Teams users have been able to chat and call people in other Teams tenants for some years. This is a very useful capability because it means that you don’t need to have a guest account in a tenant to communicate with its users. Microsoft added the capability to chat with Skype consumer users in 2020. Both features are enabled by external federation, the component which manages user ability to communicate outside the tenant. By default, the tenant external federation configuration allows communication with Teams users in any tenant. Administrators can manage the configuration through the External access section under Users in the Teams admin center. For instance, an organization might decide to limit external federation to a subset of tenants considered necessary for business communications.
Bringing Teams Consumer into the Chat Fold
Message center notification MC296208 (updated January 4, Microsoft 365 roadmap item 88381) expands external federation to cover chat (but not calling) with Teams consumer users. Given the presence of a Teams consumer client in Windows 11 and Microsoft’s fervent hope that people will embrace Teams consumer, it’s unsurprising that consumer and enterprise Teams users should be able to communicate. Up to now, any attempt to chat with a Teams enterprise user from Teams consumer results in an exchange of email, which is not quite the immediate connection delivered by chat.
According to MC296208, roll-out of Teams external access for Teams consumer starts in early January and should complete in mid-January. As always, this timing might change. Unlike external federation with Skype consumer users, Teams consumer supports both 1:1 and group chats. Another interesting aspect is that Teams enterprise users can find Teams consumer users with their email address or phone number (obviously, this must be the phone number registered by the user when they signed up for Teams consumer). But then again, you can also search for Teams enterprise users with their phone number, if you really must…
Tenant Controls for Teams External Access with Teams Consumer
Settings in the tenant’s external federation configuration control the communication with Teams consumer users (also called “Teams accounts not managed by an organization”). Two controls are available in the External access section of the Teams admin center:
People in my organization can communicate with Teams users whose accounts aren’t managed by an organization: Set On to allow your users to communicate with Teams consumer users.
External users with Teams accounts not managed by an organization can contact users in my organization: Set On to allow Teams external users to search for and contact users in your tenant using their SIP address (usually the same as their primary SMTP address and user principal name). Set Off to stop this happening and prevent unsolicited contact from Teams consumer users. Figure 1 shows that this setting is Off.
Figure 1: Options in the Teams admin center to handle external access with Teams consumer users
By default, both settings are On, meaning that if you don’t update them, full bi-directional chat is available between Teams enterprise and consumer users.
You can also update the Teams consumer controls with PowerShell by running the Set-CsTenantFederationConfiguration cmdlet. For example, this command disables both settings.
# Disable both outbound access (AllowTeamsConsumer) and inbound access (AllowTeamsConsumerInbound) for Teams consumer users
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $False -AllowTeamsConsumerInbound $False
Other settings in the external federation configuration include:
AllowFederatedUsers: Set to False to stop chat and calling with Teams users in other tenants.
AllowPublicUsers: Set to False to stop chat and calling with Skype Consumer users.
Per-User Control for External Federation
The Teams external access policy assigned to an account controls the level of external access a user has.
If an external access policy isn’t defined for an account, it uses the tenant settings.
Important settings for federated communications defined in the external access policy are:
EnableFederationAccess: Allow communication with Teams users in other tenants.
EnablePublicCloudAccess: Allow communication with Skype consumer users.
EnableTeamsConsumerAccess: Allow communication with Teams consumer users.
EnableTeamsConsumerInbound: Allow Teams consumer users to initiate communication with this account.
To gain maximum control over how Teams users communicate externally, you might want to create a new external access policy. This is done as follows:
Create a new external access policy with New-CsExternalAccessPolicy.
Update the settings in the new policy with Set-CsExternalAccessPolicy.
Assign the new policy to user accounts.
For example:
New-CsExternalAccessPolicy -Identity "Block Teams Consumer"
Set-CsExternalAccessPolicy -Identity "Block Teams Consumer" -EnableTeamsConsumerAccess $False
Grant-CsExternalAccessPolicy -Identity Jane.Sixsmith@office365itpros.com
Teams External Access with Teams Consumer
Once permitted, it’s easy for a Teams enterprise user to connect with a Teams consumer user by starting a new chat, entering the email address of the consumer user, and searching externally. The initial messages go to the external user, who must decide if they wish to accept or block the connection (Figure 2).
Figure 2: Starting a chat with a Teams consumer user
You can add a Teams consumer user to a group chat, but you can’t share previous chats as a new chat starts to accommodate the external user.
