SOLVED

Lobby Bypass - People in my organization and trusted organization

Copper Contributor

We have a requirement that I can't believe is unique. We have a multi-tenant organization, and our leadership would like the organizations that are part of the broader enterprise to be able to bypass the lobby while ensuring that other trusted external organizations and guests do not bypass the lobby. During conversations with Microsoft regarding other collaboration, cross-tenant synchronization came up as a way to improve collaboration, and I believe the thought process was that with cross-tenant sync those formerly guest accounts would be treated more like internal users or "people in my organization". However, through testing with the lobby bypass set to "people in my organization", it is clear that those cross-tenant synchronized users are still Azure AD B2B guest accounts and are still held in the lobby.

Does anyone else out there have a similar requirement, and if so, how did you accomplish it? So far, I've been told by Microsoft support (third-party) that there is no way to make this work. Also, I'd want to know how Teams determines what an external user is, especially with regard to cross-tenant synchronization.

 

8 Replies

Hi @McCranium,

Enabling lobby bypass selectively for specific organizations within a multi-tenant environment can be a complex requirement, and Microsoft Teams does not provide a native solution to achieve this directly. Lobby bypass settings in Teams are based on user identity and membership rather than organizational relationships.

Regarding cross-tenant synchronization and how Teams determines external users, it's important to understand that cross-tenant sync, such as Azure AD B2B guest accounts, allows users from different organizations to collaborate and access shared resources. However, these users are still considered external to each other's organizations.

While there isn't a built-in feature in Teams to differentiate lobby bypass for specific organizations within a multi-tenant environment, you may consider exploring the following options:

1. Custom Development: Explore the possibility of custom development using the Microsoft Teams APIs or Graph API to implement a solution that selectively manages lobby bypass based on specific organizational criteria. This would require custom coding and may require ongoing maintenance.

2. Third-Party Solutions: Investigate third-party solutions that specialize in advanced Teams governance and administration. Some third-party tools offer more granular control over lobby bypass settings and may provide the ability to configure bypass rules based on specific organizational criteria.

3. User Education and Best Practices: Educate users in your organization about the proper use of lobby bypass and establish best practices for inviting and managing external participants in meetings. This can help ensure that participants from trusted organizations join meetings smoothly while maintaining appropriate security measures for external guests.


Kindest regards 

@LeonPavesic - Thank you so much for the reply, it is very thorough! In fact it is much more detailed than any other answers I've received so far.

@McCranium I'm not sure I understand the question. These are the options I have in a meeting policy for lobby control.

 

(screenshot: the "Who can bypass the lobby" options in the Teams meeting policy)

 

People in My Org and Guests would seem to be the option you want if you are going to use Azure AD Cross Tenant Sync to create guest accounts for this other tenant. The story, however, isn't quite complete, as they will only be joining your meeting as a guest if they have switched to your tenant already before joining the meeting. If they don't switch, they aren't treated as a guest. The missing link is in the new Teams 2.1 client that is now in Public Preview: it will always attempt to join using an account in that tenant, auto-switching that window.

 

The option with Guests and Trusted Organisations might be a better way to go until the new client is fully available; a Trusted Organisation is one whose domain you list for federation under External Access. Combine that with guests and then they should always avoid the lobby.
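An audit script to make the conflict in this thread concrete (this is an added example, not code from the thread or from Microsoft): it reads the Global meeting policy's lobby setting, the federated domains under External Access, and lists every guest account by home domain, so you can see which non-subsidiary guests would also be admitted under "People in my org and guests". It assumes the MicrosoftTeams and Microsoft.Graph modules, the conventional B2B guest UPN layout, and a placeholder list of subsidiary domains.

```powershell
# Added audit script (not from the thread or Microsoft): shows why "People in my org and guests"
# admits every guest, by listing the current lobby setting, the federated (trusted) domains,
# and the home domain of each B2B guest account in the tenant.
# Assumes the MicrosoftTeams and Microsoft.Graph PowerShell modules are installed.
Connect-MicrosoftTeams
Connect-MgGraph -Scopes "User.Read.All"

# 1. Current lobby setting on the Global meeting policy (AutoAdmittedUsers is the
#    "Who can bypass the lobby" dropdown shown in the Teams admin center).
$policy = Get-CsTeamsMeetingPolicy -Identity Global
"Lobby bypass (Global policy): $($policy.AutoAdmittedUsers)"

# 2. Domains listed under External Access, i.e. the "trusted organisations".
$fed = Get-CsTenantFederationConfiguration
"Federated (trusted) domains: $($fed.AllowedDomains)"

# 3. Guest accounts grouped by home domain. A B2B guest's UPN looks like
#    user_contoso.com#EXT#@tenant.onmicrosoft.com; the part before #EXT# carries
#    the home domain after the last underscore (assumption about the UPN layout;
#    the Mail attribute is preferred when populated).
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All -Property UserPrincipalName,Mail,UserType
$byDomain = $guests | ForEach-Object {
    $prefix = ($_.UserPrincipalName -split '#EXT#')[0]
    $domain = if ($_.Mail) { ($_.Mail -split '@')[-1] } else { ($prefix -split '_')[-1] }
    [pscustomobject]@{ HomeDomain = $domain.ToLower(); Upn = $_.UserPrincipalName }
} | Group-Object HomeDomain | Sort-Object Count -Descending

"Guest accounts by home domain (all of these bypass the lobby under 'People in my org and guests'):"
$byDomain | Select-Object @{n='HomeDomain';e={$_.Name}}, Count | Format-Table -AutoSize

# 4. Flag guest domains that are NOT one of the subsidiary tenants you intend to admit.
#    $subsidiaryDomains is a placeholder list; replace with your two subsidiaries' domains.
$subsidiaryDomains = @('subsidiary-a.example', 'subsidiary-b.example')
$unexpected = $byDomain | Where-Object { $subsidiaryDomains -notcontains $_.Name }
if ($unexpected) {
    "Guest home domains that would also bypass the lobby but are not subsidiaries:"
    $unexpected | ForEach-Object { " - $($_.Name) ($($_.Count) accounts)" }
}
```

Run it read-only first; it changes nothing, and a non-empty final list is exactly the set of guests (such as a managed services provider) that the "guests" options would admit alongside the subsidiaries.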

 

best response confirmed by McCranium (Copper Contributor)
Solution

@McCranium I wouldn't spend too long looking at this, as it's advising about features that simply don't exist. There is no Graph API setting to control lobby access, so you can't develop or find third-party solutions to change the product's capabilities in this area.

 

Kinda reads like a ChatGPT response making stuff up to me.

Yes, "people in my org and guests" would be the easiest way to go, except there are other organizations (e.g., our managed services provider) that also have guest accounts in our AAD tenant, and so "people in my org and guests", if used with cross-tenant sync (which would work), seems to be nullified by these other individuals that have guest accounts, because we don't want them to bypass the lobby.

 

There are two specific tenants (our subsidiaries) that they want to bypass the lobby along with people in our org, but everyone else needs to wait in the lobby. This is what we've been asked to do. So, people in my org and two specific other tenants (cross-tenant synced), but not ALL guests. Seems like this is not an option at the moment.

 

I did do some tests with Teams 2.0 or New Teams and had a cross-tenant sync'd account sign into our tenant, and they were no longer treated as a guest or external, but in order to achieve this I had to assign them a license for Teams. Also, I had my meeting policy bypass setting set to "people in my org", and this sync'd user, despite logging into our tenant, was still held in the lobby. I've got a ticket open with MSFT, but I believe there is no solution at the moment.

Thanks for the reply, I really appreciate it.

@McCranium I don't actually know if it makes a difference to lobby settings, but have you tried configuring your cross tenant sync to create external members rather than external guests? Properties of a B2B guest user - Microsoft Entra | Microsoft Learn

 

External member is the preferred config for a subsidiary, I'm not sure it achieves anything right now but there are some new features in the future that will benefit from having External Members.

 

The point around the Teams 2.1 client is that it switches to the local guest or user account when joining a meeting; with the current Teams 1.x client it will use whichever identity the user was currently using, so even if you had a guest account you could still join as an external user if you were using Teams in your home tenant.

Thanks Steven, understood. We've tested cross-tenant sync to set the attribute userType=Member and it has no effect on the lobby setting. I've tested with Teams 2.1 and yes, the only setting that worked was when the guest connected to Teams via our tenant and was able to bypass. Regardless of that, this is not what the leadership expected or wanted, so we'll be making some kind of different choice or compromise. Thank you for all of your suggestions and assistance. I have a way forward, it just wasn't what I was expecting. Thank you again.