IT Admins - Manage external meetings and chat with people and organizations using Microsoft identities

With the external access feature in Teams, you can allow users in your organization to chat and meet with people outside the organization who are using Microsoft as an identity provider. You can configure external access with:

  • Other Microsoft 365 organizations (chat and meetings)
  • Teams users not managed by an organization (those users with a Microsoft account) (chat only)
  • Skype users (chat only)

Users in your organization can accept or block incoming chats from people outside the organization. For details, see Accept or block people outside your org who send you a chat.

People from outside your organization won't have access to your teams, sites, or other Microsoft 365 resources. If you want them to have access to your teams and channels, see Collaborate with guests in a team and Collaborate with external participants in a shared channel.

Note

Your users can add apps when they host meetings or chats with people outside your organization. They can also use apps shared by external users when they join meetings or chats hosted externally. The data policies of the hosting user's organization, as well as the data sharing practices of any third-party apps shared by that user's organization, are applied. Learn more about use of apps by people outside your organization.

There are other settings in Teams—including guest access and anonymous access—that affect meetings with people outside your organization. See Plan for meetings with external participants in Microsoft Teams for more information.

The meeting lobby can control how people outside your organization join meetings. For more information, see Control who can bypass the meeting lobby in Microsoft Teams and Configure the Microsoft Teams meeting lobby for sensitive meetings.

Organization settings and user policies for external access

Each external access option has both an organization setting and user policies. The organization settings apply to your entire organization. User policies determine which users can use the options that you've configured at the organization level.

Configure the organization settings to specify which types of external meetings and chat you want to allow. Then configure user policies for the users who should have access to these features. Both the organization settings and user policies are turned on by default.

For a user to use external access, both the organization setting and a user policy must allow it.

Use the procedures on the tabs in this article to configure organization settings and user policies.

In this section, you can configure trusted Microsoft 365 organizations, chats and meetings with Teams users not managed by an organization, and chat and calls with Skype users.

You can also configure these settings by using PowerShell.

Specify trusted Microsoft 365 organizations

For meetings and chat with other Microsoft 365 organizations, you can specify which domains you want to trust. By default, all external domains are allowed. You can allow or block certain domains in order to define which organizations your organization trusts for external meetings and chat.

In order to chat and meet with people in external domains, the organizations that you trust must also trust your organization, and their users must be enabled for external access. If not, they won't be able to chat with users in your organization and are considered anonymous when joining meetings hosted by your organization. Learn more about meetings with other Microsoft 365 organizations.

You can specify which domains are allowed or which domains are blocked. If you specify blocked domains, all other domains are allowed; if you specify allowed domains, all other domains are blocked. There are four scenarios for configuring trusted organizations:

  • Allow all external domains - The default setting in Teams, and it lets users in your organization find, call, chat, and set up meetings with people external to your organization in any domain.

    In this scenario, your users can communicate with all external domains that are running Teams or Skype for Business so long as the other organization has also enabled external access.

  • Allow only specific external domains - By adding domains to an Allow list, you limit external access to only the allowed domains. Once you set up a list of allowed domains, all other domains are blocked.

  • Block specific domains - By adding domains to a Block list, you can communicate with all external domains except the ones you've blocked. Once you set up a list of blocked domains, all other domains are allowed.

  • Block all external domains - Prevents users in your organization from finding, calling, chatting, and setting up meetings with people external to your organization in any domain.

Note

People from blocked domains can still join meetings anonymously if anonymous access is allowed. To learn more, see Manage anonymous participant access to Teams meetings.


To allow specific domains

  1. In the Teams admin center, go to Users > External access.

  2. Under Choose which domains your users have access to, choose Allow only specific external domains.

  3. Select Allow domains.

  4. In the Domain box, type the domain that you want to allow and then click Done.

  5. If you want to allow another domain, click Add a domain.

  6. Click Save.

To block specific domains

  1. In the Teams admin center, go to Users > External access.

  2. Under Choose which domains your users have access to, choose Block only specific external domains.

  3. Select Block domains.

  4. In the Domain box, type the domain that you want to block and then click Done.

  5. If you want to block another domain, click Add a domain.

  6. Click Save.

By default, when you block domains, subdomains aren't blocked. For example, if you block contoso.com, marketing.contoso.com isn't blocked. If you want to block all subdomains, you can use the Set-CsTenantFederationConfiguration PowerShell cmdlet with the -BlockAllSubdomains parameter. For example:

Set-CsTenantFederationConfiguration -BlockAllSubdomains $True
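As an added example that is not part of the original article, the following PowerShell carries the "Block specific domains" scenario through end to end: it adds domains to the block list, turns on subdomain blocking, and then reads the effective configuration back instead of trusting the set calls. It assumes an existing Connect-MicrosoftTeams session with Teams admin rights; the domain names are constructed, and the New-CsEdmAllowListEntry plus @{Add=...} syntax for -BlockedDomains is taken from the cmdlet reference as I understand it, not from this page.

```powershell
# Added example, not part of the original article.
# Assumes: Connect-MicrosoftTeams has already been run with a Teams admin account.
# Domain names below are constructed placeholders.
$blockedDomains = @("contoso.com", "fabrikam.com")

# Scenario "Block specific domains": every other domain stays allowed.
# Each entry is added with New-CsEdmAllowListEntry (assumed syntax from the
# cmdlet reference; check it against your MicrosoftTeams module version).
foreach ($domain in $blockedDomains) {
    $entry = New-CsEdmAllowListEntry -Domain $domain
    Set-CsTenantFederationConfiguration -BlockedDomains @{Add = $entry}
}

# Without this, marketing.contoso.com is still reachable after contoso.com is blocked.
Set-CsTenantFederationConfiguration -BlockAllSubdomains $True

# Verify the effective configuration rather than assuming the writes succeeded.
$cfg = Get-CsTenantFederationConfiguration
$blockedText = ($cfg.BlockedDomains | Out-String)
$missing = $blockedDomains | Where-Object { $blockedText -notmatch [regex]::Escape($_) }

if ($missing) {
    Write-Warning "Not present in the block list: $($missing -join ', ')"
}
if (-not $cfg.BlockAllSubdomains) {
    Write-Warning "BlockAllSubdomains is still off; subdomains of blocked domains remain reachable"
}
if (-not $missing -and $cfg.BlockAllSubdomains) {
    "Block list and subdomain blocking confirmed for: $($blockedDomains -join ', ')"
}
```

Remember that the block list only affects authenticated federation; as the note above says, people from blocked domains can still join meetings anonymously if anonymous access is allowed.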

Block federation with Teams trial-only tenants

A new admin control is being introduced to block federation with Teams trial-only tenants. Currently, trial tenants have access to the full feature set of Teams for about 30 days before being billed. However, this trial access can be exploited by malicious actors to launch phishing or abuse attacks against Teams users. To embrace the secure-by-default mindset for our customers, we'll disable trial tenant federation by default for all tenants and require explicit tenant action if a tenant wants or needs to federate with any trial tenants.

This change will be rolled out globally starting June 17, 2024, and is expected to complete by June 30, 2024. There will be a 30-day period for tenants to review and update the default setting before it's enforced. If no action is taken, the default value Blocked will be applied after this time.

How block federation will affect your organization

Teams PowerShell will support a new Tenant Federation setting, -ExternalAccessWithTrialTenants, with the values Allowed or Blocked.

When set to Blocked, all external access with users from Teams subscriptions that contain only trial licenses will be blocked. This means users from these trial-only tenants won't be able to search and contact your users via chats, Teams calls, and meetings (using the users' authenticated identities) and your users won't be able to reach users in these trial-only tenants.

If this setting is set to Blocked, users from the trial-only tenant will also be removed from existing chats.

More information

  • A trial tenant is defined as a tenant with a Teams service plan that has only Trial subscriptions (0 purchased seats).
  • Shared Channels and Anonymous Meeting joins won't be affected by this setting.
  • The feature supports the tenant admin control only for same-cloud external communication. For cross-clouds and Skype for Business Server on-premises deployments, external communication with trial tenants will be disabled by default, with no option to override by the admin setting.
  • If your tenant has disabled external access by default and is using a specific domain Allowlist instead, trial tenants will still be blocked even if they are in the organization's Allowlist.

What you need to do to prepare

  • Tenant admins need to install the latest PowerShell package (6.2.2) and use the Set-CsTenantFederationConfiguration command to set the desired value for the federation with trial tenants:
    • Download or upgrade to the latest PowerShell package: PowerShell Gallery | MicrosoftTeams 6.2.0
    • To allow external communication with trial-only tenants, use this command:

      Set-CsTenantFederationConfiguration -ExternalAccessWithTrialTenants "Allowed"

    • To block external communication with trial-only tenants, use this command:

      Set-CsTenantFederationConfiguration -ExternalAccessWithTrialTenants "Blocked"

Important

If you want to restrict external access for most trial tenants, but still allow a few legitimate trial-tenants with which you need to federate, you'll need to purchase a license for those specific accounts.

Diagnostic Tool

If you're an administrator, you can use the following diagnostic tool to validate if a Teams user can communicate with a Teams user in a trusted organization:

  1. Select Run Tests below, which populates the diagnostic in the Microsoft 365 Admin Center.

  2. In the Run diagnostic pane, enter the Session Initiation Protocol (SIP) Address and the Federated tenant's domain name, and then select Run Tests.

  3. The tests return the best next steps to address any setting or policy configurations that are preventing communication with the external Teams user.

Skype for Business Online

If you want chats and calls to arrive in the user's Skype for Business client, configure your users to be in any mode other than TeamsOnly. For more information, see Understand Microsoft Teams and Skype for Business coexistence and interoperability.

Manage chats and meetings with external Teams users not managed by an organization

You can choose to enable or disable chat with external unmanaged Teams users (users not managed by an organization, such as Microsoft Teams (free)). If you allow chat with unmanaged Teams users, you can further control how your users communicate with them:

  • You can control if unmanaged Teams users can initiate the communication with your users.
  • You can create a list of external user profiles that users can communicate with.
  • You can restrict communication to the external user profiles list if needed.

Note

Chats and meetings with external unmanaged Teams users aren't available in GCC, GCC High, or DOD deployments, or in private cloud environments.

To allow chats and meetings with unmanaged Teams accounts:

  1. In the Teams admin center, go to Users > External access.

  2. Turn on the People in my organization can communicate with Teams users whose accounts aren't managed by an organization setting.

  3. If you want to allow external unmanaged Teams users to start the conversation, select the External users with Teams accounts not managed by an organization can contact users in my organization checkbox.

  4. If you want to restrict communication with people with unmanaged Teams accounts to a specific list of user profiles, select the Restrict communication to the list of external user profiles added to extended directory checkbox and select Manage external user profiles to add the user profiles that you want to allow. (See manage external user profiles below.)

    Note

    Parent Connection in Microsoft Teams for Education does not support restricting communication to the list of external user profiles added to extended directory.

  5. Select Save.


If External users with Teams accounts not managed by an organization can contact users in my organization is turned off, unmanaged Teams users can't search by email address to find users in your organization. All communications with unmanaged Teams users must be initiated by users in your organization.

To prevent chat with unmanaged Teams accounts:

  1. In the Teams admin center, go to Users > External access.
  2. Turn off the People in my organization can communicate with Teams users whose accounts aren't managed by an organization setting.
  3. Select Save.

Manage external user profiles

External user profiles are based on phone numbers. You can add the name and phone numbers of people outside your organization and they'll be invited to communicate with people in your organization by using Teams on their mobile device. If they don't have Teams installed, they will receive a link to install it via SMS. Once they have created a Teams account, they can also use Teams on the desktop. You can delegate management of the user profiles by using the Extended Directory User Administrator role in Azure AD.

When a profile is added for someone outside your organization, it's available to your users via search by name or phone number within 24 hours. Users can start a 1:1 or group chat with the external users and can see the external users' profile cards with the information that you specify.

When a user starts a chat with an external user, the external user can allow or block the connection.

Important

Your organization is the Data Controller for the external user profiles that you add. This may have GDPR implications. For more information, see General Data Protection Regulation Summary.

To add an external user profile:

  1. Select Manage external user profiles.
  2. Select Add.
  3. Type a Display name for the contact. (Users will be able to search for this name in Teams.)
  4. Type a Country or region code and Phone number.
  5. Add any additional information that you want to include.
  6. Read the Data Controller statement and select the check box to agree.
  7. Select Save.

You can remove an existing profile by selecting the profile and then selecting Delete.

Import a list of profiles

If you want to upload a list of users via .csv file, you can download a template file, add the people you want to include and their phone numbers, and upload the file.

To download the .csv template:

  1. On the Manage external user profiles page, select Import on the command bar.
  2. Select download a template.

Required fields in the template are DisplayName and PhoneNumber. Other fields are optional.

To upload a completed template file:

  1. On the Manage external user profiles page, select Import on the command bar.
  2. Select Select a file.
  3. Select the file that you want to upload and then select Open.
  4. If you want to update the profile information for existing profiles, select the Update existing external users checkbox.
  5. Read the Data Controller statement and select the check box to agree.
  6. Select Import.

Use PowerShell to restrict communication to the user profiles in extended directory

You can also configure the Restrict communication to the list of external user profiles added to extended directory setting in PowerShell by using the Set-CsExternalAccessPolicy cmdlet with the RestrictTeamsConsumerAccessToExternalUserProfiles parameter. For example:

Set-CsExternalAccessPolicy -Identity Global -RestrictTeamsConsumerAccessToExternalUserProfiles $true

This cmdlet restricts communication to the list of user profiles in extended directory for the default global external access policy.
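The page applies the setting to the Global policy; the added example below (not the article's own code) instead creates a dedicated external access policy and assigns it to selected users, so only those users get the tighter rules while the rest of the organization keeps the Global policy. It assumes an existing Connect-MicrosoftTeams session; the policy name and user principal names are constructed, and the New-, Grant- and Get-CsExternalAccessPolicy cmdlets and their parameters are used as documented in the Teams PowerShell reference, not taken from this page.

```powershell
# Added example, not part of the original article.
# Assumes: Connect-MicrosoftTeams has already been run with a Teams admin account.
# Policy name and UPNs are constructed placeholders.
$policyName = "ExternalAccess-Restricted"
$users = @("alice@contoso.example", "bob@contoso.example")

# Create the policy only if it does not already exist.
$existing = Get-CsExternalAccessPolicy -Identity $policyName -ErrorAction SilentlyContinue
if (-not $existing) {
    # Keep federation with trusted Microsoft 365 organizations, allow chat with
    # unmanaged Teams accounts only when our users start it and only with profiles
    # in the extended directory, and turn off Skype interop for these users.
    New-CsExternalAccessPolicy -Identity $policyName `
        -EnableFederationAccess $true `
        -EnableTeamsConsumerAccess $true `
        -EnableTeamsConsumerInbound $false `
        -EnablePublicCloudAccess $false `
        -RestrictTeamsConsumerAccessToExternalUserProfiles $true
}

# Assign the policy per user. The organization-level setting must also allow
# each option; a user policy can only narrow what the org setting permits.
foreach ($upn in $users) {
    Grant-CsExternalAccessPolicy -Identity $upn -PolicyName $policyName
}

# Confirm the assignment took effect before relying on it.
foreach ($upn in $users) {
    $u = Get-CsOnlineUser -Identity $upn
    "$upn -> ExternalAccessPolicy: $($u.ExternalAccessPolicy)"
}
```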

Manage chat and calls with Skype users

Follow these steps to let Teams users in your organization chat with and call Skype users. Teams users can then search for and start a one-on-one text-only conversation or an audio/video call with Skype users and vice versa.

Meetings aren't supported with Skype users. If invited to a meeting, they're considered anonymous when joining.

Note

External communication with Skype users isn't available in GCC, GCC High, or DOD deployments, or in private cloud environments.

To configure chat and calls with Skype users:

  1. In the Teams admin center, go to Users > External access.
  2. Turn the Allow users in my organization to communicate with Skype users setting on or off.
  3. Select Save.

To learn more about the ways that Teams users and Skype users can communicate, including limitations that apply, see Teams and Skype interoperability.

Configure organization settings by using PowerShell

Trusted organizations can be configured by using the Set-CsTenantFederationConfiguration cmdlet.

The following table shows the cmdlet parameters used for configuring trusted organizations.

  Configuration                                                                              Parameter
  Allow or prevent meetings and chat with other Teams organizations and Skype for Business   -AllowFederatedUsers
  Specify allowed domains                                                                    -AllowedDomains
  Specify blocked domains                                                                    -BlockedDomains
  Block subdomains                                                                           -BlockAllSubdomains

Chat with Teams users not managed by an organization and Skype users can be configured by using the Set-CsTenantFederationConfiguration cmdlet.

The following table shows the cmdlet parameters used for configuring chat with Skype and unmanaged Teams users.

  Configuration                                                                              Parameter
  Allow or prevent chat with Teams users that aren't managed by an organization              -AllowTeamsConsumer
  Allow or prevent Teams users not managed by an organization starting conversations         -AllowTeamsConsumerInbound
  Allow or prevent chat with Skype users                                                     -AllowPublicUsers

Before you can run these cmdlets you must be connected to Microsoft Teams PowerShell. For more information, see Manage Teams with Microsoft Teams PowerShell.
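As an added example that is not part of the original article, the script below turns the parameters in the two tables above, together with the -ExternalAccessWithTrialTenants setting from the trial-tenant section, into a read-only drift check: it compares the tenant's current federation configuration against a baseline and reports every setting that differs, without changing anything. It assumes an existing Connect-MicrosoftTeams session and that Get-CsTenantFederationConfiguration exposes each setting as a property with the same name as the cmdlet parameter; the baseline values are a constructed example of one organization's expectations.

```powershell
# Added example, not part of the original article.
# Assumes: Connect-MicrosoftTeams has already been run with a Teams admin account,
# and that the configuration object exposes properties named like the parameters.
# The baseline below is a constructed example; adjust it to your own policy.
$baseline = @{
    AllowFederatedUsers            = $true      # federation with trusted orgs is wanted
    AllowTeamsConsumer             = $true      # chat with unmanaged Teams accounts allowed
    AllowTeamsConsumerInbound      = $false     # but only when our users start it
    AllowPublicUsers               = $false     # no Skype consumer interop
    BlockAllSubdomains             = $true      # blocked domains include their subdomains
    ExternalAccessWithTrialTenants = "Blocked"  # the enforced default from the article
}

function Get-ExternalAccessDrift {
    param([hashtable]$Baseline)
    $cfg = Get-CsTenantFederationConfiguration

    # Compare as strings so $true/"True" and enum values line up consistently.
    $drift = foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $expected = "$($Baseline[$name])"
        $actual   = "$($cfg.$name)"
        if ($actual -ne $expected) {
            [pscustomobject]@{ Setting = $name; Expected = $expected; Actual = $actual }
        }
    }

    # An empty block list with AllowFederatedUsers on means the default
    # "allow all external domains" scenario is still in effect; report it.
    if ($cfg.AllowFederatedUsers -and @($cfg.BlockedDomains).Count -eq 0) {
        $drift += [pscustomobject]@{
            Setting = "BlockedDomains"; Expected = "one or more entries"; Actual = "none"
        }
    }
    return @($drift)
}

$result = Get-ExternalAccessDrift -Baseline $baseline
if ($result.Count -eq 0) {
    "Tenant federation settings match the baseline."
} else {
    "Settings that differ from the baseline:"
    $result | Format-Table -AutoSize
}
```

Run this from a scheduled job or a change-review step so that drift from the intended external access posture is noticed before it is relied on.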

Compliance and external access

See the following references to understand how external access works with compliance features in Microsoft 365.

Use guest access and external access to collaborate with people outside your organization

Search the audit log for events in Microsoft Teams