For the past three months, I’ve been working with Microsoft Support on my SharePoint permission issue with private channels in Teams.
In my previous post and via LinkedIn, I asked readers to reach out if they were experiencing the same issue, and some organizations did. Thank you for your collaboration and for providing me with some valuable insights related to that issue.
Two weeks ago, a colleague reported a strange issue involving a guest in SharePoint. The guest received an error stating he didn’t have a SharePoint license to access a shared site. I was able to reproduce this with other guest accounts.
This is unusual, as guest accounts typically don’t require a SharePoint license. I immediately suspected the situation was related to my private channel issue. Both cases show similar behavior patterns.
- It works for internal users.
- Guest accounts encounter a ‘missing SharePoint license’ error in a specific scenario.
- I can’t reproduce it in my personal tenants.
As documented in the SharePoint service description:
Rights of guests: If you purchase a plan and create a site that uses enterprise features, guests you invite are granted rights to use and/or view the enterprise features within the site. While you can invite guests to perform a full range of actions on a site, they won’t have the same capabilities as a licensed user within your organization. For example, if your plan includes desktop versions of Office applications, guests can’t install them on their own computers unless you assign them a license.
I asked my contacts from the previous case one specific question:
Please verify whether SharePoint license enforcement is enabled in your tenant.
The test is simple:
Use any internal account without a SharePoint license and try to open a site shared with “Everyone.” SharePoint will display a message about the missing license if license enforcement is enabled.
The answer was consistent: All organizations that responded currently have license enforcement enabled.
This also explains why the issue only affects specific tenants, and when it does, it affects all private channels in that tenant. The problem isn’t with the guest accounts themselves, but with the underlying license requirement.
About SharePoint Online license enforcement
License enforcement in SharePoint is disabled by default. Microsoft documented this behavior back in 2018. I couldn’t find a current reference.
Previously, Microsoft explained that license enforcement is disabled by default, allowing customers to migrate data to SharePoint without requiring a full license. Once the migration is complete, organizations should request Microsoft Support to enable license enforcement. Once enabled, it cannot be turned off again.
With Microsoft’s input, the case finally makes sense. The private channel fails to sync guest permissions because the system responds with a 404 Not Found error. The system can’t find the guest account, as no valid SharePoint license is assigned.
The browser log below shows what happens when you add an unlicensed user to a private channel while license enforcement is enabled, affecting both internal and guest accounts.
- Teams calls an API to add a new member using the Entra ID object ID.
- Teams receives a “404 Not Found” error for the user object.
This is the same behavior you get when trying to add an unlicensed internal account to a SharePoint site.
Here’s an example comparing an unlicensed and a licensed user using PnP PowerShell.
- The unlicensed user can’t be added — SharePoint can’t find the account.
- No issue with the licensed user.
Normally, this doesn’t affect guest accounts, except for private channel site collections.
Similarly, unlicensed internal accounts don’t appear in the People Picker when license enforcement is enabled, and SharePoint will return an error if you try to share content with them.
What did I do to confirm the root cause?
- Internal account without a SharePoint service plan
I prepared an internal test account with the SharePoint service plan disabled. After adding it to my private channel, the permission wasn’t synced to the SharePoint site; the same behavior as with guest accounts. The screenshots showing the “404 Not Found” errors above are from this test user.
- Guest account with a SharePoint service plan
I then assigned a SharePoint Kiosk service plan to my guest account (all other service plans disabled).
After re-adding this guest to the private channel, the permission synced successfully to the SharePoint site. A test confirms it, the guest now has access to the files tab in the Teams private channel and the SharePoint site.
I shared my findings with Microsoft on Monday. They implemented a tenant-specific solution related to license enforcement, and private channels now work correctly for users without a SharePoint license.
I ran some additional tests. The tenant-specific solution: License enforcement was disabled. Microsoft is currently investigating a permanent solution.
The positive note: I was able to identify/confirm a second issue related to license enforcement.
