Guest access to Office 365 groups - Admin Help

Guest access in Office 365 groups enables you and your team to collaborate with people from outside your organization by granting them access to group conversations, files, calendar invitations, and the group notebook. Access can be granted to a guest—including partners, vendors, suppliers, or consultants—by any group owner. As the admin, you can control whether to allow guest access to Office 365 groups for your whole organization or per individual Office group. Once the guest access feature is turned on in your organization, by default, everyone is enabled and users will be able to add guest users to an Office 365 group, and they'll have access to all Office 365 group features. Read Office 365 groups to learn more about Office 365 groups, and read Guest access in Office 365 Groups to learn more about how guest access in Office 365 groups works.

In this topic

Before you begin

Before you can allow adding of guests to your organization, make sure the Sharing option in your organization has been enabled.

You must be an Office 365 global admin to perform this step.

  1. Sign in to Office 365 with your work or school account.

  2. Select the app launcher icon Office 365 app launcher icon in the upper-left and choose Admin.

    Tip: The Admin tile appears only to Office 365 administrators.

  3. In the navigation menu, choose Settings then Security & privacy

  4. Make sure that Allow adding of new guests to my organization is set to On. You can do that by clicking or tapping Edit and changing this setting.

    Allow adding of guest users to my organization

Before Office 365 guests can have access to group files and OneNote, the SharePoint external sharing setting at the organization level must be turned on. If this setting is turned off, the files from SharePoint sites can still be shared with new guest users based on SharePoint settings. Check out Manage external sharing for your SharePoint Online environment for the steps.

Who can add guest users to a group?

  • An Office 365 group owner can add guest users if this option has been enabled for your organization.

  • Global admins can add guest users to any Office 365 groups in the organization.

Use the Office 365 admin center to control adding guest users and guest access to all Office 365 groups in your organization

You must be an Office 365 global admin to perform this step.

  1. Sign in to Office 365 with your work or school account.

  2. Select the app launcher icon Office 365 app launcher icon in the upper-left and choose Admin.

    Tip: The Admin tile appears only to Office 365 administrators.

  3. In the navigation menu, choose Settings then Services & add-ins.

  4. Click or tap Office 365 Groups.

    Office 365 groups
  5. On the Office 365 Groups page, set the toggle to On or Off, depending if you want to let people outside your organization access Office 365 group resources.

    If you turn this toggle On, you'll see another option to control whether you want to let group owners add people outside your organization to Office 365 groups. Set this toggle On if you want to let group owners add guest users.

    Let people outside my organization access Office 365 groups and resources

    Important: Before Office 365 guests can have access to group files and OneNote, the SharePoint external sharing setting at the organization level must be turned on. If this setting is turned off, the files from SharePoint sites can still be shared with new guest users based on SharePoint settings. Check out Manage external sharing for your SharePoint Online environment for the steps.

Use PowerShell to control guest access to all Office 365 groups in your organization

Important: Before Office 365 guests users can have access to group files and OneNote, the SharePoint external sharing setting at the organization level must be turned on. If this setting is Off, even though the guest is a member of the group they won't have access to group files. Check out Manage external sharing for your SharePoint Online environment for the steps.

You can control guest access to your organization using PowerShell, but before you can run the cmdlet to allow guest access for your organization, you have to download and install a module that will let you talk to your Office 365 organization. Once you've done that, you can then run the cmdlets using the examples below to allow guest access for your organization.

Check out the Use Windows PowerShell cmdlets to manage your Windows Azure AD tenant topic for more information about Windows Powershell and cmdlets.

Run the following cmdlets to connect to Azure active directory.

  1. Connect to Windows PowerShell by using your company admin credentials. Run the following cmdlet:

    Connect-MsolService
  2. In the Enter Credentials page, enter your Office 365 global admin credentials. See Assigning admin roles for more info on roles in Office 365.

  3. After you enter your Office 365 credentials, enter the following in the PowerShell window:

    1. Import-Module MSOnline and click or tap Enter.

    2. $adminusername=<global admin username> and click or tap Enter.

    3. $adminpassword=<global admin password> and click or tap Enter.

    4. $password=ConvertTo-SecureString $adminpassword -AsPlainText –Force and click or tap Enter.

