Table of Contents
Teams External Access for Chat and Calling
Teams users have been able to chat and call people in other Teams tenants for some years. This is a very useful capability because it means that you don’t need to have a guest account in a tenant to communicate with its users. Microsoft added the capability to chat with Skype consumer users in 2020. Both features are enabled by external federation, the component which manages user ability to communicate outside the tenant. By default, the tenant external federation configuration allows communication with Teams users in any tenant. Administrators can manage the configuration through the External access section under Users in the Teams admin center. For instance, an organization might decide to limit external federation to a subset of tenants considered necessary for business communications.
Bringing Teams Consumer into the Chat Fold
Message center notification MC296208 (updated January 4, Microsoft 365 roadmap item 88381) expands external federation to cover chat (but not calling) with Teams consumer users. Given the presence of a Teams consumer client in Windows 11 and Microsoft’s fervent hope that people will embrace Teams consumer, it’s unsurprising that consumer and enterprise Teams users should be able to communicate. Up to now, any attempt to chat with a Teams enterprise user from Teams consumer results in an exchange of email, which is not quite the immediate connection delivered by chat.
According to MC296208, roll-out of Teams external access for Teams consumer starts in early January and should complete in mid-January. As always, this timing might change. Unlike external federation with Skype consumer users, Teams consumer supports both 1:1 and group chats. Another interesting aspect is that Teams enterprise users can find Teams consumer users with their email address or phone number (obviously, this must be the phone number registered by the user when they signed up for Teams consumer). But then again, you can also search for Teams enterprise users with their phone number, if you really must…
Tenant Controls for Teams External Access with Teams Consumer
Settings in the tenant’s external federation configuration control the communication with Teams consumer users (also called “Teams accounts not managed by an organization”). Two controls are available in the External access section of the Teams admin center:
- People in my organization can communicate with Teams users whose accounts aren’t managed by an organization: Set On to allow your users to communicate with Teams consumer users.
- External users with Teams accounts not managed by an organization can contact users in my organization: Set On to allow Teams external users to search for and contact users in your tenant using their SIP address (usually the same as their primary SMTP address and user principal name). Set Off to stop this happening and prevent unsolicited contact from Teams consumer users. Figure 1 shows that this setting is Off.
By default, both settings are On, meaning that if you don’t update them, full bi-directional chat is available between Teams enterprise and consumer users.
You can also update the Teams consumer controls with PowerShell by running the Set-CsTenantFederationConfiguration cmdlet. For example, this command disables both settings.
# Disable both outbound access (AllowTeamsConsumer) and inbound access (AllowTeamsConsumerInbound) for Teams consumer users Set-CsTenantFederationConfiguration -AllowTeamsConsumer $False -AllowTeamsConsumerInbound $False
Other settings in the external federation configuration include:
- AllowFederatedUsers: Set to False to stop chat and calling with Teams users in other tenants.
- AllowPublicUsers: Set to False to stop chat and calling with Skype Consumer users.
Per-User Control for External Federation
The Teams external access policy assigned to an account controls the level of external access a user has.
Get-CsonlineUser -Identity Jane.Sixsmith@office365itpros.com | Select ExternalAccessPolicy ExternalAccessPolicy : FederationAndPICDefault Get-CsExternalAccessPolicy -Identity FederationAndPICDefault Identity : Global Description : EnableFederationAccess : True EnableXmppAccess : False EnablePublicCloudAccess : True EnablePublicCloudAudioVideoAccess : True EnableOutsideAccess : True EnableAcsFederationAccess : True EnableTeamsConsumerAccess : True EnableTeamsConsumerInbound : True
If an external access policy isn’t defined for an account, it uses the tenant settings.
Important settings for federated communications defined in the external access policy are:
- EnableFederationAccess: Allow communication with Teams users in other tenants.
- EnablePublicCloudAccess: Allow communication with Skype consumer users.
- EnableTeamsConsumerAccess: Allow communication with Teams consumer users.
- EnableTeamsConsumerInbound: Allow Teams consumer users to initiate communication with this account.
To gain maximum control over how Teams users communicate externally, you might want to create a new external access policy. This is done as follows:
- Create a new external access policy with New-CsExternalAccessPolicy.
- Update the settings in the new policy with Set-CsExternalAccessPolicy.
- Assign the new policy to user accounts.
For example:
New-CsExternalAccessPolicy -Identity "Block Teams Consumer" Set-CsExternalAccessPolicy -Identity "Block Teams Consumer" -EnableTeamsConsumerAccess $False Grant-CsExternalAccessPolicy -Identity Jane.Sixsmith@office365itpros.com -PolicyName "Block Teams Consumer"
Teams External Access with Teams Consumer
Once permitted, it’s easy for a Teams enterprise user to connect with a Teams consumer user by starting a new chat, entering the email address of the consumer user, and searching externally. The initial messages go to the external user, who must decide if they wish to accept or block the connection (Figure 2).
You can add a Teams consumer user to a group chat, but you can’t share previous chats as a new chat starts to accommodate the external user.
A similar check before acceptance is used when a Teams consumer user contacts a Teams enterprise user, with the subtle difference that the Teams enterprise user sees the warning that Messages from unknown or unexpected people could be spam or phishing attempts.
