Guest access in Office 365 Groups

Updated: July 2017

Guest access in Office 365 Groups enables you and your team to collaborate with people from outside your organization by granting them access to group conversations, files, calendar invitations, and the group notebook. Access can be granted to a guest—including partners, vendors, suppliers, or consultants—by any group owner.

How it works

Office 365 users can use Outlook on the web or Outlook 2016 to add and manage guests in their Office 365 groups. Guests can have any email address, and the email account can be a work, personal, or school account.

Guest access is a tenant-level setting and is enabled by default. A tenant admin can manage the guests and their access to Office 365 group resources using PowerShell. See the Manage tab for instructions.

When a guest is invited to join a group, they receive a welcome email that includes a little information about the group and what they can expect now that they're a member.

Guests receive a welcome email

All of the guest member's interactions occur through their email inbox. They can't access the group site but can receive calendar invitations, participate in email conversations, and, if the tenant admin has enabled it, open shared files using a link or attachment.

All group emails and calendar invitations the guest receives will include a reminder to use "reply all" in responses to the group, along with links to view group files and leave the group. Here's an example:

All emails the guest receives from group members will have a footer with instructions and links

The following table summarizes what guests can and can't do.

Feature

Guest user allowed?

Create a group

No

Add/remove group members

No

Delete a group

No

Join a group

Yes, by invitation

Start a conversation

Yes

Reply to a conversation

Yes

Search for a conversation

Yes

@mention a person in the group

No

Pin/Favorite a group

No

Delete a conversation

Yes

"Like" messages

No

Manage meetings

No

View group calendar

No

Modify calendar events

No

Add a group calendar to a personal calendar

No

View and edit group files

Yes, if enabled by tenant admin

Access the group OneNote notebook

Yes, via link from group member

Browse groups

No

By default, guest access is enabled for your organization. When it's enabled, everyone in your organization can add guest users to an Office 365 Group. The guests will have access to all Office 365 Group features.

As the admin, you can control whether to allow guest access to Office 365 Groups for your whole organization or for individual Office 365 Groups. And you can control who can allow guests to be added to groups.

Manage guest access in the admin portal

  1. Sign in with your Office 365 global admin account at https://portal.office.com/adminportal/home.

  2. Go to Users > Guest users.

    Expand the Users section on the navigation pane to manage your Guest Users

If the guest already exists in your directory (see above) you can add them to your groups from the Office Admin Center or the Exchange Admin Center.

  1. Sign in with your Office 365 global admin account at https://portal.office.com/adminportal/home.

  2. Go to Users > Guest users.

    Expand the Groups section on the navigation pane to manage your groups

  3. Select the group you want to add the guest to, and click Edit in the Members section.

    Click Edit to manage your Group's membership

  4. Select the name of the guest you want to add.

  5. Click Save

You can't invite guests from the Office Admin Center or the Exchange Admin Center at this time. To invite guests centrally you might consider using the Azure Active Directory B2B collaboration preview. For more information, see About the Azure AD B2B collaboration preview.

Currently you can't add or edit guests from the Office Admin Center or the Exchange Admin Center. To edit guest accounts (such as their display name or profile photo) go to your Azure Active Directory portal. For more information, see Understanding Office 365 Identity and Azure Active Directory.

Control guest access to Office 365 Groups

By default, guests can access group files and OneNote. To turn this off, you need to turn off the SharePoint external sharing setting at the organization level. For the steps, see Turn external sharing on or off for SharePoint Online, "Manage external sharing for Office 365 Group site collections."

However, even if the SharePoint external sharing setting is turned off, the files from SharePoint sites can still be shared with new guest users based on SharePoint settings. To learn more, see Manage external sharing for your SharePoint Online environment.

By default, the Sharing option in your organization is enabled. This option allows guests to be added to your organization. To turn it off:

  1. Sign in with your Office 365 global admin account at https://portal.office.com/adminportal/home.

  2. In the navigation menu, choose Settings then Security & privacy

  3. Set the On / Off toggle for Allow adding of new guests to my organization.

    Allow adding of guest users to my organization

  1. Sign in with your Office 365 admin account at https://portal.office.com/adminportal/home.

  2. In the navigation menu, choose Settings then Services & add-ins.

  3. Choose Office 365 Groups.

    Office 365 groups

  4. On the Office 365 Groups page, set the toggle to On or Off, depending if you want to let people outside your organization access Office 365 group resources.

    If you turn this toggle On, you'll see another option to control whether you want to let group owners add people outside your organization to Office 365 groups. Set this toggle On if you want to let group owners add guest users.

    Let people outside my organization access Office 365 groups and resources

Use PowerShell to control guest access

IMPORTANT: The procedures in this article require the PREVIEW version Azure Active Directory Module for Windows PowerShell, specifically, the AzureADPreview module, version 2.0.0.137 or later.

As a best practice, we recommend always staying current: uninstall the old AzureADPreview version and get the latest one before you run PowerShell commands.

  1. Open Windows PowerShell as an administrator:

    1. In your search bar, type Windows PowerShell.

    2. Right-click on Windows PowerShell and select Run as Administrator.

      Open PowerShell as "Run as administrator."

