Based on access permissions and various capabilities, Microsoft Teams lets you categorize users broadly into three types – owners and members of teams, administrators, and external users and guest users. This ensures better organization of teams, appropriate utilization of resources and secure ways of sensitive data transfer inside and outside the organization. Further in this blog, we will learn how to configure settings and policies to provide access rights to different users in Microsoft Teams.
1. Team owners and members
Team owners can create a team based on an existing Office 365 group, add, and remove members in the team, add guests, update team settings, and manage administrative tasks associated with the team. They also have the ability to delete or archive the team. Besides, team owners can also grant the owner’s role to any team member which helps them to share responsibilities regarding the management of the team.
Team members are those users who join the team by accepting the owner’s invitation. By default, all users have permissions to create teams in Microsoft Teams. Hence, team members can also create teams if permitted to do so.
Unlike team owners, team members neither access nor modify Teams settings nor add members to the team directly. However, team members can send a request to the team owner to add a member which can be either approved or denied depending upon your company mandates. Furthermore, members can create and edit channels in Teams but can’t delete them.
Furthermore, if moderation is enabled in settings, then team owners as moderators can start new posts in the channel and control whether team members can reply to existing channel messages. Team owners can assign moderators within a channel. Moderators within a channel can add or remove other moderators within that channel.
Additionally, both owners and members can add or delete Teams channels if permitted to do so. They can also add external apps via Team channel tabs.
The following table shows the capabilities available for each role:
To learn more about managing teams settings and permissions in Teams, click here.
Microsoft Teams administrators are responsible for tenant-wide governance in Office 365 tenant and are the most powerful of all other roles. They can manage the entire Teams workload, or they can have delegated permissions for troubleshooting call quality problems or managing your organization’s telephony needs.
In Teams, the global administrator has the ultimate authority or dominance over Office 365 tenant. Using Azure Active Directory (Azure AD), the global administrator can delegate the responsibilities of an administrator to other users with different rights and permission levels of access for managing Microsoft Teams smoothly.
Besides the global administrator role, there are four admin roles available in Teams:
i. Teams service administrator: They have the capability to manage all aspects of Microsoft Teams service
ii. Teams communications administrator: They can manage calling and meetings features within the Microsoft Teams service.
iii. Teams communications support engineer: They have advanced tools to troubleshoot communication issues in Teams.
iv. Teams communications support specialist: They have basic tools to troubleshoot communication issues in Teams.
To learn more about administrators’ capabilities in Teams, click here.
3. External users/guest users
External users and guest users are those users who do not belong to your organization but can be allowed to collaborate with your team(s) with fewer or more restrictions. To understand the difference between external and guest users, please check out our blog here.
To set up a team for collaboration with guests, the following configuration steps are important:
i. At the highest level, organizational relationships settings in Azure Active Directory governs sharing in Office 365. Ensure that sharing with guests is enabled in Azure AD, else it overrides any sharing settings that you configure in Office 365. To set organizational relationship settings, follow these steps:
- Log in to Microsoft Azure at https://portal.azure.com.
- In the left navigation, click Azure Active Directory.
- In the Overview pane, click External identities.
- In the Organizational identities pane, click External collaboration settings.
- Ensure that Admins and users in the guest inviter role can invite and Members can invite are both set to Yes.
- If you made changes, click Save.
ii. Next, there is a variety of settings available to control what guests can do in a team. To enable guest access in Teams, follow these steps:
- Sign in to the Microsoft 365 admin center at https://admin.microsoft.com.
- In the left navigation, click Show all and then under Admin centers, click Teams.
- Now, in the Teams admin center, expand Org-wide settings in the left navigation, and click Guest access.
- Ensure that Allow guest access in Teams is set to On.
- Make any desired changes to the additional guest settings, and then click Save.
iii. Teams uses Office 365 Groups for team membership. Hence, the Office 365 Groups guest settings must be turned on to allow guest users work in Teams. To set Office 365 Groups guest settings, follow these steps:
- In the Microsoft 365 admin center, expand Settings in the left navigation.
- Now, click Org settings and then in the list, click Microsoft 365 Groups.
- Ensure that the Let group members outside your organization access group content and Let group owners add people outside your organization to groups, both check boxes are checked.
