Teams External Federation and Presence Privacy

Teams External Federation Enables Chat with Teams and Skype Users

External federation has existed in Microsoft integrated communications applications for a long time. Teams has supported federated chat with users in other Microsoft 365 tenants since 2019 and generally it all works very well, including federation with Teams consumer users and Skype consumer users.

If problems do occur when attempting to chat with a Teams user in another tenant, the usual cause is that the external access configuration for either tenant blocks communication. By default, the external access configuration allows connections to all other tenants, but it can be restricted to specific domains. For instance, one way to block the GIFShell exploit (when an external user sent an infected GIF to a Teams user), is to only permit federation with selected tenants.

Presence States

Presence is an important feature of online chat. It allows other people to know if you’re available. Teams supports several presence states such as Available, Busy, and Do Not Disturb You can even appear to be offline. Presence can have a duration. For instance, you can set presence to be Do Not Disturb for the next two hours, after which Teams resets your presence to Available.

While most people set their presence by clicking the avatar in the top right-hand corner of the Teams desktop or browser client (top left-hand corner for the mobile clients), force of habit means that I like using the command box to input my presence status there. Teams supports the following presence shortcuts:

• /available
• /away
• /busy
• /brb (be right back)
• /dnd (do not disturb)
• /offline

Making Presence Private in Teams External Federation

By default, your presence information is available in a Teams federated chat. This seems like a logical thing to do. After all, you’re communicating with someone for a reason. But an argument exists that it’s not good to let external people know your presence. For instance, if I go to a federated chat and view the person’s profile card (click on their avatar), I see their presence information, which is available even if a chat is inactive (Figure 1).

The Set-CsPrivacyConfiguration cmdlet (which the documentation says goes back to Lync Server 2010) is now part of the Teams PowerShell module. A setting in the cmdlet controls the tenant privacy mode. By default, Teams disables privacy mode. To enable privacy mode, run the cmdlet and set the EnablePrivacyMode parameter to True:

Set-CsPrivacyConfiguration -EnablePrivacyMode $True

It can take several hours for the change to the configuration to propagate across Microsoft 365. When it’s active, presence information doesn’t appear in federated chats (Figure 2).

To revert, run Set-CsPrivacyConfiguration and set the EnablePrivacyMode parameter to False:

Set-CsPrivacyConfiguration -EnablePrivacyMode $False

Enabling privacy mode does not suppress the display of the person’s contact information and Teams never displays photos for federated users. It’s possible to add photos for guest accounts in the local Azure AD but not for federated users. I recommend that you do this for “persistent” guest accounts, those that are likely to remain in your directory for extended periods because of their business relationship with the organization.

Privacy Mode On or Off for All

I don’t think that many organizations will rush to enable privacy mode for Teams federated chat. It’s a feature that’s available but it’s also a mode that applies for the entire tenant. In other words, you cannot enable privacy mode for specific users and leave it off for the remainder. Many Teams policies are per-user for maximum flexibility. I suspect that the age of this policy is a contributing factor to why it’s a simple on/off switch.

---

Learn more about how the Office 365 applications really work on an ongoing basis by subscribing to the Office 365 for IT Pros eBook. Our monthly updates keep subscribers informed about what’s important across the Office 365 ecosystem.