    The Windows PowerShell window will pop open. The prompt C:\Windows\system32 means you opened it as an administrator.

    What PowerShell looks like when you first open it.

  2. To uninstall a previous version of AzureADPreview, run this command:

    Uninstall-Module AzureADPreview
  3. To install the latest version of AzureADPreview, run this command:

    Install-Module AzureADPreview

    At the message about an untrusted repository, type Y. It will take a minute or so for the new module to install.

  1. Did you install the AzureADPreview module, as instructed in the above section "Install the preview version of the Azure Active Directory Module for Windows PowerShell"? Not having the most current preview version is the #1 reason these steps don't work for people.

  2. If you haven't already, open a Windows PowerShell window on your computer (it doesn't matter if it's a normal Windows PowerShell window, or one you opened by selecting Run as administrator).

  3. Run the following commands. Press Enter after each command.

    Import-Module AzureADPreview
    Connect-AzureAD

    In the Sign in to your Account screen that opens, enter your Office 365 admin account and password to connect you to your service, and click Sign in.

    Enter your Office 365 credentials
  4. Run the following command:

    $template = Get-AzureADDirectorySettingTemplate | ? {$_.displayname -eq "group.unified"}

  5. See if you already have an AzureADDirectorySetting object, and if so save the Object ID. Run this command:

    $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id

    IF, and ONLY if, that cmdlet displays an error saying the object doesn’t exist, create one using these cmdlets:

    $template = Get-AzureADDirectorySettingTemplate | ? {$_.displayname -eq "group.unified"}

    $settingsCopy = $template.CreateDirectorySetting()

    New-AzureADDirectorySetting -DirectorySetting $settingsCopy

    $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id

  6. Copy the AzureADDirectorySetting object back into the local $settingsCopy variable:

    $settingsCopy = Get-AzureADDirectorySetting –Id $settingsObjectID

    This is only a COPY of the settings; changes won’t take effect until you copy it BACK to the AzureADDirectorySetting object.

  7. Set the option to allow guests to access O365 groups:

    $settingsCopy["AllowGuestsToAccessGroups"] = "true"

  8. Finally, (as mentioned above) in order for the change to take effect you must copy the settings BACK to the AzureADDirectorySetting object:

    Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy

  9. To verify the change took effect, retrieve the value from the AzureADDirectorySetting object (don’t just look at the local copy in $settingsCopy):

    (Get-AzureADDirectorySetting –Id $settingsObjectID).Values

    The results should look like this:

    AllowGuestsToAccessGroups should be set to True

  1. Did you install the AzureADPreview module, as instructed in the above section "Install the preview version of the Azure Active Directory Module for Windows PowerShell"? Not having the most current preview version is the #1 reason these steps don't work for people.

  2. If you haven't already, open a Windows PowerShell window on your computer (it doesn't matter if it's a normal Windows PowerShell window, or one you opened by selecting Run as administrator).

  3. Run the following commands. Press Enter after each command.

    Import-Module AzureADPreview
    Connect-AzureAD

    In the Sign in to your Account screen that opens, enter your Office 365 admin account and password to connect you to your service, and click Sign in.

    Enter your Office 365 credentials
  4. Run the following command:

    $template = Get-AzureADDirectorySettingTemplate | ? {$_.displayname -eq "group.unified"}

  5. See if you already have an AzureADDirectorySetting object, and if so save the Object ID

    $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id

    IF, and ONLY if, that cmdlet displays an error saying the object doesn’t exist, create one using these commands:

    $template = Get-AzureADDirectorySettingTemplate | ? {$_.displayname -eq "group.unified"}

    $settingsCopy = $template.CreateDirectorySetting()

    New-AzureADDirectorySetting -DirectorySetting $settingsCopy

    $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id

  6. Copy the AzureADDirectorySetting object back into the local $settingsCopy variable:

    $settingsCopy = Get-AzureADDirectorySetting –Id $settingsObjectID

    This is only a COPY of the settings; changes won’t take effect until you copy it BACK to the AzureADDirectorySetting object.

  7. Set the option to allow guests to be added to all O365 groups:

    $settingsCopy["AllowToAddGuests"] = "true"

  8. Finally, (as mentioned above) in order for the change to take effect you must copy the settings BACK to the AzureADDirectorySetting object:

    Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy

  9. To verify the change took effect, retrieve the value from the AzureADDirectorySetting object (don’t just look at the local copy in $settingsCopy):

    (Get-AzureADDirectorySetting –Id $settingsObjectID).Values

  1. Did you install the AzureADPreview module, as instructed in the above section "Install the preview version of the Azure Active Directory Module for Windows PowerShell"? Not having the most current preview version is the #1 reason these steps don't work for people.

  2. If you haven't already, open a Windows PowerShell window on your computer (it doesn't matter if it's a normal Windows PowerShell window, or one you opened by selecting Run as administrator).

  3. Run the following commands. Press Enter after each command.

    Import-Module AzureADPreview
    Connect-AzureAD

    In the Sign in to your Account screen that opens, enter your Office 365 admin account and password to connect you to your service, and click Sign in.

