Collaborating with external users in Teams using Guest accounts

This is how to invite external users to work with you in Teams, for example to collaborate on a project with people from another organisation in a controlled manner. It works even if external sharing is disabled for a Team or SharePoint site, because you are inviting the users to be Guests in your own tenant rather than sharing content outward. Guest access does still need to be enabled in the Teams admin centre (Org-wide settings > Guest access), otherwise guests cannot be added to a Team at all.

As you may know, whilst you can use federation in Teams to chat 1-1 with external users (if the Teams policies on both sides allow it), you cannot add an external user to a Team without using Guest accounts. You have to invite the external users to your tenant, which creates a guest user object for them in your Azure AD.

The process we use to do this is simplified (from a user perspective) so that Guests don’t have to accept an invitation email, they receive only a single email with a link to the shared area.

This does require some PowerShell knowledge.

Inviting the Guest users

Whilst you can invite guest users from the Azure AD portal (https://portal.azure.com/), done that way an email invitation is sent to the user and they have to click the link in it to accept. This caused some issues: external users claimed not to have received the emails, or simply did not click on them.

It is therefore simpler for everyone to use link-based invites as described at https://docs.microsoft.com/en-us/azure/active-directory/external-identities/add-user-without-invite: the user is invited with PowerShell, no invite email is sent, and the invitation is redeemed automatically the first time they sign in after clicking a link to the shared resource (the Team, the SharePoint site or an application).

Note: external users must sign in with either a Work or School account (Azure AD / Office 365) or a personal Microsoft account. If their email address is not attached to either, they can create a Microsoft account during the sign-in process. Either way they authenticate with their own email address and password against their home identity provider; Guest accounts in your Azure AD do not have passwords in the host tenant.

Create a CSV file as follows and save as guestusers.csv

"DisplayName","UserPrincipalName"
"Jo User","[email protected]"

Run the script. It needs an account that is allowed to invite guests: a Global Admin works, but the least-privilege choice is the Guest Inviter role (User Administrator also suffices), provided the tenant's External collaboration settings allow that role to send invitations:

# Invites Guest users without sending an email invite (link-based redemption)

# CSV file containing all the users to invite
$CSVfile = "$PSScriptRoot\guestusers.csv"

write-host "Connecting to AzureAD"
# Connect to AzureAD (dot-source the helper so its session is reused here)
. "$PSScriptRoot\..\Connections\ConnectAzureAD.ps1"

# Get the Users CSV file. Import-Csv only raises a terminating error with
# -ErrorAction Stop, so without it a missing file would never reach the catch block
try {
    $users = Import-Csv $CSVfile -ErrorAction Stop
}
catch {
    write-host "Error:" $_.Exception.Message -ForegroundColor Red
    exit
}

write-host "About to invite the following users:"
foreach ($user in $users) { write-host "  $($user.DisplayName) <$($user.UserPrincipalName)>" }

# Check which tenant we are connected to before creating anything in it
$tenant = Get-AzureADTenantDetail
write-host "Connected to" $tenant.DisplayName "proceed with user invite?" -ForegroundColor Yellow
Read-Host -Prompt "Press Enter to continue or CTRL-C to quit"

foreach ($user in $users) {
    $UPN = $user.UserPrincipalName
    $DisplayName = $user.DisplayName
    # Look the guest up by the invited email address (Mail), not by display name:
    # display names are not unique, and Get-AzureADUser without -All returns only
    # the first 100 users, so "pipe everything and filter" can miss guests that exist
    $existing = Get-AzureADUser -Filter "mail eq '$UPN'" | Where-Object { $_.UserType -eq 'Guest' }
    if ($existing) {
        write-host "Error: $DisplayName ($UPN) Guest already exists" -ForegroundColor Red
        Exit
    }
    else {
        write-host "Inviting $UPN"
        # SendInvitationMessage $false suppresses the email; the invite is redeemed on first sign-in
        New-AzureADMSInvitation -InvitedUserDisplayName $DisplayName -InvitedUserEmailAddress $UPN -InviteRedirectUrl "https://myapps.microsoft.com" -SendInvitationMessage $false
    }
}

ConnectAzureAD.ps1:

# Reuses an existing AzureAD session if there is one, otherwise prompts for sign-in
write-host "Checking connection"
try {
    $null = Get-AzureADTenantDetail
}
catch [Microsoft.Open.Azure.AD.CommonLibrary.AadNeedAuthenticationException] {
    Write-Host "Not connected, authenticate in other window"
    Connect-AzureAD
}

Create a Team and add the users

Go to https://admin.teams.microsoft.com/ and create a new Team for the project.

Add any internal and external (Guest) users as required.

Internal users can access the files via Teams, or you can send them the SharePoint site link if they don't have Teams installed and only want to work on files. You can get the site URL from the SharePoint admin centre, or from the channel's Files tab via Open in SharePoint.
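Once the Team exists, the two things worth checking are that guest access is actually enabled for Teams and that each invited guest really ended up in the right Team. The script below is an added example and not part of the original post: it reads the same guestusers.csv, looks up each guest object in Azure AD (reporting its UserState, which stays PendingAcceptance until the guest signs in for the first time), and adds any missing guests to the Team as members using the MicrosoftTeams module. The Team name "Project X" and the presence of the AzureAD and MicrosoftTeams modules are assumptions.

```powershell
# Added example: verify invited guests and add them to the project Team.
# Assumes the AzureAD and MicrosoftTeams modules are installed, and that the
# Team created in the admin centre is called "Project X" (hypothetical name).
$CSVfile  = "$PSScriptRoot\guestusers.csv"
$TeamName = "Project X"   # assumption: display name of the Team created above

Import-Module AzureAD
Import-Module MicrosoftTeams

# Each module keeps its own session; reuse an AzureAD one if it exists
try {
    $null = Get-AzureADTenantDetail
}
catch [Microsoft.Open.Azure.AD.CommonLibrary.AadNeedAuthenticationException] {
    Connect-AzureAD | Out-Null
}
Connect-MicrosoftTeams | Out-Null

# Pre-check: no amount of inviting helps if guest access is switched off for Teams
$clientConfig = Get-CsTeamsClientConfiguration
if (-not $clientConfig.AllowGuestUser) {
    Write-Host "Guest access is disabled in Teams (AllowGuestUser = False); guests cannot be added to Teams." -ForegroundColor Red
    exit
}

# Resolve the Team by display name and refuse to guess if the name is ambiguous
$teams = @(Get-Team -DisplayName $TeamName)
if ($teams.Count -ne 1) {
    Write-Host "Expected exactly one Team named '$TeamName', found $($teams.Count)" -ForegroundColor Red
    exit
}
$team = $teams[0]

# Current membership, as UPNs (guests appear as user_domain.com#EXT#@tenant.onmicrosoft.com)
$members = (Get-TeamUser -GroupId $team.GroupId).User

foreach ($user in Import-Csv $CSVfile -ErrorAction Stop) {
    $email = $user.UserPrincipalName

    # Match on the invited email address (Mail); display names are not unique
    $guest = Get-AzureADUser -Filter "mail eq '$email'" | Where-Object { $_.UserType -eq 'Guest' }
    if (-not $guest) {
        Write-Host "No guest object for $email - run the invite script first" -ForegroundColor Yellow
        continue
    }

    # UserState is PendingAcceptance until the guest completes link-based redemption
    Write-Host "$email -> $($guest.UserPrincipalName) [$($guest.UserState)]"

    if ($members -contains $guest.UserPrincipalName) {
        Write-Host "  already a member of $TeamName"
        continue
    }

    # Guests can be added before they have redeemed; they see the Team on first sign-in
    Add-TeamUser -GroupId $team.GroupId -User $guest.UserPrincipalName -Role Member
    Write-Host "  added to $TeamName as Member" -ForegroundColor Green
}
```

Running this after the invite script gives a per-guest line showing whether the invitation has been redeemed yet, which is usually the answer to "the external user says they can't see the Team". Because membership is checked against the existing member list, the script is safe to re-run as the CSV grows.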

Posted in Azure AD, Office 365, PowerShell, Teams
