Teams External Access

In order for collaboration to truly flourish, platforms need to reach beyond the boundaries of your organization and allow for open collaboration with partners and customers. Unfortunately, those customers and partners might use different team collaboration solutions or they might still use a legacy Unified Communications platform.

You may think that even if there are multiple collaboration platforms within the enterprise, your teams and workers can still communicate across different platforms. Many of the new team collaboration platforms like Microsoft Teams or Slack include guest access, allowing anyone to invite an outside user (outside of a team or an organization) to join the platform and collaborate via chat, join channels, share files, etc.

While these platforms provide some options for connectivity, they are not truly open. And there are limitations, cost considerations and security risks in the current form of interoperability that these platforms provide.

If you want people from outside your organization to collaborate closely with your team, enable guest access for them. On the other hand, if you only want them to chat with your team, grant them external access rights.

  1. Sep 15, 2020: Manage external access (federation) - Microsoft Teams, Microsoft Docs. But it only mentions AllowPublicUsers=true and as described below. When set to True (the default value), users will potentially be allowed to communicate with users who have accounts on public IM and presence providers such as Windows Live, Yahoo, and AOL.
  2. External access is a way for Teams users from an entire external domain to find, call, chat, and set up meetings with you in Teams. You can also use external access to communicate with people from other organizations who are still using Skype for Business (online and on-premises) and Skype (in preview).
  3. Team members will always have access to the SharePoint site because access is not given to individuals, but to the underlying Office 365 Group. So, if my guest access settings in Microsoft Teams and Office 365 Groups are turned on and I add an external user to my guests for that Group, there’s no work that needs to be done on the SharePoint side.

For Microsoft Teams users, Microsoft includes Guest Access, which enables inter-company (outside your organization) collaboration via chat or channels for external partners, customers, suppliers, etc. This means your users can invite ANY external user with a business or consumer email account, such as Gmail, to participate as a guest in Microsoft Teams with full access to team chats, meetings, and files. Though this sounds like an easy way to provide external access to your organization, there are limitations and additional support that IT should be aware of in order to maintain security and control while preventing cost overruns. Below are a few to keep in mind:

User Authorization and Authentication

First and foremost, MS Teams guest accounts require corresponding Azure AD accounts. This means when your users invite their external colleagues to collaborate using an MS Teams guest account, their external colleagues have to create and maintain Azure AD accounts.

However, it’s nearly impossible for you to control whether these external Azure AD accounts have strong security measures like password complexity, password expiration, and Two-Factor Authentication (2FA). Microsoft became aware of these security concerns, and as a result, decoupled guest accounts’ authorization from authentication. Authentication will be managed by the external users, which you cannot control, but the authorization can be controlled by your organization.

Given today’s landscape, hackers can wreak havoc on weak guest accounts and gain access to unsuspecting end-users. Increasingly, IT departments view guest access as an unmitigated risk to their infrastructure.

Once the guest accounts are granted, as the MS Teams admin you need to manage them. However, since these users belong to other companies you cannot disable their guest accounts when they leave their organization. This can create additional security and access control headaches.

End-User Support

A lack of end-user support is another issue that comes up with guest accounts. For example, if your partners decide to block domains on the Microsoft O365 service, their end users cannot accept and use guest accounts to collaborate with workers within your company. In such a scenario, troubleshooting why guest accounts aren’t working is impossible and will create unnecessary support escalations as your end-users become frustrated when they can’t work with their colleagues.

Licensing Limitations and Costs

The number of guest accounts a company can extend is limited. For instance, Microsoft only allows five guest accounts per paid Azure AD license. In other words, a company with 1,000 Microsoft licenses can only send out 5,000 guest account invitations.

Further complicating the issue is that Microsoft guest account invites are not limited to MS Teams, but can be sent out for other Microsoft services such as sharing files on OneDrive and SharePoint. Moreover, there is no limitation or control on how many guest account invites a user can send, as long as your company stays within its overall limit. So invitations can begin to pile up. If any one user or team goes beyond a company’s limit, this prevents everyone from sending out guest account invites.

Direct Federation

As an alternative to guest access, Microsoft also offers a limited form of Direct Federation. The main difference between guest access and direct federation is that direct federation only provides presence and one-to-one chat sessions. With guest access, you can grant permissions for external users to participate in channels, share files and access your corporate resources, such as OneDrive.

Direct federation is a more secure way for collaboration with external parties. Unlike guest accounts, you can be sure the external user is on a managed UC or collaboration platform and that they don’t have access to any of your corporate resources. On the other hand, it offers limited capabilities. Below is a detailed comparison of both options.

Table 1 – Feature comparison of Guest and Microsoft Direct Federation (source: Technet)

While guest accounts seem like the best option to enable B2B communication between enterprises, it is important to remember that once your organization provides guest access to external users, situations could arise where these guest accounts expose your organization to security risks.

Since guest accounts are normally connected to Azure AD accounts (B2B federation), when your users invite someone, you take a security risk, as it is unclear whether the Azure AD account to which the guest account is connected is effectively managed.

A Different Alternative

We believe that inter-company communication should be controlled as much as possible with both organizations participating in full control of their users.

Inter-company collaboration and communication should be seamless and secure. Enterprises should always be able to use their preferred Unified Communications or Team Collaboration tool to maintain control over all communication and collaboration. To eliminate security, support and cost issues, we recommend using a unique API-based integration which provides federation capabilities between managed platforms, so the stakeholders of the organizations can be sure that communication to other parties is only done with their explicit consent.

6 Great Options for Microsoft Teams Direct Messaging Federation

Microsoft Teams supports various ways of communicating with external users.

When it comes to direct messaging, you’d have thought it would be simple to send a person-to-person message even if they’re not in your immediate team.

Microsoft Teams direct messaging federation helps support cross-tenant and cross-platform messaging.

In this post, we dig into which option is best for your scenario and explain how to configure each one.

1 – External access (federation)

External access, also called federation, is probably the most common method you will be using when communicating with external users.

It means that you can chat and make calls with users outside your organization who also use Teams or Skype for Business.

There’s also the possibility for a user in Teams to chat with people that use the consumer version of Skype.

Configuration of external access (federation)

In the Teams Admin Center you can Enable/Disable external federation.

  • Go to https://admin.teams.microsoft.com
  • Select “Org-wide settings” and click “External access” in the left-hand menu

You will have two settings, both of which are enabled by default.

The first setting must be set to “On” to chat with external Teams and Skype organizations.

The second setting set to “On” enables the same with Skype consumer users.

Further down on the same page you have the option to block or allow external access to and from certain domains.

By default, no domains are present which means you can find, chat and call people external to your organization in any domain.

This is also called “Open federation”.

To add or block a domain click “Add a domain”.

A prompt will appear where you can type and add a domain and choose to either allow or block it.

Keep in mind that this is either an “allow all except blocked domains” or “block all except allowed domains” configuration.

This means you can’t mix allowed and blocked domains.

You either add the domains for which you want to enable external access and block all others, or you add the domains you want to block.

As an example, I added the domain “microsoft.com”.

The outcome of this configuration will be that your organization can communicate with all external domains except those using a microsoft.com user account.

Once complete, Microsoft Teams direct messaging federation is achieved.
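The same external access settings can be reviewed and set from PowerShell, which makes the choice between the two domain modes explicit. This is an added example, not part of the original article; it assumes the MicrosoftTeams PowerShell module and a Teams administrator account, and the partner domains contoso.com and fabrikam.com are placeholders.

```powershell
# Added example, not from the original article. Assumes the MicrosoftTeams
# PowerShell module and a Teams administrator account.
Connect-MicrosoftTeams

# Review the current state. With the defaults described above, both toggles
# are True and no domain is listed, which is open federation.
Get-CsTenantFederationConfiguration |
    Format-List AllowFederatedUsers, AllowPublicUsers, AllowedDomains, BlockedDomains

# Pick ONE mode; allowed and blocked domains cannot be mixed.
$mode = 'AllowList'   # 'BlockList' or 'AllowList'

if ($mode -eq 'BlockList') {
    # "Allow all except blocked domains": the article's microsoft.com example.
    $blocked = New-CsEdgeDomainPattern -Domain 'microsoft.com'
    Set-CsTenantFederationConfiguration -AllowedDomains (New-CsEdgeAllowAllKnownDomains)
    Set-CsTenantFederationConfiguration -BlockedDomains @{Replace = $blocked}
}
else {
    # "Block all except allowed domains": only named partners can federate.
    # contoso.com and fabrikam.com are placeholder domains (assumptions).
    $partners = 'contoso.com', 'fabrikam.com' |
        ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
    $allowList = New-CsEdgeAllowList -AllowedDomain $partners
    Set-CsTenantFederationConfiguration -BlockedDomains $null
    Set-CsTenantFederationConfiguration -AllowedDomains $allowList
}

# Second toggle on the page: communication with Skype consumer users.
Set-CsTenantFederationConfiguration -AllowPublicUsers $false

# Confirm what is now in effect.
Get-CsTenantFederationConfiguration |
    Format-List AllowFederatedUsers, AllowPublicUsers, AllowedDomains, BlockedDomains
```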

Microsoft Teams external access (federation) limitations

There are a few gotchas and limitations to consider using external access.

  • If both sender and recipient use Teams, both users need to be in “Teams Only” co-existence mode for the message to land in Teams. Otherwise, it will end up in the receiver’s Skype for Business client. This can cause confusion, and the message won’t be delivered if the Skype client is offline.
  • As explained, Teams users can communicate externally with other Teams clients as well as Skype clients, depending on which co-existence mode is configured. When you communicate with a Teams user externally, the chat experience lacks several features, like sharing files and including them in a group chat.
  • When you communicate with external Skype for Business users, the chat experience lacks additional features:
      • Using GIFs / emojis
      • Add to group chat
      • Sharing files

2 – Microsoft Teams guest access

Guest access differs from external access in several ways.

Using guest access means you invite a user using the “add member” feature in Microsoft Teams, using their email address.

That user then accepts your invite and becomes a (guest) member of the team.

You will know which accounts you are a guest in by the “Guest” text in your drop-down options where you change tenants.

This means that a guest user can access your organization’s teams and all its resources like channel conversations, files, Planner etc.

Furthermore, a guest user can use the chat tab in Teams to start direct messages or group messages (and even calls) with your internal users.

For guest access to work, guest access must be enabled in your tenant.

In February 2021, Microsoft is enabling this by default.

Configuration of Microsoft Teams guest access

  • Go to https://admin.teams.microsoft.com
  • Select “Org-wide settings” and click “Guest access” in the left-hand menu

Set “Allow guest access in Teams” to “On”.

The change can take a few hours to take effect.

After that, you can invite people outside your organization to your teams.

Add the guest by clicking “Add member” in the chosen team’s settings.

Type the whole email address of the person you want to invite and click “Add”.

An invitation is now sent to the email address entered.

As soon as they accept it, they can chat with your internal users and Microsoft Teams direct messaging federation is achieved.

Microsoft Teams guest access limitations

As a guest user in Teams you have several benefits over using External access for communication, but there are still limitations.

  • File sharing in one-to-one and group chat is disabled
  • Users must switch to the inviting organization in Teams to access teams and chat.
  • A different experience compared to internal users in a team.

3 – Federation Gateway for Microsoft Teams and Skype for Business

MindLink provides an XMPP Federation Gateway to enable Microsoft Teams direct messaging federation with Skype for Business 2019.

It supports bi-directional instant messaging and presence modalities allowing federated partners to communicate between platforms.

MindLink XMPP Federation Gateway supports Skype for Business 2019 (On-Premise and Online) and Microsoft Teams for the following modalities:

  • One-to-one instant messaging
  • Multi-party instant messaging
  • Presence
  • Contact cards
  • Contact list subscription notifications
  • Typing notifications
  • Rich chat content

The federation gateway is not currently self-service.

If you need to set up Microsoft Teams direct messaging federation specifically for Skype for Business 2019, you can contact the MindLink team here.

4 – Microsoft Teams direct messaging federation with Slack

When you need to collaborate with people outside your organization, they’ll likely be using Slack or Microsoft Teams, but not necessarily the same instance as you.

It’s hard to chat with freelancers, contractors, and suppliers when you’re not on the same platform.

When this is the case, it becomes unproductive moving out of your app to accommodate your guest.

To remedy switching between platforms, Mio has created universal channels for Microsoft Teams with Slack.

Once you create a universal channel and invite Slack users, you can then break out of the channel and send direct messages between Slack and Microsoft Teams.

You can stay in Teams and send messages to your contractors, suppliers, or clients that use Slack.

They stay in their platform too, and Mio translates the messages across platforms.

And it’s not just messages that are supported. GIFs, emojis, channels, DMs, and message edits/deletes are all supported too.

If this sounds like something you need, add your first Microsoft Teams universal channel for free here.

5 – Microsoft Teams direct messaging federation with Webex

The number of Cisco Webex endpoints in the world is almost uncountable.

So, the likelihood of your external contacts using Webex is pretty high.

When this is the case, it becomes unproductive moving out of Teams, into your external contact’s choice of app, and starting the conversation again.

That’s why Mio has created universal channels for Microsoft Teams with Webex…

You can stay in Teams and send messages to your contractors, suppliers, or clients that use Webex.

They stay in their platform too, and Mio translates the messages across platforms.

And it’s not just messages that are supported! GIFs, emojis, channels, DMs, and message edits/deletes are all supported too.

When you need to message someone privately, you can send a direct message from Microsoft Teams to Webex.

If this sounds like something you need, install a universal channel to either Microsoft Teams or Webex.

6 – Microsoft Teams direct messaging federation with Zoom Chat

2021 not only saw Microsoft Teams users grow to 145 million but saw Zoom’s customer base increase exponentially too.

While people at home were hosting quizzes on Zoom, businesses were embracing the video conferencing tool for Zoom Phone and Zoom Chat too.

The result?

Instances of both Zoom and Teams everywhere. But chatting between the two platforms is a challenge.

Mio syncs the conversations your employees have on Microsoft Teams and Zoom.

Once installed behind the scenes, the interoperability tech translates your Teams messages to Zoom Chat – and vice versa.

It grabs messages sent from Microsoft Teams to Zoom users and delivers them on the other app.

By embracing message interoperability between your two favorite platforms, your users can:

  • Stop switching apps to communicate: Everyone can use the messaging app they prefer. No one has to switch to new software or risk being out of the loop.
  • Reduce information silos: There’s less risk of files and conversations going missing. Mio connects your conversations and people. Everyone stays on the same page.
  • Browse and join any channel: Synchronize channels so you and your colleagues are always on the same page.

This means you’ll be able to stay in Microsoft Teams and send messages to users in Zoom Chat.

And the same is true vice versa! Your users who prefer Zoom Chat can stay in Zoom and message users on Microsoft Teams.

You can join the waitlist below to be the first to know when Teams and Zoom interoperability goes live.

For early access, join the waitlist here.
