Increases Tenant Control Over Anonymous Users Joining Meetings
Up to now, the only control organizations have over the ability of anonymous users (people with a valid email address who don’t belong to another Office 365 tenant) to join Teams meetings is the tenant-level control available in the Meeting settings section of the Teams admin center (Figure 1). The control is either On or Off, the default being On.
Figure 1: Tenant-level anonymous join setting in the Teams admin center
New Per-User Control
Documented in MC297030 (updated November 18, Microsoft 365 roadmap item 87503), Microsoft is introducing a per-user level setting to control the ability of individual meeting organizers to allow anonymous users to join their meetings. The new setting is available in Teams meeting policies now and Microsoft plans to complete the roll-out of the feature to all tenants by the end of November.
Microsoft is taking a two-phase approach to the introduction of per-user control. In the first phase, tenant administrators can create and assign meeting policies to user accounts to allow or deny the accounts the ability to let anonymous users join their meetings. The existing tenant-wide setting remains in place. If the tenant-level setting prohibits anonymous join, it doesn’t matter what the per-user controls as the tenant-level setting takes precedence.
In phase two, Microsoft will remove the tenant-level setting and the only control over anonymous meeting joins will be the settings in meeting policies applied to users.
Managing Per-User Control
Microsoft will eventually update the policy management functionality in the Teams admin center to support management of the per-user setting. Until that happens, you can update the setting using the Set-CsTeamsMeetingPolicy cmdlet in V2.6.0 or above of the Microsoft Teams PowerShell module.
By default, all meeting organizers are allowed to have anonymous users join their meeting. To restrict this capability, either update the Global (default) policy or a custom meeting policy and assign the policy to accounts. Updating the Global policy is a big step when it comes to applying restrictions and it is preferable to use a custom policy for this purpose. My tenant has a meeting policy called RestrictedFunctionality for this reason. To stop people having anonymous users join their meetings, I updated the policy to set the AllowAnonymousUsersToJoinMeeting control to False:
After updating the policy, the new control is picked up and respected by accounts already assigned the policy. To assign the restricted policy to a new account, run the Grant-CsTeamsMeetingPolicy cmdlet:
Like any change made to a Teams policy, it might take a few hours before the new settings are effective. You’ll know that the block exists by doing this simple test.
Create a Teams meeting.
Copy the meeting link from the meeting invitation.
Open a private browser session and paste the link into it.
Attempt to join the meeting. Because your connection is unauthenticated, Teams prompts you for a name. Add anything you like and then join.
If the policy block is effective, you’ll see an error like that shown in Figure 2.
Figure 2: An attempt to join a Teams meeting anonymously fails
Per-User Always Better Than Tenant-Wide
Per-user control over features is better than employing tenant-wide settings. If you want to use tenant-wide settings for anonymous join, don’t change the global meeting policy to allow anonymous join or set AllowAnonymousUsersToJoinMeeting to False to disable anonymous join for all meetings. Later, you can introduce more granular control using extra meeting policies. It’s your choice.
So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across Office 365. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.
One argument for turning Anonymous on is when (e.g.) HR is interviewing a potential hire, and the person is using a personal email address. Or if you are working with town hall type situations. You end up having to open up Anonymous access because that invitee does not use Teams normally, and does not sign into a tenant.
What Microsoft should do is allow you to lock down each invite to the invitees’ email addresses. When they try to join the meeting, a one time code gets sent to the email address of the invitee from the invite, which verifies that user is coming into the meeting, not some stranger.
If they would do this, vs force login to Teams, you wouldn’t have to allow [anyone in the world] to show up at your meeting.
If anyone has clout with MS, please get some momentum on this! 😀
Microsoft does listen to opinions which gather support there. In fact, they have a complete team of people who monitor and filter customer suggestions.
