Set up modern external Viva Engage networks

Important

An External network is a redesigned external Viva Engage network type that requires and fully supports Microsoft Entra authentication and identity.

Microsoft designs modern external Viva Engage networks to promote collaboration between organizations. Modern networks allow users and teams from different companies, known as external participants, to communicate and share information in an industry-standard secure environment. Enterprise admins allocate these special external networks to partners, consultants, and other outside companies to conduct team discussions, share files, and collaborate on projects.

All Viva Engage networks support a format called M365 Native Mode, which uses Microsoft Entra identities and policies. Native mode operation is required for all Viva Engage networks in the enterprise. It enables users, groups, and content to map directly to their accounts in Microsoft Entra and in Microsoft 365. All parent Viva Engage networks and external Viva Engage networks observe this standard. Native Mode also supports eDiscovery through the Microsoft Purview portal to promote safe and secure collaboration in your Engage networks.

In this procedure, you create a new Microsoft Entra workforce tenant to support the Viva Engage external network. As part of provisioning the new tenant, you also need to provision and enable the same B2B user account and email address that you use in the main Viva Engage network.

Supported features for the modern external network

External Participants: Users can add external participants to public and private Viva Engage communities.

Create and Connect: Users can browse existing external networks or create new networks to connect with external collaborators.

Management: Administrators can manage external networks, set permissions, monitor activity, and ensure compliance with organizational policies.

Note

Modern Viva Engage external networks support the Communities feature, with future expansions to include Campaigns, Events, and Knowledge.

Requirements

Modern external networks must use the following Microsoft 365 requirements:

• Global Administrator privileges
• Microsoft 365 E5 license for at least one user
• Permissions to create new Workforce tenant.

Viva Engage also has the following requirements:

• The active Global Administrator account

The last requirement involves correct user provisioning.

• The B2B user account and email address of your main Viva Engage network gets provisioned in the new workforce tenant network you create in Microsoft Entra.

Set up a modern external network

Take the following steps to perform a modern external network configuration. Complete these tasks in the order shown. Since the role requirements vary by each task, they're called out in each section.

Set up a new Microsoft Entra workforce tenant

Note

Consult the Microsoft Entra documentation QuickStart - Access and create new tenant for information and steps to set up your new workforce tenant for the modern external network. Ensure that the new tenant's Country/Region setting matches the Home tenant's Country/Region value. For example, if the tenant that hosts the Engage Home network is in the United States, the new tenant also must be hosted in the United States. If the Country/Region value doesn't match, the new Engage network won't link to the Home network.

After you create the tenant, copy the new Microsoft Entra Tenant ID to a safe location for later use.

Assign the required license and email address to the tenant admin

The new tenant automatically embeds the creating user as a B2B Guest user, and assigns them the Global Administrator role and privileges.

1. Use the Microsoft Entra admin center to assign the correct license to the B2B Guest user. You assign a Microsoft 365 E5 license to the Global Administrator of the new tenant. Doing so enables the Global Administrator to sign into Viva Engage as the Network Admin.

2. In the Microsoft Entra admin center, make sure to add the creating user's email address to their Entra B2B guest user account in the new tenant. This email address must be the same email that is associated with the user's account for the Viva Engage network.

Note

Enable the Engage Core Service plan for the user in the assigned Microsoft 365 E5 license. Then, the admin needs to confirm that the B2B Guest user account owns the global admin role and the correct Microsoft 365 E5 license.

Connect the new Microsoft Entra tenant to the parent network

Because the legacy external network doesn't yet have a Microsoft Entra tenant that backs it, the legacy network can't communicate with the parent Viva Engage network.

The new tenant also needs to connect to the parent network. The next step is to connect the new Microsoft Entra tenant with the parent Viva Engage network so the parent network knows about its existence.

This process requires two steps:

• Generate a tenant association token.
• Redeem the tenant association token in the parent network. This step connects and links the new Microsoft Entra tenant to the parent Viva Engage network.

Generate the association token

Do the following to create the association token:

1. As the Viva Engage Global Administrator, go to engage.cloud.microsoft and sign into Viva Engage on the new Microsoft Entra tenant.

2. In Viva Engage, select the settings icon, and go to Admin center.

3. In the Admin center, on the Setup and Configuration tab, select External Networks.

4. Select Setup External Network.

   

5. Select the Generate Code tab to generate a one-time tenant association code, and select Generate. You use the code to associate the new Microsoft Entra tenant with the parent Engage network.

   

Make a note of the association code, because you use it in later steps.

Redeem the Token to associate the new external network/tenant with the parent Viva Engage network

This process uses the association token to establish the new Entra tenant with the enterprise parent Viva Engage network.

