Share via

Microsoft Teams Graph API: Unable to admit external Gmail users to meetings with lobbyBypassSettings="everyone" - allowedLobbyAdmitters conflict

Muhammed Shanoob 0 Reputation points
2026-03-25T09:22:42.34+00:00

Problem Summary

I'm developing a Teams meeting automation solution that creates online meetings

using the Microsoft Graph API. I'm encountering a situation where external users

(Gmail accounts) are unable to join unattended meetings despite having

lobbyBypassSettings.scope set to "everyone".

Current Configuration

I've successfully created a Teams online meeting with these settings:


{

  "startDateTime": "2026-03-25T05:15:00Z",

  "endDateTime": "2026-03-25T05:25:00Z",

  "subject": "External Meeting",

  

  "lobbyBypassSettings": {

    "scope": "everyone",

    "isDialInBypassEnabled": true

  },

  

  "allowedPresenters": "everyone",

  "allowMeetingChat": "enabled",

  "allowAttendeeToEnableMic": true,

  "allowAttendeeToEnableCamera": true,

  

  "participants": {

    "organizer": {

      "upn": "******@example.onmicrosoft.com",

      "role": "presenter"

    },

    "attendees": [

      {"upn": "piiremoved"},

      {"upn": "piiremoved"}

    ]

  }

}

The API response confirms:


{

  "allowedLobbyAdmitters": "organizerAndCoOrganizersAndPresenters",

  "lobbyBypassSettings": {

    "scope": "everyone",

    "isDialInBypassEnabled": true

  }

}

The Problem

What Happens:

  1. Gmail user clicks meeting join link
  2. The system checks: "Can this person bypass the lobby?" → YES (scope = everyone) ✅
  3. Gmail user enters the meeting lobby
  4. The system checks: "Can this person enter without approval?" → NO (only organizer can admit) ❌
  5. User sees: "We've let people in the meeting know you're waiting"
  6. The organizer is offline (service account created but doesn't join)
  7. Result: Gmail user is STUCK IN LOBBY indefinitely ⏳

Key Questions

I need clarification on the following:

Question 1: Two Conflicting Systems?

Are lobbyBypassSettings.scope and allowedLobbyAdmitters two independent systems?

  • lobbyBypassSettings.scope = "Who can SKIP waiting?" (bypass the lobby)
  • allowedLobbyAdmitters = "Who can APPROVE people?" (manage the lobby)

If this is correct: Setting scope="everyone" means everyone CAN bypass, but

someone still needs to be at the admission gate to actually let them in?

Question 2: Is "everyone" Supported for allowedLobbyAdmitters?

The Microsoft Teams Admin Center UI at https://admin.teams.microsoft.com/policies/meetings

only shows three dropdown options for "Who can admit from the lobby?":

  • Organizers and co-organizers
  • Organizers, co-organizers, and presenters
  • (NO "everyone" option)

Question: Is there a way to set allowedLobbyAdmitters to "everyone" via:

  • Graph API?
  • PowerShell (Set-CsTeamsMeetingPolicy)?
  • Any other method?

Question 3: Is This Intentional Design?

Microsoft's design seems to require that someone authorized (organizer/presenter)

must be PRESENT in the meeting to:

  • Admit external users from the lobby, OR
  • Moderate the lobby

Is this by design? Or is there a supported way to:

  • Auto-admit external/anonymous users without human intervention?
  • Set a meeting to "no lobby" mode for completely open access?

My Use Case

Business Requirement:

  • Service account creates Teams meetings via Graph API
  • Service account does NOT join the meetings
  • External Gmail users should join automatically without waiting
  • No human intervention needed (unattended meetings)

Current Limitation:

Can't achieve this with current settings because lobby admission still requires

an organizer/presenter to be present.

What I've Tried

  1. ✅ Set lobbyBypassSettings.scope = "everyone" (allows bypass)
  2. ✅ Set allowedPresenters = "everyone" (allows presenting)
  3. ❌ Cannot find way to set allowedLobbyAdmitters = "everyone"
  4. ❌ Tenant policy UI has no "everyone" option for lobby admission

What I Need

Clear documentation or confirmation on:

  1. Are these two systems (bypass vs admission) independent?
  2. Is "everyone can admit" supported in Graph API or any other way?
  3. If not: What's the recommended way to allow external users into unattended meetings created via Graph API?
  4. Is there a different API or feature (e.g., virtual events, webinars) that supports unattended external user access?

