This post is not about inviting Google users to your meetings, where you just send them the meeting invite and all is good. This is about adding the Gmail user as a member of a Team, so they can see the Teams channels, chat and collaborate with files and apps along with everyone else in the Team.
You may be able to do all this as an end user, but if not then check some of the below points with your Microsoft 365 Administrator.
To invite Gmail users to Teams is all to do with B2B Collaboration, or Guest Accounts in Entra ID. So first, you need to allow the invitation of external guests to your Entra ID directory (previously known as Azure AD). If you have domain restrictions here, you would need to allow “gmail.com”. If the user you want to add uses G-Suite (Google Workspace) then you can invite them from their custom domain, but this domain also needs to be allowed if you block external domains.
Domains can be blocked in two places, both need to be checked by the administrator. The first is Entra ID and the second is Teams Admin Center.
Checking Entra ID for External User Restrictions
This is checked in the Entra ID portal at https://entra.microsoft.com > Identity > External Identities > External Collaboration Settings. From here ensure that the “Guest invite settings” allows guests to be invited (so anything but the last option):
If the top option is selected, end users can invite the Gmail contact directly. If either of the middle two options is selected, only someone with the correct permissions can invite the guest user, and that invitation has to be made before the end user can add the Gmail user to a Team.
The other setting to check in Entra ID is the Collaboration Restrictions. If the bottom option (allow invitations only to specified domains) is selected, you need to add gmail.com or the Google Workspace domain to that list. If the middle option (deny invitations to specified domains) is selected, ensure the opposite, that the domain is not on the deny list. With the top option the invite will just work:
Cross-Tenant Access Settings now also take effect (since late 2022), so check this area as well and make sure that there is not an entry for the domain in question that blocks B2B Collaboration or that the Default does not block B2B Collaboration as shown:
Once Entra ID is confirmed as allowing Gmail guests, check the settings in Teams.
Checking Teams Admin Centre for Guest Restrictions
This is accessible from https://admin.teams.microsoft.com/ > Users > Guest Access. This is not “External Access” which is to do with chat cross-company only and not B2B/Guest access to Teams. Ensure that Guest Access is On:
Conditional Access Restrictions
The Gmail guest user will be subject to any restrictions that your tenant has for Conditional Access for guest users. When writing this blog post I came across one that blocked Gmail users (where login is federated to Google) because the Conditional Access rule required an Authentication Strength rather than direct MFA. Changing it to Multifactor Authentication fixed the login.
This issue presents itself in the Entra ID sign-in logs for the guest user as “Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.”
Changing the Conditional Access rule for the Gmail guest from an Authentication Strength to standard Multifactor Authentication fixed this. The cause is that Authentication Strengths do not support the Email One-Time Passcode (Guest) authentication method (see the Entra ID notes), so a guest who can only satisfy MFA by email one-time passcode is blocked.
This change can be seen in the following picture of the same Conditional Access rule setting, but with the change made to Multifactor Authentication so that Email One-Time Code authentication is supported:
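As an added example that is not part of the original post, the following PowerShell script reads the settings the post checks by hand (guest invite settings, default cross-tenant access, Teams guest access, and enabled Conditional Access policies that cover guests and require an Authentication Strength). It assumes the Microsoft Graph PowerShell SDK and the MicrosoftTeams module are installed and that the signed-in account can read policy; the domain allow/deny list is not read here.

```powershell
# Added example, not from the original post: a read-only audit of the settings the
# post checks by hand. Assumes the Microsoft.Graph and MicrosoftTeams modules are
# installed and the signed-in account can read policy (for example Global Reader).
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome
Connect-MicrosoftTeams | Out-Null

# 1. Entra ID > External Identities > External collaboration settings > Guest invite settings.
#    'none' is the last option (no one can invite); the two middle values mean an admin or
#    guest inviter must invite the Gmail user before an end user can add them to a Team.
$invites = (Get-MgPolicyAuthorizationPolicy).AllowInvitesFrom
Write-Host "Guest invite setting: $invites"
if ($invites -eq 'none') { Write-Warning "Guest invitations are disabled in Entra ID." }

# 2. Cross-tenant access settings: default inbound B2B collaboration for users and apps.
$inbound = (Get-MgPolicyCrossTenantAccessPolicyDefault).B2bCollaborationInbound
Write-Host "Default inbound B2B collaboration: users=$($inbound.UsersAndGroups.AccessType) apps=$($inbound.Applications.AccessType)"
if ($inbound.UsersAndGroups.AccessType -eq 'blocked' -or $inbound.Applications.AccessType -eq 'blocked') {
    Write-Warning "Default cross-tenant access settings block inbound B2B collaboration."
}

# 3. Teams admin centre > Users > Guest access (this is not 'External access').
$teamsGuest = (Get-CsTeamsClientConfiguration).AllowGuestUser
Write-Host "Teams guest access: $teamsGuest"
if (-not $teamsGuest) { Write-Warning "Guest access is Off in the Teams admin centre." }

# 4. Conditional Access: an enabled policy that covers guests and grants access via an
#    Authentication Strength (rather than the plain 'mfa' control) blocks guests whose only
#    method is Email One-Time Passcode, which is the failure described in the post.
$policies = Get-MgIdentityConditionalAccessPolicy -All | Where-Object { $_.State -eq 'enabled' }
foreach ($p in $policies) {
    $u = $p.Conditions.Users
    $coversGuests = ($u.IncludeUsers -contains 'All') -or
                    ($u.IncludeUsers -contains 'GuestsOrExternalUsers') -or
                    ($null -ne $u.IncludeGuestsOrExternalUsers.GuestOrExternalUserTypes)
    if (-not $coversGuests) { continue }
    $strength = $p.GrantControls.AuthenticationStrength
    if ($strength -and $strength.Id) {
        $msg = ("'{0}' requires Authentication Strength '{1}' for guests; change the grant to " +
                "'Require multifactor authentication' so Email OTP guests can sign in.") -f $p.DisplayName, $strength.DisplayName
        Write-Warning $msg
    } else {
        Write-Host "'$($p.DisplayName)' covers guests with controls: $($p.GrantControls.BuiltInControls -join ',')"
    }
}
```

Run it before inviting the first Gmail guest; each warning maps to one of the portal screens described above.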
Inviting Gmail Users To Your Teams
The rest of the article looks at the process for the end user inviting the Gmail user to be part of their Team. If the above settings restrict who can invite external guests, then the initial invite step needs to be done before the user can be added to the Team. If the guest user is already a member of another Team, it's easy to add them as a member of more than one Team just by entering their email address. This flow looks at the first-time invite and add-to-Team experience.
- In Teams, click the … next to the Team name. You need to be the Owner of the Team to invite new members. Type in the Gmail user's address:
- You get an option now to set the “Display Name” for this user:
- The recipient in Gmail gets an email inviting them to the Team. The user needs to click the “Open Microsoft Teams” button in the email. The rest of the email tells the Team name and the purpose of the organization doing the invitation:
- The Gmail user is asked to sign in to Teams with their Google account:
- To sign in for the first time, the M365 tenant prompts for accepting the privacy and permissions consent. The Gmail user needs to accept this. This will be branded with your organization’s information:
- If your tenant requires Multi-Factor Authentication for guest users, they will be prompted to set this up at this point in the authentication process:
- The setup for MFA continues as documented on plenty of websites on the Internet.
- The user is asked to start the Teams app (if it is installed), download the app, or use the website. I'm using the website in this example, as my Teams app is already signed in with a separate account, but the process is identical whether it is the browser or the application.
- Depending upon your MFA choices, you might be prompted at this point to “upgrade your MFA to Microsoft Authenticator” as shown (I had set MFA up using Google Authenticator in this example and had entered my six digit code to login to Teams)
- Success, I am now using Teams as a guest user. For this I do not need a Teams licence, as I am making use of the free 1:5 ratio (one licensed user to 5 guest users) or the free 50,000 MAU (monthly active users) for guests that can be configured in Entra ID.