Preparing your organization for Mesh

This page covers the required tasks and suggested functional roles that may need to know about the rollout, but follow your organization's standard rollout process, including change and configuration management.

This content covers requirements for Mesh implementations for Immersive spaces in Mesh and immersive spaces in Teams. At a high level, the steps are:

  1. Gather your deployment team

  2. Verify licenses and policies

  3. Consider tenant selection

  4. Contact owners of supporting teams

  5. Configure service plan to allow user access

  6. Configure your network for Mesh experiences

  7. Work with stakeholders to begin deployment

After planning for your Mesh implementation, learn how set up Microsoft Mesh and set up immersive spaces in Teams.

Gather your deployment team

Executive-level sponsorship is highly advisable to help with any cross-team blocking issues.

You will need access to several administration tools:

  • Teams Admin Center (TAC) is needed to configure avatar and immersive spaces administration.

  • Azure portal is needed to administer Mesh cloud scripting used for custom Mesh environments (if your environments optionally use that form of scripting).

  • Other tasks like permitting URLs and firewall ports will be done in whatever administrative tools are used by your organization.

  • Mesh uses other parts of the Microsoft 365 suite. If your organization restricts access to these resources, parts of Mesh won't work. Talk to whoever has access to the Microsoft 365 Admin tools to determine if there are any restrictions and to test whether those restrictions will interfere with Mesh.

    For example, the table below defines what access is needed for specific actions:

    Mesh Action Access Needed
    Create a Mesh Collection Create Microsoft 365 group
    Be added as a member to a Mesh Collection Access Microsoft 365 groups
    Create a Mesh event Access to Microsoft 365 Calendar
    Be invited to a Mesh event Access to Outlook Mail
    Create a template Access to SharePoint
    Add an image or video top an event or template Access to either SharePoint or OneDrive

Tip

There are some setup tasks that may require cooperation from individuals or departments outside of the individual or team that will be deploying and running Mesh, for example Licensing, Security, and Endpoint Management. Other stakeholders like Help Desk and Human Resources may also need to be consulted.

Verify your licenses and policies

For avatars and immersive spaces in Teams, your users must have licenses for one of the following: Teams Essentials, Microsoft 365 Business Basic, Microsoft 365 Business Standard, Microsoft 365 Business Premium, Microsoft 365 E3/E5, and Office 365 E1/E3/E5.

License requirements for Immersive spaces in Mesh

For Microsoft Mesh, you will need the following:

Subscription requirements

To use Microsoft Mesh, all users (including developers, event organizers, and event attendees/users) are required to have a M365 Office subscription with access to SharePoint, OneDrive, and M365 Calendar.

These are required for:

  • Group creation: Used for Mesh World creation in Mesh on the web.
  • SharePoint/OneDrive: Used for custom event/template creation.
  • Mailbox/Calendar: Used for events creation and/or sending/receipt of event invites.

For help, see the immersive spaces in mesh licensing Troubleshooting and FAQs.

License requirements for Immersive spaces in Teams

Required Licenses

Your users must have a commercial Teams license: Microsoft Teams Enterprise, Teams Essentials, or one of the following M365, O365, or Business SKUs with Teams included: Microsoft 365 Business Basic, Microsoft 365 Business Standard, Microsoft 365 Business Premium, Microsoft 365 E3/E5, and Office 365 E1/E3/E5.

Learn more about how to set up immersive spaces in Teams.

For help, see the immersive spaces in Teams licensing Troubleshooting and FAQs.

Consider which tenant to Provision for Mesh

The two main factors to consider when choosing which tenant(s) to provision for Mesh are:

  1. Which users should be able to access immersive experiences.

    All users who will be participating in immersive experiences together must have native accounts in the same Microsoft Entra ID (formerly Azure Active Directory) - guest access to the tenant does not work.

  2. The tradeoffs between having unlimited control of a domain and having ultimate responsibility for running the domain securely and effectively.

Primary tenant for Mesh

Provisioning up your primary production tenant for Mesh is recommended because it will give you the biggest scope to test with, but it may create overhead work through internal procedures and approvals.

Separate tenant for Mesh

If you want to collaborate with people outside your production tenant, you might want to set up a separate tenant just for Mesh. There is no technical barrier to creating user accounts in a production tenant for people who do not work for that organization, but there may be strong business reasons against doing so.

Note

However, creating additional tenants will increase complexity for admins and users to manage accounts, may also incur additional expenses for licensing and domain management, and may require additional process within your organization.

