data Loss Prevention (DLP) policies to prevent unauthorized information sharing.
To prevent guest users from sharing sensitive data with outsiders, create DLP policies that scan guest messages, files, and emails for sensitive content. You can also configure these policies to block or alert you to such actions.
Create information barriers to prevent guest users from interacting with specific groups.
Information barriers segment group communication, preventing two parties from messaging or seeing one another’s profiles. This feature is perfect if you’re working with two competing vendors for different projects.
You can set up information barriers so your first vendor can’t interact or see your second vendor, even if they’re both logged into your Microsoft environment.
Track guest access on local machines using GPO or Registry settings.
Tracking guest access activity on local machines can be challenging when managing multiple domain-joined systems.
The good news is you can use Group Policy Objects (GPOs) or registry settings to log guest activity locally, trigger audits, and count guest accounts registered on a single machine.
Common Microsoft Teams guest access issues and how to fix them
The guest can’t access Microsoft Teams
If a guest user can’t access Microsoft Teams despite being invited, it means the Azure AD B2B setting or Teams guest access hasn’t been configured properly.
When this happens, go to Azure AD and check if its B2B collaboration settings allow guest invitations. You should also ensure that the Teams guest access is enabled in both PowerShell and the Teams Admin Center.
Finally, verify that the guest is part of the right Teams group and that their Azure AD account is active. Sometimes this issue is caused by a missing group membership or a disabled account.
Missing audit logs
If you’re looking for a specific guest activity in Microsoft Purview and can’t find it, audit logging was most likely not enabled when the event occurred.
To prevent this, verify if audit logging is enabled in Microsoft Purview and review its retention settings before inviting guests in.
Scripts failing across tenants
If one of your scripts works perfectly on one tenant and throws errors in another, you should use delegated access with the Secure App Model. This authentication method is ideal for multi-tenant scenarios.
Additionally, consider switching to certificate-based authentication using Microsoft Graph tokens for cross-tenant automation.
Guests retain old permissions
Removing a guest from one team or group won’t automatically revoke their access to other shared resources.
You need to remove stale Azure AD group assignments or Teams memberships manually or use PowerShell scripts to automate the cleanup process.
Securing guest access in Microsoft Teams with NinjaOne
NinjaOne simplifies securing guest access by:
- Deploying PowerShell-based auditing scripts across hybrid endpoints.
- Reading and alerting on registry keys that track guest audit results.
- Tagging devices or tenants with high guest volume for security review.
- Generating QBR-ready reports on Teams guest usage, risks, and rights.
- Automating guest access checks during onboarding, offboarding, or scheduled review windows.
With NinjaOne, MSPs can standardize and scale secure Microsoft Teams collaboration across all managed tenants.
Build secure collaborative environments by managing guest access in Microsoft Teams
You don’t need to sacrifice compliance to build collaborative Microsoft 365 environments.
By learning how to control Teams’ guest access and implementing regular audits, you can help your clients build strong business relationships without worrying about safety.