A similar check before acceptance is used when a Teams consumer user contacts a Teams enterprise user, with the subtle difference that the Teams enterprise user sees the warning that Messages from unknown or unexpected people could be spam or phishing attempts.
Recipients of inbound connections can preview the messages, which is a good reason for clearly stating the intent and purpose of the conversation in the initial messages, unlike those shown in Figure 3. Only a contravention of the don’t say hello in chat rule would be worse!
Figure 3: Previewing the initial messages from a Teams consumer user
Some limitations exist in what can happen in a mixed-Teams chat. The biggest loss of functionality is the inability to make calls or share files. Given that Teams users can call Skype consumer users, the loss of calling is surprising (I anticipate this feature will come soon). Not being able to share files is likely because enterprise and consumer Teams use different versions of OneDrive.
From a compliance perspective, the Microsoft 365 substrate captures compliance records for eDiscovery in the enterprise tenant. Teams consumer doesn’t have this capability. On a more serious note, Microsoft documents that Data Loss Prevention (DLP) policies don’t apply to external access chats. If you’ve invested in DLP for Teams (which needs Office 365 or advanced compliance licenses), you’re unlikely to be impressed at the prospect that tenant users can share sensitive information in external chats. This is definitely a hole which Microsoft should close.
Generally, all went as expected. The only issue I ran into was when attempting to connect to an account signed into Teams consumer that I had previously communicated with from Teams using Skype consumer. Teams stubbornly refused to communicate using anything other than Skype consumer. There’s nothing wrong with the Teams consumer account because I was able to connect with it in a group chat when another enterprise account added the consumer account to the chat.
Connections for Those Who Want Them
I’m unsure as to how many Teams consumer accounts are ready to use Teams external access to communicate with enterprise tenants. Sure, the client is in Windows 11 and many people might have kicked the tires of the client but knowing how many persist and use Teams consumer on an ongoing basis is a different question. In any case, for those who use Teams consumer, the pathway to communication with their enterprise connections is now available. That is, if enterprise tenants enable the capability.
Keep up to date with developments in Microsoft Teams by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers understand the most important changes happening across Office 365.
I don’t understand how the functionnality works. We have enabled the same option as showed in Figure 1 but our Teams users enterprise are unable to engage a conversation with a teams personal account, because we can’t find any personnal account with the search bar, Teams find nothing.
I would check for client updates and make sure that you’re running the latest client software. If in doubt, sign out of Teams and sign back in again too. That often “fixes” things…
Have the external access commands been removed? I have the Teams module installed and I can run any options, but for some reason those 3 commands are not recognized as cmdlet, function, etc.
CommandType Name Version Source
———– —- ——- ——
Function Get-CsExternalAccessPolicy 3.1.1 MicrosoftTeams
Function Grant-CsExternalAccessPolicy 3.1.1 MicrosoftTeams
Function New-CsExternalAccessPolicy 3.1.1 MicrosoftTeams
Function Remove-CsExternalAccessPolicy 3.1.1 MicrosoftTeams
Function Set-CsExternalAccessPolicy 3.1.1 MicrosoftTeams
What about an option to allow certain users external access to some certain external domains, so…. different users have access to different external domains? Is it possible? I don’t see any option co configure it that way right now 🙁
{"id":null,"mode":"button","open_style":"in_modal","currency_code":"EUR","currency_symbol":"\u20ac","currency_type":"decimal","blank_flag_url":"https:\/\/office365itpros.com\/wp-content\/plugins\/tip-jar-wp\/\/assets\/images\/flags\/blank.gif","flag_sprite_url":"https:\/\/office365itpros.com\/wp-content\/plugins\/tip-jar-wp\/\/assets\/images\/flags\/flags.png","default_amount":100,"top_media_type":"featured_image","featured_image_url":"https:\/\/office365itpros.com\/wp-content\/uploads\/2022\/11\/cover-141x200.jpg","featured_embed":"","header_media":null,"file_download_attachment_data":null,"recurring_options_enabled":true,"recurring_options":{"never":{"selected":true,"after_output":"One time only"},"weekly":{"selected":false,"after_output":"Every week"},"monthly":{"selected":false,"after_output":"Every month"},"yearly":{"selected":false,"after_output":"Every year"}},"strings":{"current_user_email":"","current_user_name":"","link_text":"Virtual Tip Jar","complete_payment_button_error_text":"Check info and try