- After making changes, click Save changes.
iv. SharePoint stores all teams content such as files, folders, and lists. To allow guests an access to these items in Teams, the SharePoint organization-level sharing settings must be configured appropriately. To set SharePoint organization level sharing settings, follow these steps:
- Go to Microsoft 365 admin center, in the left navigation, under Admin centers, click SharePoint.
- In the SharePoint admin center, click Sharing in the left navigation.
- Ensure that external sharing for SharePoint is set to Anyone or New and existing guests. If you want files and folders to be shared with unauthenticated people, choose Anyone. If you want to ensure that all guests must go through an authentication procedure, choose New and existing guests. Select the most permissive setting that will be needed by any site in your organization.
- If you made changes, click Save.
v. The default file and folder link settings determine which link option is shown to the user by default when they share a file or folder. Users can change the link type to one of the other options before sharing if desired. Select the type of link to set it as default when users share files and folders:
- Specific people – Choose this option if you want to do a lot of file and folder sharing with guests. This link requires guests to authenticate.
- Anyone with the link – Consider this option if you are likely to do a lot of unauthenticated sharing of files and folders.
- Only people in your organization – Choose this option if you want to share files and folders with people inside your organization.
Now, to set the SharePoint organization level default link settings, follow these steps:
- Navigate to the Sharing page in the SharePoint admin center.
- Under File and folder links, select the default sharing link that you want to use.
- After making changes, click Save.
Lastly, after creating the team, check the site-level sharing settings to ensure that they allow the type of access that you want for this team. For example, if you set the organization-level settings to Anyone, but you want all guests to authenticate for this team, then make sure the site-level sharing settings are set to New and existing guests. To set site-level sharing settings, follow these steps:
- In the SharePoint admin center, in the left navigation, expand Sites and click Active sites.
- Select the site you just created.
- In the ribbon, click Sharing.
- Ensure that sharing is set to Anyone or New and existing guests.
- After making any changes, click Save.
Though external access gives a greater dimension to online collaboration with rich settings and policies in Microsoft Teams, it has certain loopholes that make external user management complex and time-consuming. If there could be a way to make administrators productive, that will be to give them everything that they need at one single place!
TeamsHub by Cyclotron and external access management
There is good news to share! TeamsHub by Cyclotron resolves the most persistent external access management issues by assembling all dispersed pieces of settings together in a unified interface to make administration friction-less. Let’s have a glance at how we do it:
Through external collaboration in TeamsHub by Cyclotron, you can share content to guest users. Global administrators can change their organization-level sharing settings for groups, SharePoint, and OneDrive. In TeamsHub by Cyclotron, you can collaborate with guests on three levels:
- Collaborate with guests in groups
- Collaborate with guests in a SharePoint site
- Collaborate with guests in OneDrive
Next, there are four sharing levels defined. They are:
- Only people in your organization – No external sharing allowed. It is the lowest and least permissive level.
- Existing guests – Only users already in your organization.
- New and existing guests – Guests must sign in or provide a verification code.
- Anyone – Users can share files and folders using links that don’t require sign-in. It is the highest and most permissive level.
You can specify your sharing level for Groups. If you select Only people in your organization, external sharing among groups will be turned off. But if you select ‘Existing guests’, then you have three options to allow access to guests. They are:
1. Enable administrator approval to add new guests to the organization – Once enabled, this option allows users to send an approval request for adding new guests.
2. Allow guests to be group owner – If enabled, users can add guests as team or group owners as well as members, both.
3. Allow guests to access the group content – If you don’t select this, guests will still be listed as members of the groups, but they won’t receive group emails or be able to access any group content. They will only be able to access files that are shared directly with them.
Furthermore, we have settings called- Guest Invite and Collaboration restrictions for Groups, SharePoint, and OneDrive to encompass more features for external collaboration. Using these capabilities, you can allow or restrict guest users to invite other external users in your organization. You can enable authentication using One-Time Passcode for guests before granting access. Additionally, you can allow users to send invitations to or deny invitations from specified domains.
What’s even more exciting about TeamsHub by Cyclotron is that the guest access can be managed at the individual team level too!
Collaborating on important projects with business partners, advisors, or consultants, etc., enables an organization to engage its users and achieve its goals. However, in past years, administrators have been quite apprehensive about enabling guest access in Microsoft Teams because of its complexity. TeamsHub by Cyclotron, leveraging the power of self-service, ensures that external collaboration is not a hassle but an enhanced experience to drive productivity and boost efficiency.