Preparing your organization for Mesh

This page covers the required tasks and suggested functional roles that may need to know about the rollout, but follow your organization's standard rollout process, including change and configuration management.

This content covers requirements for Mesh implementations for immersive spaces in Mesh and immersive spaces in Teams. At a high level, the steps are:

  1. Gather your deployment team

  2. Verify licenses and policies

  3. Consider tenant selection

  4. Contact owners of supporting teams

  5. Configure service plan to allow user access

  6. Configure your network for Mesh experiences

  7. Work with stakeholders to begin deployment

After planning for your Mesh implementation, learn how to set up Microsoft Mesh and set up immersive spaces in Teams.

Gather your deployment team

Executive-level sponsorship is highly advisable to help with any cross-team blocking issues.

You will need access to several administration tools:

  • Teams Admin Center (TAC) is needed to configure avatar and immersive spaces administration.

  • Azure portal is needed to administer Mesh cloud scripting used for custom Mesh environments (if your environments optionally use that form of scripting).

  • Other tasks like permitting URLs and firewall ports will be done in whatever administrative tools are used by your organization.

  • Mesh uses other parts of the Microsoft 365 suite. If your organization restricts access to these resources, parts of Mesh won't work. Talk to whoever has access to the Microsoft 365 Admin tools to determine if there are any restrictions and to test whether those restrictions will interfere with Mesh.

    For example, the table below defines what access is needed for specific actions:

    | Mesh action | Access needed |
    | --- | --- |
    | Create a Mesh Collection | Create a Microsoft 365 group |
    | Be added as a member of a Mesh Collection | Access to Microsoft 365 groups |
    | Create a Mesh event | Access to Microsoft 365 Calendar |
    | Be invited to a Mesh event | Access to Outlook Mail |
    | Create a template | Access to SharePoint |
    | Add an image or video to an event or template | Access to either SharePoint or OneDrive |

Tip

There are some setup tasks that may require cooperation from individuals or departments outside of the individual or team that will be deploying and running Mesh, for example Licensing, Security, and Endpoint Management. Other stakeholders like Help Desk and Human Resources may also need to be consulted.

Verify your licenses and policies

For avatars and immersive spaces in Teams, your users must have licenses for one of the following: Teams Essentials, Microsoft 365 Business Basic, Microsoft 365 Business Standard, Microsoft 365 Business Premium, Microsoft 365 E3/E5, or Office 365 E1/E3/E5.

License requirements for Immersive spaces in Mesh

For Microsoft Mesh, you will need the following:

Subscription requirements

To use Microsoft Mesh, all users (including developers, event organizers, and event attendees) are required to have an M365 Office subscription with access to SharePoint, OneDrive, and M365 Calendar.

These are required for:

  • Group creation: Used for Mesh World creation in Mesh on the web.
  • SharePoint/OneDrive: Used for custom event/template creation.
  • Mailbox/Calendar: Used for events creation and/or sending/receipt of event invites.

For help, see the immersive spaces in mesh licensing Troubleshooting and FAQs.

License requirements for Immersive spaces in Teams

Required Licenses

Your users must have a commercial Teams license: Microsoft Teams Enterprise, Teams Essentials, or one of the following M365, O365, or Business SKUs with Teams included: Microsoft 365 Business Basic, Microsoft 365 Business Standard, Microsoft 365 Business Premium, Microsoft 365 E3/E5, or Office 365 E1/E3/E5.

Learn more about how to set up immersive spaces in Teams.

For help, see the immersive spaces in Teams licensing Troubleshooting and FAQs.

Consider which tenant to provision for Mesh

The two main factors to consider when choosing which tenant(s) to provision for Mesh are:

  1. Which users should be able to access immersive experiences.

    All users who will be participating in immersive experiences together must have native accounts in the same Microsoft Entra ID (formerly Azure Active Directory) tenant; guest access to the tenant does not work.

  2. The tradeoffs between having unlimited control of a domain and having ultimate responsibility for running the domain securely and effectively.

Primary tenant for Mesh

Provisioning your primary production tenant for Mesh is recommended because it gives you the widest scope to test with, but it may create overhead through internal procedures and approvals.

Separate tenant for Mesh

If you want to collaborate with people outside your production tenant, you might want to set up a separate tenant just for Mesh. There is no technical barrier to creating user accounts in a production tenant for people who do not work for that organization, but there may be strong business reasons against doing so.

Note

Creating additional tenants increases the complexity of account management for admins and users, may incur additional expenses for licensing and domain management, and may require additional process within your organization.

If you expect to use immersive spaces in Teams for users in your production version of Teams, you will definitely want to provision your production tenant for Mesh. While you can create other tenants for testing, people who use Teams throughout the day are highly unlikely to want to log out of their main Teams account to log into a different account in a different tenant. A separate tenant is more practical for the Mesh app, where it's simpler to flip between accounts.

Each tenant can have multiple Azure subscriptions, but the Azure subscription used for Mesh cloud scripting must belong to the same Entra ID tenant as the users who will attend events and the developers who will upload and manage the scripts.

Contact owners of supporting teams

To complete the steps to get Mesh running, you will need to either have various rights and permissions or be in contact with people in your organization who can grant the rights and permissions you will need. Depending on your company structure and policies, this process can be time-consuming, so it helps to start the outreach as soon as possible.

The following section lists organizational roles that you will probably need to work with to complete the required pre-deployment tasks:

Teams apps managers

The administration for immersive spaces and avatars will happen in the Teams admin portal, admin.teams.microsoft.com. You will need the tenant Global Administrator to assign someone on the Mesh team the role of Teams Administrator in Microsoft Entra, or you will need to work closely with a current Teams Apps Manager to make all necessary configurations.

Teams apps policies

Two of the Mesh components you will be using are Teams apps; you should set policy to make sure only approved users have access to them. Modify the Teams app policies at the Global or custom level to allow/block the Mesh apps as needed. If you want your designated users to have the Mesh components installed automatically, you must set the Teams Apps setup policies too. Coordinate with whoever owns Teams app management to plan for appropriate policies. For more information about Teams access control, see https://admin.microsoft.com/Adminportal/Home#/rbac/directory.

Teams feedback policies

Microsoft relies on feedback from users to make better products. The Teams administrator can set whether users can send feedback about Teams to Microsoft. Feedback can be permitted based on Entra ID group membership. If Teams feedback is disabled, users will not be able to send feedback about Mesh features built into Teams. We strongly encourage your org to permit this feedback for Mesh users, but consult your company policies before making any changes. For more information about managing feedback, see Manage feedback policies in Teams.

Configure service plan to allow user access

Important

In order to streamline the admin experience, admins will no longer need to configure Mesh in M365 Apps Admin Center. If you had previously restricted Mesh access to users or groups in your organization via the Mesh policy found in the M365 Apps Admin Center, you will need to switch to restricting access via the Mesh service plan instead in the M365 Admin Center (MAC) by the end of February, 2024.

For more information about service plans, see Configure access to Mesh using service plans.

End user license agreement

Your users must enter a separate agreement directly with Microsoft to enable spatial audio for Mesh experiences. That agreement is presented to your users before the user's first use of Mesh. If a user does not wish to enter into that agreement, the user cannot use Mesh.

If your organization does not agree to the license agreement terms, admins can disable Mesh for users via the service plans described above.

For more info about service plans and the end user license agreement, see End user license agreement.

Review endpoint managers

Make sure you know your organization's process for deploying apps. The Mesh app is available in the Microsoft Store and can be deployed from there using your MDM (mobile device management) solution, such as Microsoft Intune, so that it shows up in the users' Company Portal. If you block access to the Microsoft Store, you can use WinGet instead. For more information about deploying apps with Microsoft Intune, see:

Add Microsoft Store apps to Microsoft Intune

Configure Azure for Cloud Scripting

If your developers plan to build custom Mesh environments that will use Mesh Cloud Scripting, they will require an Azure subscription to which they can deploy their cloud scripting service. An Azure subscription is not required for environments that only use Mesh Visual Scripting.

For more details on the prerequisites for Mesh Cloud Scripting, see Prepare for your first Mesh Cloud Scripting project.

Work with your organization's security team

Before deploying any new app or service, you must consider the security implications and work closely with your security team to make sure you comply with all standard security policies. Discuss the following Mesh requirements in advance with the appropriate Security owners.

Endpoints and firewall configuration

As with all Microsoft products, allowing the endpoints and ports required for Mesh experiences is necessary to achieve full functionality and optimal performance for your users. How you apply the network configuration requirements for Mesh depends on your organization's network architecture.

Endpoints and firewall ports for Mesh experiences in Teams

This section outlines the specific endpoints and firewall requirements for the Mesh app in Teams and the Avatars app, which allow users to join an immersive space (3D) while in a Teams meeting and use avatars in meetings.

Note

Currently, there are extra firewall ports required for immersive spaces in Teams beyond the standard set of Microsoft 365 requirements. We are working to align with the standards outlined in Microsoft M365 URLs and IP address ranges and appreciate your patience as we make this infrastructure change.

Avatars in Teams

Configure your enterprise firewall settings to align with the standard set of Microsoft 365 requirements outlined in Microsoft M365 URLs and IP address ranges.

Immersive spaces in Teams

  1. First, ensure you have configured your enterprise firewall settings to align with the standard set of Microsoft 365 requirements outlined in Microsoft M365 URLs and IP address ranges.

  2. In addition to the endpoints listed above, Mesh Immersive Spaces in Teams currently requires that outgoing traffic also be allowed to IP addresses in the "AzureCloud" service tag over the following protocols and ports:

    • TCP: 443, 80
    • TCP & UDP: 30000-30499
    • UDP: 3478-3481

If you need to resolve a service tag to a list of IP ranges, use the Service Tag Discovery API or download the published service tag snapshot, and repeat this periodically because the prefixes change. Note that AzureCloud spans all public Azure IP space, including ranges used by other Azure customers, so this is a broad egress exception: restrict it to the listed ports rather than allowing all traffic to those ranges, and review the rule whenever the tag's prefixes change.

For more information about service tags, see the Azure service tags overview.

Endpoints and firewall requirements for immersive spaces in Mesh

This section outlines the specific endpoints and firewall requirements for Immersive experiences in Mesh, inclusive of the Mesh application and its features that your organization can leverage to create dynamic corporate events.

In general, the standard set of Microsoft 365 requirements outlined in Microsoft M365 URLs and IP address ranges applies to all Mesh experiences with some extra steps to enable additional Mesh features like larger multi-room events, Cloud Scripting, and embedded content (WebSlate, Video/Image objects).

Step 1: Configure according to Microsoft M365 requirements

First, configure your enterprise firewall settings to align with the standard set of Microsoft 365 requirements outlined in Microsoft M365 URLs and IP address ranges.

Step 2: Configure for additional Mesh features

Larger events (Multi-room)

Note

Currently, there are extra firewall ports required when events in the Mesh app are held with more than 16 people. We are currently working to align with the standards outlined in Microsoft M365 URLs and IP address ranges. We appreciate your patience as we make this infrastructure change.

Important

We are currently rolling out an update to transition multi room events in the Mesh app on PC and Quest to use the same backend infrastructure as Teams for spatial audio. As we roll out this change, the additional Endpoints and Firewall requirements for multi-room will not be required.

To prevent an interruption in service, we recommend continuing to support the full set of URLs/ports listed on this page. We will update this page once the infrastructure transition is complete with a simplified set of URL/port requirements.

When organizing multi-room events, Mesh also requires that outgoing traffic be allowed to IP addresses in the "AzureCloud" service tag over the following protocols and ports:

  • TCP: 443, 80
  • TCP & UDP: 30000-30499
  • UDP: 3478-3481

If you need to resolve a service tag to a list of IP ranges, you can periodically use the service tag API or download a snapshot.

For more information about service tags, see the Azure service tags overview.
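The "AzureCloud" requirement above is the same for immersive spaces in Teams and for multi-room events in the Mesh app, so one tool covers both. The following Python script is an added example, not Microsoft's code: it parses the JSON shape shared by the Azure "Service Tags - Public Cloud" download and the Service Tag Discovery API (a top-level "values" list whose entries carry "name" and "properties.addressPrefixes"), extracts the prefixes for one tag, expands them into per-port egress rules, and diffs two snapshots so you can review what changed before re-applying the allowlist. SAMPLE_SERVICE_TAGS is a constructed, abbreviated stand-in built from documentation address ranges, not real Azure prefixes, and the chain name MESH-EGRESS is an assumption.

```python
"""Resolve the "AzureCloud" service tag to address prefixes and emit the
outbound rules Mesh needs (TCP 80/443, TCP+UDP 30000-30499, UDP 3478-3481).

Added example, not Microsoft's code. SAMPLE_SERVICE_TAGS is a constructed
stand-in for the real service tag file; MESH-EGRESS is an assumed chain name.
"""
import ipaddress
import json

SAMPLE_SERVICE_TAGS = json.dumps({          # constructed, not real Azure ranges
    "changeNumber": 1,
    "cloud": "Public",
    "values": [
        {"name": "AzureCloud", "id": "AzureCloud",
         "properties": {"addressPrefixes": [
             "203.0.113.0/24", "198.51.100.0/25", "2001:db8::/32"]}},
        {"name": "AzureCloud.westeurope", "id": "AzureCloud.westeurope",
         "properties": {"addressPrefixes": ["203.0.113.0/25"]}},
        {"name": "Storage", "id": "Storage",
         "properties": {"addressPrefixes": ["192.0.2.0/24"]}},
    ],
})

# (protocol, first port, last port): exactly the set the page lists for Mesh
MESH_PORTS = (
    ("tcp", 80, 80), ("tcp", 443, 443),
    ("tcp", 30000, 30499), ("udp", 30000, 30499),
    ("udp", 3478, 3481),
)


def prefixes_for_tag(doc, tag="AzureCloud"):
    """Return the address prefixes for exactly one tag (JSON text or dict).

    Regional sub-tags such as AzureCloud.westeurope are subsets of the parent
    tag and are deliberately not merged in.
    """
    data = json.loads(doc) if isinstance(doc, str) else doc
    for entry in data["values"]:
        if entry["name"] == tag:
            nets = [ipaddress.ip_network(p) for p in entry["properties"]["addressPrefixes"]]
            # networks of different IP versions do not compare; key on version first
            return sorted(nets, key=lambda n: (n.version, n))
    raise KeyError(f"service tag {tag!r} not found in snapshot")


def mesh_rules(prefixes, ports=MESH_PORTS):
    """One (proto, prefix, port-range) tuple per prefix/port pair."""
    rules = []
    for net in prefixes:
        for proto, lo, hi in ports:
            rules.append((proto, str(net), str(lo) if lo == hi else f"{lo}-{hi}"))
    return rules


def render_iptables(rules, chain="MESH-EGRESS"):
    """Render rules as iptables/ip6tables append lines (port ranges use lo:hi)."""
    lines = []
    for proto, prefix, port_range in rules:
        tool = "ip6tables" if ":" in prefix else "iptables"
        lines.append(f"{tool} -A {chain} -p {proto} -d {prefix} "
                     f"--dport {port_range.replace('-', ':')} -j ACCEPT")
    return lines


def diff_prefixes(old_doc, new_doc, tag="AzureCloud"):
    """Compare two snapshots of a tag and return (added, removed) prefixes,
    which is what to review before re-applying the allowlist."""
    old = set(prefixes_for_tag(old_doc, tag))
    new = set(prefixes_for_tag(new_doc, tag))
    return sorted(new - old, key=str), sorted(old - new, key=str)


if __name__ == "__main__":
    for line in render_iptables(mesh_rules(prefixes_for_tag(SAMPLE_SERVICE_TAGS))):
        print(line)
```

Point the script at a freshly downloaded snapshot instead of SAMPLE_SERVICE_TAGS to get real rules, and keep the previous snapshot so diff_prefixes shows what the weekly refresh changed; the rendering step is easy to swap for your own firewall's syntax.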

To learn more about single room vs. multi room events, see Create an event in Mesh.

Step 3: Enable attendee access to scripts and content over time

Cloud scripting

If you or your development team plans to use Cloud scripting to display dynamic and rich data in Mesh environments by interfacing with Azure, you'll need to allow traffic to the Azure resources that your enterprise hosts for cloud scripting.

You can do this as new environments using cloud scripting are published by allowing traffic on TCP port 443 (HTTPS) to that environment's hosted app: <app>.azurewebsites.net.

Embedded content (WebSlate, video/image)

The Mesh app enables dynamic content experiences leveraging the web and Azure. This empowers event organizers to place Video and Image Objects with a no-code event customization experience, and developers to add web interactivity with WebSlates.

Dynamically loaded, embedded content has unique requirements for immersive experiences because of the permissions needed to access resources from within a Mesh experience.

Important

There are two considerations to ensure that embedded content is accessible in immersive spaces in Mesh:

  • If stored in SharePoint, the content will follow M365 requirements: Organizers must ensure attendees have access to URL. Attendees must have permissions to the specified file or Share link.
  • If not in SharePoint, the content will follow firewall rules: Organizers must ensure the URL domain is in the firewall/allowlist for TCP Port 443 (HTTPS). Attendee client devices will download from this URL directly.
| Content type | How it works |
| --- | --- |
| WebSlate | Embed interactive web content in Mesh environments or templates. WebSlates display web content using a client WebView on each attendee's device. If a target URL is blocked for an attendee in a browser, it will also be blocked in Mesh. |
| Video & Image Objects | Embed videos and images into Mesh environments. The Mesh app enables organizers to customize experiences for their Mesh event by referencing image and video URLs. If these URLs are blocked for an attendee in a browser, they will also be blocked in Mesh. |

Tip

In addition to firewall allow lists, WebSlates require that environment developers add the URL's domain to the Unity WebSlate component's allow list as well.

For more information about WebSlate security and allowlisting, see how to Display and interact with Web content in Microsoft Mesh | Microsoft Learn.
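The two rules above (SharePoint content is governed by file permissions, everything else by the HTTPS allowlist) plus the WebSlate component allowlist from the tip are easy to get wrong across a large event, so a pre-flight check is worth having. The Python script below is an added example, not Microsoft's code: it walks a list of content items, classifies each as "permissions" (SharePoint/OneDrive, verify attendee access), "ok" or "blocked", and says why. The event manifest, the hostnames and both allowlists are constructed for illustration; it assumes the tenant's SharePoint and OneDrive for Business live on the standard sharepoint.com domain, and wildcard entries such as *.contoso.example match subdomains only.

```python
"""Pre-flight check for embedded content (WebSlates, video/image objects)
in a Mesh event. Added example, not Microsoft's code; manifest, hostnames
and allowlists below are constructed for illustration."""
from urllib.parse import urlsplit

# Constructed event content manifest: kind is "webslate", "video" or "image".
EVENT_MANIFEST = [
    {"kind": "image", "url": "https://contoso.sharepoint.com/sites/events/keynote.png"},
    {"kind": "video", "url": "https://cdn.contoso.example/launch.mp4"},
    {"kind": "webslate", "url": "https://dashboards.contoso.example/live"},
    {"kind": "webslate", "url": "https://partner.example.org/widget"},
    {"kind": "image", "url": "http://cdn.contoso.example/logo.png"},
]
FIREWALL_ALLOWLIST = ["*.contoso.example", "partner.example.org"]   # constructed
WEBSLATE_ALLOWLIST = ["dashboards.contoso.example"]                 # constructed


def host_allowed(host, allowlist):
    """Exact hostname match, or a wildcard entry like '*.contoso.example'
    (covers subdomains only, never the bare domain or look-alike names)."""
    host = host.lower().rstrip(".")
    for entry in allowlist:
        entry = entry.lower()
        if entry.startswith("*."):
            if host.endswith(entry[1:]):      # entry[1:] == ".contoso.example"
                return True
        elif host == entry:
            return True
    return False


def is_sharepoint(host):
    """SharePoint Online and OneDrive for Business both serve from *.sharepoint.com
    (assumption: the tenant uses the standard sharepoint.com domain)."""
    return host.lower().endswith(".sharepoint.com")


def check_item(item, firewall_allowlist, webslate_allowlist):
    """Return (status, reason) for one content item."""
    parts = urlsplit(item["url"])
    host = parts.hostname or ""
    if is_sharepoint(host):
        return "permissions", "SharePoint/OneDrive: verify attendees can open the file or share link"
    # Non-SharePoint content is fetched by attendee clients over HTTPS (TCP 443) only.
    if parts.scheme != "https" or parts.port not in (None, 443):
        return "blocked", f"only HTTPS on TCP 443 is allowed; got {parts.scheme}://{parts.netloc}"
    if not host_allowed(host, firewall_allowlist):
        return "blocked", f"{host} is not on the firewall allowlist"
    # WebSlates need the domain on the Unity WebSlate component allowlist as well.
    if item["kind"] == "webslate" and not host_allowed(host, webslate_allowlist):
        return "blocked", f"{host} is not on the WebSlate component allowlist"
    return "ok", "reachable by attendee clients"


def preflight(manifest, firewall_allowlist, webslate_allowlist):
    """Return a list of (url, status, reason) for the whole manifest."""
    return [(item["url"],) + check_item(item, firewall_allowlist, webslate_allowlist)
            for item in manifest]


if __name__ == "__main__":
    for url, status, reason in preflight(EVENT_MANIFEST, FIREWALL_ALLOWLIST, WEBSLATE_ALLOWLIST):
        print(f"{status:11} {url}  ({reason})")
```

Run it against the real list of URLs an organizer has placed in an event, with your actual firewall allowlist and the WebSlate allowlist from the environment's Unity project; a "permissions" result still needs a manual check that the attendee group can open the SharePoint item, because that is decided by the file's sharing settings, not by the network.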

Conditional Access & Quest

Conditional Access is an important part of a zero-trust approach to securing your network and resources. Many organizations use Conditional Access policies in Microsoft Entra together with Microsoft Intune to restrict the types of devices permitted to access company resources, down to the operating system version and configuration on those devices: devices that match the defined profile are allowed in, and any device not covered is denied. Meta has released a beta of MDM support for Quest that works with Intune. Each company using Mesh in pre-release will have to work with its security and endpoint management teams to decide whether a policy can be constructed that fits the company's risk profile while still permitting access from Quest devices.

One workaround is available today: if your Conditional Access policies would block Mesh on Quest, create a custom Conditional Access policy in Microsoft Entra that excludes Microsoft Mesh Services and Office 365 from the blocking controls. Treat this as a deliberate exception: excluding Office 365 removes those controls for the whole Office 365 service bundle for the users the policy targets, so scope the policy to the group of Quest users rather than to everyone, and review it periodically.

For more information about Conditional Access, see:

Work with Stakeholders That Communicate Change

The stakeholders listed above all have active steps that will impact the setup of your Mesh environment, but there may be other parts of your org that will be impacted by the deployment or might have policies or guidelines that need to be considered early in your planning process. Here are some areas of your organization you might need to reach out to before you deploy.

  • Change Communications: If you have a standard process for contacting users about pending changes, make sure Mesh is part of those communications.

  • Help Desk: Have a support plan in place for users who experience issues using Mesh. Make sure your Mesh admins have a way to review issues experienced by users so they can be communicated to Microsoft as needed.

  • Human Resources: While Mesh does not require any specific action from Human Resources for deployment or operations, HR may be interested because Mesh creates immersive experiences for users. Check with your HR department for any policies that may affect your Mesh meeting experience.

  • Company Branding: If you decide to create custom meeting experiences for your users, check with your company branding experts to make sure any meeting assets meet branding standards.

Preparing Users for Mesh Avatars

When you first roll out the avatar feature in Teams, some users may need guidance on when it's good to use them, and not good to use them. Microsoft has published a blog on Avatar etiquette: How Microsoft employees are using avatars in Microsoft Teams in their meetings. This doc can help inform materials you might want to share with your users.

Summary

Microsoft Mesh offers many powerful features that enhance communication and collaboration in remote and hybrid workplaces. Because this service provides experiences that span services, make sure you plan for all necessary stakeholders to provide input, both those mentioned here and others specific to your organization.

Next steps with Mesh