Using Teams External Access for Federated Chats

Teams Communication with Users in other Microsoft 365 Tenants

Updated 1 June 2023.

In the context of a messaging application like Teams, federation means that your tenant allows connections with people belonging to other organizations. For example, if my tenant is federated with Microsoft’s tenant, I can use Teams federated chat to message and call users belonging to the Microsoft tenant.

Being able to reach outside the boundaries of your tenant is a big thing for a communications client. Teams was slow to make this happen, but External Access (the term Teams uses for federation) now works well once you enable the feature in the org-wide settings section of the Teams Admin Center. You can also set up a list of allowed or blocked domains. If no list exists, any user in another Office 365 tenant can connect to users in your tenant.

Finding an External User

External access is not the same as the access enjoyed by Azure AD guest accounts. It’s much more limited (think chats and calls) whereas guest access can allow someone to have extensive access to tenant resources (groups, teams, sites, individual documents). Along with the ability to chat and call (on an individual basis), external users can see presence information for other people. And most important, they can search your tenant directory to find people.

An external user can’t browse your directory. Searching means that they can input an email address (or SIP address) into the search box to instruct Teams to look up the name in the tenant owning the domain name part of the email address (Figure 1). And if a match is found, Teams launches a 1:1 chat. The trick is to have Teams search externally (see below). If you don’t see this option, you know external access isn’t enabled in your tenant.

Figure 1: Searching for an external user in another Microsoft 365 tenant

A Potential Lack of Emojis in Teams Federated Chat

Once the chat starts, you’ll discover other limitations. Most importantly, you can’t share files with an external user (you can upload a file to OneDrive or another sharing site and then send a link). Somewhat less critically, you can’t use emojis or reactions (like) in a response unless both tenants are configured in “TeamsOnly” mode. Both the iOS and Android clients support emojis in their native keyboards and it’s possible to insert them with the desktop client using the Windows + ; (Windows key plus semi-colon) combination.

Fewer text formatting options are available too. Teams gives a visible indicator (Figure 2) that you’re using a federated communication by displaying the address of the external user in the title bar.

Figure 2: How Teams shows that you’re communicating with an external user

These restrictions aside, a chat with an external user is much the same as with a tenant or guest user. Apart from a potential lack of emojis, it’s as easy to communicate externally with Teams as it was with Skype for Business.

Controlling Teams Federated Chat

At the organization level, the Teams admin center (Figure 3) offers these options to control Teams external access/federated chat:

  • Allow all external domains. This is the default, chosen because Microsoft wants to encourage organizations to communicate and collaborate.
  • Block all external domains.
  • Block only specific external domains.
  • Allow only specific external domains. This is the option I suggest organizations adopt, if only to avoid potential attacks like the GIFShell demonstration. It’s possible to update the allowed external domains list with PowerShell. I show how to do this in an article explaining how to add external domains for guest accounts present in the tenant.

Figure 3: Controlling Teams external access in the Teams admin center
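
One way to apply the "Allow only specific external domains" option with PowerShell, as an added example that is not from the original article. It assumes the MicrosoftTeams module, a Teams administrator sign-in, and constructed sample domains (contoso.com, fabrikam.com); the `AllowedDomains.AllowedDomain.Domain` property path used to read the existing list is also an assumption.

```powershell
# Added example: move Teams external access to an explicit allow list.
# Requires the MicrosoftTeams module and a Teams administrator account.
Connect-MicrosoftTeams

# Constructed sample domains; replace with the partner tenants you federate with.
$Approved = @('contoso.com', 'fabrikam.com')

$Config = Get-CsTenantFederationConfiguration

# Assumption: an existing allow list is exposed as AllowedDomains.AllowedDomain,
# a collection of objects with a Domain property. With "allow all" nothing is returned.
$Current = @($Config.AllowedDomains.AllowedDomain.Domain | Where-Object { $_ })

# Report the starting posture so the change is visible in the session transcript.
if (-not $Config.AllowFederatedUsers) {
    Write-Host 'External access is currently disabled for the tenant.'
} elseif ($Current.Count -eq 0) {
    Write-Warning 'External access is open: no allow list is defined, so any tenant can reach your users.'
} else {
    Write-Host ("Existing allow list: {0}" -f ($Current -join ', '))
}

# Merge existing entries with the approved domains, de-duplicated and lower-cased.
$List = New-Object 'System.Collections.Generic.List[string]'
foreach ($Domain in ($Current + $Approved | Sort-Object -Unique)) {
    $List.Add($Domain.ToLower())
}

# Keep federation enabled, but only for the domains on the list.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomainsAsAList $List

# Read the configuration back to confirm what the tenant now enforces.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains
```

Changes to the federation configuration can take some time to reach clients, so rerun the final `Get-CsTenantFederationConfiguration` check before testing from an external tenant.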

For more information about Teams, read Chapter 13 of Office 365 for IT Pros. Teams meetings are covered in Chapter 16.

2 Replies to “Using Teams External Access for Federated Chats”

  1. Things become a bit messy when you want to chat with a person that is also a guest with extensive access to your tenant resources (groups, teams, sites, individual documents). You have two options then, either use full chat options but the guest has to access your tenant to read and reply to the chats or chat with the external user (which is the same person) with limited chat options.

    1. That’s true. However, if the person you need to chat to is a guest, they’ll be found in the first search (internal) and you wouldn’t need to look externally. I bounce between both options, depending on which tenant I am connected to at the time.
