Tech Brief



Collaboration platforms, such as Microsoft Teams, provide uninhibited collaboration within the enterprise. But, increasingly large enterprises are using more than one Team Collaboration solution. And when you look outside the company to customers, partners, or suppliers, the number of collaboration platforms in use becomes even more diverse.

Microsoft Teams provides Guest Access as an alternative to interoperability. The Guest Access allows your Microsoft Teams users to invite ANY external users with a business or consumer email account, such as Gmail, to participate as a guest in your Microsoft Teams with full access to team chats, meetings, and files.

Though this sounds like an easy way to provide external access for your organization, there are limitations and security risks that you need to consider before enabling Guest Access across your organization. Let’s walk through the risks of enabling Guest Accounts on your Microsoft Teams.

Let’s walk through the risks of enabling Guest Accounts on your Microsoft Teams.

Security and Access Control

Setting up Microsoft Guest Access can be complicated, and security is a big concern. Microsoft Guest Access requires corresponding Azure AD accounts for the guests. This means when your users invite their external colleagues to collaborate, using Guest Accounts, their colleagues have to create and maintain Azure AD accounts.

Microsoft has decoupled Guest Accounts’ authorization from authentication. As a result, it’s nearly impossible for you to control whether these external Azure AD accounts have strong security measures like password complexity check, password expiration, and Two-Factor Authentication (2FA).

This allows hackers to prey on Guest Access Accounts with weak passwords to reach your unsuspecting Microsoft Teams users. Since these compromised guest accounts belong to other companies, you cannot disable them. As a result, they become permanent backdoors to your infrastructure. Most security experts view Microsoft Guest Access as an unmitigated risk to their infrastructure.

msteam admin center

Licensing Limitations

The number of Guest Accounts a company can extend is limited. For instance, Microsoft only allows five Guest Accounts per paid Azure AD license. In other words, a company with 1,000 Microsoft licenses can only send out 5,000 Guest Account invitations.

Further complicating the issue is that Microsoft Guest Accounts invites are not limited to MS Teams, but your users can send them for other Microsoft services such as sharing files on One Drive and SharePoint.

There is no limitation or control on how many Guest Account a user can send out as long as your company stays within its overall limit. So invitations can begin to pile up. If a user or team goes beyond your company’s limit, everyone else can not send Guest Account invites.

End User Support

End-user support could be more complex when using Guest Accounts. For example, if your partners decide to block their domains on the Microsoft O365 service, their end users cannot accept and use Guest Accounts.

In such a scenario, troubleshooting why Guest Accounts aren’t working is impossible. It will create unnecessary support escalations as your end-users become frustrated when they can’t work with their colleagues.

NextPlane for Microsoft Teams Federation

Unlike Microsoft Guest Access for MS Teams, NextPlane gives you user-level control on your federations. It also allows you to track and control your users by federated domains.

To provide you with user-level control requires your users to install the NextPlane app on their MS Teams clients and send chat invitations.

NextPlane app takes advantage of the Microsoft Bot Framework to provide a richer collaboration experience for both MS Teams and Non-MS Teams users:

  • Add external contacts
  • See external contacts’ profiles
  • Share presence
  • Exchange chat and IM messages with external contacts
  • Invite external users to channels
  • Send messages with rich-text
  • Send messages with emoji reactions
  • Share files

Microsoft Teams users only need the nextplane bot, which is available from NextPlane for MS Teams.

The nextplane bot is not an executable code. It’s a registration of NextPlane ConverseCloud within the MS Teams’ infrastructure. This registration provides NextPlane ConverseCloud with an access token to call MS Teams API methods and listen to MS Teams events on behalf of the installed NextPlane bots.

The nextplane bot only passes chat messages between your Microsoft Teams users and the NextPlane ConverseCloud. It treats Microsoft Teams chat inputs as a command and translates them into contact requests, such as SIP invites, and sends them to non-MS Teams contacts. When the contact request is accepted, it sends Microsoft Teams users a link to the peer-to-peer chat channel with the invited contact.


NextPlane ConverseCloud only uses the Microsoft Bot Framework to exchange chat messages with the Microsoft Teams users and does not use any other APIs, such as the Microsoft Graph API. By limiting all the internal operations and workflows to the Microsoft Bot Framework, NextPlane does not need or require access to any admin credentials or elevated privileges.

During the installation, the nextplane bot will request the following permissions:

  • To receive messages and data
  • To send messages and notifications
  • To access user profile information

To send and receive messages, NextPlane uses authenticated and encrypted channels. The federated platform may use TLS-enabled SIP, XMPP, or HTTP protocol. The Microsoft Teams users’ messages are transferred via the OAuth2-authenticated and TLS-enabled HTTP connection between NextPlane ConverseCloud and the Microsoft Bot Connector.


The permissions given to the nextplane bots allow NextPlane ConverseCloud to:

  • Listen to the Microsoft Teams events, like when users post new messages to their respective Microsoft Teams chat, add emoji, invoke an invite command, modify or delete messages.
  • Retrieve and send messages to the Microsoft Teams peer-to-peer chat.

Restricted by the Microsoft Teams Permissions model, NextPlane ConverseCloud can receive events, retrieve, or send messages only to those Microsoft Teams peer-to-peer chats where the NextPlane bots have been added. Otherwise, NextPlane ConverseCloud cannot listen to any events or perform any actions in these chats. Also, NextPlane ConverseCloud has no access to any kind of information (messages or files) shared in the Microsoft Teams channels where your users have not added the NextPlane bots.

NextPlane ConverseCloud collects different kinds of information, including personally identifiable ones. The following are the types of information NextPlane ConverseCloud collects:


ConverseCloud collects Microsoft Teams users’ ID and profile information (name and email) and keeps them in its database. ConverseCloud only uses this information to provide external contacts with their connected Microsoft Teams’ users’ contact details.

Log Data

The NextPlane servers automatically record a log entry for each message they process. The log entry contains only the metadata without the message content. The metadata consists of the following fields:

  • Sender address (e.g.,
  • Receiver address (e.g.,
  • Message type (IM, Presence, typing, error)
  • Time and date of the message
  • Chat session ID


Using NextPlane Management Portal, you can seamlessly connect different collaboration platforms within your company, or partners such as customers, partners, or suppliers outside your company. The NextPlane management portal provides customers with trailing 12 months of charts and graphs depicting the number of unique users, the number of messages exchanged, as well as detailed usage reports by internal and external federated domains and platforms.

Get More Information

NextPlane can help you with your interoperability and federation needs. Learn how the NextPlane ConverseCloud can help your business by visiting NextPlane, requesting a demo, or by connecting with us at

Download Report