Forum Discussion
Best practice to add guest to AAD?
- Dec 25, 2018
Yeah, working on Desktop now, you used to not be able to pick, not sure when it got added, but it's there now :).
Anyway, so bottom line here, you should be able to choose, having a guest is not required. Test with my tenant if you wish, but if it works, and you can't do that with someone you're trying to reach and you don't get the "search externally for" and it doesn't connect, then they must not have their end configured, but inviting them or adding them as a guest to your tenant allows them to tenant switch to chat, which isn't the same as federation.
Anyway, let us know if you have other questions or need help with more testing.
However, if you have added them to a Team and you want to have private chat, you can still do so just by clicking new chat and typing their name. Once a guest is invited to a Team you have the ability to then Chat with them.
Keep in mind this will house the chat in your tenant, and they will have to tenant switch in the client to your tenant to participate in that chat. The only way to prevent this is to not have them as a guest and use the chat federation, but then they can't be in a Team. It's a mess, but Microsoft says they are working on updating this, it'll just be a while, but those are the 2 situations and how the chat works when dealing with guests.
- JosephNierenberg, Dec 13, 2018 (Iron Contributor)
ChrisWebbTech wrote:
federation (external access needs enabled in admin center on both sides)
they will have to tenant switch in the client to your tenant to participate in that chat. The only way to prevent this is to not have them as a guest and use the chat federation, but then they can't be in a Team. It's a mess
Your first point on having to enable external access on both ends might well be why the "just add them to chat" didn't work. I'll test this weekend.
Your second point couldn't be truer. The idea of switching tenants makes fine sense in theory, and without pondering too much it probably makes good if not essential sense from a security/access management perspective, but it's extremely cumbersome.
I think the answer to all this is to enter the people in AAD when possible; develop some written or video guide to administratively enabling federated chat and send a link to collaborating entities; and hope for the best.
In this context, is there any point--at all--in entering an external as a mail user? We had to do that for a few guests in order to get them into mail-enabled security groups, but with the ability to add them into AAD as guests it seems that a 'mail user' is no longer necessary or appropriate for externals. Thoughts?
- JosephNierenberg, Dec 24, 2018 (Iron Contributor)
According to my testing, adding an external to the Chat blade in Teams, i.e., not adding them to a team in the Teams blade, only works if they have been pre-added as a guest in AAD (assuming all other settings are correct).
- Dec 24, 2018
You do not have to add people to use the external federation “chat” tab. If everything is set up properly. You click new chat and type in their email and you should get a “search externally for x” underneath. If you are not getting this then something is going on with config somehow.