Home - OfficeDev/microsoft-teams-apps-request-a-guest GitHub Wiki

Many organisations have a requirement to control guest access into their Azure AD tenant. This can be achieved by locking down guest access within Azure AD so only administrators and those in the guest inviter role can issue invites to external guests. This can also be extended to SharePoint and OneDrive by only allowing sharing with existing guests in the tenant. For more information on controlling external access see: Limit Sharing in Microsoft 365

Once organisations control access this way there is a need to establish an operational procedure for employees to request that a guest is added to the tenant. The Request-a-guest app supports this requirement by providing a method for employees to request that a guest is added to the tenant and allows only the authorised users to approve these requests.

  • Provides a simple form for employees to request a guest is added to the tenant.
  • Built-in approval process that only progresses requests if the guest domain is on the allow list (if required).
  • Provides a fully audited workflow to inform helpdesk or SecOps when a request is submitted, rejected or approved.
  • Once approved, guest invites are automatically issued.
  • When the invite is issued, the original requestor is added as the manager of the guest. This helps to ensure that the guest can be traced back to the original requestor.

Screenshot: New Request form

Request Process Wizard:

  • Either from a Microsoft Teams tab or directly from PowerApps, end users complete a form to request that a guest is added into the tenant. End users need to provide guest details and a justification.

  • Once the request is submitted the guest domain is verified as approved. This is done by checking that the domain is in compliance with the settings in your AAD allow/block list for guest users.

  • Members of an approvers group will then see the request in the 'Approve requests' tab of the Request-a-guest app and can choose to approve or reject the request.

  • An adaptive card is also sent to a designated Team and Channel to allow reviewers to approve or deny requests directly from the adaptive card.

  • Approvals can be submitted either via the app or using the Teams adaptive card.

  • Requests and approval notifications are sent to the approval mailbox for auditing and history tracking if required.

  • The user who requested the guest is informed both through the app and via a Teams chat message.
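
The domain verification step above can be sketched as follows. This is an added example, not code from the Request-a-guest project; `DomainPolicy`, `normalise_domain` and `check_guest` are hypothetical names, and it assumes exact domain matching against a single list that is either an allow list or a block list.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class DomainPolicy:
    mode: str            # "allow" or "block" (assumed: one list type at a time)
    domains: frozenset   # lower-case ASCII (punycode) domains

_DOMAIN_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")

def normalise_domain(email):
    """Return the lower-case ASCII domain of an address, or raise ValueError."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or "@" in local:
        raise ValueError("malformed address")
    # A trailing dot and mixed case refer to the same DNS name.
    domain = domain.rstrip(".").lower()
    try:
        # Internationalised names are compared in punycode form.
        ascii_domain = domain.encode("idna").decode("ascii")
    except UnicodeError as exc:
        raise ValueError("invalid domain") from exc
    if not _DOMAIN_RE.fullmatch(ascii_domain):
        raise ValueError("invalid domain")
    return ascii_domain

def check_guest(email, policy):
    """Return (allowed, reason); anything that cannot be parsed is rejected."""
    try:
        domain = normalise_domain(email)
    except ValueError as exc:
        return False, f"rejected: {exc}"
    listed = domain in policy.domains   # exact match only (assumption)
    if policy.mode == "allow":
        return listed, f"{domain} {'is' if listed else 'is not'} on the allow list"
    if policy.mode == "block":
        return not listed, f"{domain} {'is' if listed else 'is not'} on the block list"
    return False, "rejected: unknown policy mode"

if __name__ == "__main__":
    # Constructed sample policy and addresses.
    policy = DomainPolicy("allow", frozenset({"contoso.com"}))
    for addr in ("Alex@CONTOSO.com.", "alex@contoso.com.example.net", "a@b@contoso.com"):
        print(addr, "->", check_guest(addr, policy))
```

Normalising before the comparison means a lookalike such as `contoso.com.example.net` is evaluated as its own domain, and a request with an unparseable address never reaches an approver as "allowed".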

Screenshot: My Requests page

Screenshot: Approve requests within the app

Screenshot: Provide a comment on approval or rejection

Screenshot: Approve or decline requests with a Teams adaptive card

Screenshot: End user notification of approval or rejection in the app

Screenshot: Teams chat message back to the end user with the verdict

Further Reading

Home

Architecture

Cost Estimates

Data Retention

Deployment Guide

Troubleshooting
