A growing technology company in Ontario had dozens of external collaborators locked out of SharePoint and Teams for weeks. Azure AD recognized every guest user. SharePoint did not. The client's IT team had exhausted their troubleshooting ideas, and project timelines with external partners were starting to slip.
Teclara diagnosed the root cause in 20 minutes using Claude Code and the Lokka MCP server, then fixed it with a single PowerShell command. This is how that played out.
The Client
A mid-sized technology company with approximately 85 employees, based in Ontario. They collaborate heavily with external consultants, contractors, and partner organizations, which means guest user access in Microsoft 365 is a daily operational requirement. SharePoint handles their document storage and Teams runs their collaboration, so both platforms depend on guest users being able to log in and work alongside internal staff.
The Challenge
Guest users were being invited through Azure Active Directory and successfully accepting those invitations. Azure AD recognized them and the provisioning process was working correctly. The problem showed up one step later: when those same guest users tried to access SharePoint sites or Teams channels, authentication would fail or hang indefinitely.
Internal employees had no issues accessing the same resources. The disconnect was entirely limited to external collaborators, and it had been going on for several weeks before the client reached out to Teclara.
External consultants could not review or contribute to project documents. Partner organizations were locked out of collaborative workspaces. Project timelines were slipping, and the client's reputation with external stakeholders was starting to take damage. Their internal IT team had run through basic troubleshooting without isolating the root cause.
The Diagnostic
Teclara's team connected Claude Code to the client's Microsoft 365 tenant using Lokka, an open-source MCP (Model Context Protocol) server for Microsoft Graph. Lokka gives Claude Code the ability to query Azure AD, SharePoint, and other Microsoft 365 services directly through natural language. Instead of clicking through multiple admin portals and cross-referencing configurations manually, the investigation ran as a conversation. This is the same MCP-based approach we used when we built a full sales pipeline in three hours using Claude and Attio's MCP connector, applied here to infrastructure diagnostics instead of CRM operations.
Verifying Azure AD. Through Lokka, Claude Code pulled the Azure AD guest user objects and confirmed they existed with the correct attributes: user principal names, email addresses, and invitation status all matched what the client expected. The identity layer was clean.
Querying SharePoint. The investigation moved to the SharePoint tenant configuration next. Claude Code queried the external sharing and guest access policy settings through Lokka's Microsoft Graph integration. The misconfiguration was sitting right there: Azure AD B2B integration with SharePoint and OneDrive had never been activated.
This is a specific tenant-level setting that acts as the bridge between Azure AD's identity system and SharePoint's access layer. Without it, SharePoint cannot resolve guest user identities from Azure AD, even when those users have valid accounts and have accepted their invitations. The guest users existed in the directory, but SharePoint had no mechanism to look them up because the integration between the two services was turned off.
The full diagnosis took roughly 20 minutes. A traditional version of this same investigation would involve opening the Azure AD admin centre, checking user properties, switching to the SharePoint admin centre, reviewing tenant settings, cross-referencing the external sharing configuration, and potentially escalating to Microsoft support. Each step means a different browser tab and a different set of menus, with a mental model you have to carry between all of them. With Lokka and Claude Code, the entire diagnostic happened in a single terminal session.
The Fix
The resolution was a single PowerShell command:
Set-SPOTenant -EnableAzureADB2BIntegration $true
This activates the integration layer between SharePoint/OneDrive and Azure AD, allowing the collaboration platform to properly resolve and authenticate guest user identities. Teclara deployed the change during a brief maintenance window with no downtime and no impact on internal users.
The Results
Guest users gained immediate access to Teams channels and SharePoint document libraries, and the authentication errors that had blocked external collaboration for weeks were resolved in under an hour from the start of the diagnostic.
The client's IT team no longer needs to manually grant SharePoint permissions or open a ticket each time an external collaborator gets stuck at login. Every future guest invitation works correctly from the moment it is accepted.
Security improved as well. With Azure AD B2B integration properly configured, the client can now enforce conditional access policies and multi-factor authentication requirements specifically for guest users. Given that the company works with technology partners and occasionally handles sensitive project materials, that was an important secondary win.
All internal user permissions, document access levels, and existing SharePoint configurations remained exactly as they were throughout the process.
Key Takeaway
Microsoft 365 environments have settings spread across Azure AD, SharePoint Online, Exchange, and Teams admin centres. When something breaks at the intersection of two services, the root cause hides behind layers of configuration that no single admin panel shows cleanly. Traditional troubleshooting means opening multiple browser tabs, running Get-SPOTenant in one terminal and querying Azure AD in another, then mentally stitching the results together. The client's team had been stuck for weeks because the root cause sat at the seam between two admin surfaces that most people never look at together.
Lokka collapses that into a single interface. Claude Code queries across services in the same session, carrying context from one query to the next. When it checked the Azure AD guest objects and found them valid, it already had reason to look at the SharePoint tenant settings. When it found the B2B integration flag was disabled, it already had the guest user data to confirm the likely cause. That kind of continuity across Microsoft 365 services is what turned a weeks-long frustration into a 20-minute diagnosis.
Teclara is building this approach, connecting Claude Code to client environments through purpose-built MCP servers, into standard operating procedures for Microsoft 365 investigations. We applied the same thinking when we replaced $12,000 in annual SaaS costs by building four internal tools with Claude Code on existing infrastructure. The method applies to any diagnostic or operational workflow that spans multiple admin surfaces.
If guest users in your Microsoft 365 environment are experiencing access issues, or if you want to explore how AI-assisted tooling can improve your IT operations, contact Teclara.