September 02, 2020 Understanding external access management in Microsoft Teams Introduction A more enriching and purposeful way of collaboration in Microsoft Teams is its external sharing capability. Leveraging this service, Teams allows customers and business partners interact well to keep them engaged. In Teams, external collaboration restrictions and sharing settings are located in multiple admin centers and hence, configuring settings through different interfaces is little frustrating for administrators. Moreover, security concerns related to external collaboration such as data leaks and uncontrolled information sharing add additional fears to administration. With this regard, let us try to understand how to correctly set up Teams environment before letting external collaborators work with your teams safely. In Teams, external collaboration is broadly categorized into two types – external access and guest access. We will go through each of them one by one: 1. Guest access Users with guest access are called guest users. They have the ability to participate in chats and channel conversations, create channels, make calls, set up meetings and access shared files. Use this feature when you want users from outside of your organization to inherit most of the privileges of a native team member except access to OneDrive for Business and Calendar. To know more about guest user capabilities in Microsoft Teams, click here. Guest user management in Teams Guest access is disabled by default in Microsoft Teams. Any user with a consumer or business email account is authorized to access Teams environment tenant-wide. Once this capability is enabled, teams’ owners can send an email invitation to such users to join their teams and co-work. The invitation email contains a link ‘Open Microsoft Teams’. By clicking the link, guest users can accept the invitation and get added to the team with allotted permissions. Given below are some necessary pointers regarding guest user permissions: 1. Only global administrator or Teams service administrator can manage guest access. 2. It takes around two to twenty hours in Teams to fully reflect the guest settings across Microsoft 365 tenant. 3. You can define the maximum number of guest users in your Teams environment by using Azure Active Directory (Azure AD). 4. Service limits defined in Azure AD and Microsoft 365 governs guest access. 5. Managing guest access in Teams requires four different configuration portals with distinct authorization levels to control the guest experience: Azure Active Directory: Guest access in Microsoft Teams relies on the Azure AD business-to-business (B2B) platform. This authorization level controls the guest experience at the directory, tenant, and application level.Microsoft Teams: This authorization level controls the guest experience in Microsoft Teams only.Microsoft 365 Groups: This authorization level controls the guest experience in Microsoft 365 Groups and Microsoft Teams.SharePoint Online and OneDrive for Business: This authorization level controls the guest experience in SharePoint Online, OneDrive for Business, Microsoft 365 Groups, and Microsoft Teams. As mentioned above, these different authorization levels provide you with flexibility in how you set up guest access for your organization. For example, if you want to disable guest access in Teams but enable it everywhere else in your organization, you simply need to turn off guest access in Microsoft Teams. Also, you can enable guest access at the Azure AD, Teams, and Groups levels, but disable the addition of guest users on selected teams that match one or more criteria such as data classification equals confidential. SharePoint Online and OneDrive for Business have their own guest access settings that don’t rely on Microsoft 365 Groups. Now, to configure guest access in Teams admin center, follow the given steps: First login to the Microsoft Teams admin center. Then navigate to Org-wide settings > Guest access. Now, set Allow guest access in Microsoft Teams to On.Under Calling, Meeting, and Messaging, select On or Off to grant specific capabilities to guest users which include – Private peer-to-peer calls, use of IP video in calls and meetings, screen sharing, Meet Now (users can immediately start a meeting from the context of a conversation), editing of sent messages, chat, giphy (users can share animated GIFs of a specified content rating), and use of meme and sticker in conversations. Click Save to apply the configuration. 2. External access (federation) External access is a way for Teams users from an entire external domain to find, call, chat, and set up meetings with you in Teams. This means that users from two different organizations using Teams as collaboration platforms, can seamlessly connect and communicate using Teams app. You can use external access when: You have users in different domains who need to collaborate. You want users in your organization to use Teams to contact people in specific businesses outside of your organization.You want anyone else in the world who uses Teams to be able to find and contact you, using your email address.You want to enable collaboration with an external user on Skype for Business or to prevent external users from accessing Teams content. Considering the two scenarios of external collaboration, if you want external user domains to find you and communicate with you via chat, calls and meetings, then you should go for external access. But if you want external users to get access to teams and channels, collaborate on files and interact with you with greater privileges, then you should go for guest access. To learn more about the differences between guest access and external access, click here. External user management in Teams The default setting of Open federation allows external access to be fully enabled in Teams tenant-wide. There are three external access configurations that an administrator can choose from to configure external access: Open federation (default setting) – Permits external access from any domain and allows external users to find and contact team members via call, chat, and meetings using an email address.Allow specific domains – Allows external access from the specified domains if only a few business partners need it.Block specific domains – Blocks external access from the specified domains and allows access from all other domains. To change the external access configuration from the default setting, follow these steps: Go to Org-wide settings > External access in the Microsoft Teams admin center.Turn the setting Users can communicate with other Skype for Business and Teams users to On.To allow or block specific domains, click Add domain. Specify the name of the domain and add it to the Allow or Block list.Save your changes. Now, ensure that the other organizations have configured your domain too in the same way. Finally, test the configuration in your Teams app by searching the contact and sending a chat request to a federated external Teams user. If both of you can receive the requests, then the configuration is a success else you need to confirm whether firewall settings are correct on both sides. Conclusion External collaboration is a preeminent functionality in Microsoft Teams. So far, we have seen that with flexible permission policies and a wide range of configuration options, Teams can let us communicate with external users in secure ways. However, there is a lack of an established system to manage external access in Teams. As controls are distributed across different interfaces, multi-step navigation to manage guest access settings or review guest access regularly in Teams becomes a tedious and time-consuming process. To overcome the loopholes in external access management, TeamsHub by Cyclotron brings a unified interface for simplified administration by leveraging the power of automation in Microsoft Teams and other Office 365 workloads. Using TeamsHub by Cyclotron, administrators can manage external or guest users, both on tenant level and individual team level from a single interface without a hitch. To know more about external or guest user management using TeamsHub by Cyclotron, click here. Experience the next-level collaboration in your Teams environment using TeamsHub by Cyclotron and let it bring a great value to your work beyond expectations. To know more about TeamsHub by Cyclotron visit https://teamshub.io or contact sales@cyclotrongroup.com