Recipients of inbound connections can preview the messages, which is a good reason for clearly stating the intent and purpose of the conversation in the initial messages, unlike those shown in Figure 3. Only a contravention of the don’t say hello in chat rule would be worse!
Some limitations exist in what can happen in a mixed-Teams chat. The biggest loss of functionality is the inability to make calls or share files. Given that Teams users can call Skype consumer users, the loss of calling is surprising (I anticipate this feature will come soon). Not being able to share files is likely because enterprise and consumer Teams use different versions of OneDrive.
From a compliance perspective, the Microsoft 365 substrate captures compliance records for eDiscovery in the enterprise tenant. Teams consumer doesn’t have this capability. On a more serious note, Microsoft documents that Data Loss Prevention (DLP) policies don’t apply to external access chats. If you’ve invested in DLP for Teams (which needs Office 365 or advanced compliance licenses), you’re unlikely to be impressed at the prospect that tenant users can share sensitive information in external chats. This is definitely a hole which Microsoft should close.
Generally, all went as expected. The only issue I ran into was when attempting to connect to an account signed into Teams consumer that I had previously communicated with from Teams using Skype consumer. Teams stubbornly refused to communicate using anything other than Skype consumer. There’s nothing wrong with the Teams consumer account because I was able to connect with it in a group chat when another enterprise account added the consumer account to the chat.
Connections for Those Who Want Them
I’m unsure as to how many Teams consumer accounts are ready to use Teams external access to communicate with enterprise tenants. Sure, the client is in Windows 11 and many people might have kicked the tires of the client but knowing how many persist and use Teams consumer on an ongoing basis is a different question. In any case, for those who use Teams consumer, the pathway to communication with their enterprise connections is now available. That is, if enterprise tenants enable the capability.
Keep up to date with developments in Microsoft Teams by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers understand the most important changes happening across Office 365.
I don’t understand how the functionnality works. We have enabled the same option as showed in Figure 1 but our Teams users enterprise are unable to engage a conversation with a teams personal account, because we can’t find any personnal account with the search bar, Teams find nothing.
I would check for client updates and make sure that you’re running the latest client software. If in doubt, sign out of Teams and sign back in again too. That often “fixes” things…
Have the external access commands been removed? I have the Teams module installed and I can run any options, but for some reason those 3 commands are not recognized as cmdlet, function, etc.
New-CsExternalAccessPolicy
Set-CsExternalAccessPolicy
Grant-CsExternalAccessPolicy
I have the MicrosoftTeams 3.1.1 module installed.
I have them show up .
get-command *externalaccess* -Module MicrosoftTeams
CommandType Name Version Source
———– —- ——- ——
Function Get-CsExternalAccessPolicy 3.1.1 MicrosoftTeams
Function Grant-CsExternalAccessPolicy 3.1.1 MicrosoftTeams
Function New-CsExternalAccessPolicy 3.1.1 MicrosoftTeams
Function Remove-CsExternalAccessPolicy 3.1.1 MicrosoftTeams
Function Set-CsExternalAccessPolicy 3.1.1 MicrosoftTeams
I do as well. But when I execute the command I get the error that says it does not exist
What about an option to allow certain users external access to some certain external domains, so…. different users have access to different external domains? Is it possible? I don’t see any option co configure it that way right now 🙁
I don’t believe such access controls are available.
Hi Tony,
thank you for sharing this! There seems to be a small typo in your PS example to assign a external access policy:
Grant-CsExternalAccessPolicy -Identity Jane.Sixsmith@office365itpros.com
the Parameter “PolicyName” is missing:
-PolicyName “Block Teams Consumer”
Yep. That’s a typo. Fixed now. Thanks!
Is there a way to remove the need for acceptance when a person outside my organization sends the message in Teams?
No.
Hey Tony, just want to confirm this is possible: I want to enable External Access for 10 of my users to be able to chat with Company A and Company B only. I want to block all my other users from have external access with anyone. The way I’m reading the MS Article, is that I need to Allow Company A and Company B under “Teams and Skype for Business users in external organizations.” Then run PS to disable -EnableFederationAccess globally. Create a new policy with -EnableFederationAccess set to true. Then assign the users to that new policy? I was a little confused that if the new policy is only allowed to chat with Company A and B or is it all External Company’s.
https://learn.microsoft.com/en-us/microsoftteams/trusted-organizations-external-meetings-chat?tabs=user-policies#manage-external-user-profiles
I think you need to run Set-CsExternalAccessPolicy to update the default policy and disable federation with any organization. Then create a new external access policy that allows external fedebration and assign it to the ten users. Finally, set the external federation configuration in the Teams admin center to specific tenants and add those tenants to the configuration.
That’s where I’m a little hazy – “add those tenants to the configuration” I don’t see a way to add the tenants except in the Admin Center GUI. Which made me think that’s where they get added. A bit frustrated since I open a case with Microsoft on this and the engineer said, “it is not possible to only allow certain users, it’s tenant level only.” This was after I sent them the article from MS showing it is possible (me venting)
You can add domains to the extrnal federation configuration via the Teams admin center or with PowerShell (here’s an example explained in an article https://practical365.com/teams-external-access-powershell/)