Configure Microsoft Mesh

This article covers how to set up and deploy Microsoft Mesh from an IT perspective for the Mesh app on PC, the Mesh app on Quest 2, and Mesh on the web. Before setting up Microsoft Mesh, we recommend reading Preparing your organization for Mesh to ensure your enterprise is prepared to set up and deploy Mesh. If you're looking to manage the Avatars app or Mesh app in Teams, please refer to Manage the avatars app in Microsoft Teams or Manage the Mesh app in Microsoft Teams.

Important

In order to streamline the admin experience, admins will no longer need to configure Mesh in M365 Apps Admin Center. If you had previously restricted Mesh access to users or groups in your organization via the Mesh policy found in the M365 Apps Admin Center, you will need to switch to restricting access via the Mesh service plan instead in the M365 Admin Center (MAC).

Prerequisites

Before deploying Mesh, ensure that the following endpoints and firewall ports are allowed:

License requirements for Immersive spaces in Mesh

For Microsoft Mesh, you will need the following:

Subscription requirements

To use Microsoft Mesh, all users (including developers, event organizers, and event attendees/users) are required to have an M365 Office subscription with access to SharePoint, OneDrive, and M365 Calendar.

These are required for:

  • Group creation: Used for Mesh World creation in Mesh on the web.
  • SharePoint/OneDrive: Used for custom event/template creation.
  • Mailbox/Calendar: Used for events creation and/or sending/receipt of event invites.

For help, see the Immersive spaces in Mesh licensing Troubleshooting and FAQs.

Endpoints and firewall requirements for immersive spaces in Mesh

This section outlines the specific endpoints and firewall requirements for Immersive experiences in Mesh, inclusive of the Mesh application and its features that your organization can leverage to create dynamic corporate events.

In general, the standard set of Microsoft 365 requirements outlined in Microsoft M365 URLs and IP address ranges applies to all Mesh experiences with some extra steps to enable additional Mesh features like larger multi-room events, Cloud Scripting, and embedded content (WebSlate, Video/Image objects).

Step 1: Configure according to Microsoft M365 requirements

First, configure your enterprise firewall settings to align with the standard set of Microsoft 365 requirements outlined in Microsoft M365 URLs and IP address ranges.

Step 2: Configure for additional Mesh features

Larger events (Multi-room)

Note

Currently, there are extra firewall ports required when events in the Mesh app are held with more than 16 people. We are currently working to align with the standards outlined in Microsoft M365 URLs and IP address ranges. We appreciate your patience as we make this infrastructure change.

Important

We are currently rolling out an update to transition multi room events in the Mesh app on PC and Quest to use the same backend infrastructure as Teams for spatial audio. As we roll out this change, the additional Endpoints and Firewall requirements for multi-room will not be required.

To prevent an interruption in service, we recommend continuing to support the full set of URLs/ports listed on this page. We will update this page once the infrastructure transition is complete with a simplified set of URL/port requirements.

When organizing multi-room events, Mesh also requires that outgoing traffic be allowed to IP addresses in the "AzureCloud" service tag over the following protocols and ports:

  • TCP: 443, 80
  • TCP & UDP: 30,000-30,499
  • UDP: 3478-3481

If you need to resolve a service tag to a list of IP ranges, you can periodically use the service tag API or download a snapshot.

For more information about service tags, see the Azure service tags overview.
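The following added example (not Microsoft's code) shows one way to use a service tag snapshot: it extracts the "AzureCloud" prefixes and sorts firewall-denied outbound flows into those that the multi-room requirements above say must be allowed and those that are unrelated. It assumes the snapshot JSON keeps prefixes under values[].properties.addressPrefixes; the function names, sample prefixes (documentation ranges) and sample flows are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample in the snapshot layout (values[].name,
# values[].properties.addressPrefixes). Prefixes are documentation ranges.
SAMPLE_SNAPSHOT = json.dumps({"values": [
    {"name": "AzureCloud",
     "properties": {"addressPrefixes": ["203.0.113.0/24", "2001:db8:100::/48"]}},
    {"name": "Storage",
     "properties": {"addressPrefixes": ["198.51.100.0/24"]}},
]})

# Constructed firewall-deny records: (destination IP, protocol, destination port).
SAMPLE_DENIED = [
    ("203.0.113.10", "udp", 3479),
    ("203.0.113.10", "tcp", 3479),
    ("2001:db8:100::1", "tcp", 30250),
    ("198.51.100.5", "tcp", 443),
    ("203.0.113.10", "udp", 443),
]

# Outbound requirements for multi-room events, as listed on this page.
MESH_MULTIROOM_PORTS = {
    "tcp": [(80, 80), (443, 443), (30000, 30499)],
    "udp": [(30000, 30499), (3478, 3481)],
}

def tag_networks(snapshot_json, tag="AzureCloud"):
    """Return the IP networks listed under one service tag."""
    for entry in json.loads(snapshot_json)["values"]:
        if entry["name"] == tag:
            return [ipaddress.ip_network(p) for p in entry["properties"]["addressPrefixes"]]
    raise KeyError(f"service tag {tag!r} not in snapshot")

def is_mesh_multiroom_flow(networks, dst_ip, proto, dst_port):
    """True if the flow matches both the port list and the tag's prefixes."""
    ranges = MESH_MULTIROOM_PORTS.get(proto.lower(), [])
    if not any(lo <= dst_port <= hi for lo, hi in ranges):
        return False
    addr = ipaddress.ip_address(dst_ip)
    return any(addr.version == net.version and addr in net for net in networks)

def classify_denied_flows(snapshot_json, flows):
    """Split denied flows into (needed by the Mesh rule, unrelated)."""
    nets = tag_networks(snapshot_json)
    needed = [f for f in flows if is_mesh_multiroom_flow(nets, *f)]
    other = [f for f in flows if f not in needed]
    return needed, other
```

Flows in the first list point at a gap in the allow rule; flows in the second list are outside the documented requirement and should not be used to justify widening it.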

To learn more about single room vs. multi room events, see Create an event in Mesh.

Step 3: Enable attendee access to scripts and content over time

Cloud scripting

If you or your development team plans to use Cloud scripting to display dynamic and rich data in Mesh environments by interfacing with Azure, you'll need to allow traffic to the Azure resources that your enterprise hosts for cloud scripting.

As new environments that use cloud scripting are published, allow traffic on TCP port 443 (HTTPS) to each environment's hosted app: <app>.azurewebsites.net.

Embedded content (WebSlate, video/image)

The Mesh app enables dynamic content experiences leveraging the web and Azure. This empowers event organizers to place Video and Image Objects with a no-code event customization experience, and developers to add web interactivity with WebSlates.

Dynamically loaded, embedded content has unique requirements for immersive experiences due to the unique permissions required to access resources while within Mesh experiences.

Important

There are two considerations to ensure that embedded content is accessible in immersive spaces in Mesh:

  • If stored in SharePoint, the content will follow M365 requirements: Organizers must ensure attendees have access to the URL. Attendees must have permissions to the specified file or Share link.
  • If not in SharePoint, the content will follow firewall rules: Organizers must ensure the URL domain is in the firewall/allowlist for TCP Port 443 (HTTPS). Attendee client devices will download from this URL directly.

Content type and how it works:

  • WebSlate: Embed interactive web content in Mesh environments or templates. WebSlates display web content using a client WebView on each attendee's device. If their target URLs are blocked for an attendee in a browser, then they will also be blocked in Mesh.
  • Video & Image Objects: Embed videos and images into Mesh environments. The Mesh app enables organizers to customize experiences for their Mesh Event by referencing image and video URLs. If these URLs are blocked for an attendee in a browser, then they will also be blocked in Mesh.

Tip

In addition to firewall allow lists, WebSlates require that environment developers add the URL's domain to the Unity WebSlate component's allow list as well.

For more information about WebSlate security and allowlisting, see how to Display and interact with Web content in Microsoft Mesh | Microsoft Learn.
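As an added example (not part of the original page or of Mesh itself), the pre-event check below applies the two considerations and the tip above to a list of planned content URLs. The host matching rule (exact domain or subdomain), the function names and the sample URLs and allowlists are assumptions made for illustration; the actual WebSlate component may match domains differently.

```python
from urllib.parse import urlsplit

# Constructed sample inputs: (content kind, URL) pairs and two allowlists.
SAMPLE_ITEMS = [
    ("webslate", "https://dash.contoso.example/board"),
    ("video", "http://media.contoso.example/intro.mp4"),
    ("image", "https://contoso.sharepoint.com/sites/events/banner.png"),
    ("webslate", "https://cdn.fabrikam.example/app"),
]
SAMPLE_FIREWALL_ALLOW = ["contoso.example", "fabrikam.example"]
SAMPLE_WEBSLATE_ALLOW = ["contoso.example"]

def host_allowed(host, allowlist):
    """Exact match or subdomain of a listed domain (assumed matching rule)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowlist)

def audit_embedded_content(items, firewall_allow, webslate_allow):
    """Return (url, finding) pairs for content attendees may fail to load."""
    findings = []
    for kind, url in items:
        parts = urlsplit(url)
        host = parts.hostname or ""
        if host_allowed(host, ["sharepoint.com"]):
            # SharePoint content follows M365 permissions, not firewall rules.
            findings.append((url, "confirm attendee permission to file or share link"))
            continue
        if parts.scheme != "https" or parts.port not in (None, 443):
            findings.append((url, "not served over TCP 443 (HTTPS)"))
        if not host_allowed(host, firewall_allow):
            findings.append((url, "domain missing from firewall allowlist"))
        if kind == "webslate" and not host_allowed(host, webslate_allow):
            findings.append((url, "domain missing from WebSlate allow list"))
    return findings
```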

Configure access to Mesh using service plans

The Mesh app is by default available to all users in the M365 Admin Center. Admins can block the app for specific users or user groups by turning off the Microsoft Mesh service plan.

This covers access to the following experiences:

  • Mesh app on PC
  • Mesh app on Quest 2
  • Mesh on the web

By default, these Mesh experiences will be available to all users if a service plan or policy does not restrict access. Follow the Configure access to Mesh using service plans or Configure access to Mesh using policies steps below to block specific groups or people.

To configure access to Mesh in your tenant, you must have one of the following roles in Azure Active Directory:

  • Global Administrator
  • Security Administrator
  • Office Apps Admin

Important

In order to streamline the admin experience, admins will no longer need to configure Mesh in M365 Apps Admin Center. If you had previously restricted Mesh access to users or groups in your organization via the Mesh policy found in the M365 Apps Admin Center, you will need to switch to restricting access via the Mesh service plan instead in the M365 Admin Center (MAC) by the end of February, 2024.

  1. Sign in to the M365 Admin Center with an admin account with at least Global, License, or User level permissions and open the left navigation panel to the Users section.

    Screenshot of left nav panel in M365 admin center.

  2. Select a user or group and select Licenses and apps to manage the user's or group's active licenses and service plans.

    Screenshot of licenses and apps section in M365 Admin Center.

  3. Ensure that you have enabled the appropriate licenses for Microsoft Mesh in order for the service plan to show up in the Apps section.

    Screenshot of apps dropdown showing Microsoft Teams Premium.

  4. Toggle the Microsoft Mesh service plan off to disable Mesh for the selected user or group.

For additional guidance for assigning licenses in M365, see:

Assign or unassign licenses for users in the Microsoft 365 admin center - Microsoft 365 admin | Microsoft Learn

For larger or more complex group license management, use Entra ID:

Assign licenses to a group - Microsoft Entra ID | Microsoft Learn

End user license agreement

Your users must enter a separate agreement directly with Microsoft to enable spatial audio for Mesh experiences. That agreement is presented to your users before the user's first use of Mesh. If a user does not wish to enter into that agreement, the user cannot use Mesh.

If an admin does not agree to the license agreement terms, the admin can disable Mesh for users via the service plans described above.

Screenshot of end user license agreement for Mesh and spatial audio.