Controlling Guest Access to your M365 Groups / Teams

Hi All,

Recently a colleague at work made me aware of the following Article, which describes how you can prevent Guest Users from being added to M365 Groups / Teams. You can configure this on Tenant Level or on individual M365 Group Level.

PowerShell

Let’s check out these Settings with PowerShell

###############################################################################
# Connect Microsoft Graph
###############################################################################
Connect-MgGraph -Scopes GroupSettings.ReadWrite.All, Group.ReadWrite.All, User.Read.All -NoWelcome

Let’s check the Tenant Wide Setting with Microsoft Graph and an Invoke-MgGraphRequest to the Beta API.

###############################################################################
# Group Settings Tenant Wide 
###############################################################################
Import-Module Microsoft.Graph.Beta.Identity.DirectoryManagement

# The template only shows the default values (AllowToAddGuests defaults to "true");
# it does not tell you what is actually configured in the tenant
(Get-MgBetaDirectorySettingTemplate | Where-Object {$_.DisplayName -eq "Group.Unified.Guest"}).Values | Format-List

# The configured tenant-wide value lives in the "Group.Unified" directory setting.
# If that setting object does not exist yet, the template default applies.
$URI = "https://graph.microsoft.com/beta/settings"
$Result = Invoke-MgGraphRequest -Method "GET" -Uri $URI
$Result.Value | Where-Object {$_.DisplayName -eq "Group.Unified"} | Select-Object -ExpandProperty Values | Where-Object {$_.Name -eq "AllowToAddGuests"}
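As an added example (not code from the original post), the following function resolves the effective AllowToAddGuests value the way the service applies it: a group-level "Group.Unified.Guest" setting wins, otherwise the tenant-level "Group.Unified" setting, otherwise the template default. It uses the v1.0 groupSettings endpoints rather than the beta settings endpoint shown above, assumes an existing Connect-MgGraph session with GroupSettings.Read.All (or GroupSettings.ReadWrite.All) and Group.Read.All, and the function names and output shape are my own.

```powershell
# Added example, not from the original post. Resolves the effective
# AllowToAddGuests value for the tenant and, optionally, for one M365 Group.
# Assumes an existing Connect-MgGraph session holding GroupSettings.Read.All
# (or GroupSettings.ReadWrite.All) and Group.Read.All.
#
# Precedence for the Group.Unified / Group.Unified.Guest templates:
#   1. group-level  Group.Unified.Guest setting object (if it exists)
#   2. tenant-level Group.Unified setting object       (if it exists)
#   3. the template default ("true") when neither object exists

function Get-AllowToAddGuestsValue {
    # Returns $true/$false from a settings or template collection, or $null
    # when no matching object (or no AllowToAddGuests entry) exists.
    param($Collection, [string]$DisplayName)

    $obj = $Collection.value | Where-Object { $_.displayName -eq $DisplayName } | Select-Object -First 1
    if ($null -eq $obj) { return $null }
    $entry = $obj.values | Where-Object { $_.name -eq 'AllowToAddGuests' } | Select-Object -First 1
    if ($null -eq $entry) { return $null }

    # settings carry "value", templates carry "defaultValue"; both are strings
    $raw = if ($null -ne $entry.defaultValue) { $entry.defaultValue } else { $entry.value }
    return [System.Convert]::ToBoolean($raw)
}

function Get-GuestAddPolicy {
    [CmdletBinding()]
    param(
        # Object id of an M365 Group; omit to resolve only the tenant-wide value
        [string]$GroupId
    )

    $base = 'https://graph.microsoft.com/v1.0'

    # 3. template default (what applies when nothing has ever been configured)
    $templates     = Invoke-MgGraphRequest -Method GET -Uri "$base/groupSettingTemplates"
    $templateValue = Get-AllowToAddGuestsValue $templates 'Group.Unified'

    # 2. tenant-wide setting object
    $tenant      = Invoke-MgGraphRequest -Method GET -Uri "$base/groupSettings"
    $tenantValue = Get-AllowToAddGuestsValue $tenant 'Group.Unified'

    $effective = $templateValue
    $decidedBy = 'template default'
    if ($null -ne $tenantValue) { $effective = $tenantValue; $decidedBy = 'tenant' }

    # 1. group-level override
    $groupValue = $null
    if ($GroupId) {
        $group      = Invoke-MgGraphRequest -Method GET -Uri "$base/groups/$GroupId/settings"
        $groupValue = Get-AllowToAddGuestsValue $group 'Group.Unified.Guest'
        if ($null -ne $groupValue) { $effective = $groupValue; $decidedBy = 'group' }
    }

    [pscustomobject]@{
        GroupId          = $GroupId
        TemplateDefault  = $templateValue
        TenantSetting    = $tenantValue   # $null = no tenant object, default applies
        GroupSetting     = $groupValue    # $null = inherits from tenant
        AllowToAddGuests = $effective
        DecidedBy        = $decidedBy
    }
}

# Usage:
# Get-GuestAddPolicy
# Get-GuestAddPolicy -GroupId 'a2c92da0-28f8-4069-89ac-6affb12cb4d2'
```

The DecidedBy column is the part worth looking at in a review: a group that reports "template default" has never had the setting touched at either level, which is easy to mistake for "guests allowed on purpose".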

Let’s list the M365 Groups and get the ID of the “TestTeam”

###############################################################################
# Get Unified Groups (M365 Groups)
###############################################################################
Get-MgGroup -Filter "groupTypes/any(c:c eq 'Unified')"

#Get Group by DisplayName
$Group = Get-MgGroup  -Filter "DisplayName eq 'TestTeam'"
$Group.Id

Get the Settings of an individual M365 Group. Nothing there yet, so the Tenant Wide Setting applies to this Group.

###############################################################################
# Group Settings for Single M365 Group
###############################################################################
$GroupID = "a2c92da0-28f8-4069-89ac-6affb12cb4d2"
Get-MgGroupSetting -GroupId $GroupID

#Invoke-MgGraphRequest
$GroupID = "a2c92da0-28f8-4069-89ac-6affb12cb4d2"
$URI = "https://graph.microsoft.com/beta/groups/$GroupID/settings"
Invoke-MgGraphRequest -Method "GET" -Uri $URI

Let’s list the Members. You can see that there is already one Guest present.

###############################################################################
# List Members
###############################################################################
$GroupID = "a2c92da0-28f8-4069-89ac-6affb12cb4d2"
Get-MgGroupMember -GroupId $GroupID | select -ExpandProperty additionalProperties

Let’s add the Setting for the “TestTeam”

###############################################################################
# Patch Single M365 Group
###############################################################################
Import-Module Microsoft.Graph.Groups
$GroupID = "a2c92da0-28f8-4069-89ac-6affb12cb4d2"

# 08d542b9-071f-4e16-94b0-74abb372e3d9 is the well-known id of the
# "Group.Unified.Guest" template (the same in every tenant)
$params = @{
    templateId = "08d542b9-071f-4e16-94b0-74abb372e3d9"
    values = @(
        @{
            name = "AllowToAddGuests"
            value = "false"
        }
    )
}

New-MgGroupSetting -GroupId $GroupID -BodyParameter $params

Let’s check the Setting for the M365 Group again. Now we have this Setting.

###############################################################################
# Group Settings for Single M365 Group
###############################################################################
$GroupID = "a2c92da0-28f8-4069-89ac-6affb12cb4d2"
$GroupSettings = Get-MgGroupSetting -GroupId $GroupID
$GroupSettings
$GroupSettings | select -ExpandProperty values

#Invoke-MgGraphRequest
$GroupID = "a2c92da0-28f8-4069-89ac-6affb12cb4d2"
$URI = "https://graph.microsoft.com/beta/groups/$GroupID/settings"
$Result = Invoke-MgGraphRequest -Method "GET" -Uri $URI
$Result.Value | where {$_.DisplayName -eq "Group.Unified.Guest"} | select -ExpandProperty values

The Guest is still present. Setting AllowToAddGuests to false does not remove Guests that are already Members.

But you are unable to add Guests via Microsoft Teams.

List Guest Users

###############################################################################
# Get Guest User
###############################################################################
Get-MgUser -Filter "UserType eq 'Guest'"
Get-MgUser -Filter "UserType eq 'Guest' and Mail eq 'andres.bohren@gmail.com'"

Adding a Guest to the M365 Group via Microsoft Graph is still possible. The Setting blocks adding Guests in the Teams client, but not a direct membership change through the Graph API with Group.ReadWrite.All.

###############################################################################
# Add Guest User to Group
###############################################################################
$GroupID = "a2c92da0-28f8-4069-89ac-6affb12cb4d2"
$ObjectId = "44c21df7-55c7-4842-b7da-4d9395e37e9a" #andres.bohren@gmail.com
$params = @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$ObjectId"
}
New-MgGroupMemberByRef -GroupId $GroupID -BodyParameter $params

The Guest has been added

Remove the Guest

###############################################################################
# Remove Guest User from Group
###############################################################################
$GroupID = "a2c92da0-28f8-4069-89ac-6affb12cb4d2"
$ObjectId = "44c21df7-55c7-4842-b7da-4d9395e37e9a" #andres.bohren@gmail.com
Remove-MgGroupMemberByRef -GroupId $GroupID -DirectoryObjectId $ObjectId

Guest has been removed

Let’s update the Setting so that adding Guests is allowed again

###############################################################################
# Update Group Settings for Single M365 Group
###############################################################################
Import-Module Microsoft.Graph.Groups
$GroupID = "a2c92da0-28f8-4069-89ac-6affb12cb4d2"

$GroupSettings = Get-MgGroupSetting -GroupId $GroupID
$GroupSettingId = $GroupSettings.Id

$params = @{
    values = @(
        @{
            name = "AllowToAddGuests"
            value = "true"
        }
    )
}

Update-MgGroupSetting -GroupId $GroupID -GroupSettingId $GroupSettingId -BodyParameter $params

Now Teams lets you add Guests again.

To clean up, let’s remove the Setting from the M365 Group so the Tenant Setting is applied

###############################################################################
# Remove Group Settings for Single M365 Group
###############################################################################
Import-Module Microsoft.Graph.Groups
$GroupID = "a2c92da0-28f8-4069-89ac-6affb12cb4d2"

$GroupSettings = Get-MgGroupSetting -GroupId $GroupID
$GroupSettingId = $GroupSettings.Id

Remove-MgGroupSetting -GroupId $GroupID -GroupSettingId $GroupSettingId

Summary

You can use the “AllowToAddGuests” Setting Tenant wide or per M365 Group / Team. But you have to check yourself that no Guests are present in the M365 Group / Team at that time: there is no automatic removal of Guests when you change this Setting, and a Guest can still be added directly through the Graph API.
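Because the setting neither removes existing Guests nor stops a Graph-based add, the check worth automating is an audit across all M365 Groups for the state the post ran into: a group-level setting that blocks Guests while Guest members are still in it. The following is an added example, not code from the original post. It uses v1.0 endpoints with paging, assumes a Connect-MgGraph session with Group.Read.All, GroupSettings.Read.All and User.Read.All, and the function names and the optional -IncludeInheriting switch are my own.

```powershell
# Added example, not from the original post. Audits every M365 Group for the
# gap the post demonstrates: a group-level Group.Unified.Guest setting with
# AllowToAddGuests = "false" that still contains Guest members, because the
# setting never removes existing Guests and does not stop Graph-based adds.
# Assumes a Connect-MgGraph session with Group.Read.All, GroupSettings.Read.All
# and User.Read.All.

function Get-GraphCollection {
    # Follows @odata.nextLink so large tenants and large groups are fully enumerated
    param([string]$Uri)
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        foreach ($item in $page.value) { $item }
        $Uri = $page.'@odata.nextLink'
    }
}

function Find-GroupsBlockingGuestsWithGuests {
    [CmdletBinding()]
    param(
        # Also report groups that inherit the tenant value instead of setting their own
        [switch]$IncludeInheriting
    )

    $base   = 'https://graph.microsoft.com/v1.0'
    $groups = Get-GraphCollection -Uri "$base/groups?`$filter=groupTypes/any(c:c eq 'Unified')&`$select=id,displayName"

    foreach ($g in $groups) {
        # Group-level setting; $null means "inherit from tenant"
        $allow   = $null
        $setting = Get-GraphCollection -Uri "$base/groups/$($g.id)/settings" |
                   Where-Object { $_.displayName -eq 'Group.Unified.Guest' } | Select-Object -First 1
        if ($setting) {
            $entry = $setting.values | Where-Object { $_.name -eq 'AllowToAddGuests' } | Select-Object -First 1
            if ($entry) { $allow = [System.Convert]::ToBoolean($entry.value) }
        }

        # By default only groups that explicitly block guests are of interest
        $explicitBlock = ($allow -eq $false)
        $inherits      = ($null -eq $allow)
        if (-not $explicitBlock -and -not ($IncludeInheriting -and $inherits)) { continue }

        # OData cast to user so userType can be selected on the member list
        $members = Get-GraphCollection -Uri "$base/groups/$($g.id)/members/microsoft.graph.user?`$select=id,displayName,mail,userPrincipalName,userType"
        $guests  = @($members | Where-Object { $_.userType -eq 'Guest' })
        if ($guests.Count -eq 0) { continue }

        [pscustomobject]@{
            GroupId          = $g.id
            GroupDisplayName = $g.displayName
            AllowToAddGuests = $allow                 # $false, or $null when inheriting
            GuestCount       = $guests.Count
            Guests           = ($guests | ForEach-Object { $_.userPrincipalName }) -join '; '
        }
    }
}

# Usage:
# Find-GroupsBlockingGuestsWithGuests | Format-Table -AutoSize
# Find-GroupsBlockingGuestsWithGuests -IncludeInheriting | Export-Csv guest-audit.csv -NoTypeInformation
```

Run it with -IncludeInheriting when the tenant-wide value is false as well, since those groups block Guests just as effectively but carry no group-level setting object to find.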

Regards
Andres Bohren
