Teams federation between two 365 tenants

Question

Teams federation between two 365 tenants

Allan Stark 1

We have two dedicated MS365 tenants. One of them has sync with on-prem local AD.
Once there was Exchange, but mailboxes were migrated a few years ago to the 365/ExO cloud and since then synchronization has been configured only for password hashes in both directions (not a hybrid).
Also no any SfB and never was in both tenants.
Users in both tenants have MS365BP and MS365E3 subscriptions.

I need to federate MS Teams between these 2 tenants, so that users can communicate in several Teams in both tenants.
I have followed all the recommendations described in this article: https://learn.microsoft.com/en-us/microsoftteams/communicate-with-users-from-other-organizations

All settings (except that Org-wide settings have been moved) have already been set by default.
I tried to create a new team in first tenant and add users from second tenant to it by their main email address / UPN, but it just doesn't find them.
The same and vice versa.
I tried to explicitly specify the allowed tenant domains in the External access settings in both Teams Admin Centers and even waited more than 24 hours. But with same result.
Team owners also cannot invite users from another tenant to their Teams.

After that I tried to add guest users in both tenants and after that these users can be added to teams and channels.
But this is very inconvenient for users, because in their Teams apps they have to switch to the second (guest) account in order to communicate with users of another 365 tenant.

We have more than 200 users in the first tenant and ~100 in second and more than half of them must communicate with each other in teams in another tenant...

Paul van Berlo 826 Reputation points

2021-10-01T19:21:43.45+00:00

External users cannot directly be added into teams. You can only invite guest users into a team. You should however be able to chat with external users. You either need to set external access to fully be allowed, or you need to whitelist/blacklist domains. Also, I've seen issues with the coexistence mode, are all these users set to 'Teams Only' in both tenants?
Allan Stark 1 Reputation point

2021-10-01T19:30:45.073+00:00

I have no coexistence mode, here is all my current settings in both tenants:
Paul van Berlo 826 Reputation points

2021-10-01T19:43:25.477+00:00

Just to be sure:

1) Can users chat with each other between tenants?
2) Can users invite a new guest into a team from the other tenant? Just checking because based on your original post it seems that you manually added the guests into your tenant first?

If the answer to both questions is YES, then it's basically working as expected. If the answer to either one is NO, then something else is wrong and this needs to be investigated in more detail. Based on your screenshots, I do not see any immediate concerns with those settings and federation should be open. Also check to make sure guest access is enabled:
Allan Stark 1 Reputation point

2021-10-01T20:04:38.943+00:00
No, users in one tenant can't find users from the another tenant in their Teams search string ("We didn't find any matches.").

No, they can't

I added guests in an explicit way for checking, but now for the sake of testing, I removed them completely (and from the deleted ones too).

3 answers

Your answer

Paul van Berlo 826 Reputation points

2021-10-01T19:21:43.45+00:00

External users cannot directly be added into teams. You can only invite guest users into a team. You should however be able to chat with external users. You either need to set external access to fully be allowed, or you need to whitelist/blacklist domains. Also, I've seen issues with the coexistence mode, are all these users set to 'Teams Only' in both tenants?
Allan Stark 1 Reputation point

2021-10-01T19:30:45.073+00:00

I have no coexistence mode, here is all my current settings in both tenants:
Paul van Berlo 826 Reputation points

2021-10-01T19:43:25.477+00:00

Just to be sure:

1) Can users chat with each other between tenants?
2) Can users invite a new guest into a team from the other tenant? Just checking because based on your original post it seems that you manually added the guests into your tenant first?

If the answer to both questions is YES, then it's basically working as expected. If the answer to either one is NO, then something else is wrong and this needs to be investigated in more detail. Based on your screenshots, I do not see any immediate concerns with those settings and federation should be open. Also check to make sure guest access is enabled:
Allan Stark 1 Reputation point

2021-10-01T20:04:38.943+00:00

No, users in one tenant can't find users from the another tenant in their Teams search string ("We didn't find any matches.").

No, they can't

I added guests in an explicit way for checking, but now for the sake of testing, I removed them completely (and from the deleted ones too).

Answer 1

JimmyYang-MSFT 58,646 Microsoft External Staff

@Allan Stark

According to your description, it seems this problem is related to external access in Microsoft Teams. By default, external access is turned on in Teams, which means that your organization can communicate with all external domains. If you add blocked domains, all other domains will be allowed; and if you add allowed domains, all other domains will be blocked. So we recommend you check if you add the domains in the blocked domains.

If the response is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Paul van Berlo 826 Reputation points

2021-10-04T09:08:03.537+00:00

Hi @JimmyYang-MSFT ,

@Allan Stark already mentioned he tried this, plus, the screenshot shows there are currently no domains configured. Do you have any other recommendations?
JimmyYang-MSFT 58,646 Reputation points Microsoft External Staff

2021-10-08T05:45:56.47+00:00

@Allan Stark

Does anyone else have the same problem in your organization?

Have you tried to use Teams web client to see if this issue can be reproduced?

It is really strange. I did a test in my environment by following your setting and in two different tenant, users can search it each other with no issue.
JimmyYang-MSFT 58,646 Reputation points Microsoft External Staff

2021-10-15T10:19:11.167+00:00

@Allan Stark

It has been a while, how is everything going?
If you have any update about this issue, please feel free to post back.

Answer 2

Mr Sb 371

What you are looking for is only possible by using Azure AD B2B collaboration. It's too much to explain in a single post so I would recommend to read the following article:

https://learn.microsoft.com/en-us/azure/active-directory/external-identities/what-is-b2b

----------

Answer 3

Allan Stark 1

Thanks to all who responded.
One additional question.
In both variants of inter-tenant Teams interaction (federation and guests), do we need to pre-add users as guests to both 365 tenants? Because in a scenario when there are several hundred users in each of the 365 tenants, this is quite time consuming.

Paul van Berlo 826 Reputation points

2021-10-04T11:16:54.827+00:00

No, but it depends on how settings are configured in Azure AD. At the highest level, this will allow or disallow guest access. If I were you I would check those settings, people sending out the invites will need to be allowed to invite guests.

Share via

Teams federation between two 365 tenants

3 answers

Your answer