    Enter your Office 365 credentials
  4. Run this command.

    $template = Get-AzureADDirectorySettingTemplate | ? {$_.displayname -eq "group.unified.guest"}

  5. Run this command.

    $settingsCopy = $template.CreateDirectorySetting()

  6. Run this command. Set to False to block guest access to a specific group. Set to True to allow guest access to a specific group.

    $settingsCopy["AllowToAddGuests"]=$False

  7. Run this command.

    $groupID= (Get-AzureADGroup -SearchString "YourGroupEmailAddress").ObjectId

    Where you would replace YourGroupEmailAddress with something like Information@contoso.com.

  8. Run this command.

    New-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupID -DirectorySetting $settingsCopy

    It takes 2-3 minutes to be synced.

  9. To verify your settings, run this command:

     Get-AzureADObjectSetting -TargetObjectId $groupID -TargetType Groups | fl Values 

    The verification looks like this:

    The verification

You can allow or block guest users who are using a specific domain. For example, let's say your business (Contoso) has a partnership with another business (Fabrikam). You can add Fabrikam to your Allow list so your users can add those guests to their groups.

For more information, see Allow/Block guest access to Office 365 groups

For end users

A guest is someone who is not an employee, student, or member of your organization. They don't have a school or work account with your organization.

No. Guest access is included with all Office 365 Business Premium and Office 365 Enterprise subscriptions.

No. Only people who are outside of your organization, such as partners or consultants, can be added as guests. You can invite people from within your organization to join as regular group members.

Yes, you can. External mail contacts are contacts listed in your company's global address list. An example of this type of contact is a vendor company who regularly provides services to your organization.

Your tenant admin must enable the guest feature for the tenant before you can add guests. When you see the "contact your administrator message," it's likely that the guest feature has not yet been enabled. See the Manage tab for more information.

Guest members cannot view messages that are protected with Information Rights Management (IRM).

You might get a non-delivery report when replying to a group message with an email address that's different from the one used when you joined or were added to the group. For example, if you joined the group as seanc@contoso.com but try replying to a group message in your inbox from seanc@service.contoso.com, you'll receive a non-delivery report.

No. You can only share Office 365 group files with guests who have been invited to join the group.

A modern attachment is a file stored on OneDrive for Business. One link goes to all recipients. Because the file is stored in the cloud, all recipients can read and edit the file without having to reconcile individual copies. See Smarter attachments for more information.

Modern attachments in an Office 365 group are only shared with members of the group. When a message with a modern attachment is forwarded to a guest member in the group, he or she will be able to access the attachment upon signing in with a username and password. If the message is forwarded to a user who isn't a member of the group, the user won't be able to open the attachment.

Yes. The guests won't receive a welcome mail but will have all the privileges of any other guest member. If you've not yet migrated your distribution lists, see Migrate distribution lists to Office 365 Groups for instructions. Distribution lists that contain guests can't be migrated.

Office 365 Connected Yammer Groups do not currently support guest access, but you can create non-connected, external groups in your Yammer network. See Create and manage external groups in Yammer for instructions.

Guests might not receive group conversations for several reasons. See Guest users aren't receiving Group conversation for information.

For admins

  • An Office 365 Group owner can add guest users if this option has been enabled for your organization.

  • Global admins can add guest users to any Office 365 groups in the organization.

  • Owners of an Office 365 group and global admins who are owners of the group can add guest users to Office 365 groups through Outlook on Web.

  • Sharing a file with a guest from a SharePoint site or an Office 365 group. See Share group files.

  • Adding guests to your organization through Azure active directory B2B collaboration. Azure active directory B2B collaboration allows a company administrator to invite and authorize a set of external users by uploading a comma-separated values (CSV) file of no more than 2000 lines to the B2B collaboration portal. For more details, check out Azure Active Directory B2B collaboration.

Yes, global admins can use Azure active directory Powershell cmdlets to disable "AllowGuestAccessToGroups" property on Company object, assuming external sharing is turned On for SharePoint sites.

The guest settings are set in Azure active directory. It takes 2 to 24 hours for the changes to be effective across your Office 365 organization.

No. You can only share Office 365 Group document library with guests who have been invited to join the group. But individual group files can be still shared with guests users through file sharing from SharePoint Online.

Yes, read Manage your group-connected team site for more details.

No, individual guest users can't be blocked.

No, not at this time.

No guest users who are members of a group aren't synched back to on-premises along with the group.

Yes, you can. External mail contacts are contacts listed in your company's global address list. An example of this type of contact is a vendor company who regularly provides services to your organization.

Office 365 Connected Yammer Groups do not currently support guest access, but you can create non-connected, external groups in your Yammer network. See Create and manage external groups in Yammer for instructions.

Related Topics

Learn about Office 365 Groups
Guest doesn't receive group email conversations
Manage Group membership in the Office 365 admin center
Allow/Deny guest access to Office 365 groups based on their domain
Azure Active Directory access reviews

Expand your skills
Explore training
Get new features first
Join Office Insiders

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.

×