Block Guest Access for Specific Teams in Microsoft Teams
To minimize the risk of data loss and sprawl from freely added guests in Microsoft Teams, it often makes sense to disable guest access.
But what if collaboration with external parties is a central part of your work?
Find out how international machine manufacturer GROB solved this issue.
Maybe you want to disable guest access for a few specific teams, not for all teams.
Or vice versa, you want to allow guest access for individual teams, while deactivating it overall.
In such cases, you can control guest access individually for each team or its associated M365 group. When guest access is deactivated, new guests can no longer be added. Existing guests, however, remain in the group or team; they are not removed by this change.
Note: There is of course also the possibility to allow guest access in general, but to specify in great detail what guests can and cannot do. Read more about this in our blog post Microsoft Teams Guest Access (Part 1).
The individual control of guest access can be implemented either with Sensitivity Labels assigned to each team or group, or with a PowerShell script that allows you to change the group settings of an individual group. Third-party tools like the External User Manager also offer a handy solution. (Please note that the linked SharePoint site behind the team has its own guest access controls.)
In this blog article, we want to take a closer look at the method via the PowerShell script.
Basic information on getting started with PowerShell can be found in Microsoft Docs, including here:
- https://learn.microsoft.com/de-de/powershell/scripting/learn/ps101/01-getting-started
- https://learn.microsoft.com/de-de/microsoft-365/enterprise/connect-to-microsoft-365-powershell
Guest Access Settings with PowerShell
You will need global administrator rights to implement it, as well as the latest preview version of Azure Active Directory PowerShell for Graph (AzureADPreview module).
- If you want to install the PowerShell AzureADPreview module from scratch, use “Install-Module AzureADPreview” to install the preview version. Please note that the preview version and the General Availability version must not be installed at the same time. For more information, see the Microsoft doc Installing the Azure AD Module.
- If you have installed the General Availability version of the Azure AD PowerShell module (AzureAD), you must first uninstall it by running “Uninstall-Module AzureAD” in your PowerShell session. Then install the preview version as described above.
- If you have a preview version already installed, run “Install-Module AzureADPreview” to make sure it is the latest version of that module.
Then, in your PowerShell session, run the following script. Before you do so, change <GroupName> to the name of the group for which you want to block guest access. With $settingsCopy["AllowToAddGuests"]=$False you disable the guest access.
$GroupName = "<GroupName>"
Connect-AzureAD
# Load the guest settings template for Microsoft 365 groups
$template = Get-AzureADDirectorySettingTemplate | Where-Object {$_.DisplayName -eq "group.unified.guest"}
$settingsCopy = $template.CreateDirectorySetting()
# Block the addition of new guests to this group
$settingsCopy["AllowToAddGuests"]=$False
# -SearchString can match more than one group, so filter on the exact display name to get a single ObjectId
$groupID= (Get-AzureADGroup -Filter "DisplayName eq '$GroupName'").ObjectId
New-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupID -DirectorySetting $settingsCopy
To verify that the script was executed correctly, run the following script:
Get-AzureADObjectSetting -TargetObjectId $groupID -TargetType Groups | Format-List Values
If everything was done correctly, you will get the following result:
Values : {class SettingValue {
Name: AllowToAddGuests
Value: False
}
}
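To undo the setting and re-enable guest access, run the script again, only this time set AllowToAddGuests to $True and update the existing setting with Set-AzureADObjectSetting. (Again, please change <GroupName> to the name of the group you want to enable guest access for.)
$GroupName = "<GroupName>"
Connect-AzureAD
# Load the guest settings template for Microsoft 365 groups
$template = Get-AzureADDirectorySettingTemplate | Where-Object {$_.DisplayName -eq "group.unified.guest"}
$settingsCopy = $template.CreateDirectorySetting()
# Allow guests to be added to this group again
$settingsCopy["AllowToAddGuests"]=$True
# -SearchString can match more than one group, so filter on the exact display name to get a single ObjectId
$groupID= (Get-AzureADGroup -Filter "DisplayName eq '$GroupName'").ObjectId
# The setting object already exists on the group, so look up its Id and update it in place
$id = (Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupID).Id
Set-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupID -DirectorySetting $settingsCopy -Id $id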
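The two scripts above differ only in whether the group already carries a guest setting object: the first creates one, the second updates it. The following is an added example, not part of the original post, that folds both cases into one function so it can be rerun safely. The function name Set-GroupGuestAccess is hypothetical, and the code assumes the AzureADPreview module is loaded and Connect-AzureAD has already been run.

```powershell
# Added example: idempotent per-group guest toggle (function name is hypothetical).
# Assumes the AzureADPreview module is loaded and Connect-AzureAD has been run.
function Set-GroupGuestAccess {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [bool]   $Allow
    )

    # Exact display-name match; single quotes are doubled for the OData filter.
    $escaped = $GroupName.Replace("'", "''")
    $groups  = @(Get-AzureADGroup -Filter "DisplayName eq '$escaped'")
    if ($groups.Count -ne 1) {
        throw "Expected exactly one group named '$GroupName', found $($groups.Count)."
    }
    $groupId = $groups[0].ObjectId

    # Build the desired setting from the same template the article uses.
    $template = Get-AzureADDirectorySettingTemplate |
        Where-Object { $_.DisplayName -eq 'group.unified.guest' }
    $setting = $template.CreateDirectorySetting()
    $setting['AllowToAddGuests'] = $Allow

    # Update the group's existing setting object for this template if there is one,
    # otherwise create it.
    $existing = Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupId |
        Where-Object { $_.TemplateId -eq $template.Id }
    if ($existing) {
        Set-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupId `
            -Id $existing.Id -DirectorySetting $setting
    } else {
        New-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupId `
            -DirectorySetting $setting | Out-Null
    }

    # Read the value back so the caller can confirm what is now in effect.
    $current = Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupId |
        Where-Object { $_.TemplateId -eq $template.Id }
    [pscustomobject]@{
        Group            = $GroupName
        ObjectId         = $groupId
        AllowToAddGuests = $current['AllowToAddGuests']
    }
}

# Replace <GroupName> as in the scripts above.
Set-GroupGuestAccess -GroupName '<GroupName>' -Allow $false
```

The function stops with an error when the display name matches no group or more than one, so the setting is never written to an unintended team.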
If you’re looking for an easier way than PowerShell to control guest access for individual teams, we recommend using External User Manager. Our apps are built precisely to give you full control over individual teams.
With External User Manager, you not only minimize the risk from guests who can be added freely, but you can also have them sign documents such as NDAs, ensuring that guests are integrated into your system in a legally correct way. In addition, External User Manager can regularly check whether guests still need access or can be removed from your environment.
Book a free demo to see more!
Head of Marketing & Sales at Solutions2Share – Florian Pflanz has 6 years of M365 experience and has been involved in numerous projects concerning Microsoft Teams governance. In over 200 workshops, he has collected extensive knowledge and best practices regarding Microsoft Teams and companies’ management requirements.