External sharing is an integral part of the collaboration process in most organizations. To make sure you have control over how your organization’s data is shared with external players and avoid any security issues that may come with it, you need to understand how to configure and manage external sharing in Microsoft Teams.
In this blog post we’ll guide you through the process.
There are several ways to share information with people outside your organization in Microsoft Teams: through external access, guest access and through SharePoint. These first notions often get confused, so let’s understand the difference between the two.
This is the term many people use when they imply external sharing, when in fact external access gives users very limited capabilities.
External access allows users from an external domain to find, chat, call and set up meetings with people inside your organization in Microsoft Teams.
Basically, it enables your employees only to communicate with external users who use Teams or Skype for Business.
External users can’t:
You can check out the list of all the capabilities here.
By default, external access is open to all domains out there (Open federation). This means that your users can call, chat, and meet with anyone outside your organization with enabled Open federation or if your domain is marked as allowed.
You can also configure Allowed domains – external access will be limited only to specific domains; or Blocked domains – users from all but blocked domains can communicate with your internal users.
You can manage external access in the Microsoft Teams admin center.
As you can see, external access doesn’t give enough permissions to work efficiently with external users. Instead, you may want to enable guest access.
If you need to collaborate with people outside your organization in Teams, you will need to grant them guest access. This capability is what makes external collaboration in Microsoft Teams possible.
Guest access enables you to invite external users into a particular team, give them access to team channels and conversations, as well as share and collaborate on files. Guests can be given nearly all the Teams capabilities as native team members. The key limitation they have is that guests can share content only within the teams they are members of.
Here’s how it works: if you’re a project manager and you’re inviting your customer to your Project Management team as a guest user, they will be able to access all the channels and all the content shared inside the team. The only exception is private chats – they are visible only to team owners and invited team members.
At the same time, if your customer was invited just to this specific team, they won’t be able to access any other team in your tenant or search for users outside the team they’re a member of.
There are some other limitations that guest users have:
Guest access is something you can only enable or disable at the organization level, in the Teams admin portal.
For a full list of guest access capabilities, head over to this article.
Even though you can collaborate with people outside your organization through guest access, you may not want some of them to access everything within your Office 365 group or site. This is where external sharing comes in. You can bypass guest access and still share files externally through SharePoint, considering that’s where files that you store in Microsoft Teams end up.
You do not want to make external sharing too restrictive, since one way or another your users will share information with people outside your organization. And it is up to you to make sure they have all the right tools in the environment that you can control. But at the same time, giving wide permissions to guest users can cause some issues:
Once you allow guest users to enter your teams, it will automatically grant them access to all the files shared in their channels. This is where you may want to be careful and make sure you don’t store sensitive information in public teams.
You can also protect your confidential data by storing and sharing it in private channels of teams with guest users. However, only team owners and specified team members will be able to access it.
Data shouldn’t be open to everyone by default. Some documents must be finalized before being shared with or accessed by key stakeholders. Otherwise, you risk creating chaos and extra work for everyone involved. Oversharing is a potential challenge when you enable external sharing. Establishing the right governance policies can help you minimize these risks.
As we pointed out earlier, external sharing in Teams is enabled with guest access and SharePoint sharing configurations.
Now, let’s delve into how to manage external sharing using different tools. Firstly, we will need to enable guest access.
Azure AD B2B collaboration feature allows you to invite guest users to collaborate within your organization.
To configure external collaboration settings, sign in the Azure portal. Then, select Azure Active Directory > External Identities > External collaboration settings.
Choose the level of restrictions for guests in corresponding fields.
You can establish whether guest users can view other users and browse group membership. You can also decide who can invite guest users and impose collaboration restrictions to specific domains.
Microsoft Teams uses Microsoft 365 Groups for team membership. Therefore, for guest access to work in Teams, you need to set up Microsoft 365 Group guest settings.
In the Microsoft Teams 365 admin center under Settings, select Org settings and choose Microsoft 365 Groups.
Make sure both the Let group owners add people outside your organization to Microsoft 365 Groups as guests and Let guest group members access group content check boxes are checked.
Once guest access is set up at Microsoft 365 Group level, you can configure external and guest permissions in the Microsoft Teams admin center.
In the guest access page, you manage specific calling, meeting, and messaging policies for guests.
Teams content is stored in SharePoint, so to make sure your guests have access to Team files and folder and prevent unauthorized users from accessing your data, you need to configure SharePoint external sharing policies.
In the SharePoint admin center, expand Policies and select Sharing. Then, you can choose the level of permissions for external sharing in SharePoint and OneDrive.
To make sure only guests have access to data stored in teams, you can choose New and existing guests.
To further protect your organizational information, you may want to configure more external sharing settings. For example, if you don’t wish to enable external sharing but you have a security group that can be allowed to share files externally, select Users only in specific security groups can share files externally.
You may also choose permissions for sharing links, their expiration, and other settings.
These are organization-level settings. Learn how to further restrict external sharing for individual site or OneDrive.
If the nature of your operations implies a high level of sensitivity of internal information, you may want to set up alert policies in the security and compliance center to protect your organizational data. There are several default alert policies that help you monitor different activities, including external sharing.
Here are the built-in alert policies concerning external sharing that you can turn on:
Generates an alert when a large number of activities is performed on files by guest users in SharePoint or OneDrive. These activities include accessing, downloading, and deleting files.
Generates an alert when an unusually large number of files in SharePoint or OneDrive is shared with people outside your organization.
Learn more about managing alerts.
You can apply sensitivity labels to your internal content. For example, you may want to encrypt emails and documents, mark the content when you use Office 365 apps, protect content in containers such as sites and groups, and apply the label automatically to files and emails, or recommend a label.
Learn more about sensitivity labels.
At the team creation level, you can set up sensitivity labels in order to configure a privacy level of the new team. Once set as Confidential, it won’t allow guest access, meaning only members of your organization will be able to join the team.
You can also configure privacy label at the template level, to make sure all the teams based on a specific template will follow the same governance policies. Learn more.
By following these tips you can protect your internal information while enabling your users to effectively collaborate with people outside your organization.