Monday 11 September 2017

How to enable external guest access in Microsoft Teams

Hello readers.  I hope you're well.

This is a quick post on a new feature added today to Microsoft Teams.  It is one of the most anticipated and popular features with (at time of writing) 5,999 votes on Uservoice.

The feature is External Guest access.  This first iteration of guest access allows team owners to add or, more precisely, invite external users with an Azure AD account as a member of a team.  This will send an email invitation to the guest inviting them to access the team.

For now, only users who have an email address corresponding to an Azure Active Directory or Office 365 work or school account can be added as a guest user.  Microsoft will be expanding this to users with MSO accounts (like outlook.com or hotmail.com).

Before your users can add guests, you need to enable guest access in the tenant admin.

To turn on guest access for Microsoft Teams

1. Sign in to Office 365 Admin portal at https://portal.office.com/adminportal/home.

2. Expand settings and click on Services & Add-ins.  

3. Now select Microsoft Teams to open the Microsoft Teams side bar.

4. Under Settings by User/license type, select the user type you want to configure: click on the drop-down list and choose Guest.



5. Now flip the toggle next to Turn Microsoft Teams on or off for your entire organization to the On position and then click Save at the bottom.


6. To enable the full Microsoft Teams guest access experience, Office 365 admins need to select On for the following settings:
How to invite external guests
Once everything is enabled, users will be able to add external contacts in the same way they currently add internal members.  The below Gif shows how.


Update

Adding a guest is as easy as searching for the contact by email address.

1. Click on the menu (three dots) next to a team you want to manage, then add members.

2. Then type an email address of an account that has Azure AD (i.e. someone with an Office 365 account).  It doesn't matter if they've never used Teams; it will invite them to start.  More on that later.



3. If it finds a valid account, it will display below the search bar.  Click on that account.

4. Then click Add

5. Then click Close.

What happens now is that the guest account you've invited gets added as a guest account in your Azure AD.

From here, you can view and even edit their profile.  You can even block sign in directly from here.  

You can also view members and see what you can do.

Click on the invite
Once you enable and add a guest the user will receive a welcome email similar to those when you send a chat to users that haven't used Teams.  

The guest must redeem the invitation by clicking on the link in the email before they can get access to the team and the channels therein.

Open Teams
When the user clicks on the invite it takes the user to Teams on the web and (because I have the Teams app) asks whether to open Teams or to use the web app.

I used the Teams app.  Once you click on open the app, you'll get a popup in Teams asking if you want to switch accounts.

Switch accounts
This basically logs you out of Teams and then back in.  At this point it adds the additional tenant context so you can switch between your primary account and your guest account.

In order to do anything with the person that invited you, you need to switch from your primary/company account to the guest account.  You can't be in both accounts at the same time.  You are literally logging out of your tenant and in to the guest account you've been given on the Office 365 tenant of the person that invited you.  Switching accounts takes about 10 seconds.

I have only added a single account, but I assume, as you get invited to more teams, your account list will grow.

First time logging in as a guest
The first time you log in to the guest account you get a slide show.




Followed by a video which lasts about 2 minutes.

The video is a quick tour of Teams.  Click here to watch if you haven't seen it.

Once you're in you will see the team you've been invited to, any channels and tabs, conversation history, files.  Everything.

You'll also be able to communicate directly with the person that invited you.  This includes one to one chat, audio and video.

Calling and video only works between users logged into the full client.  I tried both directions and the call starts and ends a second later.  From the full client it just ends with no explanation.  From the web it displays a warning that the feature isn't yet available in the web and it invites you to download the app.


Calling from the app to the person logged into the web app generates a missed call notification.

The chat experience between clients is as you'd expect if you've chatted in Teams.  Calling and video is also very good as you'd expect.

Meetings with guests
The only thing you don't get is meetings between users and guests.  The meeting section is missing from the guest experience.  

I tried inviting a guest to a meeting and it allowed me to in Teams, but I got an NDR email.

The NDR says "Your message to first.last_guestdomain.com#EXT#@yourdomain.com couldn't be delivered.

first.last_guestdomain.com#EXT# wasn't found at yourdomain.com."
So, 1. Teams doesn't really know how to invite a guest, and 2. Meetings are internal only, for now.  Shame it actually let me generate and send the invite.  If I were an uninitiated end user it would confuse me.
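
The NDR shows how the inviting tenant names a guest: the "@" of the guest's home address becomes "_" and #EXT#@yourdomain.com is appended.  As an added example (not from the original post), this PowerShell function reverses that pattern over a constructed list of UPNs and counts guests per home domain, which is handy when reviewing who has been invited.  The function name and sample addresses are hypothetical, and the last-underscore rule is an assumption based on the format in the NDR.

```powershell
# Added example, not from the original post. Sample UPNs are constructed.
function ConvertFrom-GuestUpn {
    param([Parameter(Mandatory)][string]$Upn)

    # Guest UPNs look like: local_homedomain#EXT#@hosttenant
    $marker = $Upn.IndexOf('#EXT#@', [System.StringComparison]::OrdinalIgnoreCase)
    if ($marker -lt 1) { return }                 # not a guest-style UPN

    $encoded    = $Upn.Substring(0, $marker)
    $hostTenant = $Upn.Substring($marker + 6)     # text after '#EXT#@'

    # Assumption: the '@' of the home address was replaced by '_'.
    # Domain names cannot contain '_', so the last '_' is the separator,
    # even when the local part has underscores of its own.
    $split = $encoded.LastIndexOf('_')
    if ($split -lt 1 -or $split -eq $encoded.Length - 1) { return }

    $local  = $encoded.Substring(0, $split)
    $domain = $encoded.Substring($split + 1).ToLowerInvariant()

    [pscustomobject]@{
        HomeAddress = "$local@$domain"
        HomeDomain  = $domain
        HostTenant  = $hostTenant.ToLowerInvariant()
    }
}

# Constructed sample: UPNs as they might appear in a user export.
$upns = @(
    'first.last_guestdomain.com#EXT#@yourdomain.com',
    'a_b_supplier.example#EXT#@yourdomain.com',     # underscores in local part
    'jane@yourdomain.com',                          # internal user, skipped
    'sam_guestdomain.com#ext#@yourdomain.com'       # marker in lower case
)

$guests = $upns | ForEach-Object { ConvertFrom-GuestUpn -Upn $_ }

# Recovered home addresses, one row per guest.
$guests | Format-Table HomeAddress, HomeDomain, HostTenant

# Guests per home organisation, so unexpected domains stand out.
$guests | Group-Object HomeDomain | Sort-Object Count -Descending |
    Select-Object Count, Name
```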

Capabilities of Guest Users in Teams
Guests have a subset of capabilities of internal users.  All in all, not a bad list.  Although I would question a couple of them.  Do guests need to be able to create a channel in someone else's team?  Maybe, but be wary.  And really they shouldn't be able to create policies or invite new guests, surely.  I'll let you decide.

Team Owners can also tweak some of the permissions.   

Click on the menu (3 dots) -> view team -> Settings -> expand Guest permissions.

It is possible to control guest access to Office 365 Groups (the backbone of Teams) using PowerShell.  Click Here.

Licensing required
No additional licenses are required.  Guest access is included in Office 365 Business Premium, Enterprise and Education subscriptions.  This is excellent news.  All three organisation types will surely have a requirement to add guests.

What do I think?
I'm glad you asked.  I am mindful that this is the first iteration of guest access.  I hope/assume it will get better.  It needs work, however.

The above paints a picture that the whole process is easy.  There are several things to change as an admin, but they are actually pretty straightforward.  Log in, tick some boxes and wait.  

My Real Experience
The invite was delivered within a few minutes (at most).  I clicked on the link and followed the prompt to switch accounts.  The first time I did this it took me back to my primary account.  I couldn't see the your accounts section.  I logged out and back in and actually got a warning that my account wasn't enabled by my admin.

I clicked try again several times and got the same thing.  I tried to sign out and back in and the same.  At this point I restarted my PC and tried to log back in.  It was only at this point that I got prompted for my multi factor method and I was able to log in.  However, I still didn't have the dual accounts.

A couple of hours went by and nothing.  So I started a chat with the guest.  I was able to send chats, but they weren't received.  This was clearly because the guest wasn't in their guest account.  About 30 minutes after that I got an email saying that the person had sent a message in Teams.

I clicked on the link and it started the redemption process again.  Open the app or login to the web app.  I clicked on open the app and I got the Switch accounts popup.  At this point I had to log in again with my credentials, including MFA.

This time it logged me in to the guest account.  And I was able to switch back and forth between accounts.  

What could be better?

1. Failed first attempt - I don't know why it failed the first time I clicked on the invite and switch accounts, but it did.  It really has to not do that.  Especially for end users.  If it takes a bit of time on the back end to get things finalised, delay the sending of the invite until it is actually ready for it to work.

Update: this only happens in the desktop app.  The web first attempt is quick and painless.  Once you accept the invite, it adds the additional tenant guest context to your account even if you're already logged in.  And it switched immediately.

2. Meeting experience - If you can't invite a guest to a meeting, don't let the user find the guest in the invite list and press send and eventually get the NDR.  This is really poor.

3. Admin process - I've read that users also need to be Limited Admin to be able to send invites.  My user account in my tenant is the only user and is, of course, admin.  Something to be mindful of.  

The actual admin process I have above is pretty straightforward, but could all be on a single screen rather than 3 or more.  Just aggregate all of the settings into a single screen with all of the tick boxes needed and a clear explanation of permissions.

4. Guest Accounts - At the moment guests have to have Azure AD, and soon Teams will allow anyone with a MSO account.  The former limits the possibility of working with anyone that doesn't have Office 365.  The latter is a little like Lync 2013 federation with Skype for Consumer.  At first, you could only send an invite to a hotmail (or similar) account and the user had to convert their Skype account to MSO.  If the guest account is being added as a new entry in Azure AD, why should it matter what type of account they have?  Surely, we should just be able to add a guest account with an email address.  If Teams needs a user to authenticate, then it should set up an AD guest account with a username and password.  

What this says to me is that you can only work with people (customers, suppliers, contractors) in Office 365.  It will get a little better with MSO.  A lot more people have MSO accounts than Office 365 accounts.  And as Microsoft says, they can just set up one if they don't have one already.  I think it should have allowed MSO as well as Azure AD at launch.

5. Account switching - I can't believe I have to leave my own company context and go into another to interact.  While I'm in the guest account I am missing everything in my normal account.  I think you should be able to stay in your normal account and a new team should appear inline with all the other teams.  You should be able distinguish between internal teams and Guest teams and just move about as normal.

That's it for now.

Additional resources
Admin Guide on Support.Office.com
The announcement by Lori Wright

________________________________________________________________________

I hope you found this useful.  Thank you for reading.

If this or any other post has been useful to you please take a moment to share.  Comments are welcome.