How to allow guests to access company resources (Teams/SP/Shared Mailbox)

thecomputerguy

Client is outsourcing work for employees who are out sick.

The request is to allow guest users to be able to access specific teams, and a specific shared mailbox.

Internet/ChatGPT says to add the user as a guest through Users > Guest Users

Then create a group and add the guest user to the group. Then assign that group access to the team / shared mailbox. Is it an M365 group? Security group??

I used my own Gmail as a test guest user. Created a testguestuser@contoso.com group. I then added my guest account to the group but I see nowhere in Teams Admin center, or Exchange admin center to assign this group as a member of the Team and/or shared mailbox.

This seems like such a complicated ask. Would a better way be to assign them some license like basic and give them a company account?

@YeOldeStonecat
 
I'm an idiot ... My brain went sideways... obviously I can create a guest user and assign that guest to a team or a channel ... I just wasn't thinking.

What about giving a guest access to a mailbox or a shared mailbox? I'm not even sure how to do that.
 
Ok research says no on the shared mailbox ... turns out the client was explaining incorrectly.

The guest user is actually an onsite temp. I told them to stop allowing temps to use employee devices and now we're just going to refurbish a laptop and set it up as a temp only device.

So convoluted!
 
I don't like doing "guest users".....
I have quite a few non profits that...have "boards"....thus....they want to have regular Teams meetings with them like...once a month, or every 3 months, etc. For them, I do the non profit (free) Business Basic licenses. And Entra ID P1. (of course the main staff use M365 Biz Prem non profit). Ends up still being dirt cheap.

Having guest accounts...on end user personal devices...ends up just....what a nightmare to support. Someone may or may not know their Microsoft personal or family account information. Or...their personal computer once had a Microsoft account nested in credential mangler somewhere. Or..they forget they had a MS account, perhaps purchased Office family once about 10 years ago from Best Buy. Long story short...a support nightmare!

If my client wants me to assist in them setting up non-core-staff...like this....I license them within the tenant. They get a username and password that I control. And MFA that I back up. And I'll spend the time remoted into their personal computer....showing them how to use the web interface, set up their MS Auth app on their phone, I'll even set up Teams for them and configure it...since last year's update to Teams made it work so dang well with signing into multiple tenants. Works great!

For "for profit" businesses...yeah...the cost is higher. But it's much much more if I'm to support a....external user scenario and a bunch of who knows what accounts.
 
B2B Guest usage of M365 can handle this without any further configuration than adding an email address to a Team.

The catch?

You need a Conditional Access policy that enforces MFA on guest users. And then you need to stick by it.

The organization has to be up front with these people that you're not responsible for their support, and if they do not have a personal Microsoft account with MFA protection at least to link up with... they're not getting at the data.

Otherwise, yes, local accounts you can support.
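
An added example, not part of any post in this thread: one way to check that the guest MFA Conditional Access policy mentioned above is still enforced. It assumes policies exported as JSON in the Microsoft Graph `conditionalAccessPolicy` shape; the sample policies and the function names are constructed for illustration.

```python
# Constructed sample in the shape of Microsoft Graph conditionalAccessPolicy
# objects (e.g. an export of the tenant's policies). Not real tenant data.
def _policy(name, state, apps):
    return {"displayName": name, "state": state,
            "conditions": {"users": {"includeUsers": ["GuestsOrExternalUsers"]},
                           "applications": {"includeApplications": apps}},
            "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}

SAMPLE_POLICIES = [
    _policy("Guests - require MFA (pilot)", "enabledForReportingButNotEnforced", ["All"]),
    _policy("Guests - require MFA for Office 365", "enabled", ["Office365"]),
]

def targets_guests(users):
    """True if guests are included and not excluded again by the same policy.
    Simplification: group-based exclusions and guest sub-types are not resolved."""
    include = users.get("includeUsers") or []
    included = ("All" in include or "GuestsOrExternalUsers" in include
                or bool(users.get("includeGuestsOrExternalUsers")))
    excluded = ("GuestsOrExternalUsers" in (users.get("excludeUsers") or [])
                or bool(users.get("excludeGuestsOrExternalUsers")))
    return included and not excluded

def requires_mfa(grant):
    """True if MFA is demanded and cannot be swapped for another control."""
    grant = grant or {}
    controls = grant.get("builtInControls") or []
    has_mfa = "mfa" in controls or bool(grant.get("authenticationStrength"))
    # With operator OR, any other listed control would satisfy the policy instead.
    others = [c for c in controls if c != "mfa"]
    return has_mfa and (grant.get("operator") == "AND" or not others)

def audit_guest_mfa(policies):
    """Return (covered, findings); covered needs an enforced, all-apps policy."""
    covered, findings = False, []
    for p in policies:
        cond = p.get("conditions") or {}
        if not (targets_guests(cond.get("users") or {})
                and requires_mfa(p.get("grantControls"))):
            continue  # not a guest MFA policy
        name = p.get("displayName", "<unnamed>")
        apps = (cond.get("applications") or {}).get("includeApplications") or []
        if p.get("state") != "enabled":
            findings.append(f"{name}: not enforced (state={p.get('state')})")
        elif "All" not in apps:
            findings.append(f"{name}: enforced, but not for all applications")
        else:
            covered = True
    return covered, findings

if __name__ == "__main__":
    print(audit_guest_mfa(SAMPLE_POLICIES))
```

On the constructed sample the result is "not covered" with two findings: one policy is report-only and the other is scoped to Office 365 only.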
 