How to configure Teams Shared Channel without Tenant Switching



A new feature in Microsoft Teams makes cross-tenant collaboration much easier. Switching tenants to gain access to a Shared Channel that you are a member of with your Guest Account is now obsolete.

With a B2B relationship between two tenants, the B2B Guest Account can be used within your own organization. This eliminates tenant switching and makes collaboration more efficient. The feature is available bi-directionally.

NOTE:

With these shared channels, NO B2B Guest Account is needed. The trust relationship between the tenants involved applies to Teams only (M365 Group with Teams enabled) and gives access to the SHARED CHANNEL ONLY in TEAMS, based on the invite. Users in the opposite tenant are found and identified based on their UPN and the Tenant ID trust.


The "embedded" Team Channel is marked with two identifiers:

- @Contoso: this indicates that the Team and its Channels are located outside of your organization, and it names the partner tenant.

- (External): the word External further identifies a Channel that is not located in your home Teams.

With those indicators, users can easily see the data boundaries they are working in.


Configuration on Microsoft 365 Tenant Level


Teams Admin Portal

The first steps are carried out in the Teams Admin Portal: define a Policy in which the Shared Channel options are activated.


As the next step, in the User section under External Access, ensure the option below is set to "On" as well. These are the Federation settings.

With these settings defined, Shared Channels are available and can be used with the tenant-switching option.
To make a Shared Channel appear in your "Home Tenant", the organizations must be "trusted", which is accomplished in Entra ID. A relationship needs to be configured.

Entra ID Admin Portal
(Home Tenant)

Navigate to the Entra ID Portal and select "Cross-tenant access settings" under "External Identities".


You need to know your partner organization's tenant ID, or choose any form of name.onmicrosoft.com or the FQDN.

1. Click "Organizational settings"
2. Click "Add organization"
3. Enter the partner tenant name and click "Add"



As the next step, configure the Inbound access. Scroll down and click the "Inherited from default" link located next to the added partner tenant name.

We are now configuring the inbound tenant access settings.

1. On the new configuration page, click "B2B direct connect"
2. Choose "Customize settings"
3. Select "Allow access"
4. Allow all partner B2B users or selected groups


1. Click "Applications", next to the "External users and groups" configuration from the previous step.
2. Select "Allow access"
3. Choose O365 as the application; this enables Teams and other apps within M365


The configuration for our home tenant is now completed.

Entra ID Admin Portal
(Partner Tenant)

The configuration must now continue on the Partner Tenant side.
The Entra ID cross-tenant access settings for outbound access must now be configured to align with your home tenant.

In the Partner Tenant, follow the steps described above for your Home Tenant and configure "Outbound access".


NOTE:
If you want this configured bi-directionally, these steps must be carried out for the inbound and outbound cross-tenant access settings in both tenants.


Click "Outbound access".


Click the "B2B direct connect" tab and configure:

1. Click "Customize settings"
2. Click "Allow access" under "Users and groups"
3. Click "All TENANT NAME users"; this is the "Home Tenant in the Partner Tenant"


1. Choose the next tab, "External applications"
2. Click "Allow access"
3. Click "Select external applications"


In the window that opens, search for and select O365.



The configuration is now completed on both sides.


Remember:

For bi-directional Shared Channels, the inbound and outbound settings must be configured in both the Home AND the Partner Tenant.

This example covers only the Partner Tenant Shared Channel!
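
The portal settings above are stored as one partner entry in the cross-tenant access policy, which Microsoft Graph returns from GET /policies/crossTenantAccessPolicy/partners/{tenantId}. The Python below is an added example, not part of the original post: it audits such an entry for the inbound and outbound B2B direct connect choices made in this walkthrough. The sample JSON is constructed, the tenant ID is a placeholder, and the function name check_direct_connect is hypothetical.

```python
# Added example: audit one partner entry of the cross-tenant access policy.
# Input shape follows Graph's crossTenantAccessPolicyConfigurationPartner.
import json

# Constructed sample: inbound customized as in the walkthrough,
# outbound never touched. The tenant ID is a placeholder.
SAMPLE_PARTNER = json.loads("""
{
  "tenantId": "00000000-0000-0000-0000-000000000000",
  "b2bDirectConnectInbound": {
    "usersAndGroups": {"accessType": "allowed",
      "targets": [{"target": "AllUsers", "targetType": "user"}]},
    "applications": {"accessType": "allowed",
      "targets": [{"target": "Office365", "targetType": "application"}]}
  },
  "b2bDirectConnectOutbound": null
}
""")

def check_direct_connect(partner, direction):
    """Return findings for 'Inbound' or 'Outbound' B2B direct connect."""
    setting = partner.get("b2bDirectConnect" + direction)
    if setting is None:
        # The portal shows a null setting as "Inherited from default".
        return [f"{direction}: inherited from default, not customized"]
    findings = []
    for part in ("usersAndGroups", "applications"):
        cfg = setting.get(part) or {}
        targets = {t["target"] for t in cfg.get("targets", [])}
        if cfg.get("accessType") != "allowed":
            findings.append(f"{direction}/{part}: not set to allowed")
        elif part == "usersAndGroups" and "AllUsers" in targets:
            findings.append(f"{direction}/{part}: all users allowed, "
                            "selected groups would be narrower")
        elif part == "applications" and "AllApplications" in targets:
            findings.append(f"{direction}/{part}: all applications allowed, "
                            "broader than the Office365 choice above")
        elif part == "applications" and "Office365" not in targets:
            findings.append(f"{direction}/{part}: Office365 not among "
                            "the allowed applications")
    return findings

if __name__ == "__main__":
    for d in ("Inbound", "Outbound"):
        result = check_direct_connect(SAMPLE_PARTNER, d)
        for line in result or [f"{d}: matches the walkthrough"]:
            print(line)
```

Run it against the partner entry exported from each tenant; an empty result means B2B direct connect is allowed, limited to selected groups, and includes Office365.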