again","payment_verb":"Pay","payment_request_label":"Office 365 for IT Pros","form_has_an_error":"Please check and fix the errors above","general_server_error":"Something isn't working right at the moment. Please try again.","form_title":"Office 365 for IT Pros","form_subtitle":null,"currency_search_text":"Country or Currency here","other_payment_option":"Other payment option","manage_payments_button_text":"Manage your payments","thank_you_message":"Thank you for supporting the work of Office 365 for IT Pros!","payment_confirmation_title":"Office 365 for IT Pros","receipt_title":"Your Receipt","print_receipt":"Print Receipt","email_receipt":"Email Receipt","email_receipt_sending":"Sending receipt...","email_receipt_success":"Email receipt successfully sent","email_receipt_failed":"Email receipt failed to send. Please try again.","receipt_payee":"Paid to","receipt_statement_descriptor":"This will show up on your statement as","receipt_date":"Date","receipt_transaction_id":"Transaction ID","receipt_transaction_amount":"Amount","refund_payer":"Refund from","login":"Log in to manage your payments","manage_payments":"Manage Payments","transactions_title":"Your Transactions","transaction_title":"Transaction Receipt","transaction_period":"Plan Period","arrangements_title":"Your Plans","arrangement_title":"Manage Plan","arrangement_details":"Plan Details","arrangement_id_title":"Plan ID","arrangement_payment_method_title":"Payment Method","arrangement_amount_title":"Plan Amount","arrangement_renewal_title":"Next renewal date","arrangement_action_cancel":"Cancel Plan","arrangement_action_cant_cancel":"Cancelling is currently not available.","arrangement_action_cancel_double":"Are you sure you'd like to cancel?","arrangement_cancelling":"Cancelling Plan...","arrangement_cancelled":"Plan Cancelled","arrangement_failed_to_cancel":"Failed to cancel plan","back_to_plans":"\u2190 Back to Plans","update_payment_method_verb":"Update","sca_auth_description":"Your have a pending renewal payment which requires authorization.","sca_auth_verb":"Authorize renewal payment","sca_authing_verb":"Authorizing payment","sca_authed_verb":"Payment successfully authorized!","sca_auth_failed":"Unable to authorize! Please try again.","login_button_text":"Log in","login_form_has_an_error":"Please check and fix the errors above","uppercase_search":"Search","lowercase_search":"search","uppercase_page":"Page","lowercase_page":"page","uppercase_items":"Items","lowercase_items":"items","uppercase_per":"Per","lowercase_per":"per","uppercase_of":"Of","lowercase_of":"of","back":"Back to plans","zip_code_placeholder":"Zip\/Postal Code","download_file_button_text":"Download File","input_field_instructions":{"tip_amount":{"placeholder_text":"How much would you like to tip?","initial":{"instruction_type":"normal","instruction_message":"How much would you like to tip? Choose any currency."},"empty":{"instruction_type":"error","instruction_message":"How much would you like to tip? Choose any currency."},"invalid_curency":{"instruction_type":"error","instruction_message":"Please choose a valid currency."}},"recurring":{"placeholder_text":"Recurring","initial":{"instruction_type":"normal","instruction_message":"How often would you like to give this?"},"success":{"instruction_type":"success","instruction_message":"How often would you like to give this?"},"empty":{"instruction_type":"error","instruction_message":"How often would you like to give this?"}},"name":{"placeholder_text":"Name on Credit Card","initial":{"instruction_type":"normal","instruction_message":"Enter the name on your card."},"success":{"instruction_type":"success","instruction_message":"Enter the name on your card."},"empty":{"instruction_type":"error","instruction_message":"Please enter the name on your card."}},"privacy_policy":{"terms_title":"Terms and conditions","terms_body":null,"terms_show_text":"View Terms","terms_hide_text":"Hide Terms","initial":{"instruction_type":"normal","instruction_message":"I agree to the terms."},"unchecked":{"instruction_type":"error","instruction_message":"Please agree to the terms."},"checked":{"instruction_type":"success","instruction_message":"I agree to the terms."}},"email":{"placeholder_text":"Your email address","initial":{"instruction_type":"normal","instruction_message":"Enter your email address"},"success":{"instruction_type":"success","instruction_message":"Enter your email address"},"blank":{"instruction_type":"error","instruction_message":"Enter your email address"},"not_an_email_address":{"instruction_type":"error","instruction_message":"Make sure you have entered a valid email address"}},"note_with_tip":{"placeholder_text":"Your note here...","initial":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"empty":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"not_empty_initial":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"saving":{"instruction_type":"normal","instruction_message":"Saving note..."},"success":{"instruction_type":"success","instruction_message":"Note successfully saved!"