Skip to Content
EmailTeamsExternal AccessGuest Access

Guest Access

Configure guest access in Microsoft Teams to allow external users to join teams and access channels, files, and conversations. Guest access settings are part of the broader Teams policy framework and interact with Azure AD external collaboration settings.

Note: Teams policies are available with any Microsoft 365 license that includes Teams. Policy management via Graph API requires Directory.ReadWrite.All and TeamsPolicy.ReadWrite.All permissions.

Guest Permissions

Team-level settings control what guests can do within teams they are invited to:

SettingDefaultDescription
Allow guests to create channelsOffGuests can create new channels in the team
Allow guests to update channelsOffGuests can modify channel settings
Allow guests to delete channelsOffGuests can remove channels

Guest vs Member Capabilities

CapabilityMemberGuest
Create/update channelsYes (if allowed)Configurable
Delete channelsConfigurableConfigurable
Add/remove appsYes (if allowed)No
Create/update/remove tabsYes (if allowed)Limited
Create/update/remove connectorsConfigurableNo
Access filesFull accessAllowed channels only
Participate in meetingsFull featuresFull features

Mention Settings

Control how @mentions work in teams with guests:

  • Show @team option — Allow members to mention the entire team
  • Show @channel option — Allow members to mention an entire channel

Guest Lifecycle

  1. Team owner invites guest by email address
  2. Guest receives invitation and accepts
  3. Guest account created in your Azure AD as a B2B user
  4. Guest accesses authorized teams and channels
  5. Periodic access reviews verify continued need
  6. Remove guest when access is no longer required

Membership Management

RoleCapabilitiesLimits
OwnerFull control: settings, members, channels, apps, delete teamMax 100 owners per team
MemberParticipate in channels, add tabs/connectors (if allowed)Max 25,000 members per team
GuestLimited access: chat, calls, files in allowed channels5 guests per licensed user

Dynamic Membership

Connect teams to Microsoft 365 Groups with dynamic membership rules. Members are automatically added or removed based on user attributes like department, location, or job title.

# Dynamic membership rule example
(user.department -eq "Engineering") and (user.country -eq "United States")

Best Practices

Policy Design

  • Use group-based assignment for scalability
  • Keep the global policy restrictive as a baseline
  • Document exceptions with business justification
  • Test policies in pilot groups before wide deployment
  • Use policy packages for common role types

Security Considerations

  • Restrict guest permissions to minimum necessary access
  • Enable periodic access reviews for all guest accounts
  • Block guest access for teams containing sensitive data
  • Review guest access policies quarterly
  • Monitor guest activity via audit logs

API Reference

# Create private channel with guest members
POST /teams/{team-id}/channels
{
  "displayName": "Leadership",
  "membershipType": "private",
  "members": [
    {
      "@odata.type": "#microsoft.graph.aadUserConversationMember",
      "roles": ["owner"],
      "user@odata.bind": "users/{user-id}"
    }
  ]
}
  • GET /api/teams/guest-access — Get guest access settings
  • PUT /api/teams/guest-access — Update guest access settings
  • GET /api/teams/guest-access/users — List guest users across teams
Last updated on
FederationManage Apps