If you expect to use immersive spaces in Teams for users in your production version of Teams, you will definitely want to provision your production tenant for Mesh. While you can create other tenants for testing, people who use Teams throughout the day are highly unlikely to want to log out of their main Teams account to log into a different account in a different tenant. A separate tenant is more practical for the Mesh app, where it's simpler to flip between accounts.

Each tenant can have multiple Azure Storage subscriptions, but the Azure Storage subscription used for Mesh cloud scripting must be in the same EntraID as the users who will attend events and the developers who will upload and manage the scripts.

Contact owners of supporting teams

To complete the steps to get Mesh running, you will need to either have various rights and permissions or be in contact with people in your organization who can grant the rights and permissions you will need. Depending on your company structure and policies, this process can be time-consuming, so it helps to start the outreach as soon as possible.

The following section lists organizational roles that you will probably need to work with to complete the required pre-deployment tasks:

Teams apps managers

The administration for immersive spaces and avatars will happen in the Teams admin portal, admin.teams.microsoft.com. You will need the tenant Global Administrator to assign someone on the Mesh team the role of Teams Administrator in Microsoft Entra, or you will need to work closely with a current Teams Apps Manager to make all necessary configurations.

Teams apps policies

Two of the Mesh components you will be using are Teams apps; you should set policy to make sure only approved users have access to them. Modify the Teams app policies at the Global or custom level to allow/block the Mesh apps as needed. If you want your designated users to have the Mesh components installed automatically, you must set the Teams Apps setup policies too. Coordinate with whoever owns Teams app management to plan for appropriate policies. For more information about Teams access control, see https://admin.microsoft.com/Adminportal/Home#/rbac/directory.

Teams feedback policies

Microsoft relies on feedback from users to make better products. The Teams administrator can set whether users can send feedback about Teams to Microsoft. Feedback can be permitted based on Entra ID group membership. If Teams feedback is disabled, users will not be able to send feedback about Mesh features built into Teams. We strongly encourage your org to permit this feedback for Mesh users but consult your company policies before making any changes. For more information about managing feedback, see

Manage feedback policies in Teams

Configure service plan to allow user access

For more information about service plans, see Configure access to Mesh using service plans.

Review endpoint managers

Make sure you know your organization's process for deploying apps. The Mesh app is available in the Microsoft Store and can be depoloyed from there using your MDM (mobile device management) solution like Microsoft Intune to deploy the app and make it show up in the users' Company Portal. If you block access to the Microsoft Store, you can use WinGet instead. For more information about deploying apps with Microsoft Intune, see:

Add Microsoft Store apps to Microsoft Intune

Configure Azure for Cloud Scripting

If your developers plan to build custom Mesh environments that will use Mesh Cloud Scripting, they will require an Azure subscription to which they can deploy their cloud scripting service. An Azure subscription is not required for environments that only use Mesh Visual Scripting.

For more details on the prerequisites for Mesh Cloud Scripting, see Prepare for your first Mesh Cloud Scripting project.

Work with your organization's security team

Before deploying any new app or service, you must consider the security implications and work closely with your security team to make sure you comply with all standard security policies. Discuss the following Mesh requirements in advance with the appropriate Security owners.

Endpoints and firewall configuration

As with all Microsoft products, allowing the endpoints and ports required for Mesh experiences is necessary to achieve full functionality and optimal performance for your users. How you use the network configuration requirements for Mesh depends on your enterprise organization network architecture.

Endpoints and firewall ports for Mesh experiences in Teams

This section outlines the specific endpoints and firewall requirements for the Mesh app in Teams and the Avatars app, which allow users to join an immersive space (3D) while in a Teams meeting and use avatars in meetings.

Avatars in Teams

Configure your enterprise firewall settings to align with the standard set of Microsoft 365 requirements outlined in Microsoft M365 URLs and IP address ranges.

Immersive spaces in Teams

Configure your enterprise firewall settings to align with the standard set of Microsoft 365 requirements for Microsoft Teams, and Microsoft 365 Common outlined in Microsoft M365 URLs and IP address ranges.

As part of this, ensure that you have configured your firewall to enable traffic to *.cloud.microsoft.com, *.office.com, and *.microsoft.com over TCP 443, 80.

Mesh also requires the IP addresses and port ranges detailed in Firewall configuration for Azure Communication Services for media capabilities such as audio, video, and screenshare.

Without access to these, Mesh won't work properly for users in your organization.