Attachments / References

Any Workarounds?

If unattended external admission isn't supported, what are the recommended

alternatives for my use case?

Thank you for your help!

Microsoft Teams | Development
Microsoft Teams | Development

Building, integrating, or customizing apps and workflows within Microsoft Teams using developer tools and APIs

0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Steven-N 25,305 Reputation points Microsoft External Staff Moderator
    2026-03-25T10:31:28.7933333+00:00

    Please note that our forum is a public platform, and we will modify your question to hide your personal information in the description. Kindly ensure that you hide any personal or organizational information the next time you post an error or other details to protect personal data.

    Hi Muhammed Shanoob

    Thank you for reaching out and providing such a detailed breakdown of your scenario. This is a common challenge when creating unattended meetings for external/anonymous users via the Graph API.

    I have conducted some research and laid on my own experience to directly address your questions:

    1. Are lobbyBypassSettings.scope and allowedLobbyAdmitters two independent systems?

    Yes, they serve two independent purposes but work together:

    • lobbyBypassSettings.scope determines who can automatically skip the waiting room when entering the meeting.
    • allowedLobbyAdmitters determines who has the authority to admit users that either didn't qualify for bypass or were caught by another security policy (which is exactly what is happening in your scenario).

    However, the reason your external Gmail users are getting stuck in the lobby is not because bypass settings are failing, but rather due to a separate tenant-level security policy.

    By default, Teams requires at least one authenticated user (like the organizer or someone from your tenant) to "start" the meeting before anonymous users can enter. Since your service account never joins, the meeting never officially starts, and the external users are placed in a holding pattern (the lobby) waiting for an authorized user to arrive.

    2. Is "everyone" Supported for allowedLobbyAdmitters?

    Actually**, No**. As per the Graph API OnlineMeeting resource documentation, the only supported values for allowedLobbyAdmitters are:

    • organizerAndCoOrganizersAndPresenters
    • organizerAndCoOrganizers
    • unknownFutureValue

    "Everyone" will only work for the allowedPresenters and lobbyBypassSettings.scope properties.

    3. Is This Intentional Design?

    Yes, this is completely by design. Microsoft implements this behavior to prevent unauthenticated/anonymous users from initiating meetings without a trusted host present. This acts as a security safeguard to prevent bad actors from exploiting compromised meeting join links and utilizing your organization's resources or interacting with other anonymous guests without your tenant's supervision.

    4. Any Workarounds?

    Yes, to achieve your goal of truly unattended meetings for external users, your Teams Administrator will need to adjust a specific Meeting Policy assigned to the service account (the account creating the meetings).

    The admin needs to enable the policy that allows anonymous users to start meetings:

    • Via Teams Admin Center: Go to Meetings > Meeting policies > select the policy assigned to the service account > Navigate to Meeting join & lobby (or Participants & guests) > Turn ON the setting "Anonymous users and dial-in callers can start a meeting".
    • Via PowerShell: Using the Teams PowerShell module, an admin can run the following command to update the policy. Once this policy is enabled for the meeting organizer (your service account), your current Graph API configuration (lobbyBypassSettings.scope set to everyone) will work perfectly, and the external Gmail users will be able to join the unattended meeting immediately without waiting in the lobby.

    For further reading and official guidance on these configurations, please refer to the following Microsoft documentation:

    Hope my answer will help you.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".   

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.  

    1 person found this answer helpful.
  2. Q&A Assist
    2026-03-25T09:23:14.79+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    lobbyBypassSettings and allowedLobbyAdmitters are related to the same lobby concept but control different aspects and are both constrained by tenant-level meeting policies.

    From the available information:

