Blog: A Quick Look at Configuring Guest Access in Azure AD




Configuring external sharing in Microsoft 365 is complicated, with interdependent settings across six different admin interfaces. To simplify the process, we will use an analogy: the security precautions many organizations take to control access to their physical environments.


If you invite an outsider to come to your office for a meeting, they will go through several levels of security checks in order to gain access to the meeting room and sensitive information being shared within that room. We’ll represent the first level as approaching the building’s campus. 


Azure AD: Accessing the Campus 


Microsoft’s layered model of security settings for securing and controlling outsider access to Microsoft Teams and Microsoft 365 begins with organization-wide settings in the Azure AD Admin Center. 


These global settings focus on verifying identity and setting the rules under which outsiders can be added to the directory (and by whom), along with their rights once established. An organization can have 5 guest users for every paid license. 




The Microsoft 365 external sharing model is set up so that guests verify their identity with their own identity provider; you can then choose to add more stringent requirements for signing in to your environment. This is a great feature, as it means that when a user leaves their department (perhaps for an outside vendor), their account is no longer active and they no longer have the means to log in as a guest to your environment.


As we depicted on our cheat sheet, the key settings at the Azure AD level are to determine if guests can see your entire membership directory or just the members of Teams to which they belong. 


This is also where you can select the “Admins and users in the guest inviter role can invite” toggle to determine if administrators can invite guests through the admin interface. It will need to be toggled on to allow Team Owners to invite guests through additional settings downstream. You could also choose to allow guests to invite other guests, but most departments don’t do this. 
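The two settings above can also be checked outside the portal. The following is an added example, not AvePoint's or Microsoft's code: it assumes the tenant's policy has been exported from the Microsoft Graph `authorizationPolicy` resource, whose `guestUserRoleId` and `allowInvitesFrom` properties hold these choices. The function name and the sample document are constructed for illustration.

```python
import json

# guestUserRoleId values defined for the Graph authorizationPolicy resource.
MEMBER_LIKE = "a0b1b346-4d3e-4e8b-98f8-753987be4970"
GUEST_ROLES = {
    MEMBER_LIKE: "same access as members",
    "10dae51f-b6af-4016-8d66-8c2a99b929b3": "limited directory access (default)",
    "2af84b1e-32c8-42b7-82bc-daa82404023b": "restricted to own directory objects",
}
# allowInvitesFrom values, most restrictive first.
INVITERS = {
    "none": "nobody, admins included",
    "adminsAndGuestInviters": "admins and Guest Inviter role holders",
    "adminsGuestInvitersAndAllMembers": "admins, Guest Inviters and members",
    "everyone": "all users, guests included",
}

def audit_guest_policy(policy: dict) -> dict:
    """Summarise guest directory visibility and invitation rights,
    flagging the most permissive choice for each setting."""
    role = policy.get("guestUserRoleId")
    invite = policy.get("allowInvitesFrom")
    findings = []
    if role not in GUEST_ROLES:
        findings.append(f"unrecognised guestUserRoleId: {role!r}")
    elif role == MEMBER_LIKE:
        findings.append("guests can read the directory like members")
    if invite not in INVITERS:
        findings.append(f"unrecognised allowInvitesFrom: {invite!r}")
    elif invite == "everyone":
        findings.append("guests can invite other guests")
    return {
        "guest_access": GUEST_ROLES.get(role, "unknown"),
        "who_can_invite": INVITERS.get(invite, "unknown"),
        "findings": findings,
    }

# Constructed sample shaped like GET /v1.0/policies/authorizationPolicy.
SAMPLE = json.loads("""{
  "id": "authorizationPolicy",
  "allowInvitesFrom": "everyone",
  "guestUserRoleId": "a0b1b346-4d3e-4e8b-98f8-753987be4970"
}""")

if __name__ == "__main__":
    print(json.dumps(audit_guest_policy(SAMPLE), indent=2))
```

An empty `findings` list means neither setting is at its most permissive value; it does not cover the downstream Teams and SharePoint settings.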




One-Time Passcode 


As of March 2021, a one-time passcode option was made available to guests by default. This means that if a resource such as a document is shared with them and they are neither in the directory nor hold a Microsoft account, they will be provided a one-time passcode for identity verification.

Using our physical security analogy, those housed in larger buildings or campuses may enforce entry requirements at the entry road, car park, or campus perimeter for outsiders arriving by vehicle. A security guard checks that the outsider has valid identification from a trusted authority before lifting the entrance barrier.


Some highly secured sites will only allow certain organizations onto the premises, while others may just have a list of blacklisted organizations that can never enter. In other words, someone cannot get access to a meeting room if they can’t get inside the campus, but being allowed inside the campus does not provide them with access to every meeting room.


For more insights on configuring guest access settings across the Microsoft 365 Global Admin Center and Microsoft Teams Admin Center, be sure to download the full ebook here! 

Collaborate with confidence. AvePoint provides the most advanced platform for SaaS and data management to optimize SaaS operations and secure collaboration. More than 8 million cloud users rely on our solutions. Our SaaS solutions are also available to managed service providers via more than 100 cloud marketplaces, so they can better support and manage their small and mid-sized business customers. Founded in 2001, AvePoint is a five-time Global Microsoft Partner of the Year and headquartered in Jersey City, New Jersey. For more information, visit