{"id":null,"mode":"button","open_style":"in_modal","currency_code":"EUR","currency_symbol":"\u20ac","currency_type":"decimal","blank_flag_url":"https:\/\/office365itpros.com\/wp-content\/plugins\/tip-jar-wp\/\/assets\/images\/flags\/blank.gif","flag_sprite_url":"https:\/\/office365itpros.com\/wp-content\/plugins\/tip-jar-wp\/\/assets\/images\/flags\/flags.png","default_amount":100,"top_media_type":"featured_image","featured_image_url":"https:\/\/office365itpros.com\/wp-content\/uploads\/2022\/11\/cover-141x200.jpg","featured_embed":"","header_media":null,"file_download_attachment_data":null,"recurring_options_enabled":true,"recurring_options":{"never":{"selected":true,"after_output":"One time only"},"weekly":{"selected":false,"after_output":"Every week"},"monthly":{"selected":false,"after_output":"Every month"},"yearly":{"selected":false,"after_output":"Every year"}},"strings":{"current_user_email":"","current_user_name":"","link_text":"Virtual Tip Jar","complete_payment_button_error_text":"Check info and try again","payment_verb":"Pay","payment_request_label":"Office 365 for IT Pros","form_has_an_error":"Please check and fix the errors above","general_server_error":"Something isn't working right at the moment. Please try again.","form_title":"Office 365 for IT Pros","form_subtitle":null,"currency_search_text":"Country or Currency here","other_payment_option":"Other payment option","manage_payments_button_text":"Manage your payments","thank_you_message":"Thank you for supporting the work of Office 365 for IT Pros!","payment_confirmation_title":"Office 365 for IT Pros","receipt_title":"Your Receipt","print_receipt":"Print Receipt","email_receipt":"Email Receipt","email_receipt_sending":"Sending receipt...","email_receipt_success":"Email receipt successfully sent","email_receipt_failed":"Email receipt failed to send. Please try again.","receipt_payee":"Paid to","receipt_statement_descriptor":"This will show up on your statement as","receipt_date":"Date","receipt_transaction_id":"Transaction ID","receipt_transaction_amount":"Amount","refund_payer":"Refund from","login":"Log in to manage your payments","manage_payments":"Manage Payments","transactions_title":"Your Transactions","transaction_title":"Transaction Receipt","transaction_period":"Plan Period","arrangements_title":"Your Plans","arrangement_title":"Manage Plan","arrangement_details":"Plan Details","arrangement_id_title":"Plan ID","arrangement_payment_method_title":"Payment Method","arrangement_amount_title":"Plan Amount","arrangement_renewal_title":"Next renewal date","arrangement_action_cancel":"Cancel Plan","arrangement_action_cant_cancel":"Cancelling is currently not available.","arrangement_action_cancel_double":"Are you sure you'd like to cancel?","arrangement_cancelling":"Cancelling Plan...","arrangement_cancelled":"Plan Cancelled","arrangement_failed_to_cancel":"Failed to cancel plan","back_to_plans":"\u2190 Back to Plans","update_payment_method_verb":"Update","sca_auth_description":"Your have a pending renewal payment which requires authorization.","sca_auth_verb":"Authorize renewal payment","sca_authing_verb":"Authorizing payment","sca_authed_verb":"Payment successfully authorized!","sca_auth_failed":"Unable to authorize! Please try again.","login_button_text":"Log in","login_form_has_an_error":"Please check and fix the errors above","uppercase_search":"Search","lowercase_search":"search","uppercase_page":"Page","lowercase_page":"page","uppercase_items":"Items","lowercase_items":"items","uppercase_per":"Per","lowercase_per":"per","uppercase_of":"Of","lowercase_of":"of","back":"Back to plans","zip_code_placeholder":"Zip\/Postal Code","download_file_button_text":"Download File","input_field_instructions":{"tip_amount":{"placeholder_text":"How much would you like to tip?","initial":{"instruction_type":"normal","instruction_message":"How much would you like to tip? Choose any currency."},"empty":{"instruction_type":"error","instruction_message":"How much would you like to tip? Choose any currency."},"invalid_curency":{"instruction_type":"error","instruction_message":"Please choose a valid currency."}},"recurring":{"placeholder_text":"Recurring","initial":{"instruction_type":"normal","instruction_message":"How often would you like to give this?"},"success":{"instruction_type":"success","instruction_message":"How often would you like to give this?"},"empty":{"instruction_type":"error","instruction_message":"How often would you like to give this?"}},"name":{"placeholder_text":"Name on Credit Card","initial":{"instruction_type":"normal","instruction_message":"Enter the name on your card."},"success":{"instruction_type":"success","instruction_message":"Enter the name on your card."},"empty":{"instruction_type":"error","instruction_message":"Please enter the name on your card."}},"privacy_policy":{"terms_title":"Terms and conditions","terms_body":null,"terms_show_text":"View Terms","terms_hide_text":"Hide Terms","initial":{"instruction_type":"normal","instruction_message":"I agree to the terms."},"unchecked":{"instruction_type":"error","instruction_message":"Please agree to the terms."},"checked":{"instruction_type":"success","instruction_message":"I agree to the terms."