    5. $credential=New-Object System.Management.Automation.PsCredential($adminusername,$password) and click or tap Enter.

    6. $cred=Get-Credential -cred $credential and click or tap Enter.

    7. Connect-Msolservice -cred $cred and click or tap Enter.

    8. $template= Get-MsolSettingTemplate -TemplateId 62375ab9-6b52-47ed-826b-58e47e0e304b and click or tap Enter.

    9. $setting = $template.CreateSettingsObject() and click or tap Enter.

    10. $new_setting = New-MsolSettings -SettingsObject $setting and click or tap Enter.

    11. $new_setting.Values and click or tap Enter.

    12. $new_setting | Select-Object -Property *

      Note: # use Objectid value after you run this line as the SettingId for the next line.

    13. $setting = Get-MsolSettings -SettingId <SettingId> and click or tap Enter.

    14. $value = $setting.GetSettingsValue() and click or tap Enter.

    15. $value["AllowGuestsToAccessGroups"] = "false" or "true".

      Note: This setting maps to enabling guest users at the organizational level. Setting this value to false will stop your users from being able to invite guests to Office 365 groups. Setting this value to true allows your users to invite guest users to Office 365 groups.

There are other settings at the org level that can be modified here, such as GroupCreationAllowedGroupId, UsageGuidelinesUrl, ClassificationList, EnableGroupCreation and GuestUsageGuidelinesUrl.

The example below shows how to use the $modifiedsettings.values to change some of these settings.

  • Set-MsolSettings -SettingId <SettingId> -SettingsValue $value.

  • $modifiedsettings = Get-MsolSettings -SettingId <SettingId>.

  • $modifiedsettings.Values

Use PowerShell to control adding guest users to all Office 365 groups in your organization

Before you can run the following PowerShell cmdlets, you have to configure the user access setting in the Azure active directory admin center to allow guest users to be invited into your Office 365 organization. Read the Set guest user access policies section in the Add new users or users with Microsoft accounts to Azure Active Directory topic for details on how to allow invitations.

Run the following cmdlets to control adding guest users to all Office 365 groups in your organization.

Run the following cmdlet to connect to Azure active directory.

  1. Connect to Windows PowerShell by using your company admin credentials. Run the following cmdlet:

    Connect-MsolService
  2. In the Enter Credentials page, enter your Office 365 global admin credentials. See Assigning admin roles for more info on roles in Office 365.

  3. After you enter your Office 365 credentials, enter the following in the PowerShell window:

    1. Import-Module MSOnline and click or tap enter.

    2. $adminusername=<global admin username> and click or tap Enter.

    3. $adminpassword=<global admin password> and click or tap enter.

    4. $password=ConvertTo-SecureString $adminpassword -AsPlainText –Force and click or tap Enter.

    5. $credential=New-Object System.Management.Automation.PsCredential($adminusername,$password) and click or tap Enter.

    6. $cred=Get-Credential -cred $credential and click or tap Enter.

    7. Connect-Msolservice -cred $cred and click or tap Enter.

    8. $template= Get-MsolSettingTemplate -TemplateId 62375ab9-6b52-47ed-826b-58e47e0e304b and click or tap Enter.

    9. $setting = $template.CreateSettingsObject() and click or tap Enter.

    10. $new_setting = New-MsolSettings -SettingsObject $setting and click or tap Enter.

    11. $new_setting.Values and click or tap Enter.

    12. $new_setting | Select-Object -Property * and click or tap Enter.

      Note: # use Objectid value after you run this line as the SettingId for the next line.

    13. $setting = Get-MsolAllSettings and click or tap Enter.

    14. $value = $setting.GetSettingsValue() and click or tap Enter.

    15. $value[“AllowToAddGuests”] = false and click or tap Enter.

      Note: Setting this value to false will stop your users from being able to add guest users to any Office 365 groups.

    16. Set-MsolSettings -SettingId <SettingId> -SettingsValue $value and click or tap Enter.

Use PowerShell to control adding guest users to a specific group in your organization

Follow the steps in this section to control adding guest users to a specific Office 365 group. But before you can run the cmdlets, you have to download and install a module that will let you talk to your Office 365 organization. Once you've done that, you can then run the cmdlets using the examples below to allow guest access for your organization.