},"error":{"instruction_type":"error","instruction_message":"Unable to save note note at this time. Please try again."}},"email_for_login_code":{"placeholder_text":"Your email address","initial":{"instruction_type":"normal","instruction_message":"Enter your email to log in."},"success":{"instruction_type":"success","instruction_message":"Enter your email to log in."},"blank":{"instruction_type":"error","instruction_message":"Enter your email to log in."},"empty":{"instruction_type":"error","instruction_message":"Enter your email to log in."}},"login_code":{"initial":{"instruction_type":"normal","instruction_message":"Check your email and enter the login code."},"success":{"instruction_type":"success","instruction_message":"Check your email and enter the login code."},"blank":{"instruction_type":"error","instruction_message":"Check your email and enter the login code."},"empty":{"instruction_type":"error","instruction_message":"Check your email and enter the login code."}},"stripe_all_in_one":{"initial":{"instruction_type":"normal","instruction_message":"Enter your credit card details here."},"empty":{"instruction_type":"error","instruction_message":"Enter your credit card details here."},"success":{"instruction_type":"normal","instruction_message":"Enter your credit card details here."},"invalid_number":{"instruction_type":"error","instruction_message":"The card number is not a valid credit card number."},"invalid_expiry_month":{"instruction_type":"error","instruction_message":"The card's expiration month is invalid."},"invalid_expiry_year":{"instruction_type":"error","instruction_message":"The card's expiration year is invalid."},"invalid_cvc":{"instruction_type":"error","instruction_message":"The card's security code is invalid."},"incorrect_number":{"instruction_type":"error","instruction_message":"The card number is incorrect."},"incomplete_number":{"instruction_type":"error","instruction_message":"The card number is incomplete."},"incomplete_cvc":{"instruction_type":"error","instruction_message":"The card's security code is incomplete."},"incomplete_expiry":{"instruction_type":"error","instruction_message":"The card's expiration date is incomplete."},"incomplete_zip":{"instruction_type":"error","instruction_message":"The card's zip code is incomplete."},"expired_card":{"instruction_type":"error","instruction_message":"The card has expired."},"incorrect_cvc":{"instruction_type":"error","instruction_message":"The card's security code is incorrect."},"incorrect_zip":{"instruction_type":"error","instruction_message":"The card's zip code failed validation."},"invalid_expiry_year_past":{"instruction_type":"error","instruction_message":"The card's expiration year is in the past"},"card_declined":{"instruction_type":"error","instruction_message":"The card was declined."},"missing":{"instruction_type":"error","instruction_message":"There is no card on a customer that is being charged."},"processing_error":{"instruction_type":"error","instruction_message":"An error occurred while processing the card."},"invalid_request_error":{"instruction_type":"error","instruction_message":"Unable to process this payment, please try again or use alternative method."},"invalid_sofort_country":{"instruction_type":"error","instruction_message":"The billing country is not accepted by SOFORT. Please try another country."}}}},"fetched_oembed_html":false}
I don’t understand how the functionnality works. We have enabled the same option as showed in Figure 1 but our Teams users enterprise are unable to engage a conversation with a teams personal account, because we can’t find any personnal account with the search bar, Teams find nothing.
I would check for client updates and make sure that you’re running the latest client software. If in doubt, sign out of Teams and sign back in again too. That often “fixes” things…
Have the external access commands been removed? I have the Teams module installed and I can run any options, but for some reason those 3 commands are not recognized as cmdlet, function, etc.
New-CsExternalAccessPolicy
Set-CsExternalAccessPolicy
Grant-CsExternalAccessPolicy
I have the MicrosoftTeams 3.1.1 module installed.
I have them show up .
get-command *externalaccess* -Module MicrosoftTeams
CommandType Name Version Source
———– —- ——- ——
Function Get-CsExternalAccessPolicy 3.1.1 MicrosoftTeams
Function Grant-CsExternalAccessPolicy 3.1.1 MicrosoftTeams
Function New-CsExternalAccessPolicy 3.1.1 MicrosoftTeams
Function Remove-CsExternalAccessPolicy 3.1.1 MicrosoftTeams
Function Set-CsExternalAccessPolicy 3.1.1 MicrosoftTeams
I do as well. But when I execute the command I get the error that says it does not exist
What about an option to allow certain users external access to some certain external domains, so…. different users have access to different external domains? Is it possible? I don’t see any option co configure it that way right now 🙁
I don’t believe such access controls are available.