Secure Collaboration with Other Organizations – Enable Guest Screen Sharing & Control
It is essential to have a convenient means of collaboration with other organizations in today’s modern workplace. In recent years, the workflow has shifted to a remote model to ensure security and efficient administration. Most organizations already utilizing the Microsoft suite of technologies turn to Microsoft Teams to handle this workload.
Even if you’ve got Microsoft Teams set up in your organization, you may still have questions, especially once guests are added. What are the options for collaborating with guest and external users in Microsoft Teams? How does an organization set this up in the most efficient manner? If you’ve used Microsoft Teams, you may have run into the inability to share your screen and/or control someone else’s screen: why can’t I share my screen in Microsoft Teams?
This article will cover the setup of Guest User Collaboration in Microsoft Teams, which will allow your participants to share their screens as well as control yours if you approve the request.
Azure Active Directory External Collaboration Settings
Allowing guest users to collaborate with an organization requires setup in a few places:
- The organization subscription must have at least Azure Premium P1 Licensing for Azure Active Directory
- For more information on Azure AD features check out Azure Active Directory Licensing
- For more information on Enterprise Licensing check out Compare Microsoft 365 Enterprise Plans
- The highest level of permissions for Microsoft 365 guest sharing is B2B External Collaboration in Azure Active Directory
- Log into the Azure Portal
- Browse to Azure Active Directory and Select “External Identities”
- On the next External Identities | Overview Screen select External Collaboration Settings
- From the External Collaboration Settings, set your organization settings for Guest User Access as required
Guest Access Reviews in Azure Active Directory
In Azure Active Directory, it is possible to set up Access Reviews globally for all guest users (with Azure AD Premium P2). These reviews allow administrators, sponsors, or guests to govern who currently has guest access to the organization. It is also possible to set these reviews up for Directory Roles and in many different Identity Governance scenarios. Please see Manage guest Access with Azure AD access reviews for more information on various scenarios.
Microsoft 365 Groups guest settings
Microsoft Teams requires Microsoft 365 groups for guest membership management. Enable Groups Guest Settings to allow guest users in Microsoft 365 groups.
- Browse to the Microsoft 365 Admin Center
- Expand the Settings Tab and Select Org Settings
- Browse down the options and find Microsoft 365 Groups; select it
- On the Blade that appears select the box next to the first option
- Select the 2nd option based on organizational requirements
SharePoint organization level sharing settings
Content in Microsoft 365 is all stored in SharePoint. Sharing at the SharePoint level is required to enable content sharing with guests in Microsoft Teams.
- Browse to the Microsoft 365 Admin Center and select SharePoint
- Expand the Policies Tab and select Sharing
- From here, set your External Sharing permission level; it must be at least Existing Guests to allow guests to collaborate
- Note: It is possible to provide more granular restrictions for guest and external sharing in SharePoint and OneDrive
- For more information check out SharePoint: External Sharing Overview
Allow Guest User Access in Teams
The other prerequisite to allow Guest User Access in Microsoft Teams is to turn it on globally in the tenant:
- Browse to the Teams Admin Center
- Expand the Users Tab and select Guest Access
- Set the Allow Guest Access in Teams to On
- Adjust the other settings as needed by organizational requirements
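The tenant-wide prerequisites from the SharePoint and Teams sections above can also be read back from PowerShell to confirm what the portals show. This is an added example, not part of the original article; it is read-only, and the admin URL is a placeholder for your own tenant.

```powershell
# Read-only audit of the tenant-wide guest prerequisites described above.
# Requires the Microsoft.Online.SharePoint.PowerShell and MicrosoftTeams modules.
$AdminUrl = 'https://contoso-admin.sharepoint.com'   # placeholder: your SharePoint admin URL

Connect-SPOService -Url $AdminUrl
Connect-MicrosoftTeams

# SharePoint external sharing levels, ordered from most to least restrictive.
$levels = @(
    'Disabled',                          # Only people in your organization
    'ExistingExternalUserSharingOnly',   # Existing guests
    'ExternalUserSharingOnly',           # New and existing guests
    'ExternalUserAndGuestSharing'        # Anyone
)
$spoLevel = [string](Get-SPOTenant).SharingCapability
$rank     = [array]::IndexOf($levels, $spoLevel)

$spoNote = switch ($rank) {
    { $_ -lt 1 } { 'Below Existing Guests: guests cannot collaborate on content'; break }
    3            { 'More permissive than the Existing Guests minimum (Anyone)'; break }
    default      { 'Meets the Existing Guests minimum' }
}

# Teams: the global guest switch and the guest screen sharing mode.
$allowGuest = (Get-CsTeamsClientConfiguration -Identity Global).AllowGuestUser
$guestMeet  = Get-CsTeamsGuestMeetingConfiguration -Identity Global

$teamsNote = 'Guest access is off: guests cannot join teams'
if ($allowGuest) { $teamsNote = 'Guest access is on' }

$shareNote = 'Guests can share content in meetings'
if ("$($guestMeet.ScreenSharingMode)" -eq 'Disabled') {
    $shareNote = 'Guests cannot share their screen in meetings'
}

@(
    [pscustomobject]@{ Setting = 'SharePoint SharingCapability';  Value = $spoLevel;   Note = $spoNote }
    [pscustomobject]@{ Setting = 'Teams AllowGuestUser';          Value = $allowGuest; Note = $teamsNote }
    [pscustomobject]@{ Setting = 'Teams guest ScreenSharingMode'; Value = $guestMeet.ScreenSharingMode; Note = $shareNote }
) | Format-Table -AutoSize -Wrap
```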
Allowing Guest Users to Request Control by Global-Org Wide Policy
The first and easiest method to enable this functionality is to allow Guest Users to Request/Give Control by a Global-Org Wide Policy:
- Browse to the Teams Admin Center and log in
- Expand the tab for Meetings and Select Meeting Policies:
- On this page select Global (Org-Wide Default):
- Find the Section for Content Sharing and the Setting “Allow an external participant to give or request control”, switch this to on
- Now all guest users in the organization should have access to Request/Give Control in Screen-sharing
For more information, check out Microsoft Teams Guest Setup
Allowing Guest Users to Request Control by Teams Policy for Guest Users
If we want to be more granular about controlling this feature for guest users, we can do so by assigning the policy at the team level:
- Browse to the Teams Admin Center and log in
- Expand the Teams Tab and Select Manage teams
- From here select +Add, give the new team a name and select apply
- Then select the team just created and click +Add. On the blade that opens, search for and select guest users to add to the team, then select apply
- Now expand the Meetings Tab and Select Meeting Policies
- Click +Add, give the policy a name, browse to the Content Sharing Section and turn on Allow an External Participant to give or request control. Set other organizationally required settings and select save
- Finally select the Group Policy Assignment tab, +Add Group, Select the team and policy created earlier and select apply
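The granular approach above, together with a check of which meeting policies currently allow external control (including the org-wide default from the previous section), can be scripted with the MicrosoftTeams PowerShell module. This is an added example, not part of the original article; the policy name and group ID are hypothetical placeholders.

```powershell
# Requires the MicrosoftTeams module and a Teams administrator sign-in.
Connect-MicrosoftTeams

$PolicyName = 'Guest-Control-Sharing'                  # hypothetical policy name
$GroupId    = '00000000-0000-0000-0000-000000000000'   # placeholder: object ID of the team's group

# Create the dedicated policy only if it does not exist yet.
# Custom policies are listed with the identity "Tag:<name>".
$existing = Get-CsTeamsMeetingPolicy | Where-Object Identity -eq "Tag:$PolicyName"
if (-not $existing) {
    New-CsTeamsMeetingPolicy -Identity $PolicyName `
        -Description 'Allows external participants to give or request control' | Out-Null
}

# Content Sharing: "Allow an external participant to give or request control".
Set-CsTeamsMeetingPolicy -Identity $PolicyName -AllowExternalParticipantGiveRequestControl $true

# Group policy assignment: link the policy to the team's group unless one is already set.
$assigned = Get-CsGroupPolicyAssignment -GroupId $GroupId -PolicyType TeamsMeetingPolicy `
                -ErrorAction SilentlyContinue
if (-not $assigned) {
    New-CsGroupPolicyAssignment -GroupId $GroupId -PolicyType TeamsMeetingPolicy `
        -PolicyName $PolicyName -Rank 1
}
elseif ($assigned.PolicyName -ne $PolicyName) {
    Write-Warning "Group already has meeting policy '$($assigned.PolicyName)' assigned; left unchanged."
}

# Review: every meeting policy that allows external give/request control.
# "Global" in this list means the setting is on for the whole organization.
Get-CsTeamsMeetingPolicy |
    Where-Object AllowExternalParticipantGiveRequestControl |
    Select-Object Identity, AllowExternalParticipantGiveRequestControl, AllowParticipantGiveRequestControl |
    Format-Table -AutoSize

# Review: which groups receive which meeting policy, and at what rank.
Get-CsGroupPolicyAssignment -PolicyType TeamsMeetingPolicy |
    Select-Object GroupId, PolicyName, Rank |
    Format-Table -AutoSize
```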
Guest Users vs External Users (Federation)
In this article, we have discussed collaboration in Microsoft Teams through Guest User Access. However, there is a second means of collaboration—this uses External users and Federation. Microsoft defines the difference as the following:
- External access - A type of federation that allows users to find, call, and chat with people in other organizations. These people cannot be added to teams unless they are invited as guests.
- Guest access - Guest access allows you to invite people from outside your organization to join a team. Invited people get a guest account in Azure Active Directory.
For Federation, there are three methods:
- Open Federation – this allows all organizations to find your organizational users and teams
- Allow Specific Domains: Negative Model allowing Specific Domains
- Block Specific Domains: Positive model, disallow specific domains
Since external access does not allow access to Microsoft Teams resources, it is only recommended in specific scenarios, as it allows an entire domain instead of just single users. For more information, check out Use guest access and external access to collaborate with people outside your organization.