Endpoints and firewall requirements for immersive spaces in Mesh

This section outlines the specific endpoints and firewall requirements for Immersive experiences in Mesh, inclusive of the Mesh application and its features that your organization can leverage to create dynamic corporate events.

In general, the standard set of Microsoft 365 requirements outlined in Microsoft M365 URLs and IP address ranges applies to all Mesh experiences with some extra steps to enable additional Mesh features like larger multi-room events, Cloud Scripting, and embedded content (WebSlate, Video/Image objects).

Step 1: Configure according to Microsoft M365 requirements

Configure your enterprise firewall settings to align with the standard set of Microsoft 365 requirements for Microsoft Teams, and Microsoft 365 Common outlined in Microsoft M365 URLs and IP address ranges.

As part of this, ensure that you have configured your firewall to enable traffic to *.cloud.microsoft.com, *.office.com, and *.microsoft.com over TCP 443, 80.

Mesh also requires the IP addresses and port ranges detailed in Firewall configuration for Azure Communication Services for media capabilities such as audio, video, and screenshare.

Without access to these, Mesh won't work properly for users in your organization.

Step 2: Enable attendee access to scripts and content over time

Cloud scripting

If you or your development team plans to use Cloud scripting to display dynamic and rich data in Mesh environments by interfacing with Azure, you'll need to allow traffic to the Azure resources that your enterprise hosts for cloud scripting.

You can do this as new environments using cloud scripting are published by allowing traffic on TCP port 443 (HTTPS) to that environment's hosted app: <app>.azurewebsites.net.

Embedded content (WebSlate, video/image)

The Mesh app enables dynamic content experiences leveraging the web and Azure. This empowers event organizers to place Video and Image Objects with a no-code event customization experience, and developers to add web interactivity with WebSlates.

Dynamically loaded, embedded content have unique requirements for immersive experiences due to the unique permissions required to access resources while within Mesh experiences.

Important

There are two considerations to ensure that embedded content is accessible in immersive spaces in Mesh:

  • If stored in SharePoint, the content will follow M365 requirements: Organizers must ensure attendees have access to URL. Attendees must have permissions to the specified file or Share link.
  • If not in SharePoint, the content will follow firewall rules: Organizers must ensure the URL domain is in the firewall/allowlist for TCP Port 443 (HTTPS). Attendee client devices will download from this URL directly.
Content type How it works
WebSlate

Embed interactive web content in Mesh environments or templates.

WebSlates display web content using a client WebView on each attendee's device. If their target URLs are blocked for an attendee in a browser, then they will also be blocked in Mesh.
Video & Image Objects Embed videos and images into Mesh environments. The Mesh app enables organizers to customize experiences for their Mesh Event by referencing image and video URLs.

If these URLs are blocked for an attendee in a browser, then they will also be blocked in Mesh.

Tip

In addition to firewall allow lists, WebSlates require that environment developers add the URL's domain to the Unity WebSlate component's allow list as well.

For more information about WebSlate security and allowlisting, see WebSlate performance and security.

Network bandwidth requirements

Bandwidth requirements for Mesh events

The following network bandwidth requirements are designed to help users in your organization have the best possible experience with Mesh immersive experiences.

While we are constantly working on improving how Mesh works even in poor network conditions, you may want to further optimize your network if users in your organization report poor audio quality, audio cutting out, or delayed or jerky avatar movement.

Mesh immersive experiences build on top of Microsoft Teams network bandwidth requirements for capabilities such as screenshare, with additional bandwidth needed for immersive capabilities such as avatar movement and spatial audio, and to be able to visualize users in other rooms.

Bandwidth requirements for all events

Modality Minimum (kbps) Recommended (kbps) Best performance (kbps)
Avatar movement & audio 30/370 80/700 100/850
Screenshare (Same as Teams) 250/250 2,500/2,500 4,000/4,000

Additional bandwidth requirements for multi-room events

Modality Minimum (kbps) Recommended (kbps) Best performance (kbps)
Broadcast presenters 30/110 80/160 100/180
Visualizing users in other rooms 65/65 - -

As an example, a multi-room event such as a team all hands with screenshare, broadcasted presenters, and visualization for users in other rooms will require a minimum of 375 kbps downstream, and 795 kbps upstream, and a maximum of 4,265 kbps downstream and 5,095 kbps upstream.

