Guest access in groups in Outlook

Teamwork is changing. It is increasingly global and increasingly involves people outside the organization: a large share of today's workforce is contingent, and users readily turn to shadow IT when the sanctioned tools do not let them work with outsiders. Guest access in groups in Outlook addresses both problems. It lets group members collaborate with external users simply and seamlessly, without the guest needing a license or a dedicated app, while keeping the collaboration secure: the IT admin has a set of policies to control guest access across the organization. The feature launched for Outlook on the web in September 2016 and is now also available in Outlook desktop and Outlook mobile.

Who is a Guest user?

A guest user is someone outside the organization: a vendor, a contract worker, a partner company's staff, or a friend or family member, identified by the one universal identity everyone has, an email address. Literally any email address can be invited. Guests added to a group do not need to install any app or client; they can use their preferred email app or browser.

With Guest access in groups, a guest can

  • access the group's files in SharePoint;
  • receive group mail and reply to it, with the reply delivered to all group members;
  • receive the group's calendar invites and add them to their personal calendar, so that they are notified about meetings.

A guest can do with a file everything an internal user can, and the tenant's SharePoint sharing policies continue to apply to them.

Guest user architecture:

Any email address can be added as an external (guest) user. The invited user is added to Azure Active Directory as a guest object through Azure AD B2B collaboration, which is the platform for guest access. Because Microsoft Teams, OneDrive for Business and SharePoint also use Azure AD, a guest can work seamlessly with those apps and services as well.

Figure 1 Guest user Architecture

 

Steps to add a guest user to a group:

Within the policies defined by the IT admin, a group owner adds a guest exactly as they would add an internal member. When the address belongs to an external user, an info message appears saying that you are adding an external user. Once the guest is added, they receive a welcome email saying they have been added to the group, containing everything they need to start collaborating.

Figure 2, 3 Adding guest user, welcome email received by guest user

 

The welcome email also has an "Access file link" that takes the guest to a sign-in page. Users whose address is not already a Microsoft account (Gmail users, for example) go through a one-time, two-step sign-up: create a Microsoft account for that address and choose a password. Outlook.com and Office 365 users sign in with their existing credentials.

Every group conversation carries a footer with the information a guest needs: how to leave the group, where to learn more about Office 365, and how to access the group's files.

Guests (external users) are recognisable in the organization and in groups by the globe icon next to their name, and Outlook on the web has a guest filter that lists only the guest members of a group.
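The same inventory can be produced for the whole tenant from PowerShell. The following is an added example (not from the original post) that lists every guest in the directory together with the groups each one belongs to, using the AzureAD module; it assumes Connect-AzureAD has already been run as an account with directory read rights.

```powershell
# Added example, not from the original post: inventory every guest in the tenant
# and the groups each one belongs to, using the AzureAD PowerShell module.
# Assumes Connect-AzureAD has been run as an account with directory read rights.

# Guests are ordinary Azure AD user objects whose userType is 'Guest'.
$guests = Get-AzureADUser -Filter "userType eq 'Guest'" -All $true

$report = foreach ($g in $guests) {
    # Mail is normally the external address; fall back to OtherMails for guests that lack it.
    $mail = if ($g.Mail) { $g.Mail } elseif ($g.OtherMails) { $g.OtherMails[0] } else { $g.UserPrincipalName }

    # Only group memberships are of interest here; directory roles are filtered out.
    $groups = Get-AzureADUserMembership -ObjectId $g.ObjectId -All $true |
        Where-Object { $_.ObjectType -eq 'Group' }

    foreach ($grp in $groups) {
        [pscustomobject]@{
            Guest        = $mail
            SourceDomain = ($mail -split '@')[-1].ToLowerInvariant()
            Group        = $grp.DisplayName
            # 'PendingAcceptance' means the invitation has not been redeemed yet.
            State        = $g.UserState
        }
    }
}

# Full listing, sorted so that one guest sitting in many groups is easy to spot
$report | Sort-Object SourceDomain, Guest, Group | Format-Table -AutoSize

# Domains you do not recognise are candidates for the block list or for a membership review
$report | Group-Object SourceDomain | Sort-Object Count -Descending | Select-Object Name, Count
```

The second table is the useful one for a periodic review: a domain that appears once, from a guest still in the PendingAcceptance state, is usually a typo or an invitation that should be revoked.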

 

How can IT Admin control/manage guest access?

Figure 4 IT Admin policies

 

There are four levels of policy for controlling guest access.

1. Guest inviter role:

The admin can assign the Guest inviter role to a set of users; only those users (and administrators) can then invite guests into the tenant. The set can be chosen by job designation, job title or any other attribute in the directory.

PowerShell command to assign the Guest inviter role (MSOnline module; run Connect-MsolService first; the GUID is the template ID of the built-in Guest Inviter role):

Add-MsolRoleMember -RoleObjectId 95e79109-95c0-4d8e-aee3-d01accf2d47b -RoleMemberEmailAddress <RoleMemberEmailAddress>

Figure 5 User setting option in AAD

 

More detail: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-b2b-delegate-invitations

2. Group level policy: the admin can configure the "allow to add guests" setting for each group individually, so guest addition can be enabled for some groups and disabled for others.

Reference: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-accessmanagement-groups-settings-cmdlets#update-settings-for-a-specific-group

3. Allow/block list: the admin can specify a list of domains that are either allowed or blocked. With an allow list, guests can be invited only from the listed domains; with a block list, guests from the listed domains cannot be invited. The tenant has one list or the other, not both.

Reference: https://technet.microsoft.com/library/a86bb46f-0e5b-43a3-b6ef-7394f344a8da

PowerShell commands to alter the allow/block list. Required: download the script (Set-GuestAllowBlockDomainPolicy.ps1) for the Allow/Block policy from the Microsoft Download Center (see the reference above).

Create/replace the allow list:

Set-GuestAllowBlockDomainPolicy.ps1 -Update -AllowList @("contoso.com", "fabrikam.com")

Create/replace the block list:

Set-GuestAllowBlockDomainPolicy.ps1 -Update -BlockList @("contoso.com", "fabrikam.com")

Add more domains to an existing list:

Set-GuestAllowBlockDomainPolicy.ps1 -Append -AllowList @("contoso.com")

Set-GuestAllowBlockDomainPolicy.ps1 -Append -BlockList @("contoso.com")

Migrate the existing list from SharePoint Online:

Set-GuestAllowBlockDomainPolicy.ps1 -MigrateFromSharepoint

Clear the list:

Set-GuestAllowBlockDomainPolicy.ps1 -Remove
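Before a bulk invitation it is worth checking which addresses the policy will actually let through. The function below is an added example (it is not part of the original post or of Set-GuestAllowBlockDomainPolicy.ps1): it evaluates a batch of proposed invitees against an allow list or a block list and reports the verdict and reason for each. The sample addresses and domain lists are constructed for illustration; the exact-match rule for domains (a subdomain is not treated as covered by its parent) is an assumption of this example, so confirm it against your tenant's behaviour.

```powershell
# Added example, not from the original post or the Microsoft script: pre-check a batch of
# invitations against an allow list OR a block list before anyone is invited.
# The sample addresses and domain lists below are constructed for illustration.

function Test-GuestInvitePolicy {
    param(
        [Parameter(Mandatory)] [string[]] $Invitees,
        [string[]] $AllowList,
        [string[]] $BlockList
    )
    # Azure AD B2B keeps either an allow list or a block list, never both at once.
    if ($AllowList -and $BlockList) {
        throw 'Specify an allow list or a block list, not both.'
    }
    $allow = $AllowList | ForEach-Object { $_.Trim().ToLowerInvariant() }
    $block = $BlockList | ForEach-Object { $_.Trim().ToLowerInvariant() }

    foreach ($address in $Invitees) {
        # Accept only a single local@domain pair; this also rejects display-name tricks
        # such as "dan@contoso.com <mallory@evil.example>" that a human reviewer may skim past.
        if ($address -notmatch '^[^@\s<>]+@([^@\s<>]+)$') {
            [pscustomobject]@{ Invitee = $address; Domain = $null; Allowed = $false; Reason = 'malformed address' }
            continue
        }
        # Assumption of this example: exact, case-insensitive domain match; subdomains are not implied.
        $domain = $Matches[1].ToLowerInvariant()

        $verdict = if ($allow) {
            if ($allow -contains $domain) { $true, 'on allow list' } else { $false, 'not on allow list' }
        } elseif ($block) {
            if ($block -contains $domain) { $false, 'on block list' } else { $true, 'not on block list' }
        } else {
            $true, 'no domain restriction'
        }
        [pscustomobject]@{ Invitee = $address; Domain = $domain; Allowed = $verdict[0]; Reason = $verdict[1] }
    }
}

# Constructed sample input: mixed case, a subdomain, a consumer address and a spoofed display name
$proposed = 'alice@contoso.com',
            'Bob@Fabrikam.COM',
            'carol@mail.contoso.com',
            'eve@gmail.com',
            'dan@contoso.com <mallory@evil.example>'

'--- allow-list policy: contoso.com, fabrikam.com ---'
Test-GuestInvitePolicy -Invitees $proposed -AllowList 'contoso.com', 'fabrikam.com' | Format-Table -AutoSize

'--- block-list policy: gmail.com ---'
Test-GuestInvitePolicy -Invitees $proposed -BlockList 'gmail.com' | Format-Table -AutoSize
```

Under the allow-list run only alice and Bob pass; carol's subdomain and eve's consumer address are rejected, and the spoofed entry is flagged as malformed. Under the block-list run everything except eve and the malformed entry passes, which illustrates why an allow list is the safer default when the set of partner domains is known.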

4. IT managed: only IT admins can add guests; group owners and members cannot.

All these policies are set at the Azure AD B2B level, so Microsoft Teams, Planner and Project inherit them, and they can be combined to match the business's needs for managing guest access in groups.
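Policies 2 and 4 are the same AllowToAddGuests setting applied at two scopes: the tenant-wide Group.Unified directory setting, and a per-group Group.Unified.Guest setting that overrides the tenant default for that group. The following added example (not from the original post; it assumes the AzureADPreview module, an admin session opened with Connect-AzureAD, and a hypothetical group named "Partner Marketing") turns guest addition off for the whole tenant and then re-enables it for that one group.

```powershell
# Added example, not from the original post: apply policy 4 (IT managed) tenant-wide and
# policy 2 (group level) for one group. Requires the AzureADPreview module and an admin
# session (Connect-AzureAD). 'Partner Marketing' is a hypothetical group name.

# --- Tenant level: Group.Unified setting, AllowToAddGuests = False ----------------------
# Owners and members can no longer add guests anywhere; admins still can from the portal.
$tenantSetting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
if (-not $tenantSetting) {
    # No setting object exists until one is created from the template.
    $template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq 'Group.Unified' }
    $tenantSetting = $template.CreateDirectorySetting()
    $tenantSetting['AllowToAddGuests'] = $false
    New-AzureADDirectorySetting -DirectorySetting $tenantSetting | Out-Null
} else {
    $tenantSetting['AllowToAddGuests'] = $false
    Set-AzureADDirectorySetting -Id $tenantSetting.Id -DirectorySetting $tenantSetting
}

# --- Group level: Group.Unified.Guest setting on one group overrides the tenant default --
$group = @(Get-AzureADGroup -SearchString 'Partner Marketing')
if ($group.Count -ne 1) { throw "Expected exactly one matching group, found $($group.Count)" }
$groupId = $group[0].ObjectId

$existing = Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupId |
    Where-Object { $_.DisplayName -eq 'Group.Unified.Guest' }
if ($existing) {
    # A setting already exists on the group; creating a second one would fail, so update it.
    $existing['AllowToAddGuests'] = $true
    Set-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupId -Id $existing.Id -DirectorySetting $existing
} else {
    $guestTemplate = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq 'Group.Unified.Guest' }
    $groupSetting = $guestTemplate.CreateDirectorySetting()
    $groupSetting['AllowToAddGuests'] = $true
    New-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupId -DirectorySetting $groupSetting | Out-Null
}

# --- Verify the effective values --------------------------------------------------------
'Tenant default:'
(Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }).Values |
    Where-Object { $_.Name -eq 'AllowToAddGuests' }
'Group override:'
(Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupId).Values |
    Where-Object { $_.Name -eq 'AllowToAddGuests' }
```

Setting the tenant default to False first and opening individual groups afterwards keeps the configuration fail-closed: a newly created group cannot take guests until someone deliberately enables it, and the group-level exceptions are enumerable with Get-AzureADObjectSetting during a review.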

 

Advanced policies:

Guest expiry: a guest is often invited for a designated task and for a limited time. The admin can set up a guest expiry policy that requires group owners to review guest membership periodically, with a customizable review period. At the end of each period the group owner receives a notification email and can extend or decline the guest's membership, or ignore it.

Audit logs: every guest invitation, every guest sign-in and every guest access to a resource is tracked at the Azure AD B2B level. The data is available at portal.azure.com, and the admin can also block a guest's sign-in based on the number of sign-ins recorded.

Figure 6, 7 Guest user expiry flow, Guest user audit log data in AAD
