Month: April 2020
List guest users of Microsoft Teams
Imagine for a moment that your organization deployed Microsoft Teams across the business to advance user productivity, but wasn't quite ready to address the governance, security, or potential data exfiltration risks of Teams. That decision to postpone security and compliance may have come down to a lack of awareness of the risk, of the desire or resources to plan and implement controls, of the knowledge of which technology to use, of the ability to use that technology (i.e. licenses), or even of the capability to enforce the organizational stance.
Now imagine that your Teams deployment has reached thousands of users and their productivity is on the rise, which is great, but you have now found that there are also thousands of "guest" users in your Azure AD users list, most likely invited into Teams from within your company. That includes guest users from the likes of Gmail, Yahoo, and the various Microsoft consumer domains.
The risk of data exfiltration, and of weak device and user identity security, is now much higher, and you need to address it. What can be done? Assuming you have already identified that there are guest users in your organization via the Azure AD users list, you may want to further refine which of those guest users are part of a team within Microsoft Teams. The following PowerShell script grabs that information. Note that the script relies on having installed the PowerShell module for MicrosoftTeams (Install-Module MicrosoftTeams) and on being logged into Azure AD (Connect-MicrosoftTeams).
```powershell
# Login to Azure AD manually
Connect-MicrosoftTeams

# Define log file
$OutFile = "C:\TeamsGuestUsers.txt"

# Get a collection / array of all Teams
$AllTeams = Get-Team

# Process each Team
ForEach ($Team in $AllTeams) {
    # Do not process $Team if it is null
    If ($null -ne $Team.GroupID) {
        # Get all the Guest users of a Team
        $GuestUsers = Get-TeamUser -Role Guest -GroupID $Team.GroupID

        # If no guest users exist in Team, skip logging
        If ($null -ne $GuestUsers) {
            # Log the Team and GroupID
            Write-Output ("Team: " + $Team.DisplayName + ", GroupID: " + $Team.GroupID) | Out-File $OutFile -Append

            # Log each guest user in the Team
            ForEach ($User in $GuestUsers) {
                Write-Output (" => Guest user: " + $User.User) | Out-File $OutFile -Append
            }
        }
    }
}
```
With this information, you can next develop your plan for guest access, including which domains to restrict or allow with Azure AD B2B controls. A good place to get started with your planning is:
- Following the six steps outlined in the Microsoft Teams guest access checklist: https://docs.microsoft.com/en-us/microsoftteams/guest-access-checklist
- Setting up Entitlement Management: https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-overview
- Managing guest access with Azure AD access reviews: https://docs.microsoft.com/en-us/azure/active-directory/governance/manage-guest-access-with-access-reviews
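Deciding which domains to allow or block with Azure AD B2B controls is easier once the guest list is grouped by each guest's home domain rather than listed team by team. The script below is an added example, not part of the original post: it takes records shaped like those the script above logs (team name plus the guest's User value) and summarizes them per domain, flagging the consumer domains the post calls out. The function names are hypothetical, the sample records are constructed so the block runs offline, and it assumes the B2B guest UPN form `alias_domain.com#EXT#@tenant.onmicrosoft.com` (a plain e-mail form is handled as a fallback).

```powershell
# Added example (not from the original post): summarize Teams guest users by their
# home domain to inform an Azure AD B2B allow/deny list.
# Assumption: guest User values have the B2B form alias_domain.com#EXT#@tenant.onmicrosoft.com.

function Get-GuestHomeDomain {
    param([Parameter(Mandatory)][string]$User)
    # Recover the external domain from the part before #EXT#. The local part may itself
    # contain underscores, so match lazily and require the domain to be underscore-free.
    if ($User -match '^(?<local>.+?)_(?<domain>[^_]+)#EXT#@') {
        return $Matches.domain.ToLower()
    }
    # Fallback for a plain UPN / e-mail address
    return ($User -split '@')[-1].ToLower()
}

function Get-GuestDomainSummary {
    param(
        [Parameter(Mandatory)][object[]]$GuestRecords,
        # Consumer domains named in the post, plus the common Microsoft consumer ones
        [string[]]$ConsumerDomains = @('gmail.com', 'yahoo.com', 'outlook.com', 'hotmail.com', 'live.com')
    )
    $GuestRecords |
        Select-Object Team, User, @{ n = 'Domain'; e = { Get-GuestHomeDomain $_.User } } |
        Group-Object Domain |
        ForEach-Object {
            [pscustomobject]@{
                Domain     = $_.Name
                GuestCount = $_.Count
                Teams      = ($_.Group.Team | Sort-Object -Unique) -join '; '
                Consumer   = $ConsumerDomains -contains $_.Name
            }
        } |
        Sort-Object Consumer, GuestCount -Descending
}

# Constructed sample records, shaped like the Team/User pairs the logging script writes
$Sample = @(
    [pscustomobject]@{ Team = 'Finance';   User = 'alice_partner.example#EXT#@contoso.onmicrosoft.com' }
    [pscustomobject]@{ Team = 'Marketing'; User = 'bob_gmail.com#EXT#@contoso.onmicrosoft.com' }
    [pscustomobject]@{ Team = 'Finance';   User = 'carol_smith_gmail.com#EXT#@contoso.onmicrosoft.com' }
    [pscustomobject]@{ Team = 'Legal';     User = 'dave_yahoo.com#EXT#@contoso.onmicrosoft.com' }
    [pscustomobject]@{ Team = 'Marketing'; User = 'erin@partner.example' }
)

Get-GuestDomainSummary -GuestRecords $Sample | Format-Table -AutoSize

# In a connected session (Connect-MicrosoftTeams) the same records can be built live:
# $Live = Get-Team | ForEach-Object {
#     $t = $_
#     Get-TeamUser -GroupId $t.GroupId -Role Guest |
#         ForEach-Object { [pscustomobject]@{ Team = $t.DisplayName; User = $_.User } }
# }
# Get-GuestDomainSummary -GuestRecords $Live
```

On the constructed sample this reports gmail.com (2 guests, Finance and Marketing) and yahoo.com (1, Legal) as consumer domains, and partner.example (2, Finance and Marketing) as a business domain, which is the split you need when deciding what to put on an allow list versus what to block or route through an access review.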