Manage guest access to Office 365 Groups

Updated on 31 July, 2017

By default, guest access is enabled for your organization. When it's enabled, by default everyone in your organization can add guest users to an Office 365 Group. The guests will have access to all Office 365 Group features. How guest access works

As the admin, you can control whether to allow guest access to Office 365 Groups for your whole organization or for individual Office Groups. And you can control who can allow guests to be added to groups.

Who can add guest users to a group?

  • An Office 365 group owner can add guest users if this option has been enabled for your organization.

  • Global admins can add guest users to any Office 365 groups in the organization.

Turn on or off guest access to Group files and OneNote

By default, guests can access group files and OneNote. To turn this off, you need to turn off the SharePoint external sharing setting at the organization level. For the steps, see Turn external sharing on or off for SharePoint Online, "Manage external sharing for Office 365 Group site collections."

However, even if the SharePoint external sharing setting is turned off, the files from SharePoint sites can still be shared with new guest users based on SharePoint settings. To learn more, see Manage external sharing for your SharePoint Online environment.

Turn on or off the Sharing option

By default, the Sharing option in your organization is enabled. This option allows guests to be added to your organization. To turn it off:

  1. Sign in with your Office 365 admin account at https://portal.office.com/adminportal/home.

    Sign in with your Office 365 admin account.

    Sign in to Office 365 operated by 21Vianet

  2. In the navigation menu, choose Settings then Security & privacy

  3. Set the On / Off toggle for Allow adding of new guests to my organization.

    Allow adding of guest users to my organization

Control adding guest users and guest access to all Office 365 groups in your organization

  1. Sign in with your Office 365 admin account at https://portal.office.com/adminportal/home.

    Sign in with your Office 365 admin account.

    Sign in to Office 365 operated by 21Vianet

  2. In the navigation menu, choose Settings then Services & add-ins.

  3. Choose Office 365 Groups.

    Office 365 groups

  4. On the Office 365 Groups page, set the toggle to On or Off, depending if you want to let people outside your organization access Office 365 group resources.

    If you turn this toggle On, you'll see another option to control whether you want to let group owners add people outside your organization to Office 365 groups. Set this toggle On if you want to let group owners add guest users.

    Let people outside my organization access Office 365 groups and resources

For info on viewing guest users and adding existing guest users to Office 365 Groups, check out Manage guest access in admin portal.

Use PowerShell to control guest access

Install the preview version of the Azure Active Directory Module for Windows PowerShell

IMPORTANT: The procedures in this article require the PREVIEW version Azure Active Directory Module for Windows PowerShell, specifically, the AzureADPreview module, version 2.0.0.137 or later.

As a best practice, we recommend always staying current: uninstall the old AzureADPreview version and get the latest one before you run PowerShell commands.

  1. Open Windows PowerShell as an administrator:

    1. In your search bar, type Windows PowerShell.

    2. Right-click on Windows PowerShell and select Run as Administrator.

      Open PowerShell as "Run as administrator."

    The Windows PowerShell window will pop open. The prompt C:\Windows\system32 means you opened it as an administrator.

    What PowerShell looks like when you first open it.

  2. To uninstall a previous version of AzureADPreview, run this command:

    Uninstall-Module AzureADPreview
  3. To install the latest version of AzureADPreview, run this command:

    Install-Module AzureADPreview

    At the message about an untrusted repository, type Y. It will take a minute or so for the new module to install.

Control guest access to all Office 365 groups

  1. Did you install the AzureADPreview module, as instructed above? Not having the most current preview version is the #1 reason these steps don't work for people.

  2. If you haven't already, open a Windows PowerShell window on your computer (it doesn't matter if it's a normal Windows PowerShell window, or one you opened by selecting Run as administrator).

  3. Run the following commands. Press Enter after each command.

    Import-Module AzureADPreview
    Connect-AzureAD

    In the Sign in to your Account screen that opens, enter your Office 365 admin account and password to connect you to your service, and click Sign in.

    Enter your Office 365 credentials
  4. Run the following command:

    $template = Get-AzureADDirectorySettingTemplate | ? {$_.displayname -eq "group.unified"}

  5. See if you already have an AzureADDirectorySetting object, and if so save the Object ID. Run this command:

    $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id

    IF, and ONLY if, that cmdlet displays an error saying the object doesn’t exist, create one using these cmdlets:

    $template = Get-AzureADDirectorySettingTemplate | ? {$_.displayname -eq "group.unified"}

    $settingsCopy = $template.CreateDirectorySetting()

    New-AzureADDirectorySetting -DirectorySetting $settingsCopy

    $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id

  6. Copy the AzureADDirectorySetting object back into the local $settingsCopy variable:

    $settingsCopy = Get-AzureADDirectorySetting –Id $settingsObjectID

    This is only a COPY of the settings; changes won’t take effect until you copy it BACK to the AzureADDirectorySetting object.

  7. Set the option to allow guests to access O365 groups:

    $settingsCopy["AllowGuestsToAccessGroups"] = "true"

  8. Finally, (as mentioned above) in order for the change to take effect you must copy the settings BACK to the AzureADDirectorySetting object:

    Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy

  9. To verify the change took effect, retrieve the value from the AzureADDirectorySetting object (don’t just look at the local copy in $settingsCopy):

    (Get-AzureADDirectorySetting –Id $settingsObjectID).Values

    The results should look like this:

    AllowGuestsToAccessGroups should be set to True

Allow guests to be added to all Office 365 groups

  1. Did you install the AzureADPreview module, as instructed above? Not having the most current preview version is the #1 reason these steps don't work for people.

  2. If you haven't already, open a Windows PowerShell window on your computer (it doesn't matter if it's a normal Windows PowerShell window, or one you opened by selecting Run as administrator).

