Automating the Provisioning of Selective Teams with Guest Access: History & Background

Michael Mukalian
Dec 10, 2019

Sherman, set the WABAC machine for 2015!

How Did We Get Here?

Office 365 Groups is a service providing a single identity for teams across different applications within Office 365. Office 365 applications that use Office 365 Groups for managing access and membership include Microsoft Teams and the various other services like SharePoint, OneDrive, etc.

Office 365 Groups have been around for a few years, but they didn’t really get “proper” Guest Access until around last year.

Let me in! I need to collaborate with my team!

Normal day-to-day businesses work with all sorts of people as part of ongoing projects. Businesses need to work with these people, regardless of what “type” of person they are. So, it’s only natural that these businesses want to engage with people both internal and external to their enterprise.

Which face are you?

This type of engagement poses many challenges in existing enterprises. Usually, IT controls this level of access, but they are historically so busy, or there’s a lack of understanding as to the features/capabilities that can support this scenario. Some may also struggle to keep up with the pace of innovation that is the cloud, and are so fatigued at that point that they just concentrate on other, easier requests. When you throw security into the mix, the knee-jerk reaction is usually like “you want to do *what*?”


Luckily there are controls available to let us accommodate what businesses are asking for. While the existing interface allows us to “flip the switch” and turn on the ability to collaborate with guests, it’s a big switch, meaning that it’s open for everybody in the tenant. What happens when we want to get more granular? Luckily, we have additional controls that let us provide this capability.

Solution Overview

We have a pretty wide range of services in Office 365 that allow us to get a little bit more granular with what we’re looking to do. Because the guest access control is available at the specific group level, we can use the Microsoft Graph to set it to the relevant value (on/off). This allows us to let guests in, or keep them out, for a specific group. Coupled with a Flow in Power Automate, this also gives us a mechanism to create a Team and then set it to allow guests in or not. Now, put all of those requests into a SharePoint list and we can start working with a consistent request process that starts with a request being submitted, moves through an approval process, and ends with a Team properly configured. That’s what this solution is:

  1. Enter a request for a Microsoft Team, asking for Guest Access on or off
  2. Flow in Power Automate picks up the request, and sends it through an approval process
  3. Microsoft Graph in Flow provisions the Team
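
As an added illustration of the group-level control described above (not the author's Flow and not code from this series), the sketch below plans the Microsoft Graph call that turns guest access on or off for one group, using the `AllowToAddGuests` value of the `Group.Unified.Guest` group setting template. The list column names (`GuestAccess`, `ApprovalStatus`) and the group id are hypothetical; the code only builds the request and sends nothing.

```python
import json

GRAPH = "https://graph.microsoft.com/v1.0"
# Directory setting template "Group.Unified.Guest" (holds AllowToAddGuests).
GUEST_TEMPLATE_ID = "08d542b9-071f-4e16-94b0-74abb372e3d9"


def wants_guests(request_item):
    """Fail closed: guests are allowed only for an approved request that
    explicitly asked for them. Field names are hypothetical list columns."""
    approved = request_item.get("ApprovalStatus") == "Approved"
    asked = str(request_item.get("GuestAccess", "")).strip().lower() in ("on", "yes", "true")
    return approved and asked


def plan_guest_setting(group_id, existing_settings, allow_guests):
    """Return (method, url, body) for the Graph call, or None if the group
    already has the desired value. existing_settings is the "value" array
    returned by GET /groups/{id}/settings."""
    desired = "true" if allow_guests else "false"
    values = [{"name": "AllowToAddGuests", "value": desired}]
    for setting in existing_settings:
        if setting.get("templateId") != GUEST_TEMPLATE_ID:
            continue
        current = {v["name"]: v["value"].lower() for v in setting.get("values", [])}
        if current.get("AllowToAddGuests") == desired:
            return None  # already compliant, nothing to send
        # A setting object from this template exists: update it in place.
        url = f"{GRAPH}/groups/{group_id}/settings/{setting['id']}"
        return ("PATCH", url, {"values": values})
    # No group-level setting yet, so the tenant-wide switch applies: create one.
    url = f"{GRAPH}/groups/{group_id}/settings"
    return ("POST", url, {"templateId": GUEST_TEMPLATE_ID, "values": values})


if __name__ == "__main__":
    # Constructed sample request (placeholder ids, not from a real tenant).
    item = {"Title": "Project X", "GuestAccess": "On", "ApprovalStatus": "Pending"}
    plan = plan_guest_setting("GROUP-ID-PLACEHOLDER", [], wants_guests(item))
    print(plan[0], plan[1])
    print(json.dumps(plan[2], indent=2))
```

Because a group with no setting of its own inherits the tenant-wide switch, an unapproved or "off" request still produces an explicit `false` setting instead of leaving the group untouched.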

Our next article in the series will allow us to set up the “plumbing” to make our process work. Head over there to catch up on Azure AD Application Registrations.



Michael Mukalian

Covering the Microsoft Modern Workplace as a Technical Architect at the Philadelphia Microsoft Technology Center in Malvern.