Summary: How to configure External Guest Access in Office 365.
Date: Around 2018
Refactor: 8 March 2025: Checked links and formatting.

If you want to share data secure and in an universal way across all modules in Office 365 you could follow these steps to achieve that situation.

Please notice that you first need to restrict the number of users that can create office 365 groups: Manage Office 365 Group Creation

• Restrict sharing of SharePoint and OneDrive content by domain
• Manage sharing settings for SharePoint and OneDrive in Microsoft 365

Go to the sharepoint admin portal: https://shift-admin.sharepoint.com/ → sharing
Sharing outside your organization:

• Allow sharing only with the external users that already exist in your organization's directory
  • Allow sharing only for external users who are already in your directory. These users may exist in your directory because they previously accepted sharing invitations or because they were manually imported

Default Link Type

• Direct - specific people
  • Direct links are accessible only by users who already have permission to access the document or folder

Default Link Permission

• View

Additional Settings

• Limit external sharing using domains
  • Allow sharing only with users from these domains
    • Add the required domains. See below for how to manage the allowed domain list.
• Prevent external users from sharing files, folders, and sites that they don’t own
• External users must accept sharing invitations using the same account that the invitations were sent to

If required it is also possible to further restrict individual sites from sharing:

• Go the the new SharePoint Online admin center: https://shift-admin.sharepoint.com/_layouts/15/online/AdminHome.aspx#/home
  • Go to active sites
  • Click the site you want to restrict
  • On the right a new screen appears. Scroll down and click Change in the external sharing part
    • It's only possible to restrict, not to setup less restrictive sharing. To disable sharing click:
      • Only people in current organization. No external sharing allowed.
  • Click save

Almost all settings are already transferred to the new Teams and Skype portal. But you can still configure the list of domains collaboration is allowed with:

• Go to the Skype legacy portaal: https://webdir1e.online.lync.com/LSCP → Organizations → External Communications
  • External Access: On only for allowed domains
  • Blocked or Allowed Domains
    • Add the required domains. See below for how to manage the allowed domain list.

• Collaborate with guests in a team (IT Admins)

Go to https://portal.office.com/adminportal/home → Settings → Services & Add-ins → Office 365 Groups

• Let group members outside the organization access group content: On
• Let group owners add people outside the organization to groups: On

Go to https://portal.office.com/adminportal/home → Settings → Security & privacy → Sharing → Edit

• Let users add new guests to the organization: On

Go to https://portal.azure.com → Azure Active Directory → User Settings → External Users

• Guest users permissions are limited: Yes
• Admins and users in the guest inviter role can invite: Yes
• Members can invite: Yes
• Guests can invite: No

Collaboration restrictions:

• Allow invitations only to the specified domains
  • Add the required domains. See below for how to manage the allowed domain list.

• Tutorial: Enforce multifactor authentication for B2B guest users

Go to https://portal.azure.com → Security → Conditional Access → Policies

• New Policy
  • Name: Always require MFA for Guest Accounts
• Assignments
  • Users and Groups: Include all guest users
  • Cloud Apps: All cloud apps
• Access Controls
  • Grant Access: Require multi-factor authentication
• Enable policy: On

Note: Ask someone to check the settings before you enable the policy. Making errors could get you locked out.

• Turn guest access in Microsoft Teams on or off
• IT Admins - Manage external meetings and chat with people and organizations using Microsoft identities

Go to https://admin.teams.microsoft.com/dashboard → Org-Wide Settings → Guest Access

• Allow guest access in Microsoft Teams: On
• Make private calls: Off
• All others default on ON

Go to Org-Wide → External access

• External Access: On
• Allowed domains is automatically imported from the skype portal, also see below for how to manage the allowed domain list.

Go to Org-wide settings → Teams settings

• Allow users to send emails to a channel email address: On
  • Add the required domains. See below for how to manage the allowed domain list.
  • Click Save

Go to Org-wide settings → Teams upgrade

• Coexistance mode: Islands
• Click save

This enables teams and skype users to chat with each other

Keep a transparent list of all allowed domains and use this list for all modules within office 365. An exaple could be:

The getshifting.com domain (your own) might not be required but I am not sure about that. = Shortlist on Adding Domains =

• Go to https://shift-admin.sharepoint.com/ → sharing
• Additional Settings → Limit external sharing using domains → Allow sharing only with users from these domains
• Add the domain

• Go to the Skype legacy portal: https://webdir1e.online.lync.com/LSCP → Organizations → External Communications
• Blocked or Allowed Domains
• Add the domain

• Go to https://portal.azure.com → Azure Active Directory → User Settings → External Users (Manage external collaboration settings)
• Add the domain at the bottom

• Go to https://admin.teams.microsoft.com/dashboard → Org-Wide Settings → External access
• Allowed domains is automatically imported from the skype portal
• Org-wide settings → Teams settings
• Allow users to send emails to a channel email address: On
• Add the domain at the bottom