Check out the Use Windows PowerShell cmdlets to manage your Windows Azure AD tenant topic for more information about Windows Powershell and cmdlets.

  1. Connect to Windows PowerShell by using your company admin credentials. Run the following cmdlet:

    Connect-MsolService
  2. In the Enter Credentials page, enter your Office 365 global admin credentials. See Assigning admin roles for more info on roles in Office 365.

  3. After you enter your Office 365 credentials, enter the following in the PowerShell window:

    1. Import-Module MSOnline and click or tap Enter.

    2. $adminusername=<global admin username> and click or tap Enter.

    3. $adminpassword=<global admin password> and click or tap Enter.

    4. $password=ConvertTo-SecureString $adminpassword -AsPlainText –Force and click or tap Enter.

    5. $credential=New-Object System.Management.Automation.PsCredential($adminusername,$password) and click or tap Enter.

    6. $cred=Get-Credential -cred $credential and click or tap Enter.

    7. Connect-Msolservice -cred $cred and click or tap Enter.

    8. $template = Get-MsolSettingTemplate -TemplateId 08d542b9-071f-4e16-94b0-74abb372e3d9 and click or tap Enter.

    9. $setting = $template.CreateSettingsObject() and click or tap Enter.

    10. $new_setting = New-MsolSettings -SettingsObject $setting -TargetObjectId <GroupObjectID> and click or tap Enter.

    11. $new_setting.Values and click or tap Enter.

    12. $new_setting | Select-Object -Property *

      Note: # use Objectid value after you run this line as the SettingId for the next line.

    13. $setting = Get-MsolAllSettings -TargetObjectId <GroupObjectId> and click or tap Enter.

    14. $value = $setting.GetSettingsValue() and click or tap Enter.

    15. $value["AllowToAddGuests"] = "true" | "false".

    16. Set-MsolSettings -SettingId <SettingId> -TargetObjectId <GroupObjectId> -SettingsValue $value.

Info for your end users

Send the following topics to the users in your organization to learn more about allowing guest access in their Office 365 groups:

Guest user frequently asked questions

Can global admin block guests in groups and still allow guests to access SharePoint sites?

  • Yes, global admins can use Azure active directory Powershell cmdlets to disable "AllowGuestAccessToGroups" property on Company object, assuming external sharing is turned On for SharePoint sites.

How can a global admin add a new guest user to the organization?

  • Owners of an Office 365 group and global admins who are owners of the group can add guest users to Office 365 groups through Outlook on Web.

  • Sharing a file with a guest from a SharePoint site or an Office 365 group. Check out Share group files for more details.

  • Adding guests to your organization through Azure active directory B2B collaboration. Azure active directory B2B collaboration allows a company administrator to invite and authorize a set of external users by uploading a comma-separated values (CSV) file of no more than 2000 lines to the B2B collaboration portal. For more details, check out Azure Active Directory B2B collaboration.

Can global admins control guest addition to Office 365 groups?

  • Yes.

How long until the guest user settings take effect in the Office 365 organization?

  • The guest settings are set in Azure active directory. It takes about 2 to 24 hours for change to be effective across your Office 365 organization.

Can I share a group document library with an external user who isn't a member of the group?

  • No. You can only share Office 365 group document library with guests who have been invited to join the group. But individual group files can be still shared with guests users through file sharing from SharePoint Online.

Is there a way to block individual guest users?

  • No, individual guest users can't be blocked.

Can I set display properties of a guest user?

  • No, not at this time.

In a hybrid Office 365 organization, do guest users who are members of an Office 365 group sync back to on-premises Exchange servers?

  • No guest users who are members of a group aren't synched back to on-premises along with the group.

Troubleshooting guest user issues

Why are some of the guest users missing group messages?

  • It could be one of the following reasons:

    • Make sure guest user access to Office 365 groups is enabled in your organization.

    • Office 365 group messages may be going to the SPAM folder of the guest user.

    • The guest user's email provider could be rejecting the Office 365 group messages.

Share Facebook Facebook Twitter Twitter Email Email

Was this information helpful?

Great! Any other feedback?

How can we improve it?

Thank you for your feedback!

×