1. Sign out of the new Engage external network. (If you use In-Private, or Saved Profiles, you don't need to sign out.)
2. Sign in to the parent Viva Engage network on engage.cloud.microsoft. (The user must be the same Global Administrator that sets up the new Entra tenant.)
3. To access External Networks Setup in the parent network, select the settings icon, and go to the admin center.
4. In the admin center Setup and Configuration tab, select External Networks.
5. Select Set up external network.
6. Select the Redeem code tab to redeem the association code. Add the association token and the Entra tenant ID you saved from the prior steps.

After the redemption of the association code, you see the following result:

The parent network now connects to the new tenant.

Connect the legacy external network to the new external network

After the new Microsoft Entra tenant associates to the parent network, you set the legacy external network to connect to the new external network. To do so, you use the same association token and Tenant ID that you used in the previous sections.

1. From the parent Engage network, network switch to the legacy external network.
2. To open the external network settings, select the Settings Icon on the external network and choose Network Admin.
3. To associate the legacy external network to your new external network, select External Network Upgrade from the menu.
4. Use the same tenant ID and tenant association token from the previous steps to enter the information in the appropriate fields and select Redeem token.

The legacy Viva Engage external network binds to the new external network and is backed by the new Entra tenant.

Note

The system signs the user out from the legacy network to allow immediate sign in with Entra as the identity provider.

Data Migration from legacy network to new external network

The next phase establishes the legacy network's user database in the new external network. For consistency, always use the user accounts database from your legacy external network. You do so with a CSV file that you export from your legacy external network.

Export users from the legacy external network

1. Sign in (or network switch) to the legacy external network.
2. In Viva Engage, select the Settings icon, and go to Admin center.
3. In the Admin center, select the Governance and Compliance tab, and select Data export.
4. Under Export user list, enter the Start date and select the End date, then select Download CSV file.

Viva Engage uploads the new CSV file in a folder to your designated download location.

Add exported user accounts as guest users in the external network

In the Microsoft Entra admin center, you import the current user accounts CSV from the legacy external network.

1. Sign in to the Microsoft Entra admin center as the Global Admin for the Entra tenant in your parent deployment.

2. Use the exported users CSV file to bulk-invite the users from the legacy external network as guests in the new network.

Run the Native Mode data alignment for the external network

After the legacy external network associates with the new external network, you can run the data move/data alignment process. Doing so aligns the legacy network's resources with Microsoft 365 Entra resources.

After you successfully connect the external network to the parent, the M365 Native Mode feature appears in the Viva Engage admin settings. To complete the Native Mode alignment, select this tab and follow the instructions.

When Native Mode alignment runs, the Native Mode configuration page shows progress and identifies failed steps for which you can take action.

Launch the modern external network

Important

Update the policies of the Entra tenant that hosts your new external network based on your security posture. Pay particular attention to policies that identify, respond to, and recover from security threats.

After the data move completes, the network administrators can take the following steps:

• Confirm that the communities are configured as they were in the legacy Network.
• Notify users of their membership in the new network.

Note

When you bring user accounts to the updated external network, it offers a feature to notify users of the new URL/domain. We recommend that you include the tenant ID of the new External Network in the invite URL. Format it as https://engage.cloud.microsoft/main/org/<Tenant ID>.

FAQ

What's the best way to set up a tenant for a Viva Engage modern external network?

There are three ways to prepare a tenant for modern external networks:

1. Create a new tenant using the add-on tenant flow. Use the same user account that is automatically projected for you into the new tenant. Users created this way may be missing a required email property that needs to be on their Entra user account. During setup, fill in the same email as your home tenant user so Viva Engage can sync that user account.

2. Create a tenant using the add-on tenant flow and invite a different user to the tenant. The process is similar to #1, but has other requirements:

   • The invited user must be given the Global Admin (GA) role
   • The invited user must be set to Member.

   The invited user automatically has the email property set because of the invitation flow.

3. Use a pre-existing tenant. The user has same requirements as #2, but no tenant creation flow is necessary. The same user must be projected into two tenants, and the user account requires the email property to be set to the same value on both user instances.

What happens to my users from the legacy external network?

You can export the list of existing users in your legacy external network in a CSV file from the Native Mode setup flow. You can use the CSV file to bulk invite the users to your new external network through the Microsoft Entra admin center.

Can I use external networks for consumer identities in modern external networks?

External networks provide full support for the Consumer Identities use case.

What's the process for members to join the migrated external network?

The Converted external network continues support for the invitation flow to add members. Additionally, Admins can use Cross-Tenant sync to join users directly into Entra, and those users have access to the external network.