Note: these metrics are calculated based on maximum room, presenter, and event capacities as documented in Mesh limitations and specifications, to help you best prepare your organization's network for Mesh. Smaller event sizes will have lower network requirements, for example due to there being fewer avatars, speakers, and rooms.

Custom content such as videos added through Mesh event customization may require further bandwidth. For events with custom content, we recommend testing your event beforehand with a representative network connection to make sure that content loads correctly and experience performance is adequate.

Bandwidth requirements for Immersive spaces in Teams

The following network bandwidth requirements are designed to help users in your organization have the best possible experience with Mesh immersive experiences.

While we are constantly working on improving how Mesh works even in poor network conditions, you may want to further optimize your network if users in your organization report poor audio quality, audio cutting out, or delayed or jerky avatar movement.

Mesh immersive experiences build on top of Microsoft Teams network bandwidth requirements for capabilities such as video and screenshare, with additional bandwidth needed for immersive capabilities such as avatar movement and spatial audio.

Immersive participants

Modality Minimum (kbps) Recommended (kbps) Best performance (kbps)
Avatar movement & audio 30/370 80/700 100/850

Non-immersive participants

Modality Minimum (kbps) Recommended (kbps) Best performance (kbps)
Audio (Same as Teams) 30/370 80/700 100/850
Video (Same as Teams) 150/200 2,500/4,000 4,000/4,000
Screenshare (Same as Teams) 250/250 2,500/2,500 4,000/4,000

As an example, a meeting with some participants in immersive, some participants not in immersive with their video on, and screenshare will require a minimum of 440 kbps downstream, and 830 kbps upstream, and a maximum of 8,176 kbps downstream and 8,926 kbps upstream.

Note: these metrics are calculated based on immersive spaces being at its 16-person capacity, to help you best prepare your organization's network for Mesh. Smaller event sizes will have lower network requirements, for example due to there being fewer avatars and speakers.

Conditional Access & Quest

Note

Conditional Access policies should be modified only by someone in your organization with a clear understanding of the implications of the changes. Consult your security team or other expert in your company security policies before making any changes.

Note

Mesh does not currently support Mobile Application Management (MAM) which would be needed in situations where your organization supports the use of Personal Quest devices (BYOD).

Conditional access is an important part of a zero-trust approach to helping secure your network and resources. As part of zero trust, many companies use conditional access features policies with Microsoft Entra and Microsoft Intune to restrict the types of devices that are permitted to access company resources, and even the operating system version and configuration on those devices; devices that meet the defined profile are allowed in, and any other device that is not specified is denied access. Meta has released a beta GA version MDM support for Quest that works with Intune. Each company using Mesh in pre-release will have to work with their security and endpoint management teams to decide if a policy can be constructed that is acceptable to the company's risk profile while still permitting access to Quest devices.

There is one solution currently: In order to access Mesh on Quest with conditional access policies that may block Mesh on Quest, the solution is to create a custom conditional access policy in Microsoft Entra to exclude Microsoft Mesh Services and Office 365.

For more information about Conditional Access, see:

Work with Stakeholders That Communicate Change

The stakeholders listed above all have active steps that will impact the setup of your Mesh environment, but there may be other parts of your org that will be impacted by the deployment or might have policies or guidelines that need to be considered early in your planning process. Here are some areas of your organization you might need to reach out to before you deploy.

  • Change Communications: If you have a standard process for contacting users about pending changes, make sure Mesh is part of those communications.

  • Help Desk: Have a support plan in place for users who experience issues using Mesh. Make sure your Mesh admins have a way to review issues experienced by users so they can be communicated to Microsoft as needed.

  • Human Resources: While Mesh does not require any specific action from Human Resources for deployment or operations, HR may be interested that Mesh is about creating immersive experiences for users. Check with your HR department for any policies that may impact your Mesh meeting experience.

  • Company Branding: If you decide to create custom meeting experiences for your users, you should check with your company branding experts to make sure any meeting assets meets branding standards.

Preparing Users for Mesh Avatars

When you first roll out the avatar feature in Teams, some users may need guidance on when it's good to use them, and not good to use them. Microsoft has published a blog on Avatar etiquette: How Microsoft employees are using avatars in Microsoft Teams in their meetings. This doc can help inform materials you might want to share with your users.

Summary

Microsoft Mesh offers many powerful features that enhance communication and collaboration in remote and hybrid workplaces. Because this service provides experiences that span services, make sure you plan for all necessary stakeholders to provide input, both those mentioned here and others specific to your organization.

Next steps with Mesh