How to Manage External Access Settings for Communication with Teams Consumer Users

Teams External Access for Chat and Calling

Teams users have been able to chat and call people in other Teams tenants for some years. This is a very useful capability because it means that you don’t need to have a guest account in a tenant to communicate with its users. Microsoft added the capability to chat with Skype consumer users in 2020. Both features are enabled by external federation, the component which manages user ability to communicate outside the tenant. By default, the tenant external federation configuration allows communication with Teams users in any tenant. Administrators can manage the configuration through the External access section under Users in the Teams admin center. For instance, an organization might decide to limit external federation to a subset of tenants considered necessary for business communications.

Bringing Teams Consumer into the Chat Fold

Message center notification MC296208 (updated January 4, Microsoft 365 roadmap item 88381) expands external federation to cover chat (but not calling) with Teams consumer users. Given the presence of a Teams consumer client in Windows 11 and Microsoft’s fervent hope that people will embrace Teams consumer, it’s unsurprising that consumer and enterprise Teams users should be able to communicate. Up to now, any attempt to chat with a Teams enterprise user from Teams consumer results in an exchange of email, which is not quite the immediate connection delivered by chat.

According to MC296208, roll-out of Teams external access for Teams consumer starts in early January and should complete in mid-January. As always, this timing might change. Unlike external federation with Skype consumer users, Teams consumer supports both 1:1 and group chats. Another interesting aspect is that Teams enterprise users can find Teams consumer users with their email address or phone number (obviously, this must be the phone number registered by the user when they signed up for Teams consumer). But then again, you can also search for Teams enterprise users with their phone number, if you really must…

Tenant Controls for Teams External Access with Teams Consumer

Settings in the tenant’s external federation configuration control the communication with Teams consumer users (also called “Teams accounts not managed by an organization”). Two controls are available in the External access section of the Teams admin center:

  • People in my organization can communicate with Teams users whose accounts aren’t managed by an organization: Set On to allow your users to communicate with Teams consumer users.
  • External users with Teams accounts not managed by an organization can contact users in my organization: Set On to allow Teams external users to search for and contact users in your tenant using their SIP address (usually the same as their primary SMTP address and user principal name). Set Off to stop this happening and prevent unsolicited contact from Teams consumer users. Figure 1 shows that this setting is Off.

Figure 1: Options in the Teams admin center to handle external access with Teams consumer users

By default, both settings are On, meaning that if you don’t update them, full bi-directional chat is available between Teams enterprise and consumer users.

You can also update the Teams consumer controls with PowerShell by running the Set-CsTenantFederationConfiguration cmdlet. For example, this command disables both settings.

# Disable both outbound access (AllowTeamsConsumer) and inbound access (AllowTeamsConsumerInbound) for Teams consumer users
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $False -AllowTeamsConsumerInbound $False

Other settings in the external federation configuration include:

  • AllowFederatedUsers: Set to False to stop chat and calling with Teams users in other tenants.
  • AllowPublicUsers: Set to False to stop chat and calling with Skype Consumer users.

Per-User Control for External Federation

The Teams external access policy assigned to an account controls the level of external access a user has.

# <UserPrincipalName> is a placeholder for the account to check
Get-CsOnlineUser -Identity <UserPrincipalName> | Select-Object ExternalAccessPolicy

ExternalAccessPolicy            : FederationAndPICDefault

Get-CsExternalAccessPolicy -Identity FederationAndPICDefault

Identity                          : Global
Description                       :
EnableFederationAccess            : True
EnableXmppAccess                  : False
EnablePublicCloudAccess           : True
EnablePublicCloudAudioVideoAccess : True
EnableOutsideAccess               : True
EnableAcsFederationAccess         : True
EnableTeamsConsumerAccess         : True
EnableTeamsConsumerInbound        : True

If an external access policy isn’t defined for an account, it uses the tenant settings.

Important settings for federated communications defined in the external access policy are:

  • EnableFederationAccess: Allow communication with Teams users in other tenants.
  • EnablePublicCloudAccess: Allow communication with Skype consumer users.
  • EnableTeamsConsumerAccess: Allow communication with Teams consumer users.
  • EnableTeamsConsumerInbound: Allow Teams consumer users to initiate communication with this account.

To gain maximum control over how Teams users communicate externally, you might want to create a new external access policy. This is done as follows:

  • Create a new external access policy with New-CsExternalAccessPolicy.
  • Update the settings in the new policy with Set-CsExternalAccessPolicy.
  • Assign the new policy to user accounts.

For example:

New-CsExternalAccessPolicy -Identity "Block Teams Consumer"
Set-CsExternalAccessPolicy -Identity "Block Teams Consumer" -EnableTeamsConsumerAccess $False
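# <UserPrincipalName> is a placeholder for the account that receives the policy
Grant-CsExternalAccessPolicy -Identity <UserPrincipalName> -PolicyName "Block Teams Consumer"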
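
Before creating and assigning a restrictive policy, it helps to see the tenant switches, the external access policies that exist, and how many accounts each policy covers. The script below is an added example, not code from the original article; it assumes an open Connect-MicrosoftTeams session with Teams administrator rights, and Get-PolicyName and Get-ConsumerSetting are hypothetical helper names.

```powershell
# Added example (not from the article). Assumes Connect-MicrosoftTeams has already
# been run with Teams administrator rights. Helper names are hypothetical.

# 1. Tenant-wide switches from the external federation configuration
Get-CsTenantFederationConfiguration |
    Format-List AllowFederatedUsers, AllowPublicUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound

# 2. Index every external access policy by name ("Tag:" prefixes user-level policies)
$policies = @{}
foreach ($p in Get-CsExternalAccessPolicy) {
    $policies[($p.Identity -replace '^Tag:', '')] = $p
}

# 3. The policy held on an account may be a string or an object with a Name
#    property, depending on the module version (assumption), so handle both
function Get-PolicyName ($Value) {
    if (-not $Value) { return '(none assigned)' }
    if ($Value.Name) { return [string]$Value.Name }
    return [string]$Value
}

# 4. Look up one setting for a policy name; unassigned accounts use tenant settings
function Get-ConsumerSetting ($PolicyName, $Setting) {
    if ($PolicyName -eq '(none assigned)') { return 'tenant setting' }
    if ($policies.ContainsKey($PolicyName)) { return $policies[$PolicyName].$Setting }
    return 'policy not found'
}

# 5. Count accounts per policy and show the Teams consumer settings each one carries
Get-CsOnlineUser |
    Group-Object { Get-PolicyName $_.ExternalAccessPolicy } |
    ForEach-Object {
        [PSCustomObject]@{
            Policy           = $_.Name
            Accounts         = $_.Count
            ConsumerOutbound = Get-ConsumerSetting $_.Name 'EnableTeamsConsumerAccess'
            ConsumerInbound  = Get-ConsumerSetting $_.Name 'EnableTeamsConsumerInbound'
        }
    } |
    Sort-Object Accounts -Descending |
    Format-Table -AutoSize
```

Rows where ConsumerInbound is True identify the accounts that Teams consumer users can contact unsolicited, which is where the DLP gap for external access chats matters most.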

Teams External Access with Teams Consumer

Once permitted, it’s easy for a Teams enterprise user to connect with a Teams consumer user by starting a new chat, entering the email address of the consumer user, and searching externally. The initial messages go to the external user, who must decide if they wish to accept or block the connection (Figure 2).

Figure 2: Starting a chat with a Teams consumer user

You can add a Teams consumer user to a group chat, but you can’t share previous chats as a new chat starts to accommodate the external user.

A similar check before acceptance is used when a Teams consumer user contacts a Teams enterprise user, with the subtle difference that the Teams enterprise user sees the warning that “Messages from unknown or unexpected people could be spam or phishing attempts.”

Recipients of inbound connections can preview the messages, which is a good reason for clearly stating the intent and purpose of the conversation in the initial messages, unlike those shown in Figure 3. Only a contravention of the “don’t say hello in chat” rule would be worse!

Figure 3: Previewing the initial messages from a Teams consumer user

Some limitations exist in what can happen in a mixed-Teams chat. The biggest loss of functionality is the inability to make calls or share files. Given that Teams users can call Skype consumer users, the loss of calling is surprising (I anticipate this feature will come soon). Not being able to share files is likely because enterprise and consumer Teams use different versions of OneDrive.

From a compliance perspective, the Microsoft 365 substrate captures compliance records for eDiscovery in the enterprise tenant. Teams consumer doesn’t have this capability. On a more serious note, Microsoft documents that Data Loss Prevention (DLP) policies don’t apply to external access chats. If you’ve invested in DLP for Teams (which needs Office 365 or advanced compliance licenses), you’re unlikely to be impressed at the prospect that tenant users can share sensitive information in external chats. This is definitely a hole which Microsoft should close.

Generally, all went as expected. The only issue I ran into was when attempting to connect to an account signed into Teams consumer that I had previously communicated with from Teams using Skype consumer. Teams stubbornly refused to communicate using anything other than Skype consumer. There’s nothing wrong with the Teams consumer account because I was able to connect with it in a group chat when another enterprise account added the consumer account to the chat.

Connections for Those Who Want Them

I’m unsure as to how many Teams consumer accounts are ready to use Teams external access to communicate with enterprise tenants. Sure, the client is in Windows 11 and many people might have kicked the tires of the client but knowing how many persist and use Teams consumer on an ongoing basis is a different question. In any case, for those who use Teams consumer, the pathway to communication with their enterprise connections is now available. That is, if enterprise tenants enable the capability.


14 Replies to “How to Manage External Access Settings for Communication with Teams Consumer Users”

  1. I don’t understand how the functionality works. We have enabled the same option as shown in Figure 1 but our Teams enterprise users are unable to engage a conversation with a Teams personal account, because we can’t find any personal account with the search bar; Teams finds nothing.

    1. I would check for client updates and make sure that you’re running the latest client software. If in doubt, sign out of Teams and sign back in again too. That often “fixes” things…

  2. Have the external access commands been removed? I have the Teams module installed and I can run any options, but for some reason those 3 commands are not recognized as cmdlet, function, etc.


    I have the MicrosoftTeams 3.1.1 module installed.

    1. I have them show up.

      get-command *externalaccess* -Module MicrosoftTeams

      CommandType  Name                           Version  Source
      -----------  ----                           -------  ------
      Function     Get-CsExternalAccessPolicy     3.1.1    MicrosoftTeams
      Function     Grant-CsExternalAccessPolicy   3.1.1    MicrosoftTeams
      Function     New-CsExternalAccessPolicy     3.1.1    MicrosoftTeams
      Function     Remove-CsExternalAccessPolicy  3.1.1    MicrosoftTeams
      Function     Set-CsExternalAccessPolicy     3.1.1    MicrosoftTeams

      1. I do as well. But when I execute the command I get the error that says it does not exist.

  3. What about an option to allow certain users external access to certain external domains, so… different users have access to different external domains? Is it possible? I don’t see any option to configure it that way right now 🙁
