Jun 29 2023 01:06 PM
We have a requirement that I can't believe is unique. We have a multi-tenant organization, and our leadership would like the organizations that are part of the broader enterprise to be able to bypass the lobby while ensuring that other trusted external organizations and guests do not bypass the lobby. During conversations with Microsoft regarding other collaboration topics, cross-tenant synchronization came up as a way to improve collaboration, and I believe the thought process was that with cross-tenant sync those formerly guest accounts would be treated more like internal users or "people in my organization". However, through testing with the lobby bypass set to "people in my organization", it is clear that those cross-tenant synchronized users are still Azure AD B2B guest accounts and are still held in the lobby.
Does anyone else out there have a similar requirement and if so, how did you accomplish it? So far, I've been told by Microsoft support (third-party) that there is no way to make this work. Also, I'd want to know how Teams determines what an external user is especially with regard to cross-tenant synchronization.
Jun 30 2023 03:11 AM
Hi @McCranium,
Enabling lobby bypass selectively for specific organizations within a multi-tenant environment can be a complex requirement, and Microsoft Teams does not provide a native solution to achieve this directly. Lobby bypass settings in Teams are based on user identity and membership rather than organizational relationships.
Regarding cross-tenant synchronization and how Teams determines external users, it's important to understand that cross-tenant sync, such as Azure AD B2B guest accounts, allows users from different organizations to collaborate and access shared resources. However, these users are still considered external to each other's organizations.
While there isn't a built-in feature in Teams to differentiate lobby bypass for specific organizations within a multi-tenant environment, you may consider exploring the following options:
1. Custom Development: Explore the possibility of custom development using the Microsoft Teams APIs or Graph API to implement a solution that selectively manages lobby bypass based on specific organizational criteria. This would require custom coding and may require ongoing maintenance.
2. Third-Party Solutions: Investigate third-party solutions that specialize in advanced Teams governance and administration. Some third-party tools offer more granular control over lobby bypass settings and may provide the ability to configure bypass rules based on specific organizational criteria.
3. User Education and Best Practices: Educate users in your organization about the proper use of lobby bypass and establish best practices for inviting and managing external participants in meetings. This can help ensure that participants from trusted organizations join meetings smoothly while maintaining appropriate security measures for external guests.
Kindest regards
Jun 30 2023 05:02 AM - edited Jun 30 2023 10:10 AM
@LeonPavesic - Thank you so much for the reply, it is very thorough! In fact it is much more detailed than any other answers I've received so far.
Jun 30 2023 08:19 AM
@McCranium I'm not sure I understand the question. These are the options I have in a meeting policy for lobby control.
People in My Org and Guests would seem to be the option you want if you are going to use Azure AD Cross Tenant Sync to create guest accounts for this other tenant. The story however isn't quite complete, as they will only be joining your meeting as a guest if they have switched to your tenant already before joining the meeting. If they don't switch, they aren't treated as a guest. The missing link is the new Teams 2.1 client that is now in Public Preview: it will always attempt to join using an account in that tenant, so it auto-switches that window.
The option with Guests and Trusted Organisations might be a better way to go until the new client is fully available. A Trusted Organisation is one whose domain you list for federation under External Access. Combine that with guests and then they should always avoid the lobby.
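The meeting-policy options described above map onto the `AutoAdmittedUsers` setting of the Teams meeting policy, which is where an admin would set or verify them. The following is an added example written for this thread, not code from either poster; it assumes the MicrosoftTeams PowerShell module and a Teams admin account, and edits the Global policy only as an illustration.

```powershell
# Added example (not from the original posts). Assumes the MicrosoftTeams
# module is installed and the signed-in account is a Teams administrator.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# How the lobby options in the Teams admin center map to -AutoAdmittedUsers:
#   "People in my org"                          -> EveryoneInCompanyExcludingGuests
#   "People in my org and guests"               -> EveryoneInCompany
#   "People in my org, guests and trusted orgs" -> EveryoneInSameAndFederatedCompany
#   "Only organizers and co-organizers"         -> OrganizerOnly
#   "People I invite"                           -> InvitedUsers
#   "Everyone"                                  -> Everyone

# Show the value currently in effect on the Global policy.
(Get-CsTeamsMeetingPolicy -Identity Global).AutoAdmittedUsers

# Apply the "guests and trusted organisations" option suggested above.
Set-CsTeamsMeetingPolicy -Identity Global -AutoAdmittedUsers EveryoneInSameAndFederatedCompany

# "Trusted organisation" means any domain that federation allows, so check the
# external-access configuration before relying on this option for lobby control.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains
```

Two caveats worth checking in the output: the lobby setting is taken from the organizer's meeting policy, so it restricts who is admitted based on the joiner's identity type rather than on which tenant they come from; and if `AllowedDomains` reports `AllowAllKnownDomains` (open federation), "trusted organisations" effectively means every Teams tenant, which defeats the purpose of keeping other external parties in the lobby. Restrict `AllowedDomains` to an explicit list first if that option is used.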
Jun 30 2023 08:22 AM
@McCranium I wouldn't spend too long looking at this, as it's advising about features that simply don't exist. There is no Graph API setting to control lobby access, so you can't develop or find third-party solutions to change the product's capabilities in this area.
Kinda reads like a ChatGPT response making stuff up to me.
Jun 30 2023 09:57 AM - edited Jun 30 2023 10:08 AM
Yes, "people in my org and guests" would be the easiest way to go, except there are other organizations (e.g., our managed services provider) that also have guest accounts in our AAD tenant. So "people in my org and guests", if used with cross-tenant sync (which would work), seems to be nullified by these other individuals that have guest accounts, because we don't want them to bypass the lobby.
There are two specific tenants (our subsidiaries) that they want to bypass the lobby along with people in our org, but everyone else needs to wait in the lobby. This is what we've been asked to do. So, people in my org and two specific other tenants (cross-tenant synced) but not ALL guests. Seems like this is not an option at the moment.
I did do some tests with Teams 2.0 (New Teams) and had a cross-tenant synced account sign into our tenant, and they were no longer treated as a guest or external, but in order to achieve this I had to assign them a license for Teams. Also, with my meeting policy bypass setting at "people in my org", this synced user, despite logging into our tenant, was still held in the lobby. I've got a ticket open with MSFT, but I believe there is no solution at the moment.
Jul 02 2023 04:07 AM
@McCranium I don't actually know if it makes a difference to lobby settings, but have you tried configuring your cross-tenant sync to create external members rather than external guests? Properties of a B2B guest user - Microsoft Entra | Microsoft Learn
External member is the preferred config for a subsidiary. I'm not sure it achieves anything right now, but there are some new features in the future that will benefit from having External Members.
The point around the Teams 2.1 client is that it switches to the local guest or user account when joining a meeting. With the current Teams 1.x client it will use whichever identity the user was currently using, so even if you had a guest account you could still join as an external user if you were using Teams in your home tenant.
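Whether cross-tenant sync provisioned an account as an external guest or an external member is visible on the user object in the resource tenant (`userType` is `Guest` or `Member`; both carry a `#EXT#` UPN and a federated identity pointing at the home tenant). The following is an added example for this thread, not code from either poster; it assumes the Microsoft.Graph PowerShell module with `User.Read.All`, and the issuer-matching logic on the home tenant domain is an assumption to be checked against your own output.

```powershell
# Added example (not from the original posts). Assumes Microsoft.Graph PowerShell
# and an account with User.Read.All in the resource (host) tenant.
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes "User.Read.All"

# Placeholder: the subsidiary tenant whose synced accounts we want to inspect.
# Assumption: the federated identity's Issuer is the home tenant's domain;
# compare with what your tenant actually returns before filtering on it.
$homeTenantDomain = "subsidiary.onmicrosoft.com"

# B2B accounts (guest or external member) are the ones with a #EXT# UPN.
$external = Get-MgUser -All `
    -Filter "endsWith(userPrincipalName,'#EXT#@$((Get-MgOrganization).VerifiedDomains | Where-Object IsDefault | Select-Object -ExpandProperty Name)')" `
    -ConsistencyLevel eventual -CountVariable c `
    -Property Id,UserPrincipalName,UserType,ExternalUserState,Identities

foreach ($u in $external) {
    $fed = $u.Identities | Where-Object { $_.SignInType -eq 'federated' }
    if ($fed -and $fed.Issuer -like "*$homeTenantDomain*") {
        [pscustomobject]@{
            UPN               = $u.UserPrincipalName
            UserType          = $u.UserType          # Guest = external guest, Member = external member
            ExternalUserState = $u.ExternalUserState
            Issuer            = $fed.Issuer
        }
    }
}
```

If the subsidiary accounts show `UserType = Guest`, the sync is creating external guests; switching the cross-tenant sync attribute mapping for `userType` to `Member` is what produces external members, which is the configuration suggested above for a subsidiary. Note that this changes how the directory classifies the account, not the Teams lobby logic itself, so re-test the lobby behaviour after the change rather than assuming it.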