  3. Run the following commands. Press Enter after each command.

    Import-Module AzureADPreview
    Connect-AzureAD

    In the Sign in to your Account screen that opens, enter your Office 365 admin account and password to connect you to your service, and click Sign in.

    Enter your Office 365 credentials
  4. Run the following command:

    $template = Get-AzureADDirectorySettingTemplate | ? {$_.displayname -eq "group.unified"}

  5. See if you already have an AzureADDirectorySetting object, and if so save the Object ID

    $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id

    IF, and ONLY if, that cmdlet displays an error saying the object doesn’t exist, create one using these commands:

    $template = Get-AzureADDirectorySettingTemplate | ? {$_.displayname -eq "group.unified"}

    $settingsCopy = $template.CreateDirectorySetting()

    New-AzureADDirectorySetting -DirectorySetting $settingsCopy

    $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id

  6. Copy the AzureADDirectorySetting object back into the local $settingsCopy variable:

    $settingsCopy = Get-AzureADDirectorySetting –Id $settingsObjectID

    This is only a COPY of the settings; changes won’t take effect until you copy it BACK to the AzureADDirectorySetting object.

  7. Set the option to allow guests to be added to all O365 groups:

    $settingsCopy["AllowToAddGuests"] = "true"

  8. Finally, (as mentioned above) in order for the change to take effect you must copy the settings BACK to the AzureADDirectorySetting object:

    Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy

  9. To verify the change took effect, retrieve the value from the AzureADDirectorySetting object (don’t just look at the local copy in $settingsCopy):

    (Get-AzureADDirectorySetting –Id $settingsObjectID).Values

Allow or block guest users from a specific group

  1. Did you install the AzureADPreview module, as instructed above? Not having the most current preview version is the #1 reason these steps don't work for people.

  2. If you haven't already, open a Windows PowerShell window on your computer (it doesn't matter if it's a normal Windows PowerShell window, or one you opened by selecting Run as administrator).

  3. Run the following commands. Press Enter after each command.

    Import-Module AzureADPreview
    Connect-AzureAD

    In the Sign in to your Account screen that opens, enter your Office 365 admin account and password to connect you to your service, and click Sign in.

    Enter your Office 365 credentials
  4. Run this command.

    $template = Get-AzureADDirectorySettingTemplate | ? {$_.displayname -eq "group.unified.guest"}

  5. Run this command.

    $settingsCopy = $template.CreateDirectorySetting()

  6. Run this command. Set to False to block guest access to a specific group. Set to True to allow guest access to a specific group.

    $settingsCopy["AllowToAddGuests"]=$False

  7. Run this command.

    $groupID= (Get-AzureADGroup -SearchString "YourGroupEmailAddress").ObjectId

    Where you would replace YourGroupEmailAddress with something like Information@contoso.com.

  8. Run this command.

    New-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupID -DirectorySetting $settingsCopy

    It takes 2-3 minutes to be synced.

  9. To verify your settings, run this command:

     Get-AzureADObjectSetting -TargetObjectId $groupID -TargetType Groups | fl Values 

    The verification looks like this:

    The verification

Allow/Block guest access based on their domain

You can allow or block guest users who are using a specific domain. For example, let's say your business (Contoso) has a partnership with another business (Fabrikam). You can add Fabrikam to your Allow list so your users can add those guests to their groups.

For more information, see Allow/Block guest access to Office 365 groups

Frequently asked questions

  • Owners of an Office 365 group and global admins who are owners of the group can add guest users to Office 365 groups through Outlook on Web. To learn more, see Guest access in Office 365 Groups.

  • Sharing a file with a guest from a SharePoint site or an Office 365 group. See Share group files.

  • Adding guests to your organization through Azure active directory B2B collaboration. Azure active directory B2B collaboration allows a company administrator to invite and authorize a set of external users by uploading a comma-separated values (CSV) file of no more than 2000 lines to the B2B collaboration portal. For more details, check out Azure Active Directory B2B collaboration.

Yes, global admins can use Azure active directory Powershell cmdlets to disable "AllowGuestAccessToGroups" property on Company object, assuming external sharing is turned On for SharePoint sites.

The guest settings are set in Azure active directory. It takes about 2 to 24 hours for the changes to be effective across your Office 365 organization.

No. You can only share Office 365 group document library with guests who have been invited to join the group. But individual group files can be still shared with guests users through file sharing from SharePoint Online.

Yes, read Manage your group-connected team site for more details.

No, individual guest users can't be blocked.

No, not at this time.

No guest users who are members of a group aren't synched back to on-premises along with the group.

Starting 10 June 2017, we have rolled-out this support to First Release tenants & soon rolling out to WW availability. For tenants that are not on First Release you'll get the following error if you try to add a mail contact to a group.

Screenshot: Can't add mail contact to a group. Contact your admin to add the user as a guest to the group.

If you want to add this mail contact to a group, you can delete the mail contact and create a guest user. Read Upgrade distribution lists to Office 365 Groups for more details.

Office 365 Connected Yammer Groups do not currently support guest access, but you can create non-connected, external groups in your Yammer network. See Create and manage external groups in Yammer for instructions.

Fix issues with guest access

Why are some of the guest users missing group messages?

It could be one of the following reasons:

  • Make sure guest user access to Office 365 groups is enabled in your organization.

  • Office 365 group messages may be going to the SPAM folder of the guest user.

  • The guest user's email provider could be rejecting the Office 365 group messages.

Related articles

Guest doesn't receive group email conversations

Guest access in Office 365 Groups

Expand your skills
Explore training
Get new features first
Join Office Insiders

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.

×