    1. Bypass vs. admission behavior
      • The lobby is controlled primarily by “Who can bypass the lobby” (meeting option / policy setting).
      • At the policy level this is exposed as Who can bypass the lobby with values like:
        • People in my org
        • People in my org and guests
        • People in my org, trusted orgs, and guests
        • Everyone
      • When set to Everyone, “anyone who has access to the meeting link gets into the meeting directly, including people who call in,” subject to tenant policies and trust relationships. However, even with Everyone selected, “people joining without a Teams account, people from untrusted organizations, and people dialing in may be placed in the lobby until someone from your organization or a trusted organization joins the meeting, even if the Everyone option is selected.”
      • This means that even if lobbyBypassSettings.scope = "everyone", external anonymous users can still be forced into the lobby until an authenticated user from the organizer’s or a trusted organization joins.
      The context does not document allowedLobbyAdmitters as a configurable policy or meeting option; what is documented is that organizers, co-organizers, and presenters are the roles that manage the lobby and admit people.
    2. “Everyone can admit” is not exposed as a policy option
      • The documented meeting policy setting is Who can bypass the lobby, not “who can admit from the lobby.”
      • In Teams admin center, the documented options are for bypass, not admission, and the roles that can admit are fixed (organizer/co-organizer/presenter). There is no documented policy or setting that allows all attendees to admit others from the lobby.
      • The context does not show any way—via Teams admin center, meeting options, or policy—to set an “everyone can admit” behavior.
      Therefore, based on the provided documentation, there is no supported way exposed in policy/meeting options to make all attendees lobby admitters. Any allowedLobbyAdmitters behavior is constrained by the fixed roles that can manage the lobby.
    3. Requirement for an authenticated participant to start/admit
      • The Meetings policy includes:
        • Anonymous users can join a meeting (On/Off)
        • Anonymous users and dial-in callers can start a meeting (Off by default)
          • When this is on, “anonymous users and dial-in callers can start a meeting without someone in attendance. When this setting is off, they must wait in the lobby until someone in your organization, a guest, or a user from a trusted organization starts the meeting. This setting only works if Anonymous users can join a meeting is turned on in both the org-wide meeting settings and in this meeting policy and Who can bypass the lobby is set to Everyone.”
      • This confirms the design: even with Who can bypass the lobby = Everyone, anonymous/external users may still be held until a trusted/organizational user joins, unless the combination of policies explicitly allows anonymous users to start the meeting.
      The context does not describe any setting that would allow external anonymous users to always enter and run a meeting completely unattended if tenant policies require a trusted participant to start/admit.
    4. Implications for unattended external meetings
      • To maximize automatic entry for external users, the tenant must be configured so that:
        • Anonymous users can join a meeting is On in org-wide meeting settings and in the meeting policy.
        • Who can bypass the lobby is set to Everyone in the meeting policy (which becomes the default for meeting options, and organizers/co-organizers can still change it per meeting).
        • Optionally, Anonymous users and dial-in callers can start a meeting can be turned On if the organization accepts the risk that anonymous users can start meetings without an internal participant.
      • Even with these settings, the documented behavior still allows the service to place some external/anonymous users in the lobby until someone from the organization or a trusted organization joins, depending on trust and account conditions.
      The provided documentation does not describe any additional API, policy, or feature that guarantees “no-lobby, fully unattended, external-only” meetings beyond these controls.
    5. Answers to the specific questions (within documented scope)
      1. Are bypass vs. admission independent systems?
        • The documentation models the lobby through Who can bypass the lobby and role-based lobby management (organizer/co-organizer/presenter). Bypass and admission are related aspects of the same lobby system, not two fully independent systems. Bypass determines who skips the lobby; admission is handled by specific roles and constrained by tenant policies.
      2. Is “everyone can admit” supported?
        • The context does not document any “everyone can admit” option in Teams admin center, meeting options, or policies. Only organizers, co-organizers, and presenters are described as managing/admitting from the lobby.
      3. Is requiring an authorized person by design? Any way to auto-admit external users?
        • Yes, the documented design is that anonymous/external users are governed by:
          • Anonymous users can join a meeting
          • Anonymous users and dial-in callers can start a meeting
          • Who can bypass the lobby
        • To auto-admit as far as supported, configure the meeting policy so that:
          • Anonymous users can join a meeting = On
          • Who can bypass the lobby = Everyone
          • Optionally, Anonymous users and dial-in callers can start a meeting = On
        • Beyond this, the documentation explicitly states that some external/anonymous users may still be placed in the lobby until someone from the organization or a trusted organization joins, even when Everyone is selected.
      4. Alternatives for unattended external access
        • The provided context does not describe any alternative API or feature (such as webinars or virtual events) that changes these lobby rules for unattended external-only meetings.

    Within the documented scope, the supported approach is to configure meeting policies (especially Who can bypass the lobby, Anonymous users can join a meeting, and Anonymous users and dial-in callers can start a meeting) to minimize lobby use for external users, understanding that some lobby behavior for anonymous/untrusted participants is by design and cannot be fully removed via allowedLobbyAdmitters.

    References:

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.