Forum Discussion
External connectivity not working for older Azure AD users
Hello everyone,
As the title says, we have issues with external connectivity for Azure AD users.
Some time ago we switched to MS Teams, and to make users' lives a bit easier we integrated on-prem AD with O365, so users can use the same password everywhere.
The issue is that accounts made in Active Directory are unable to IM external users (message, add, call, basically anything). Those users also do not show up in Teams admin center, only users made in O365 (how long should we wait for the accounts to propagate?). Search user externally don't show up when searching external users.
O365 accounts don't have that issue and connectivity is fully functional. Both types use MS Teams commercial cloud licenses. We tried to manage licenses from Azure (take off Teams license from O365 and add it from Azure). Can anyone advise?
Any additional information can be provided if needed.
EDIT: We created a few test on-prem accounts that were synced to Azure AD. They are working; for some reason it looks like only fresh accounts work (and show up in Teams admin center). Older ones don't.
Also, we are using an on-premises Exchange server.
Hello and thanks to everyone that contributed to this post.
I managed to find the issue. It was indeed related to previously used Skype for Business. When an SFB user is created, certain attributes are added. And those stay until they change (for example if user migration is used (didn't work for us since SFB servers were deleted)) or until they are removed.
What happened was there was a conflict with those attributes. Teams "thought" that we still use SFB due to these previous SFB msRTC attributes. Once removed, after a while external connectivity appeared.
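A read-only way to list on-prem accounts that still carry Skype for Business attributes, added here as an example and not taken from the original post. The function name `Get-SfbLeftoverReport` is hypothetical, and the attribute list uses the standard `msRTCSIP-*` schema names as an assumption, since the thread only refers to "msRTC attributes".

```powershell
# Added example, read-only: makes no changes to the directory.
# Assumes the RSAT ActiveDirectory module and a forest schema that was extended
# for Lync / Skype for Business (otherwise the msRTCSIP-* names are unknown).
Import-Module ActiveDirectory

# Standard SfB attribute names (assumption); extend the list to match your schema.
$SfbAttributes = @(
    'msRTCSIP-PrimaryUserAddress'
    'msRTCSIP-DeploymentLocator'
    'msRTCSIP-PrimaryHomeServer'
    'msRTCSIP-UserEnabled'
    'msRTCSIP-OptionFlags'
)

function Get-SfbLeftoverReport {
    param(
        [string]$SearchBase,                        # optional OU to limit the search
        [string[]]$NonRoutableSuffix = @('.local')  # suffix mentioned in the thread
    )
    # Match any user object with at least one of the attributes populated.
    $anySfb = '(|' + (($SfbAttributes | ForEach-Object { "($_=*)" }) -join '') + ')'
    $query = @{
        LDAPFilter = "(&(objectCategory=person)(objectClass=user)$anySfb)"
        Properties = $SfbAttributes + 'whenCreated'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    Get-ADUser @query | ForEach-Object {
        $user = $_
        $upnSuffix = ($user.UserPrincipalName -split '@')[-1]
        [pscustomobject]@{
            SamAccountName    = $user.SamAccountName
            UserPrincipalName = $user.UserPrincipalName
            WhenCreated       = $user.whenCreated
            SfbAttributesSet  = ($SfbAttributes | Where-Object { $null -ne $user.$_ }) -join ';'
            SipAddress        = $user.'msRTCSIP-PrimaryUserAddress'
            NonRoutableUpn    = [bool]($NonRoutableSuffix | Where-Object { $upnSuffix -like "*$_" })
        }
    }
}

# Oldest accounts first, since the thread reports that only older accounts were affected.
Get-SfbLeftoverReport | Sort-Object WhenCreated | Format-Table -AutoSize
```

Comparing the report against the users missing from Teams admin center shows whether the affected accounts are the ones with leftover attributes or a non-routable UPN suffix.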
18 Replies
- If you are trying to external chat with people in other tenants and you set it up in yours, and Teams is working etc. you just can't external chat, I would suggest checking what your Teams upgrade coexistence mode is set to.
In order to use External chat from Teams, you must be in Teams Only mode. You can change individual users to Teams Only as well, but either way, the user initiating must be in Teams Only mode in order to use External chat. Make sure you aren't set to Islands and/or one of the Skype modes. Obviously, only change it if you know the risks involved in changing. If no one is using Skype in your org then just changing to Teams Only should be fine :).
- James1, Brass Contributor
Hello ChrisWebbTech, thank you for your reply.
External connectivity is enabled and Coexistence is set to Islands, but we are testing connectivity with external Teams users.
As per @Rob Ellis's suggestion we created a new AD user and set the routable logon suffix (not .local like it was before) and external connectivity started to work (a few hours later). We changed the logon suffix for some users but for now only the first account is working, so we are waiting for the External connectivity to appear if that's the case (due to propagation).
I have a question - why did the on-prem domain logon suffix fix connectivity for the first account?
Another thing - when we set the routable suffix for other users they still don't appear in the users list in Teams Admin center. The first account showed up with status DirSyncTeamsUser.
- Rob Ellis, Bronze Contributor
I suspect it might be because external federation (e.g. the ability to chat with other organisations) is not supported for users with a company.onmicrosoft.com SIP address - only for those with company.com SIP addresses.
- Rob Ellis, Bronze Contributor
Do the AD synced users have the same UPN suffix as cloud-only users? e.g. are all users signing into 365 with username@company.com - or do the synced users have username@company.onmicrosoft.com userids?
- Rob Ellis, Bronze Contributor
I assume you changed the suffix in on-premises AD, then waited for another sync?