MS-700 Managing Microsoft Teams Objective 1.4: Configure and Manage External Collaboration
MS-700 Exam Focus: This objective covers the comprehensive configuration and management of external collaboration in Microsoft Teams. Understanding licensing requirements, sharing settings, guest access, and cross-tenant collaboration is essential for enabling secure external partnerships while maintaining organizational security. Master these concepts for both exam success and real-world Teams external collaboration administration.
Introduction to External Collaboration in Teams
External collaboration in Microsoft Teams enables organizations to work securely with external partners, vendors, customers, and other stakeholders. This capability is essential for modern business operations but requires careful configuration to balance collaboration needs with security requirements. Understanding the various external collaboration options and their configuration is crucial for Teams administrators. These external collaboration features work in conjunction with security and compliance policies to ensure safe external access.
External collaboration in Teams encompasses multiple components:
- Guest Access: Allowing external users to access Teams as guests
- External Access: Enabling communication with external Teams users
- Shared Channels: Creating channels shared with external organizations
- B2B Direct Connect: Direct collaboration between tenant organizations
- Multitenant Organizations: Advanced cross-tenant collaboration scenarios
- Content Sharing: Sharing files and resources with external users
Identify Licensing Requirements for External Collaboration
External collaboration features in Teams are distributed across different Microsoft 365 license tiers. Understanding licensing requirements is essential for planning external collaboration implementation and ensuring access to necessary features.
External Collaboration License Requirements
Different aspects of external collaboration require specific license levels, with advanced features typically requiring higher-tier licenses.
External Collaboration Features by License:
- Basic Guest Access: Available in all Microsoft 365 plans
- Advanced Guest Management: Requires Microsoft 365 E3 or higher
- Shared Channels: Requires Microsoft 365 E3 or higher
- B2B Direct Connect: Requires Microsoft 365 E5 or Azure AD Premium P2
- Multitenant Organizations: Requires Microsoft 365 E5
- Advanced Security Controls: Requires Microsoft 365 E5 or add-on licenses
Guest User Licensing
Guest users in Teams have specific licensing considerations that affect their capabilities and access levels.
Feature | Business Standard | E3 | E5 |
---|---|---|---|
Guest Access to Teams | ✓ | ✓ | ✓ |
Guest Access to Files | ✓ | ✓ | ✓ |
Shared Channels | ✗ | ✓ | ✓ |
B2B Direct Connect | ✗ | ✗ | ✓ |
Advanced Guest Controls | Limited | ✓ | ✓ |
Guest Access Reviews | ✗ | ✗ | ✓ |
Configure SharePoint Online and OneDrive External Sharing Settings
SharePoint Online and OneDrive external sharing settings directly impact Teams external collaboration capabilities. These settings control how external users can access and interact with shared content in Teams.
SharePoint External Sharing Configuration
SharePoint external sharing settings control the level of external access to SharePoint sites, which directly affects Teams file sharing capabilities.
SharePoint External Sharing Levels:
- Anyone: Allow sharing with anyone who has the link
- New and Existing Guests: Allow sharing with authenticated external users
- Existing Guests Only: Allow sharing only with previously invited guests
- Only People in Your Organization: No external sharing allowed
OneDrive External Sharing Configuration
OneDrive external sharing settings control how users can share personal files with external collaborators.
OneDrive Sharing Settings:
- Link Sharing: Control link-based sharing options
- Guest Access: Enable or disable guest user access
- Domain Restrictions: Allow or block specific domains
- Expiration Settings: Set automatic link expiration
- Password Protection: Require passwords for shared links
- Download Restrictions: Control download capabilities
Teams Integration with SharePoint Sharing
Teams file sharing is built on SharePoint, so SharePoint sharing settings directly impact Teams external collaboration capabilities.
Teams-SharePoint Integration:
- Channel Files: Shared through SharePoint document libraries
- Chat Files: Shared through OneDrive for Business
- Meeting Files: Shared through SharePoint or OneDrive
- App Files: Shared according to app-specific settings
- Guest Permissions: Inherited from SharePoint sharing settings
- Access Controls: Managed through SharePoint permissions
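The four sharing levels and the link settings above correspond to properties returned by the SharePoint Online Management Shell cmdlets `Get-SPOTenant` and `Get-SPOSite`. The following audit is an added example, not part of the original guide: the function name `Test-SharingPosture`, the policy ceiling and the sample objects are assumptions made for illustration.

```powershell
# Added example, not from the original page. Sample objects are constructed;
# property names mirror Get-SPOTenant / Get-SPOSite output.
function Test-SharingPosture {
    param(
        [Parameter(Mandatory)] $Tenant,
        [Parameter(Mandatory)] [object[]] $Sites,
        [string] $MaxAllowed = 'ExternalUserSharingOnly'   # assumed policy ceiling
    )
    # SharingCapability values, least to most permissive
    $rank = @{
        Disabled                        = 0   # Only People in Your Organization
        ExistingExternalUserSharingOnly = 1   # Existing Guests Only
        ExternalUserSharingOnly         = 2   # New and Existing Guests
        ExternalUserAndGuestSharing     = 3   # Anyone
    }
    $limit = $rank[$MaxAllowed]
    $finding = {
        param($Scope, $Setting, $Value, $Issue)
        [pscustomobject]@{ Scope = $Scope; Setting = $Setting; Value = "$Value"; Issue = $Issue }
    }
    foreach ($name in 'SharingCapability', 'OneDriveSharingCapability') {
        if ($rank["$($Tenant.$name)"] -gt $limit) {
            & $finding 'Tenant' $name ($Tenant.$name) "More permissive than $MaxAllowed"
        }
    }
    # Anyone links with an expiry of 0 or -1 days never expire
    if ("$($Tenant.SharingCapability)" -eq 'ExternalUserAndGuestSharing' -and
        $Tenant.RequireAnonymousLinksExpireInDays -le 0) {
        & $finding 'Tenant' 'RequireAnonymousLinksExpireInDays' ($Tenant.RequireAnonymousLinksExpireInDays) 'Anyone links never expire'
    }
    if ("$($Tenant.SharingCapability)" -ne 'Disabled' -and
        "$($Tenant.SharingDomainRestrictionMode)" -eq 'None') {
        & $finding 'Tenant' 'SharingDomainRestrictionMode' 'None' 'No domain allow or block list'
    }
    foreach ($site in $Sites) {
        if ($rank["$($site.SharingCapability)"] -gt $limit) {
            & $finding ($site.Url) 'SharingCapability' ($site.SharingCapability) "More permissive than $MaxAllowed"
        }
    }
}

# Constructed sample data (not real tenant output)
$sampleTenant = [pscustomobject]@{
    SharingCapability                 = 'ExternalUserAndGuestSharing'
    OneDriveSharingCapability         = 'ExternalUserAndGuestSharing'
    RequireAnonymousLinksExpireInDays = -1
    SharingDomainRestrictionMode      = 'None'
}
$sampleSites = @(
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/partners'; SharingCapability = 'ExternalUserAndGuestSharing' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/finance'; SharingCapability = 'Disabled' }
)
Test-SharingPosture -Tenant $sampleTenant -Sites $sampleSites | Format-Table -AutoSize
# Live use, after Connect-SPOService: -Tenant (Get-SPOTenant) -Sites (Get-SPOSite -Limit All)
```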
Configure External Access in the Microsoft Teams Admin Center
External access in Teams allows users to communicate with external Teams users from other organizations. This feature enables federated communication while maintaining security boundaries.
External Access Configuration Options
External access can be configured at different levels to provide granular control over external communication capabilities.
External Access Settings:
- Allow External Access: Enable or disable external access globally
- Domain Allow List: Specify allowed external domains
- Domain Block List: Block specific external domains
- Anonymous Access: Allow communication with anonymous users
- Federation: Enable communication with federated organizations
- Public Cloud Access: Allow access to public cloud users
External Access vs Guest Access
Understanding the differences between external access and guest access is crucial for proper configuration and security.
Feature | External Access | Guest Access |
---|---|---|
User Type | External Teams users | Any external user |
Access Level | Communication only | Full team access |
Authentication | Their organization's credentials | Guest account in your tenant |
File Access | No file access | Full file access |
Meeting Access | Can join meetings | Can join meetings |
Configure External Collaboration Settings in Microsoft Entra ID for Guest Access
Microsoft Entra ID (formerly Azure AD) provides comprehensive settings for managing external collaboration and guest access. These settings control the overall external collaboration experience across Microsoft 365 services.
Entra ID External Collaboration Settings
Entra ID external collaboration settings provide centralized control over guest access and external collaboration capabilities.
Key External Collaboration Settings:
- Guest User Access Restrictions: Control guest user capabilities
- Guest Invitation Settings: Configure invitation policies and restrictions
- Collaboration Restrictions: Set domain-based collaboration limits
- Guest Self-Service Sign-Up: Enable or disable self-service registration
- Terms of Use: Require guests to accept terms of use
- Multi-Factor Authentication: Require MFA for guest users
Guest User Lifecycle Management
Entra ID provides comprehensive lifecycle management capabilities for guest users, including invitation, access control, and removal processes.
Guest Lifecycle Management Features:
- Invitation Management: Control who can invite guests
- Approval Workflows: Require approval for guest invitations
- Access Reviews: Regular review of guest access
- Automatic Expiration: Set automatic guest account expiration
- Usage Monitoring: Track guest user activity and access
- Bulk Management: Manage multiple guest users simultaneously
Configure Guest Access and Sharing in Admin Centers
Guest access and sharing can be configured through multiple admin centers, each providing different levels of control and management capabilities.
Teams Admin Center Guest Settings
The Teams admin center provides specific settings for guest access within Teams, including chat, calling, and meeting capabilities.
Teams Guest Access Settings:
- Allow Guest Access: Enable or disable guest access in Teams
- Make Private Calls: Allow guests to make private calls
- IP Video: Enable or disable video calling for guests
- Screen Sharing Mode: Control screen sharing capabilities
- Meet Now: Allow guests to start instant meetings
- Content Sharing: Control content sharing in meetings
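Each guest setting listed above is also exposed through Teams PowerShell, which makes it possible to check a tenant against a written baseline instead of reviewing toggles by hand. The drift check below is an added example, not part of the original guide: the function name `Compare-GuestBaseline`, the baseline values and the sample data are assumptions.

```powershell
# Added example, not from the original page. $current is constructed sample data;
# each key is the noun of the Teams PowerShell cmdlet that returns those properties.
function Compare-GuestBaseline {
    param(
        [Parameter(Mandatory)] [hashtable] $Current,
        [Parameter(Mandatory)] [hashtable] $Baseline
    )
    foreach ($source in $Baseline.Keys | Sort-Object) {
        foreach ($setting in $Baseline[$source].Keys | Sort-Object) {
            $want = $Baseline[$source][$setting]
            $have = $Current[$source].$setting
            if ("$have" -ne "$want") {
                # Emit one record per setting that differs from the baseline
                [pscustomobject]@{
                    Source = $source; Setting = $setting
                    Current = "$have"; Expected = "$want"
                }
            }
        }
    }
}

# Assumed baseline: guests allowed, no private calls, no instant meetings,
# screen sharing limited to a single application.
$baseline = @{
    'CsTeamsClientConfiguration'       = @{ AllowGuestUser = $true }         # Allow Guest Access
    'CsTeamsGuestCallingConfiguration' = @{ AllowPrivateCalling = $false }   # Make Private Calls
    'CsTeamsGuestMeetingConfiguration' = @{
        AllowIPVideo      = $true                 # IP Video
        ScreenSharingMode = 'SingleApplication'   # Screen Sharing Mode
        AllowMeetNow      = $false                # Meet Now
    }
}

# Constructed sample of a tenant that has drifted from the baseline
$current = @{
    'CsTeamsClientConfiguration'       = [pscustomobject]@{ AllowGuestUser = $true }
    'CsTeamsGuestCallingConfiguration' = [pscustomobject]@{ AllowPrivateCalling = $true }
    'CsTeamsGuestMeetingConfiguration' = [pscustomobject]@{
        AllowIPVideo = $true; ScreenSharingMode = 'EntireScreen'; AllowMeetNow = $true
    }
}
Compare-GuestBaseline -Current $current -Baseline $baseline | Format-Table -AutoSize

# Live use, after Connect-MicrosoftTeams: fill $current from the Get- cmdlets
# $current = @{}; foreach ($k in $baseline.Keys) { $current[$k] = & "Get-$k" -Identity Global }
```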
Microsoft 365 Admin Center Settings
The Microsoft 365 admin center provides organization-wide settings for external sharing and collaboration.
M365 Admin Center Settings:
- External Sharing: Organization-wide sharing policies
- Guest Access: Global guest access settings
- Security Defaults: Security settings for external users
- Conditional Access: Access policies for external users
- Data Loss Prevention: DLP policies for external sharing
- Compliance Policies: Compliance settings for external collaboration
SharePoint Admin Center Settings
The SharePoint admin center provides granular control over file sharing and external access to SharePoint content.
SharePoint Admin Center Settings:
- External Sharing: Site-level sharing policies
- Guest Access: Guest user permissions and restrictions
- Anonymous Access: Anonymous sharing capabilities
- Domain Restrictions: Allow or block specific domains
- Link Expiration: Automatic link expiration settings
- Access Requests: Access request workflows
Control Guest Access to Specific Teams Using Microsoft Purview and Entra ID
Advanced guest access control can be implemented using Microsoft Purview and Entra ID to provide granular control over guest access to specific teams and content.
Microsoft Purview Guest Access Controls
Microsoft Purview provides advanced data governance and compliance controls for guest access management.
Purview Guest Access Features:
- Sensitivity Labels: Apply sensitivity labels to control guest access
- Data Loss Prevention: DLP policies for guest access scenarios
- Retention Policies: Control data retention for guest-accessible content
- Access Reviews: Regular review of guest access permissions
- Audit and Compliance: Comprehensive audit trails for guest activities
- Information Protection: Advanced information protection for shared content
Entra ID Conditional Access for Guests
Entra ID conditional access policies can be applied to guest users to enforce additional security controls.
Conditional Access for Guests:
- Device Compliance: Require compliant devices for guest access
- Location Restrictions: Restrict guest access based on location
- Multi-Factor Authentication: Require MFA for guest users
- App Protection: Require app protection policies for mobile access
- Risk-Based Access: Adjust access based on risk signals
- Session Controls: Control guest session duration and capabilities
Remove Guests from Teams
Guest removal from Teams can be performed at different levels, from individual team removal to complete tenant removal. Understanding the different removal options and their implications is essential for proper guest management.
Guest Removal Scenarios
Different scenarios require different approaches to guest removal, each with specific implications and procedures.
Guest Removal Types:
- Team Removal: Remove guest from specific team only
- Channel Removal: Remove guest from specific channel
- Chat Removal: Remove guest from private chats
- Tenant Removal: Remove guest from entire tenant
- Account Deletion: Permanently delete guest account
- Access Revocation: Revoke access without removing account
Guest Removal Procedures
Proper guest removal procedures ensure clean removal while maintaining data integrity and security.
Removal Best Practices:
- Data Backup: Ensure important data is backed up before removal
- Access Review: Review guest's current access and activities
- Notification: Notify relevant stakeholders of removal
- Gradual Removal: Remove access gradually to minimize disruption
- Documentation: Document removal reasons and procedures
- Audit Trail: Maintain audit trail of removal activities
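The removal scopes and best practices above can be combined in one guarded routine that reviews access first, acts at the chosen scope, and returns an audit record. This is an added example, not part of the original guide: the function name `Remove-GuestAccess` and its parameters are hypothetical, and it assumes connected MicrosoftTeams and Microsoft Graph PowerShell sessions with permission to update and delete users.

```powershell
# Added example, not from the original page. Assumes Connect-MicrosoftTeams and
# Connect-MgGraph have already been run with sufficient permissions.
function Remove-GuestAccess {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $GuestMail,
        [Parameter(Mandatory)] [ValidateSet('Team', 'Revoke', 'Tenant')] [string] $Scope,
        [string] $TeamGroupId,                       # required when -Scope Team
        [Parameter(Mandatory)] [string] $Reason      # documented reason for the removal
    )
    $mail  = $GuestMail.Replace("'", "''")           # escape quotes for the OData filter
    $found = @(Get-MgUser -Filter "mail eq '$mail'" -Property Id, Mail, UserType, UserPrincipalName)
    if ($found.Count -ne 1 -or $found[0].UserType -ne 'Guest') {
        throw "Expected exactly one guest account for '$GuestMail'."
    }
    $guest = $found[0]
    if ($Scope -eq 'Team' -and -not $TeamGroupId) {
        throw '-TeamGroupId is required for -Scope Team.'
    }

    # Access review: record team memberships before anything changes
    $teams = @(Get-Team -User $guest.UserPrincipalName)

    $done = $false
    if ($PSCmdlet.ShouldProcess($guest.UserPrincipalName, "Guest removal, scope $Scope")) {
        switch ($Scope) {
            'Team'   { Remove-TeamUser -GroupId $TeamGroupId -User $guest.UserPrincipalName }
            'Revoke' {   # keep the account, block sign-in, invalidate refresh tokens
                Update-MgUser -UserId $guest.Id -AccountEnabled:$false
                Revoke-MgUserSignInSession -UserId $guest.Id | Out-Null
            }
            'Tenant' { Remove-MgUser -UserId $guest.Id }   # soft delete, restorable for 30 days
        }
        $done = $true
    }

    # Audit record: who, what scope, why, and the access held at the time
    [pscustomobject]@{
        TimestampUtc  = (Get-Date).ToUniversalTime().ToString('o')
        Guest         = $guest.Mail
        Scope         = $Scope
        Reason        = $Reason
        Performed     = $done
        TeamsAtReview = $teams.DisplayName -join '; '
    }
}

# Dry run with a constructed address: lists the guest's teams and changes nothing
# Remove-GuestAccess -GuestMail 'jane@fabrikam.example' -Scope Revoke -Reason 'Contract ended' -WhatIf
```

Piping the returned record to `Export-Csv -Append` keeps a running log of removals alongside the tenant's own audit data.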
Configure Shared Channels for External Access
Shared channels enable organizations to create channels that can be shared with external organizations, providing a more integrated collaboration experience than traditional guest access.
Shared Channel Configuration
Shared channels require specific configuration to enable external access while maintaining security and governance.
Shared Channel Settings:
- Enable Shared Channels: Enable shared channel creation
- External Access: Allow external organizations to be added
- Channel Creation: Control who can create shared channels
- External Sharing: Configure external sharing policies
- Security Policies: Apply security policies to shared channels
- Compliance Controls: Implement compliance controls for shared content
Shared Channel vs Guest Access
Understanding the differences between shared channels and guest access helps in choosing the appropriate collaboration method.
Feature | Shared Channels | Guest Access |
---|---|---|
User Experience | Native Teams experience | Guest account experience |
Authentication | Their organization's credentials | Guest account in your tenant |
Access Scope | Specific channels only | Full team access |
File Access | Channel files only | All team files |
Management | Channel-level management | User-level management |
Configure and Manage B2B Direct Connect Cross-Tenant Access Settings
B2B Direct Connect enables direct collaboration between tenant organizations through shared channels, providing a seamless collaboration experience without requiring guest accounts.
B2B Direct Connect Configuration
B2B Direct Connect requires configuration in both tenant organizations to establish secure cross-tenant collaboration.
B2B Direct Connect Settings:
- Cross-Tenant Access Policies: Define allowed and blocked organizations
- Inbound Access: Control inbound access from external organizations
- Outbound Access: Control outbound access to external organizations
- Trust Settings: Configure trust relationships between organizations
- Security Policies: Apply security policies to cross-tenant access
- Compliance Controls: Implement compliance controls for cross-tenant collaboration
Cross-Tenant Access Policy Configuration
Cross-tenant access policies provide granular control over B2B Direct Connect relationships and capabilities.
Policy Configuration Options:
- Organization Settings: Configure settings for specific organizations
- User and Group Settings: Control access for specific users or groups
- Application Settings: Configure access for specific applications
- Conditional Access: Apply conditional access policies
- Multi-Factor Authentication: Require MFA for cross-tenant access
- Device Compliance: Require compliant devices for access
Configure a Multitenant Organization (MTO)
Multitenant Organizations (MTO) provide advanced cross-tenant collaboration capabilities, enabling organizations to work together as if they were part of a single organization while maintaining separate tenant boundaries.
MTO Configuration Requirements
MTO configuration requires specific prerequisites and careful planning to ensure successful implementation.
MTO Prerequisites:
- Microsoft 365 E5: All participating organizations must have E5 licenses
- Entra ID Premium P2: Required for advanced identity features
- Administrative Consent: Consent from all participating organizations
- Network Connectivity: Proper network configuration for cross-tenant access
- Security Policies: Aligned security policies across organizations
- Compliance Requirements: Compatible compliance and governance frameworks
MTO Implementation Process
MTO implementation involves several steps and considerations to ensure successful deployment and operation.
MTO Implementation Steps:
- Planning and Design: Plan the MTO architecture and governance
- Prerequisites Verification: Ensure all prerequisites are met
- Cross-Tenant Access Configuration: Configure cross-tenant access policies
- Identity Synchronization: Set up identity synchronization if needed
- Security Policy Alignment: Align security policies across organizations
- Testing and Validation: Test MTO functionality and security
- Deployment and Monitoring: Deploy and monitor MTO operations
MTO Management and Governance
MTO requires ongoing management and governance to ensure security, compliance, and effective collaboration.
MTO Management Considerations:
- Governance Framework: Establish governance framework for MTO
- Security Monitoring: Continuous security monitoring and threat detection
- Compliance Management: Ensure compliance across all participating organizations
- Access Reviews: Regular review of cross-tenant access
- Incident Response: Coordinated incident response procedures
- Performance Monitoring: Monitor MTO performance and user experience
Exam Preparation Tips
For the MS-700 exam, focus on understanding the different external collaboration options and their configuration requirements, and be able to identify appropriate solutions for specific collaboration scenarios.
Key Exam Points:
- Understand licensing requirements for different external collaboration features
- Know how to configure SharePoint and OneDrive external sharing settings
- Understand the differences between external access and guest access
- Know how to configure external collaboration settings in Entra ID
- Understand guest access configuration across different admin centers
- Know how to use Microsoft Purview and Entra ID for advanced guest controls
- Understand guest removal procedures and best practices
- Know how to configure shared channels for external access
- Understand B2B Direct Connect configuration and management
- Know the requirements and process for configuring MTO
Real-World Implementation Considerations
In practice, implementing external collaboration requires balancing security requirements with collaboration needs. Successful implementations consider both technical capabilities and organizational policies.
Remember that external collaboration is an ongoing process that requires regular review, monitoring, and adjustment. A comprehensive understanding of external collaboration features provides the foundation for building secure, compliant, and effective collaboration environments that enable productive partnerships while maintaining organizational security and governance standards.
Summary
External collaboration in Teams encompasses guest access, external access, shared channels, B2B Direct Connect, and multitenant organizations. Understanding these components and their configuration requirements enables administrators to implement comprehensive external collaboration frameworks that balance security, compliance, and productivity while enabling effective partnerships with external organizations.