Comparing Slack, Microsoft Teams, and Cisco Webex Teams Guest Account Management
The digital work hub is shifting from email to team collaboration applications. Increasingly, users rely on them as their primary means of engaging with their co-workers to manage tasks, workflows, group conversations, shared documents, and meetings.
Also, team collaboration is rapidly extending beyond enterprise boundaries as companies look to embrace team apps to improve engagement with partners, suppliers, and customers.
Recent studies show that nearly half (49%) of respondents said that business discussions, tasks, or transactions happening with users outside the company have now shifted from email to team collaboration platforms.
However, managing collaboration with external partners remains complicated. A lack of interoperability between collaboration platforms means organizations need a plan for handling collaboration with partners outside of the organization.
IT departments need to consider which platforms best support external collaboration. Additionally, they should plan how to provide access to external partners and manage the end of a collaborative project.
The most obvious option is to assign external team members accounts and licenses so they would look and act as if they all belong to the same company. However, this approach comes with several inherent pitfalls. Aside from cost considerations, these include the need to assign corporate email addresses and enforce access controls to ensure external team members can reach only the resources they need in the context of the project. As you might guess, this can lead to an administrative and data security nightmare.
Another option is for the host organization to invite external members to specific team collaboration resources on an as-needed basis as third-party guests. By default, guest access creates the proper levels of separation when working with external parties.
Currently, 44.2% of organizations rely on guest access for third-party collaboration, either to enable external access to their team collaboration platform or to allow their employees to use external team collaboration apps to connect with partner organizations.
Guest access works seamlessly if the external members have the same platform as the host organization. Also, depending on the team collaboration platform, the host and guest organizations using similar platforms, such as Slack, can merge, yet maintain separate access and data security.
For instance, with Slack Connect, separate organizations can collaborate in a Slack channel, each from within their own Slack workspace. Members can send direct messages, upload files, use apps and integrations, and start calls—all in a common space.
Microsoft Teams offers an external access federation option for Skype for Business customers that do not want to use guest accounts. However, this option is limited to IM and Presence messages.
But when it comes to managing collaboration with external partners that have different platforms, things become complicated. These organizations and their users have to create and use a stripped-down freemium guest account. A free account may or may not have all the features needed for collaboration, and the external partner may be required to purchase a license.
According to Nemertes, nearly 42% of organizations run more than one team collaboration app internally. In such a case, external partners’ users may have to purchase several guest accounts to collaborate with the users of the host organization.
Also, administrators have no idea how far away from home their users are playing. Once someone accepts an invitation from another platform, everything they do inside that platform is invisible to the administrator of their home platform.
In general, the guest access method works well when companies need to add a few external members to a team. However, this capability can quickly become unmanageable when working with a third-party company that requires hundreds or more guest accounts.
In this article, I would like to compare the guest account management capabilities of Microsoft Teams, Slack, and Cisco Webex Teams.
Security and Access Control
Slack
Slack guest accounts are available only on paid plans (Standard, Plus, and Enterprise Grid) and can be either Multi-Channel or Single-Channel. Multi-Channel Guests only have access to the invited channels. Slack charges for Multi-Channel Guests, and you can add them to an unlimited number of channels.
Neither Multi-Channel nor Single-Channel Slack guest accounts offer strong security measures like password complexity checks, password expiration, and Two-Factor Authentication (2FA).
Slack Admins must manually provision guest accounts one by one. Admins can choose an automatic expiration date for each guest account.
Cisco Webex Teams
When Webex Teams users send invitations, non-Webex users are NOT initially required to have a Webex Teams account to communicate with Webex users. However, this temporary access, available via URL, is only valid for 24 hours. After 24 hours, the external users must sign up for a Webex Teams account to continue collaborating with their colleagues through the platform.
The password policy for external Webex Teams accounts only requires letters and numbers and does not include Two-Factor Authentication (2FA). As a result, it’s nearly impossible for you to control whether accounts have strong security measures like password complexity check, password expiration, and Two-Factor Authentication (2FA).
Microsoft Teams
To understand Microsoft guest access, we should point out that guest access differs from external access in Microsoft Teams.
- External access gives access permission to an entire domain—allowing Teams users from other domains to find, contact, and set up meetings with you. External users can call you through Teams and send instant messages. But if you want them to be able to access teams and channels, guest access might be the better option.
- Guest access is when you invite an external user to be a member of the team—it gives access permission to an individual rather than a domain. Once a team owner has granted someone guest access, they can access that team’s resources, share files, and join a group chat with other team members.
