This chapter covers Teams channels and external access governance, a core topic for the MS-102 exam under objective 1.3 (Tenant Management). You'll learn how to configure channel types (standard, private, shared), manage guest access, and enforce external sharing policies to secure collaboration. Expect 10-15% of exam questions to touch on these concepts, often in scenario-based items requiring you to choose the correct policy or permission setting.
Think of a Microsoft Teams team as a corporate filing cabinet dedicated to a project. The cabinet itself (the team) has a set of keys (permissions) that control who can open it. Inside the cabinet are several hanging folders (channels) — each folder is for a specific topic like "Budget" or "Design Specs." Each folder can have sub-folders (private channels) that only certain people can see, even if they have the cabinet key. The cabinet also has a shared notebook (Wiki tab) and a bulletin board (Posts tab) where everyone with access can leave notes. Now, external access governance is like deciding whether to let people from other companies borrow a key to the cabinet. You can issue a temporary badge (guest access) that lets them open the cabinet and see only the folders you choose. But you must set rules: guests can't create new folders (channels) unless you allow it, and their badge expires after a set time. If you don't lock down the cabinet properly, a guest might wander into a folder marked "Confidential" — that's a data leak. The MS-102 exam tests your ability to configure these folder permissions, guest badges, and sharing rules so that the right people have the right access to the right folders, and no more.
What Are Teams Channels and Why Do They Exist?
Microsoft Teams channels are sub-areas within a team that organize conversations, files, and apps by topic or workstream. They exist to provide structure and security — without channels, all discussions would be in a single chaotic feed. Channels allow you to scope permissions, control access to sensitive data, and integrate specific apps per topic. The MS-102 exam tests your ability to govern these channels, especially regarding external users.
Types of Channels
Teams offers three channel types, each with distinct governance implications:
Standard channels: Visible to all team members. Any team member can create a standard channel (by default). They inherit the team's sharing settings and guest access.
Private channels: Visible only to a subset of team members. Each private channel has its own SharePoint site collection, separate from the team's main SharePoint site. Only owners can create private channels (by default). Guests can be added to private channels individually.
Shared channels: Introduced later, shared channels allow you to add people from outside the team (including from other organizations) without making them guests of the tenant. Shared channels have their own SharePoint site and can be created by team owners and members (if allowed). External participants in shared channels do not count against the guest license limit.
External Access Governance Components
External access governance in Teams involves three distinct mechanisms:
Guest access: Users from other organizations are added as Azure AD B2B guests. They have a guest account in your tenant and must accept an invitation. Guests can be added to teams and channels (except shared channels, which use a different model). Guest access is controlled at the tenant level via the Teams admin center > Org-wide settings > Guest access. Key toggles include:
- Allow guest access in Teams (on/off)
- Make private calls (default: on)
- Use IP video (default: on)
- Screen sharing mode (default: entire screen)
- Meet (default: on)
External access (federation): Allows users from other domains to communicate via chat, call, and meeting without being guests. Federation is domain-based; you can allow or block specific domains. Federation does NOT grant access to teams or channels — it's only for 1:1 and group chat, calls, and meeting invitations.
Shared channel external participation: Allows users from other organizations to be added directly to a shared channel without a guest account. This uses Azure AD B2B direct connect, which requires mutual trust configuration between tenants. Shared channels are governed by the "Shared channel" settings in Teams admin center > Teams policies > Channels policies.
Step-by-Step Mechanism of Guest Access
When you add a guest to a team:
The team owner or member (if allowed) adds the guest's email address in the Teams client.
Teams sends an invitation via Azure AD B2B. The guest must accept the invitation.
Upon acceptance, a guest user object is created in your Azure AD. The user type is set to "Guest."
The guest is added to the team's membership list. They see only standard channels and any private channels to which they are explicitly added.
Guest permissions are governed by the guest access settings in Teams admin center. By default, guests have limited capabilities:
- Cannot create teams or channels
- Cannot browse public teams (unless allowed)
- Cannot use the "People" app
- Cannot use the "Org chart" app
Key Defaults and Timers
Guest access: Disabled by default in new tenants. Must be explicitly enabled.
External access (federation): Enabled by default for all domains. You can block specific domains or allow only specific domains.
Shared channel external participation: Disabled by default. Requires enabling in the Teams admin center and configuring cross-tenant access settings in Azure AD.
Guest invitation expiration: By default, invitations never expire for guests who haven't redeemed. You can set a redemption expiration (e.g., 30 days) via Azure AD external identities settings.
Guest user object cleanup: Azure AD guest objects remain in the tenant even after removal from teams, until deleted manually or via lifecycle management policies.
Configuration via PowerShell and Admin Center
To manage guest access via PowerShell:
# Connect to Teams PowerShell
Connect-MicrosoftTeams
# Get the tenant-wide guest access switch
Get-CsTeamsClientConfiguration | Select-Object AllowGuestUser
# Get guest calling and meeting settings (private calls, IP video, screen sharing mode)
Get-CsTeamsGuestCallingConfiguration | Select-Object AllowPrivateCalling
Get-CsTeamsGuestMeetingConfiguration | Select-Object AllowIPVideo, ScreenSharingMode
# Enable guest access
Set-CsTeamsClientConfiguration -AllowGuestUser $true
# Set screen sharing mode for guests
Set-CsTeamsGuestMeetingConfiguration -Identity Global -ScreenSharingMode EntireScreen
To manage external access (federation):
# Get current federation configuration
Get-CsTenantFederationConfiguration | Select-Object AllowFederatedUsers, BlockedDomains, AllowedDomains
# Block a specific domain (the cmdlet expects a domain pattern object, not a bare string)
$blocked = New-CsEdgeDomainPattern -Domain "malicious.com"
Set-CsTenantFederationConfiguration -BlockedDomains @{Add=$blocked}
To manage shared channels policies:
# Get channel policies
Get-CsTeamsChannelsPolicy | Select-Object Identity, AllowChannelSharingToExternalUser, AllowPrivateChannelCreation
# Create a policy that allows external sharing in shared channels
New-CsTeamsChannelsPolicy -Identity "SharedChannelExternal" -AllowChannelSharingToExternalUser $true
Interaction with Related Technologies
Azure AD B2B: Guest access relies on Azure AD B2B collaboration. Guest users are subject to Azure AD conditional access policies, MFA, and sign-in logs.
SharePoint: Each team and private channel has a SharePoint site. File sharing permissions in SharePoint can override Teams channel permissions if not aligned. For example, if a guest is removed from a team but still has direct SharePoint access to a document, they can still access it.
Microsoft 365 Groups: Every team is backed by a Microsoft 365 group. The group's membership governs access to the team, its SharePoint site, Planner, and other connected services. Adding a guest to a team adds them to the underlying Microsoft 365 group.
Information Protection: Sensitivity labels can be applied to teams and channels to enforce encryption or access restrictions. Labels can prevent external sharing entirely. This is configured via the Microsoft Purview compliance portal.
Exam-Relevant Details
The exam often asks: "A user from another organization needs to collaborate in a channel without being a guest. What should you use?" Answer: Shared channels with external participants.
Another common question: "You need to prevent guests from creating channels. What setting do you configure?" Answer: In Teams admin center > Org-wide settings > Guest access, disable "Allow guests to create channels." Note: This setting only appears after guest access is enabled.
Trap: "External access" and "guest access" are often confused. External access (federation) is for chat/call only. Guest access is for team/channel membership.
The exam tests default values: Guest access is off by default. External access is on by default (all domains). Shared channel external participation is off by default.
Summary of Governance Controls
Tenant-level: Enable/disable guest access, federation, shared channel external sharing.
Team-level: Team owners can add/remove guests, create channels, and assign channel moderators.
Channel-level: Private channels restrict visibility; shared channels allow external participants without guest accounts.
Policy-level: Teams policies can restrict who can create private channels, who can create shared channels, and whether external sharing is allowed in shared channels.
Compliance-level: Sensitivity labels can block external sharing, apply encryption, or require MFA.
To pass the MS-102 exam, you must understand not only the configuration steps but also the underlying mechanisms — how guest accounts differ from federated users, how shared channels avoid guest licensing, and how policies cascade from tenant to team to channel.
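One way to check the tenant-level and policy-level switches summarized above against a written baseline, as an added PowerShell example that is not part of the original chapter. Test-ExternalAccessBaseline and its baseline parameters are hypothetical, the AllowedDomains.AllowedDomain shape is an assumption about the federation object, and the snapshot at the bottom is constructed sample data.

```powershell
# Added example, not from the original chapter. Test-ExternalAccessBaseline is a
# hypothetical helper; its inputs mirror the output of these Teams module cmdlets:
#   Get-CsTeamsClientConfiguration      (AllowGuestUser)
#   Get-CsTenantFederationConfiguration (AllowFederatedUsers, AllowedDomains)
#   Get-CsTeamsChannelsPolicy           (Identity, AllowChannelSharingToExternalUser)
function Test-ExternalAccessBaseline {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] $ClientConfig,
        [Parameter(Mandatory)] $FederationConfig,
        [Parameter(Mandatory)] [object[]] $ChannelsPolicy,
        # Baseline values are assumptions for this example; set them to your own standard.
        [bool] $GuestAccessExpected = $false,
        [bool] $OpenFederationExpected = $false,
        [string[]] $ApprovedSharingPolicy = @()
    )

    # 1. Guest access: the tenant-wide master switch for B2B guests in teams.
    $guestOn = [bool]$ClientConfig.AllowGuestUser
    if ($guestOn -ne $GuestAccessExpected) {
        [pscustomobject]@{
            Mechanism = 'Guest access'
            Scope     = 'Tenant'
            Detail    = "AllowGuestUser is $guestOn; baseline expects $GuestAccessExpected"
        }
    }

    # 2. External access (federation): chat/call only, but open to every domain
    #    when federation is on and no allow list is configured.
    #    Assumption: an allow list exposes its entries as AllowedDomains.AllowedDomain.
    $allowList = @($FederationConfig.AllowedDomains.AllowedDomain | Where-Object { $_ })
    $openToAll = [bool]$FederationConfig.AllowFederatedUsers -and $allowList.Count -eq 0
    if ($openToAll -and -not $OpenFederationExpected) {
        [pscustomobject]@{
            Mechanism = 'External access (federation)'
            Scope     = 'Tenant'
            Detail    = 'Federation is enabled with no allow list; all external domains can chat and call'
        }
    }

    # 3. Shared channels: each channels policy can permit external participants.
    foreach ($policy in $ChannelsPolicy) {
        if ($policy.AllowChannelSharingToExternalUser -and
            $policy.Identity -notin $ApprovedSharingPolicy) {
            [pscustomobject]@{
                Mechanism = 'Shared channel external participation'
                Scope     = "Policy $($policy.Identity)"
                Detail    = 'AllowChannelSharingToExternalUser is True on a policy that is not approved for it'
            }
        }
    }
}

# Constructed sample snapshot so the check runs offline. Against a live tenant use:
#   $client   = Get-CsTeamsClientConfiguration
#   $fed      = Get-CsTenantFederationConfiguration
#   $policies = Get-CsTeamsChannelsPolicy
$client = [pscustomobject]@{ AllowGuestUser = $true }
$fed = [pscustomobject]@{
    AllowFederatedUsers = $true
    AllowedDomains      = [pscustomobject]@{ AllowedDomain = @() }
}
$policies = @(
    [pscustomobject]@{ Identity = 'Global'; AllowChannelSharingToExternalUser = $true }
    [pscustomobject]@{ Identity = 'Tag:SharedChannelExternal'; AllowChannelSharingToExternalUser = $true }
)

# Three findings for this sample: guest access on, open federation, Global policy sharing externally.
Test-ExternalAccessBaseline -ClientConfig $client -FederationConfig $fed -ChannelsPolicy $policies `
    -ApprovedSharingPolicy 'Tag:SharedChannelExternal' | Format-Table -AutoSize
```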
Enable Guest Access Tenant-Wide
In the Teams admin center, navigate to Org-wide settings > Guest access. Set 'Allow guest access in Teams' to On. This toggle is the master switch — if Off, no guest can be added to any team. After enabling, configure guest-specific permissions like calling, video, and screen sharing. These settings apply to all guests across all teams. Note: It can take up to 24 hours for the change to fully propagate. Verify by checking the guest access section; the 'Allow guest access' toggle must be On and the sub-settings must be configured as desired.
Configure External Access (Federation)
In Teams admin center > Org-wide settings > External access, you can manage federation. By default, all external domains are allowed. To restrict, choose 'Allow only specific external domains' and add allowed domains, or block specific domains. This setting affects only 1:1 and group chat, calls, and meeting invitations — not team membership. Federation does not require the external user to accept an invitation; they just need to be signed into their own tenant. To block all federation, set 'Allow all external domains' to Off and add no domains.
Set Up Shared Channels for External Collaboration
First, enable external sharing for shared channels in Teams admin center > Teams policies > Channels policies. Create or modify a policy with 'Allow channel sharing with external users' set to On. Then, assign this policy to users who will create shared channels. Additionally, in Azure AD > External Identities > Cross-tenant access settings, configure inbound and outbound trust settings for the external organization. Both tenants must agree to the trust. Once configured, a team owner can create a shared channel and add external users directly by email — no guest invitation required.
Create and Manage Private Channels
By default, only team owners can create private channels. To allow members to create private channels, modify the Teams policy assigned to those members. In Teams admin center > Teams policies > Channels policy, set 'Create private channels' to On. When a private channel is created, a new SharePoint site collection is provisioned for that channel. Only members of the private channel can see it. To add a guest to a private channel, the guest must already be a member of the team. Then, the private channel owner can add the guest directly from the channel's membership list.
Apply Sensitivity Labels to Restrict External Sharing
In Microsoft Purview compliance portal, create a sensitivity label that blocks external sharing. Under 'Protection settings', choose 'Control access' and set 'Let users assign permissions' to Off. Then, under 'Control sharing from SharePoint and Teams', select 'Block external sharing'. Publish the label to users. In Teams, owners can apply this label to a team via Settings > Sensitivity. Once applied, no guest can be added to that team, and existing guests are not removed but new guest additions are blocked. This label also affects the team's SharePoint site.
Scenario 1: Multinational Corporation with External Consultants
A large enterprise works with multiple consulting firms. Each consultant needs access to specific teams and channels but not the entire tenant. The company enables guest access tenant-wide and creates a separate team per project. Consultants are added as guests to their respective teams. To prevent guest sprawl, the company sets a guest invitation expiration of 30 days via Azure AD external identities settings. They also create a Teams policy that disables guest screen sharing to reduce support overhead. The challenge is that guests accumulate in Azure AD even after projects end. The solution: use Azure AD access reviews to automatically remove guests who haven't signed in for 90 days. In production, they monitor guest activity via Azure AD sign-in logs. Misconfiguration example: If the guest access toggle is accidentally turned off, all guests lose access immediately — a common outage scenario.
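The guest clean-up problem in this scenario can also be checked ad hoc, shown here as an added PowerShell example that is not part of the original chapter. Get-StaleGuest is a hypothetical helper, the 30-day and 90-day thresholds are the scenario's values, the user objects are constructed sample data, and the live query in the comments assumes the Microsoft Graph PowerShell SDK with permission to read sign-in activity.

```powershell
# Added example, not from the original chapter. Get-StaleGuest is a hypothetical helper.
# It expects user objects shaped like Microsoft Graph users with the properties
# UserType, UserPrincipalName, CreatedDateTime, ExternalUserState and SignInActivity.
function Get-StaleGuest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [int] $InactiveDays = 90,      # scenario value: no sign-in for 90 days
        [int] $UnredeemedDays = 30,    # scenario value: invitation expiration of 30 days
        [datetime] $Now = (Get-Date)
    )
    process {
        if ($User.UserType -ne 'Guest') { return }   # members are out of scope

        $created    = [datetime]$User.CreatedDateTime
        $lastSignIn = $User.SignInActivity.LastSignInDateTime
        $reason     = $null

        if ($User.ExternalUserState -eq 'PendingAcceptance') {
            # Invitation was sent but never redeemed.
            if (($Now - $created).TotalDays -gt $UnredeemedDays) {
                $reason = "Invitation unredeemed for more than $UnredeemedDays days"
            }
        }
        else {
            # No recorded sign-in: measure from creation so new guests get a grace period.
            $reference = if ($lastSignIn) { [datetime]$lastSignIn } else { $created }
            if (($Now - $reference).TotalDays -gt $InactiveDays) {
                $reason = "No sign-in for more than $InactiveDays days"
            }
        }

        if ($reason) {
            [pscustomobject]@{
                UserPrincipalName = $User.UserPrincipalName
                Created           = $created
                LastSignIn        = $lastSignIn
                Reason            = $reason
            }
        }
    }
}

# Constructed sample guests so the function runs offline. Against a live tenant:
#   Connect-MgGraph -Scopes 'User.Read.All','AuditLog.Read.All'
#   $guests = Get-MgUser -All -Filter "userType eq 'Guest'" `
#       -Property Id,UserPrincipalName,UserType,CreatedDateTime,ExternalUserState,SignInActivity
$guests = @(
    [pscustomobject]@{ UserPrincipalName = 'active_partner.example#EXT#@host.example'; UserType = 'Guest'
        CreatedDateTime = '2024-01-10'; ExternalUserState = 'Accepted'
        SignInActivity = [pscustomobject]@{ LastSignInDateTime = '2024-05-20' } }
    [pscustomobject]@{ UserPrincipalName = 'idle_partner.example#EXT#@host.example'; UserType = 'Guest'
        CreatedDateTime = '2023-09-01'; ExternalUserState = 'Accepted'
        SignInActivity = [pscustomobject]@{ LastSignInDateTime = '2024-01-15' } }
    [pscustomobject]@{ UserPrincipalName = 'never_partner.example#EXT#@host.example'; UserType = 'Guest'
        CreatedDateTime = '2024-03-01'; ExternalUserState = 'PendingAcceptance'
        SignInActivity = $null }
)

# With the fixed date below, the idle and never-redeemed guests are reported; the active one is not.
$guests | Get-StaleGuest -Now ([datetime]'2024-06-01') | Format-Table -AutoSize
```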
Scenario 2: Healthcare Organization with Strict Compliance
A hospital needs to collaborate with a research partner on a clinical trial. Due to HIPAA, external users cannot be guests (which require guest accounts in the tenant). Instead, they use shared channels. Both tenants configure cross-tenant access in Azure AD, enabling inbound and outbound trust for shared channels. The hospital creates a shared channel in the research team and adds the partner's users directly. No guest accounts are created. The channel has a sensitivity label that encrypts all files and prevents downloading. Performance consideration: Shared channels use a separate SharePoint site; ensure the partner's users have appropriate licenses (Azure AD External ID free tier is sufficient for direct connect). Common misconfiguration: If the partner tenant does not enable outbound trust, the shared channel invitation fails silently.
Scenario 3: Education Institution with Federated Collaboration
A university allows students to collaborate with peers at other universities via Teams. They enable external access (federation) for all domains. Students can chat, call, and meet with external users without any guest setup. However, the university wants to prevent external users from being added to class teams. They disable guest access tenant-wide. They also block federation with specific high-risk domains. This works well for ad-hoc collaboration but limits structured team membership. The trade-off: federation is easy but doesn't allow channel-level access. The university later decides to enable guest access for specific research teams only, using a Teams policy that allows guest access only for those teams via a custom policy assignment.
MS-102 Exam Coverage
This topic falls under Objective 1.3: Manage tenant management and governance. Specifically, you must be able to:
Configure guest access in Teams (1.3.1)
Manage external access (federation) (1.3.2)
Configure shared channel settings (1.3.3)
Apply sensitivity labels to teams (1.3.4)
Common Wrong Answers and Why
"External access allows users to join teams." Wrong. External access (federation) only enables 1:1 chat, group chat, calls, and meeting invitations. To join a team, the user must be added as a guest or via shared channel.
"Guests can create private channels by default." Wrong. By default, guests cannot create any channels. Even if the tenant allows guests to create channels (via guest access settings), they can only create standard channels. Private channel creation is restricted to team owners/members based on policy.
"Shared channels require guest accounts." Wrong. Shared channels use Azure AD B2B direct connect, which does not create guest accounts. External users are added directly without a B2B invitation.
"Sensitivity labels applied to teams automatically block all external users." Wrong. Sensitivity labels can block external sharing, but they do not remove existing guests. They only prevent new guest additions. Also, labels affect the entire team, including its SharePoint site.
Specific Numbers and Values Tested
Guest access default: Off
External access default: All domains allowed
Shared channel external sharing default: Off
Maximum number of private channels per team: 30 (not 200)
Maximum number of shared channels per team: 50 (not 200)
Maximum number of members in a private channel: 250 (not 100)
Guest invitation expiration: up to 90 days (configurable via Azure AD)
Edge Cases and Exceptions
If a user is added as a guest to a team and then the team is converted to a private channel, the guest remains in the team but not in the private channel automatically.
If a sensitivity label blocks external sharing, but a guest already has access, they retain access until manually removed.
Shared channels can be created by team members only if the policy allows. The default is owners only.
External participants in shared channels cannot be added to the parent team or other channels.
How to Eliminate Wrong Answers
If the question mentions "adding an external user to a team," the answer is either guest access or shared channel. Look for clues: if the user needs access to multiple channels, guest access is required. If only one channel, shared channel may be used.
If the question mentions "licensing," shared channels avoid guest licenses because external users use their own tenant licenses.
If the question says "block all external communication except with specific domains," configure external access to allow only specific domains, not guest access.
Guest access must be explicitly enabled in Teams admin center; it is off by default.
External access (federation) enables chat/call only, not team membership.
Shared channels allow external users without guest accounts, but require mutual cross-tenant trust.
Private channels have a separate SharePoint site and are limited to 30 per team.
Shared channels are limited to 50 per team and 250 members per channel.
Sensitivity labels can block external sharing but do not remove existing guests.
Guest invitation expiration can be set in Azure AD from 0 to 90 days (default: no expiration).
Guests cannot create private channels by default; private channel creation is controlled by Teams policy.
The 'Allow guests to create channels' setting only appears after guest access is enabled at tenant level.
To remove a guest's access, remove them from the team (or Microsoft 365 group) and optionally delete the guest object from Azure AD.
These come up on the exam all the time. Here's how to tell them apart.
Guest Access
Creates Azure AD B2B guest account in host tenant
Requires guest license (Azure AD External ID) for each guest
Guest can be added to multiple teams and channels
Guest must accept invitation
Guest permissions controlled by tenant-level guest access settings
Shared Channels
Uses Azure AD B2B direct connect — no guest account
External user uses their own tenant license
External user can only be added to one shared channel per team (but can be in multiple shared channels across teams)
No invitation acceptance needed (if trust configured)
Permissions controlled by channel policy and cross-tenant access settings
Mistake
External access and guest access are the same thing.
Correct
External access (federation) allows chat, call, and meeting with external users without them joining your tenant. Guest access creates a B2B guest account in your Azure AD and allows membership in teams and channels.
Mistake
Guests can be added to any channel without being a team member.
Correct
Guests must first be added to the team (or the underlying Microsoft 365 group) to be added to any channel, including private channels. For private channels, the guest must be explicitly added to the private channel membership after being a team member.
Mistake
Shared channels require the external user to have a guest account.
Correct
Shared channels use Azure AD B2B direct connect, which does not create a guest object in the host tenant. The external user accesses the channel using their own identity and license.
Mistake
Turning off guest access in Teams admin center immediately removes all guests.
Correct
Turning off guest access prevents new guest additions but does not remove existing guests. Existing guests retain access until manually removed from teams or the Azure AD guest objects are deleted.
Mistake
Sensitivity labels on teams block external sharing for all users, including existing guests.
Correct
Sensitivity labels configured to block external sharing only prevent new guest additions. Existing guests are not removed. To remove existing guests, you must manually remove them from the team or use a compliance policy.
Guest access allows external users to be added as members of a team, with a guest account in your Azure AD. They can access channels, files, and apps within that team. External access (federation) allows users from other domains to communicate via 1:1 chat, group chat, calls, and meetings but does not grant access to team membership. Federation is domain-based, while guest access is per-user. For the exam, remember: if the question involves joining a team, it's guest access or shared channel; if it's just chat/call, it's external access.
First, ensure both tenants have configured cross-tenant access in Azure AD > External Identities > Cross-tenant access settings. Both must add the other's tenant ID and enable inbound/outbound trust for 'Microsoft Teams Shared Channels'. Then, in Teams, a team owner or member (if policy allows) can create a shared channel and add external users by email. The external user receives a notification in Teams and can access the channel without accepting a guest invitation. They do not appear as guests in your tenant.
By default, guests cannot create any channels. However, you can enable this in Teams admin center > Org-wide settings > Guest access > 'Allow guests to create channels'. Even if enabled, guests can only create standard channels, not private or shared channels. The ability to create private channels is controlled by Teams policy (assigned to users, not guests). For the exam, note that the guest access settings page only shows channel creation options after guest access is enabled.
Turning off the guest access toggle prevents new guest additions. Existing guests retain their access to teams and channels. They will not be removed automatically. To remove existing guests, you must manually remove them from each team or use Azure AD to delete their guest objects. The exam may test that this toggle is not a kill switch for existing guests — it only blocks new ones.
To block all external users, disable guest access (Org-wide settings > Guest access > set to Off) and disable external access (Org-wide settings > External access > set 'Allow all external domains' to Off). Additionally, ensure that no Teams policies allow shared channel external sharing. For sensitivity labels, you can create a label that blocks external sharing and apply it to all teams. However, note that disabling external access only affects chat/call, not team membership via guest access. You must disable both to fully block external users.
Guest users in Teams do not require a paid Microsoft 365 license. They access Teams under the host tenant's licensing. However, the host tenant must have the appropriate Azure AD External ID licensing (formerly Azure AD B2B). For shared channels, external users use their own tenant's license, so no guest license is consumed. The exam may ask about licensing implications: shared channels are cost-effective for occasional external collaboration.
No, sensitivity labels can only be applied to teams, not individual channels. When you apply a label to a team, it affects the entire team, including all channels. However, you can use Azure AD conditional access policies or SharePoint permissions to further restrict access to specific channels. The exam may test that labels are team-level, not channel-level.