}},"email":{"placeholder_text":"Your email address","initial":{"instruction_type":"normal","instruction_message":"Enter your email address"},"success":{"instruction_type":"success","instruction_message":"Enter your email address"},"blank":{"instruction_type":"error","instruction_message":"Enter your email address"},"not_an_email_address":{"instruction_type":"error","instruction_message":"Make sure you have entered a valid email address"}},"note_with_tip":{"placeholder_text":"Your note here...","initial":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"empty":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"not_empty_initial":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"saving":{"instruction_type":"normal","instruction_message":"Saving note..."},"success":{"instruction_type":"success","instruction_message":"Note successfully saved!"},"error":{"instruction_type":"error","instruction_message":"Unable to save note note at this time. Please try again."}},"email_for_login_code":{"placeholder_text":"Your email address","initial":{"instruction_type":"normal","instruction_message":"Enter your email to log in."},"success":{"instruction_type":"success","instruction_message":"Enter your email to log in."},"blank":{"instruction_type":"error","instruction_message":"Enter your email to log in."},"empty":{"instruction_type":"error","instruction_message":"Enter your email to log in."}},"login_code":{"initial":{"instruction_type":"normal","instruction_message":"Check your email and enter the login code."},"success":{"instruction_type":"success","instruction_message":"Check your email and enter the login code."},"blank":{"instruction_type":"error","instruction_message":"Check your email and enter the login code."},"empty":{"instruction_type":"error","instruction_message":"Check your email and enter the login code."}},"stripe_all_in_one":{"initial":{"instruction_type":"normal","instruction_message":"Enter your credit card details here."},"empty":{"instruction_type":"error","instruction_message":"Enter your credit card details here."},"success":{"instruction_type":"normal","instruction_message":"Enter your credit card details here."},"invalid_number":{"instruction_type":"error","instruction_message":"The card number is not a valid credit card number."},"invalid_expiry_month":{"instruction_type":"error","instruction_message":"The card's expiration month is invalid."},"invalid_expiry_year":{"instruction_type":"error","instruction_message":"The card's expiration year is invalid."},"invalid_cvc":{"instruction_type":"error","instruction_message":"The card's security code is invalid."},"incorrect_number":{"instruction_type":"error","instruction_message":"The card number is incorrect."},"incomplete_number":{"instruction_type":"error","instruction_message":"The card number is incomplete."},"incomplete_cvc":{"instruction_type":"error","instruction_message":"The card's security code is incomplete."},"incomplete_expiry":{"instruction_type":"error","instruction_message":"The card's expiration date is incomplete."},"incomplete_zip":{"instruction_type":"error","instruction_message":"The card's zip code is incomplete."},"expired_card":{"instruction_type":"error","instruction_message":"The card has expired."},"incorrect_cvc":{"instruction_type":"error","instruction_message":"The card's security code is incorrect."},"incorrect_zip":{"instruction_type":"error","instruction_message":"The card's zip code failed validation."},"invalid_expiry_year_past":{"instruction_type":"error","instruction_message":"The card's expiration year is in the past"},"card_declined":{"instruction_type":"error","instruction_message":"The card was declined."},"missing":{"instruction_type":"error","instruction_message":"There is no card on a customer that is being charged."},"processing_error":{"instruction_type":"error","instruction_message":"An error occurred while processing the card."},"invalid_request_error":{"instruction_type":"error","instruction_message":"Unable to process this payment, please try again or use alternative method."},"invalid_sofort_country":{"instruction_type":"error","instruction_message":"The billing country is not accepted by SOFORT. Please try another country."}}}},"fetched_oembed_html":false}
One argument for turning Anonymous on is when (e.g.) HR is interviewing a potential hire, and the person is using a personal email address. Or if you are working with town hall type situations. You end up having to open up Anonymous access because that invitee does not use Teams normally, and does not sign into a tenant.
What Microsoft should do is allow you to lock down each invite to the invitees’ email addresses. When they try to join the meeting, a one time code gets sent to the email address of the invitee from the invite, which verifies that user is coming into the meeting, not some stranger.
If they would do this, vs force login to Teams, you wouldn’t have to allow [anyone in the world] to show up at your meeting.
If anyone has clout with MS, please get some momentum on this! 😀
Go ahead and make your case at the Teams feedback portal https://office365itpros.com/2021/10/29/microsoft-releases-preview-new-teams-feedback-portal/
Microsoft does listen to opinions which gather support there. In fact, they have a complete team of people who monitor and filter customer suggestions.
Thanks Tony, will do!