Jul 8, 2019 - 6 min read
Microsoft Teams External Collaboration Options – Guest Accounts vs. Direct Federation
In order for collaboration to truly flourish, platforms need to reach beyond the boundaries of your organization and allow for open collaboration with partners and customers. Unfortunately, those customers and partners might use different team collaboration solutions or they might still use a legacy Unified Communications platform.
You may think that even if there are multiple collaboration platforms within the enterprise, your teams and workers can still communicate across different platforms. Many of the new team collaboration platforms like Microsoft Teams or Slack include guest access, allowing anyone to invite an outside user (outside of a team or an organization) to join the platform and collaborate via chat, join channels, share files, etc.
While these platforms provide some options for connectivity, they are not truly open. And there are limitations, cost considerations and security risks in the current form of interoperability that these platforms provide.
For Microsoft Teams users, Microsoft includes Guest Access, which enables inter-company (outside your organization) collaboration via chat or channels for external partners, customers, suppliers, etc. This means your users can invite ANY external user with a business or consumer email account, such as Gmail, to participate as a guest in Microsoft Teams with full access to team chats, meetings, and files. Though this sounds like an easy way to provide external access to your organization, there are limitations and additional support that IT should be aware of in order to maintain security and control while preventing cost overruns. Below are a few to keep in mind:
User Authorization and Authentication
First and foremost, MS Teams guest accounts require corresponding Azure AD accounts. This means when your users invite their external colleagues to collaborate using an MS Teams guest account, their external colleagues have to create and maintain Azure AD accounts.
However, it’s nearly impossible for you to control whether these external Azure AD accounts have strong security measures like password complexity, password expiration, and Two-Factor Authentication (2FA). Microsoft became aware of these security concerns, and as a result, decoupled guest accounts’ authorization from authentication. Authentication will be managed by the external users, which you cannot control, but the authorization can be controlled by your organization.
Given today’s landscape, hackers can wreak havoc on weak guest accounts and gain access to unsuspecting end-users. Increasingly, IT departments view guest access as an unmitigated risk to their infrastructure.
Once the guest accounts are granted, as the MS Teams admin you need to manage them. However, since these users belong to other companies you cannot disable their guest accounts when they leave their organization. This can create additional security and access control headaches.
End-User Support
A lack of end-user support is another issue that comes up with guest accounts. For example, if your partners decide to block domains on the Microsoft O365 service, their end users cannot accept and use guest accounts to collaborate with workers within your company. In such a scenario, troubleshooting why guest accounts aren’t working is impossible and will create unnecessary support escalations as your end-users become frustrated when they can’t work with their colleagues.
Licensing Limitations and Costs
The number of guest accounts a company can extend is limited. For instance, Microsoft only allows five guest accounts per paid Azure AD license. In other words, a company with 1,000 Microsoft licenses can only send out 5,000 guest account invitations.
Further complicating the issue is that Microsoft guest accounts invites are not limited to MS Teams, but can be sent out for other Microsoft services such as sharing files on One Drive and SharePoint. Moreover, there is no limitation or control on how many guest account invites a user can send, as long as your company stays within its overall limit. So invitations can begin to pile up. If any one user or team goes beyond a company’s limit, this prevents everyone from sending out guest account invites.
Direct Federation
As an alternative to guest access, Microsoft also offers a limited form of Direct Federation. The main difference between guest access and the direct federation is that direct federation only provides presence and one-to-one chat sessions. With guest access, you can grant permissions for external users to participate in channels, share files and access your corporate resources, such as One Drive.
Direct federation is a more secure way for collaboration with external parties. Unlike guest accounts, you can be sure the external user is on a managed UC or collaboration platform and that they don’t have access to any of your corporate resources. On the other hand, it offers limited capabilities. Below is a detailed comparison of both options.
Table 1 – Feature comparison of Guest and Microsoft Direct Federation (source: Technet)
| Feature | MS Direct Federation | Guest Accounts |
| Chat | Yes | Yes |
| Presence | Yes | Yes |
| Voice Call | Yes | Yes |
| Search for users across external tenants | Yes | No |
| Share Files | No | Yes |
| Access to Teams resources | No | Yes |
| Channels and Group Chat | No | Yes |
| Meeting | Yes | Yes |
| Additional users can be added to a chat with an external user | No | N/A |
| User is identified as an external party | Yes | Yes |
| Out of office message is shown | No | Yes |
| Blocking individual users | No | Yes |
| @mentions are supported | No | Yes |
While guest accounts seem like the best option to enable B2B communication between enterprises, it is important to remember that once your organization provides guest access to external users, situations could arise where these guest accounts expose your organization to security risks.
Since guest accounts are normally connected to Azure AD accounts (B2B federation), when your users invite someone, you take a security risk as it is unclear that the Azure AD account with which the guest account is connected effectively managed or not.
A Different Alternative
We believe that inter-company communication should be controlled as much as possible with both organizations participating in full control of their users.
Inter-company collaboration and communication should be seamless and secure. Enterprises should always be able to use their preferred Unified Communications or Team Collaboration tool to maintain control over all communication and collaboration. To eliminate security, support and cost issues, we recommend using a unique API based integration which provides federation capabilities between managed platforms, so the stakeholders of the organizations can be sure that communication to other parties is only done with their explicit consent.