Guest Access Control in Teams

For many organizations, the best thing about Microsoft Teams is the ability to quickly and easily collaborate and share with Guest users. For the same reason, and many more, the worst thing about Guest access in Microsoft Teams is the ability to quickly and easily collaborate and share with Guest users. With the right tools in place you can ensure internal and guest users can collaborate securely without risking accidental data exposure or loss.

Teams Guest Access – To Do or Not to Do

The divide between the pros and cons of using Teams for Guest access usually occurs along familiar lines, namely between users and IT. It’s a classic IT challenge: balancing what users want with what IT can safely provide. Microsoft Teams is just the latest in a long line of tools to pose this issue. The unusual nature of 2020 has also added a new dimension to the challenge as organizations accelerated the adoption of Microsoft Teams to support large volumes of remote workers.

Rather than go through a list of pros and cons of allowing guest access from the user and IT perspective, let us just cut to the chase. If users want to share information with people outside of their organization, they will find a tool to do it, sanctioned or not. If employees are asking you about making this possible within Teams, then they are already sharing content via some other tool, likely one that IT has no control over.

The best approach is to accept that users will share data with third parties, and provide a safe and controlled environment for it. Microsoft Teams absolutely can be that safe place – but only if the right information protection and security controls are in place.

Guest Access Does Not Have to Be All or Nothing

One of the misconceptions that we often run into is that organizations only have a binary choice when it comes to Guest access. This is often driven by the official administration guides for Teams that show how you allow guest access in Teams. The choice appears to be very binary. Literally you must decide whether you flick the switch or not.

Guest Access in Microsoft Teams is Binary

Over time Microsoft has added more controls to make this less of a binary decision. Within the Teams administration console, you now have options for allowing a little more control over app features for calling, meetings and messages for guest users.

There are also additional configurations within Azure Active Directory to provide some control over who can invite guest users into Teams. For example, it is possible to allow only admins to add new guest users. The drawback of this is that standard Teams owners, i.e. normal users, can only add guests to their Team that an administrator has previously added. Putting barriers like this in the way of users will drive them to seek alternatives.

Despite some of the limitations, at least the process is less binary than it was early on with Teams. The good news is you don’t have to settle for limited guest collaboration options. There are solutions that can provide a better balance when it comes to Guest access in Microsoft Teams.

Third Party Teams Governance Solutions and Guest Access

Building on top of some of the out of the box improvements, several governance solutions for Teams have appeared in the market. Some are created by third party vendors and some leverage workflows and other Microsoft tools from their administration toolkit.

The capabilities found within solutions like this typically focus on controlling the provisioning process of Teams by using templates or workflows as part of a process. This addresses several of the application level concerns that IT has with Teams. Some of the common features found in Teams governance solutions are:

  1. Controlling which sites can have guest users and/or…
  2. Approval workflows for allowing guest users or creating new Teams
  3. Ensuring correct Teams naming conventions
  4. Preventing duplication of Teams
  5. Life cycle control e.g. archiving or deleting stale content and Teams

Providing IT with more control over who can create Teams and how they can be created alleviates some of the concerns that organizations have with using a decentralized collaboration tool like Teams. The out of the box behavior of allowing users to create new Teams anytime they want and invite anyone that they want gets to the core of what users like and what IT dislikes about Teams. A lack of insight into who is sharing what and with whom within Teams is a valid concern for IT.

However, any governance solution, particularly one that puts a multi-step process between a user and the creation of their new Team, should come with a health warning. While the “3-click rule” is usually associated with website design, it is something that software vendors and process designers should also bear in mind. Today a user can create a new Team and share content with colleagues or external guests with a couple of clicks in minutes. Replacing that with a process that delays the creation due to an approval workflow risks user adoption of Teams and increases the potential for users to revert to finding their own solutions.

Information Protection – Making Guest Access Work for You

Notice that we used the term “application level” concerns in the previous section on governance tools. The use of the term was very deliberate, as it points towards a potentially fatal flaw in a Teams strategy for safely allowing Guest access. Even if a Team was created with the correct template, uses the correct naming convention and was approved to have Guest access within it, that does not solve the problem of making sure that guest users don’t have access to data that they should not.

There are several other considerations that IT needs to meet before they can categorically say that they are providing a safe and controlled external collaboration environment.

  • What happens when someone uploads files containing sensitive information to a Team containing guest users?
  • Are all guest users equal in terms of their level of information access?
  • What happens when an internal user puts a file in the wrong Team?

A governance solution makes sure that the container is the correct size and shape but does not control what users can put in it.

This is where an Information Protection solution bridges the security gap. Solutions like NC Protect evaluate all attributes associated with the Team, the user (both internal and guest) and the file or chat message in question, and apply the appropriate level of access, sharing rights and encryption. This ensures that the container, the Team approved through the governance process, is always being used for its intended purpose.

Information Protection Should Not Be Static

Thinking that setting up a Team through a controlled process will ensure success is one trap. Thinking that information protection controls need only be set up to accommodate the content that is expected within the Team is another. Any information protection policies that are applied cannot just be tied to the Team, the file classification or another single piece of metadata. The constantly changing nature of a collaboration environment like Teams requires a more flexible approach where information protection can adjust automatically to meet the changing security risks.
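The attribute-based evaluation described in the last two sections, combining Team, user and item attributes at the moment of access, can be sketched as follows. This is an added example, not NC Protect's code or any Microsoft API; the labels, rights, class names and sample accounts are all constructed assumptions.

```python
from dataclasses import dataclass, replace

# Constructed labels, ordered low to high; not any product's schema.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

@dataclass(frozen=True)
class Team:
    name: str
    guests_approved: bool   # outcome of the governance/provisioning process
    max_label: str          # highest classification this Team is meant to hold

@dataclass(frozen=True)
class User:
    upn: str
    is_guest: bool
    clearance: str          # highest label this user may open
    teams: frozenset        # names of Teams the user belongs to

@dataclass(frozen=True)
class Item:
    name: str
    label: str              # classification of the file or chat message

def decide(team: Team, user: User, item: Item) -> tuple:
    """Return (rights, reason). Call at every access; never cache the result."""
    if team.name not in user.teams:
        return "deny", "not a member of this Team"
    if user.is_guest and not team.guests_approved:
        return "deny", "Team not approved for guests"
    if LEVELS[item.label] > LEVELS[team.max_label]:
        # Item is in the wrong Team: hide it from guests, read-only for staff.
        if user.is_guest:
            return "deny", "item exceeds Team label"
        return "read", "misplaced item, sharing blocked"
    if LEVELS[item.label] > LEVELS[user.clearance]:
        return "deny", "item exceeds user clearance"
    if user.is_guest:
        return "read", "guest: view only"
    return "edit", "internal member"

# Constructed sample data.
TEAM = Team("Project-X", guests_approved=True, max_label="internal")
STAFF = User("alice@contoso.example", False, "restricted", frozenset({"Project-X"}))
GUEST_A = User("pat@partner.example", True, "internal", frozenset({"Project-X"}))
GUEST_B = User("sam@vendor.example", True, "public", frozenset({"Project-X"}))
PLAN = Item("plan.docx", "internal")

if __name__ == "__main__":
    for who in (STAFF, GUEST_A, GUEST_B):
        print(who.upn, decide(TEAM, who, PLAN))
    # Relabelling the file changes the answer on the next access.
    print(decide(TEAM, GUEST_A, replace(PLAN, label="restricted")))
```

Because the decision is recomputed from current attributes on each request, a file that is relabelled or a Team whose guest approval is withdrawn changes the outcome without anyone editing permissions on the item.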

Secure Guest Access in Microsoft Teams is Possible with NC Protect

Guest Access for Microsoft Teams has thankfully become less of a binary choice and risk thanks to improvements with the out of the box administration features and additional solutions that support a governance strategy. A good governance approach to Teams provisioning and lifecycle provides the correct basis on day zero. But what about days 1 and 1+n?

Without the addition of an Information Protection solution to protect the data shared, your organization will still be exposed to risk from Guest access. NC Protect provides the context and content awareness to adapt access controls and sharing rights down to the file or chat message level to ensure your employees and guests can collaborate securely.
