Microsoft Teams and external members Pt. 1

Many customers using Microsoft Teams request teams restricted to internal members, without guest account access.

Teams’ behavior is very often controlled by SharePoint or Microsoft 365 Group settings, and a typical team user may not know anything about these settings. We recommend building your own app or automation to ensure SharePoint and Microsoft 365 Group settings meet requirements such as naming standards, download control, guest access, sharing options, folder structures and much more. We’ve successfully assisted many customers in implementing this approach for better team management.

But let’s see how we can prevent external sharing with guests on a Microsoft Team site.

Typically, we would allow guest access to most groups and teams, but often there are some teams or groups where we want to prevent it. We can block guest access for an individual team by blocking it on the associated group.

This prevents new guests from being added but doesn’t remove guests that are already in the group or team.

Prevent guests from being added to a specific Microsoft 365 group or Microsoft Teams team

First, we will add a guest (test) without any change, just to verify that this is possible.

And we have added an external guest and it works as expected.

Using PowerShell and Graph beta, we identify all groups (Teams) with “Internal” in their name and prevent users from adding external members.

Connect-MgGraph -NoWelcome

# All Teams-enabled groups with "internal" in the display name
$TeamsGroups = Get-MgBetaGroup -ConsistencyLevel eventual -Search '"DisplayName:internal"' -Filter "ResourceProvisioningOptions/any(p:p eq 'team')"

# Template for the per-group guest setting
$templateId = (Get-MgBetaDirectorySettingTemplate | Where-Object { $_.DisplayName -eq "group.unified.guest" }).Id

$TeamsParams = @{
    templateId = "$templateId"
    values = @(
        @{
            name = "AllowToAddGuests"
            value = "false"
        }
    )
}

Foreach ($Team in $TeamsGroups) {
    # Update the guest setting if the group already has one, otherwise create it
    $GroupSettings = Get-MgBetaGroupSetting -GroupId $Team.Id | Where-Object { $_.DisplayName -eq "group.unified.guest" }
    if ($GroupSettings) {
        Update-MgBetaGroupSetting -GroupId $Team.Id -BodyParameter $TeamsParams -DirectorySettingId $GroupSettings.Id
    }
    else {
        New-MgBetaGroupSetting -GroupId $Team.Id -BodyParameter $TeamsParams | Out-Null
    }
}

After this change, we can’t add guests—Teams shows “We couldn’t find any matches” when entering external email addresses.

But the guest we added before changing the setting is still in the team. With a small change to our PowerShell code, we can also remove all guests from the Internal teams.

Connect-MgGraph -NoWelcome

# All Teams-enabled groups with "internal" in the display name
$TeamsGroups = Get-MgBetaGroup -ConsistencyLevel eventual -Search '"DisplayName:internal"' -Filter "ResourceProvisioningOptions/any(p:p eq 'team')"

# Template for the per-group guest setting
$templateId = (Get-MgBetaDirectorySettingTemplate | Where-Object { $_.DisplayName -eq "group.unified.guest" }).Id

$TeamsParams = @{
    templateId = "$templateId"
    values = @(
        @{
            name = "AllowToAddGuests"
            value = "false"
        }
    )
}

Foreach ($Team in $TeamsGroups) {
    $GroupSettings = Get-MgBetaGroupSetting -GroupId $Team.Id | Where-Object { $_.DisplayName -eq "group.unified.guest" }

    # Remove every member that holds the guest role in this team
    $TeamMembers = Get-MgBetaTeamMember -TeamId $Team.Id -Filter "Roles/any(p:p eq 'guest')"
    Foreach ($TeamMember in $TeamMembers) {
        Remove-MgBetaTeamMember -ConversationMemberId $TeamMember.Id -TeamId $Team.Id
    }

    # Update the guest setting if the group already has one, otherwise create it
    if ($GroupSettings) {
        Update-MgBetaGroupSetting -GroupId $Team.Id -BodyParameter $TeamsParams -DirectorySettingId $GroupSettings.Id
    }
    else {
        New-MgBetaGroupSetting -GroupId $Team.Id -BodyParameter $TeamsParams | Out-Null
    }
}

And now the guest is removed from the team, and we cannot add new guests.
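To confirm that state later, the check below reports for each team whether the group-level setting is in place and whether any guests remain. It is an added example, not part of the original scripts: Test-InternalTeamGuestState and New-SampleSetting are hypothetical helper names, and the sample objects are constructed to mimic the output shape of the cmdlets used above.

```powershell
# Added example. Test-InternalTeamGuestState is a hypothetical helper, not a Graph cmdlet.
function Test-InternalTeamGuestState {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [object[]] $GroupSettings = @(),  # shape of Get-MgBetaGroupSetting output
        [object[]] $Members = @()         # shape of Get-MgBetaTeamMember output
    )
    $setting = $GroupSettings |
        Where-Object { $_.DisplayName -eq 'group.unified.guest' } |
        Select-Object -First 1
    $guests = @($Members | Where-Object { $_.Roles -contains 'guest' })

    $findings = @()
    if (-not $setting) {
        # Without a group-level setting the tenant-wide value decides.
        $findings += 'no group-level setting (tenant default applies)'
    }
    else {
        $allow = ($setting.Values | Where-Object { $_.Name -eq 'AllowToAddGuests' }).Value
        if ("$allow" -ne 'false') { $findings += "AllowToAddGuests=$allow" }
    }
    # The setting only blocks new guests, so existing ones are reported separately.
    if ($guests.Count -gt 0) { $findings += "$($guests.Count) guest(s) still a member" }

    [pscustomobject]@{
        Team      = $DisplayName
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings -join '; '
    }
}

# Constructed sample data (not from a real tenant).
function New-SampleSetting($value) {
    [pscustomobject]@{
        DisplayName = 'Group.Unified.Guest'
        Values      = @([pscustomobject]@{ Name = 'AllowToAddGuests'; Value = $value })
    }
}
$guest  = [pscustomobject]@{ DisplayName = 'Guest A';  Roles = @('guest') }
$member = [pscustomobject]@{ DisplayName = 'Member B'; Roles = @() }

Test-InternalTeamGuestState -DisplayName 'Finance Internal' -GroupSettings (New-SampleSetting 'false') -Members $member
Test-InternalTeamGuestState -DisplayName 'HR Internal' -GroupSettings (New-SampleSetting 'false') -Members $member, $guest
Test-InternalTeamGuestState -DisplayName 'Legal Internal' -Members $member

# Live use inside the Foreach loop of the scripts above:
# Test-InternalTeamGuestState -DisplayName $Team.DisplayName `
#     -GroupSettings (Get-MgBetaGroupSetting -GroupId $Team.Id) `
#     -Members (Get-MgBetaTeamMember -TeamId $Team.Id)
```

Only the first sample team comes back compliant; the second still has a guest member, and the third has no group-level setting at all.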

But we can still share files in this team from SharePoint. In part two we will look at how we can control this, so stay tuned.

SharePoint, the Microsoft 365 admin portal, and Entra ID all significantly affect how users experience Microsoft 365 and Teams. In our Governance workshops, we always begin with our governance data collector, which gathers details about the current Microsoft 365 configuration and identifies areas where we suggest alternative approaches. The guest sharing options are a good example of the data we collect for teams.

And now a short message, translated from Danish 🙂

At Mindcore we love sharing knowledge, but it is our Danish customers who actually make this work possible. If you are interested in what we can offer in terms of Microsoft 365 governance and security, Azure ARC, Intune or any of the other areas we have written about here on the blog, contact us at info@mindcore.dk or by phone on 51 91 44 10.
