Teams external guests: which settings define the risk profiles?

Teams guest access has three layers at once: organisation settings, team settings, and chat settings. Here's the mental model so you don't accidentally leave everything wide open.

Teams guests are simultaneously the most practical and the most risky M365 feature. Three layers determine what they can do:

1. Organisation level (Teams admin center)

\n
• Guest access on/off globally.
\n
• Per-capability toggles: meetings, chat, calling, channels.
\n
• Recommended: enable all, but review anything you're not using (can be turned off).
\n

2. Team level

\n
• Team owner can decide per team whether guests are allowed.
\n
• Public teams are open to everyone in your tenant — consider whether that's really the intention.
\n

3. Chat level (external access)

\n
• 1-on-1 chat with external users who also use Teams.
\n
• Whitelisted or blacklisted domains are possible.
\n
• Recommended: whitelist of partner domains, block generic mail providers.
\n

Shared channels (separate feature)

Since 2022 you can share channels with external Teams tenants without a guest link. This goes via Teams Connect. Review implication: check which shared channels exist and with whom.

Practical tip

Set a monthly alert on "new guest users". In modern tenants this is easily trackable via Entra audit logs. A sudden spike is a reason to check what's going on.

See also: guest access basics, M365 pillar.