How Microsoft Teams Admin Center Lets You Add External Users To Work Chat

Microsoft Teams Admin Center: Add External Users to Work Chat

Teams Admin Center gives IT administrators granular control over external collaboration. Two methods are available: External Access (federation for chat and calls) and Guest Access (deeper team participation with file sharing). Each method is configured separately in the Admin Center. EPC Group has configured Teams external collaboration for hundreds of enterprise organizations over 29 years.

Key facts

• External Access (federation) allows chat and calls with users in other Microsoft 365 or Skype for Business organizations — no channel or file access.
• Guest Access adds external users to your Azure AD tenant as B2B guests with access to team channels, files, and apps.
• Shared Channels (Azure AD B2B Direct Connect) let external users join a specific channel without becoming a guest in your tenant.
• Guest Access requires both Teams Admin Center and Azure AD guest settings to be enabled.
• EPC Group: 29-year Microsoft partner, 10,000+ enterprise deployments, all six Solutions Partner designations.

External Access vs Guest Access: understanding the difference

Teams supports two distinct methods for collaborating with users outside your organization. Choosing the right method depends on how much access the external user needs.

External Access (federation)

External Access lets your users chat and call users in other Microsoft 365 organizations or Skype for Business. External users stay in their own organization. They cannot access your team channels, files, or apps. Think of it as "phone call-level" access.

Guest Access

Guest Access adds external users to your Teams environment as guest members. Guests can participate in team channels, access SharePoint files, join meetings, and collaborate on documents. They are added to your Azure AD as B2B guest accounts with configurable permissions.

Shared Channels

Shared Channels use Azure AD B2B Direct Connect. External users access a specific channel from their own Teams client — without switching tenants. They are not added to your Azure AD as guests. Shared Channels work best for focused collaboration on specific projects. Guest Access works better when external users need full team participation.

Configuring External Access in Teams Admin Center

External Access settings control which external organizations your users can communicate with via chat and calls. These settings apply at the tenant level.

1. Sign in to the Teams Admin Center (admin.teams.microsoft.com) with Global Admin or Teams Administrator credentials.
2. Navigate to Users > External access.
3. Under Teams and Skype for Business Users, choose: allow all external domains (open federation), block specific domains, or allow only specific domains. For regulated industries, allow-list specific partner domains rather than opening federation to all.
4. Configure whether users can communicate with personal Teams accounts (non-organizational). Disable this in environments with strict DLP requirements.
5. Enable or disable communication with consumer Skype users. Most enterprise organizations disable this.

Configuring Guest Access in Teams Admin Center

Guest Access provides deeper collaboration but requires more careful configuration.

1. Navigate to Users > Guest access in the Teams Admin Center.
2. Toggle Allow guest access in Teams to On. This is the master switch — no guest invitations can be sent without it.
3. Configure Calling permissions — whether guests can make private voice and video calls.
4. Configure Meeting permissions — whether guests can use video, screen sharing, and recording. Disable recording for guests in regulated environments.
5. Configure Messaging permissions — whether guests can edit or delete sent messages, use Giphy, memes, and stickers.
6. Configure Channel permissions — whether guests can create, update, and delete channels. Best practice: restrict guests to participating in existing channels only.

Azure AD Guest settings (required prerequisites)

Guest Access in Teams depends on Azure Active Directory B2B collaboration settings. These must be configured correctly in the Azure portal before Teams guest invitations will work.

• External Collaboration Settings — In Azure AD > External Identities > External collaboration settings, configure who can invite guests: admins only, admins and specific roles, anyone in the organization, or no one. For governance, restrict to admins and team owners.
• Collaboration Restrictions — Specify allowed or denied domains for guest invitations. These settings should align with Teams external access settings to avoid conflicting policies.
• Guest User Permissions — Configure the default permission level for guest accounts. "Guest users have limited access" is the recommended setting.

How to add an external user as a guest

1. Confirm that guest access is enabled in both Teams Admin Center and Azure AD.
2. A team owner opens the team in Teams.
3. Click the three-dot menu next to the team name and select Add member.
4. Enter the external user's email address and set their role as Guest.
5. The guest receives an email invitation with a link to accept and join the team.
6. The guest can then access all standard channels. To restrict guests to specific channels, use private channels — which can be configured to include or exclude guest members.

Security best practices for external collaboration

• Require MFA for Guests — Create an Azure AD Conditional Access policy that requires multi-factor authentication for all guest sign-ins, regardless of the guest's home organization MFA policies.
• Apply Sensitivity Labels — Use Microsoft Purview sensitivity labels on teams and channels to control whether guests can be added. Label "Confidential" teams to automatically block guest membership.
• Data Loss Prevention — Configure DLP policies that monitor and block sharing of sensitive information (PII, PHI, financial data) in chats and channels where guests are present.
• Audit Guest Activity — Monitor guest sign-ins, file access, and message activity through Microsoft 365 audit logs and Microsoft Sentinel.
• Lifecycle Management — Set automatic guest account expiration after 90–180 days. Conduct quarterly access reviews. Remove inactive guest accounts automatically.
• Information Barriers — Use Teams information barriers to prevent guests from being added to teams containing conflicting business interests.

HIPAA compliance for Teams guest access

Teams guest access can be configured for HIPAA compliance. Required controls include:

• Enforce MFA for guests via Conditional Access
• Apply DLP policies to prevent PHI sharing outside the organization
• Use sensitivity labels to control which teams allow guests
• Disable guest screen recording and file downloads where appropriate
• Make sure your organization has a signed BAA with Microsoft (included in Microsoft 365 E3/E5 enterprise agreements)

Frequently asked questions

Can guest users access SharePoint files in Teams?

Yes — if added via Guest Access. Files shared in standard Teams channels are stored in the team's SharePoint site, and guest access permissions flow through. External Access (federation) users cannot access any files, channels, or team resources. If external users need to access shared documents, use Guest Access instead of External Access.

Can team owners remove guest users?

Team owners can remove guests from specific teams via team membership settings. To remove the guest account from your Azure AD tenant entirely, an administrator must go to Azure AD > Users, find the guest account, and delete it. Configure Azure AD access reviews to automate periodic review and removal of inactive guest accounts.

What is the difference between Shared Channels and Guest Access?

Shared Channels let external users join a specific channel from their own Teams client without being added to your tenant as a guest.

Guest Access adds external users to your Azure AD as B2B guests with broader access to the team's channels, files, and apps. Shared Channels work best for focused project collaboration. Guest Access works best when external users need full team participation.

What licenses are required for Teams external collaboration?

External Access is available in all Microsoft 365 plans. Guest Access requires Azure AD B2B, which is included in Azure AD Free and all Microsoft 365 commercial plans. Advanced features like Conditional Access for guests, Purview sensitivity labels, and Information Barriers require Microsoft 365 E3 or E5 licenses.

Configure secure Teams external collaboration

Talk to an EPC Group Teams architect about building a secure external collaboration framework for your organization. Call (888) 381-9725 or request a 30-minute discovery call.