Teams Gives Shared Channel Owners New Method to Request Cross-Tenant Trusts

Capture and Redirect Shared Channel Membership Requests

I must admit to being a tad bemused when I read MC635987 (July 11, 2023) on the topic of “capturing requests to use shared channels.” According to Microsoft, the feature will “provide a way for organizations to capture and redirect requests for external collaboration when users attempt to add an external member to a shared channel where B2B direct connect cross-tenant trust has not been mutually configured between the two organizations.” That’s quite a mouthful and it’s not easy to understand.

Parsed out, the feature amounts to a tenant-defined web page that channel owners are pointed to when they cannot add a new member because the member’s domain is not covered by the organization’s cross-tenant access policy, meaning that no trust exists between the two organizations. A tenant-wide setting defines the web page for users to visit if the access check fails and they wish to request support. Ideally, the page should contain full tenant-specific instructions for how to ask the organization to create a trust with the other organization.

Microsoft expects to deploy the update to commercial tenants in early August and complete rollout soon afterwards.

Shared Channels and Trusts

Shared channels depend on trusts between the tenant hosting the channel and the tenants where channel members come from. You can use PowerShell to discover which tenants shared channel members come from for shared channels hosted by your tenant or track access using sign-in logs.

The cross-tenant access policies that enable the trusts are defined in the External Identities section of the Microsoft Entra admin center. Trusts must be two-way. In other words, it’s not enough for your tenant to trust the Contoso domain: Contoso must trust your tenant too before shared channels can work. An organization can have an open cross-tenant access policy, meaning that it’s open to connections from any other tenant. Given the recent demonstration of how attackers could exploit external access to compromise Teams, this is not a good idea. It’s more work, but also more secure, to define cross-tenant access policies for each organization you want to collaborate with.
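As an added example (not code from the article or from Microsoft), the following Microsoft Graph PowerShell script inventories the external tenants whose users are members of shared channels hosted by your tenant and reports what your side of the cross-tenant access policy says about B2B direct connect for each of them. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account can consent to the listed scopes; only your tenant’s half of the trust is visible, so a partner that looks open here still needs the matching settings on their side.

```powershell
# Added example: map external tenants in hosted shared channels to our cross-tenant access settings.
# Assumes Microsoft.Graph.Groups, Microsoft.Graph.Teams and Microsoft.Graph.Identity.SignIns are installed.
Connect-MgGraph -Scopes 'Group.Read.All','Channel.ReadBasic.All','ChannelMember.Read.All','Policy.Read.All' -NoWelcome

$homeTenantId = (Get-MgContext).TenantId
$report = @{}   # external tenant id -> list of "team/channel" strings

# Enumerate teams, then only the shared channels each team hosts (not channels shared into it)
$teams = Get-MgGroup -Filter "resourceProvisioningOptions/Any(x:x eq 'Team')" -All
foreach ($team in $teams) {
    $sharedChannels = Get-MgTeamChannel -TeamId $team.Id -Filter "membershipType eq 'shared'" -ErrorAction SilentlyContinue
    foreach ($channel in $sharedChannels) {
        $members = Get-MgTeamChannelMember -TeamId $team.Id -ChannelId $channel.Id -All
        foreach ($m in $members) {
            # aadUserConversationMember carries the member's home tenant in AdditionalProperties
            $tid = $m.AdditionalProperties['tenantId']
            if (-not $tid -or $tid -eq $homeTenantId) { continue }
            if (-not $report.ContainsKey($tid)) { $report[$tid] = [System.Collections.Generic.List[string]]::new() }
            $report[$tid].Add("$($team.DisplayName)/$($channel.DisplayName)")
        }
    }
}

# Tenant default applies wherever a partner entry is missing or leaves a setting unconfigured
$default = Get-MgPolicyCrossTenantAccessPolicyDefault

function Resolve-AccessType($partnerSetting, $defaultSetting) {
    if ($partnerSetting -and $partnerSetting.UsersAndGroups.AccessType) { return $partnerSetting.UsersAndGroups.AccessType }
    return "default:" + $defaultSetting.UsersAndGroups.AccessType
}

# Report our side of the trust for every external tenant found. The partner's side is not visible from here.
foreach ($tid in $report.Keys) {
    $partner = Get-MgPolicyCrossTenantAccessPolicyPartner -CrossTenantAccessPolicyConfigurationPartnerTenantId $tid -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        ExternalTenantId = $tid
        SharedChannels   = ($report[$tid] | Sort-Object -Unique) -join '; '
        PartnerEntry     = [bool]$partner
        DirectConnectIn  = Resolve-AccessType $partner.B2BDirectConnectInbound  $default.B2BDirectConnectInbound
        DirectConnectOut = Resolve-AccessType $partner.B2BDirectConnectOutbound $default.B2BDirectConnectOutbound
    }
}
```

A row with no partner entry and a blocked default is exactly the situation in which a channel owner will hit the new support-request link; a row that reads allowed on both directions here can still fail if the other tenant has not configured its half.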

When a Cross-Tenant Access Policy Doesn’t Exist, Shared Channels Don’t Work

Which brings us to the problem Microsoft is trying to solve. Channel owners don’t know (much) about cross-tenant trusts and probably don’t know if a policy exists for a given external tenant. When they go to share a channel with a user, that person might not be able to access the channel because of the lack of trust. The new check detects this condition and presents the channel owner with a link to use if they need additional support (Figure 1).

Figure 1: Failure to add a member to a Teams shared channel because of a missing trust

The link can be to any URI (even if it points to a non-existent page). The link is defined in the Teams section of the Teams admin center. Go to Teams settings and scroll to the options for Shared channels. Set the “Provide a link to my support request page” to On and input the page link (Figure 2).

Figure 2: Defining a link for shared channel trust requests in the Teams admin center

The page won’t create a cross-tenant access policy (remember, the policy must exist on both sides). It can gather information from the channel owner about why they want to collaborate with people from the target domain to allow administrators to decide if it’s appropriate to create a cross-tenant access policy. The administrators will also need to contact the administrators of the target domain to arrange for them to trust your domain.

Maybe a Guest Account is a Better Idea?

If the administrators decide that they don’t want to trust the target domain, the option still exists to create a guest account for the person and add them to a private channel (shared channels don’t support guest accounts). That is, if the B2B Collaboration policy allows accounts from that domain to join your tenant as a guest. There’s always something that gets in the way.

Keep up with the changing world of the Microsoft 365 ecosystem by subscribing to the Office 365 for IT Pros eBook. Monthly updates mean that our subscribers learn about new developments as they happen.