Microsoft guest access requires corresponding Azure AD accounts for the guests. As a result, when users invite external colleagues who do not have O365 accounts to collaborate, those colleagues must create and maintain Azure AD accounts.
Microsoft has detached the authorization of guest accounts from the authentication. By default, external Azure AD accounts do not have strong security measures like password complexity check, password expiration, and Two-Factor Authentication (2FA).
Once added to a team, an external user is considered a member, so there’s no way to make their access “read-only.”
Also, you cannot invite a guest to a specific channel in a team. You would need to either create a separate team dedicated to collaborating with internal users—or create private channels to hide particular content and conversations from guests within the team.
Delete/Remove Guest Accounts
Guest accounts require active management. For instance, contractors, clients, interns, and temporary employees join and leave projects or change jobs or companies. Microsoft, Slack, and Cisco provide the ability to delete or remove guest accounts. However, managing guest accounts can become a security and management burden, which can result in hidden costs.
Also, administrators have no idea how far away from home their users are playing. Once someone accepts an invitation from another platform, everything they do inside that platform is invisible to the administrator of their home platform. For instance, given the success of Microsoft Teams, a user can end up being a guest in a surprising number of Microsoft Teams tenants.
Licensing Limitations & Costs
Slack
Single-Channel guest users are free. However, there is a limitation of 5 single-channel guest users per paid Slack user. In other words, a company with 1,000 Slack licenses can only send out 5,000 single-channel guest invitations.
There is no limitation on Multi-Channel guest users. However, Slack invoices them at the regular member prices.
Depending on the pricing plan, Slack bills between $8 and $15 per person per month. As a result, 1,000 Multi-Channel guest users can cost up to $15,000.
Cisco Webex Teams
Managing external Webex Teams accounts, limiting their access, or limiting their number requires Cisco Webex Control Hub Pro Pack, at an additional cost of over $30.00 per user per month.
Microsoft Teams
The number of guest accounts a company can extend is limited. For instance, Microsoft only allows five guest accounts per paid Azure AD license. In other words, a company with 1,000 Microsoft licenses can only send out 5,000 Guest Account invitations.
Microsoft guest account invites are not limited to MS Teams; users can also send them for other Microsoft services, such as sharing files on OneDrive and SharePoint.
There is no limitation or control on how many guest account invitations a user can send out as long as your company stays within its overall limit. So, invitations can begin to pile up. If a user or team goes beyond your company’s limit, no one else can send guest account invites.
According to a recent report by Nemertes, guest accounts are problematic for several reasons:
- Lack of ability to enforce security policies or to monitor what is being shared by employees on external team apps.
- Lack of ability to manage revocation of guest account access for those using guest accounts to allow external access to internal team spaces, and for employees who are using external team apps.
As a result, according to Irwin Lazar of Nemertes, “the use of guest accounts represents a significant security threat to an organization’s information resources. Guest accounts are also inefficient for employees and create administrative overhead for IT managers.”
The alternative to Guest Accounts – NextPlane Intercompany Collaboration
As a general rule, guest accounts are not a viable option for large enterprise companies. Also, external partners may not allow their employees to have guest accounts, or they may be in regulated industries, such as healthcare and financial services, where guest accounts can potentially trigger compliance issues.
Also, administrators have no idea how far away from home their users are playing. Once someone accepts an invitation from another platform, everything they do inside that platform is invisible to the administrator of their home platform. People can have accounts on multiple platforms. Given the success of Microsoft Teams, a user on Slack or Cisco Webex Teams can end up being a guest in a surprising number of Teams tenants.
Compliance is the obvious driver for why such oversight might be needed. Companies invest heavily in technologies like communications compliance policies to ensure their company remains within regulatory and legal requirements. Everything works well if collaboration activity remains inside the company. But if someone becomes a guest in another platform and begins communicating there (for instance, inside Slack chats or channel conversations), there’s no trace of what they are doing visible to their company, which undermines a carefully built compliance regime.
NextPlane eliminates the need for external users to have access to your workspaces, chats, channels, and files. It also minimizes the IT administrative burden.
NextPlane intercompany federation allows host organizations to connect to their external partners securely. As a result, their users can send messages, share their presence status & files, and participate in workspaces & channels, without leaving their respective client applications. Also, external contacts can do the same without leaving their preferred tools.
Using NextPlane Management Portal, you can seamlessly connect your organization with customers, partners, or suppliers. The NextPlane management portal gives you detailed reports on the users, the number of messages exchanged, as well as detailed usage reports by external partners.