With Azure AD B2B Direct Connect for shared channels in Microsoft Teams, Microsoft offers a feature that simplifies the management of collaboration with external partners in teams.
Until the release of Azure AD B2B Direct Connect, an external partner was invited to the tenant as a guest and authorized in Microsoft Teams (Azure AD B2B Collaboration). The external partner then received an email with instructions for further steps.
Anyone who looks into their own Azure Active Directory notices the consequence: every external user gets a guest account in our own Azure Active Directory. Whether the guest account is still in use or not, it remains in Azure Active Directory until it is deleted manually.
For the external partner as well as the administrator, this meant a considerable effort in time and cost. Azure AD B2B Direct Connect reduces this effort.
Azure AD B2B Direct Connect establishes a mutual trust relationship between two Microsoft tenants. Because of this trust relationship, no guest account has to be managed in your own Azure Active Directory, and no additional steps are required for the external partner.
Prerequisites and Licensing
No paid license is required for the feature “Azure AD B2B Direct Connect”.
It is sufficient if Azure Active Directory is licensed with “Azure AD Free”.
Shared channels are configured in Teams Policies in the Teams Admin Center (https://admin.teams.microsoft.com/).
- “Teams” > “Teams policies”
- Select the “Global” policy (or any other policy that should allow shared channels)
- Enable shared channels with the following options:
  - Create shared channels: team owners can create shared channels.
  - Invite external users to shared channels: team owners can share shared channels with people outside the organization.
  - Join external shared channels: users can be invited to shared channels in other organizations.
In order to allow users from external organizations to participate in meetings and to display the presence of external users in the channel, the following option must be enabled.
- “Users” > “External access”
- Select “Allow all external domains”
The same configuration must also be performed on the remote (partner) Microsoft tenant.
Configure Trust Relationship
For the configuration of the trust relationship, sign in to the Azure Portal (https://portal.azure.com) and select “Azure Active Directory” > “External Identities” > “Cross-tenant access settings”.
The default settings are now displayed. By default, all inbound and outbound connections for Azure AD B2B Direct Connect are blocked. For security reasons, this tenant-wide default should be left as is; access is granted per partner organization instead.
In the “Organizational settings”, the trust relationship can be configured for each organization with the corresponding security guidelines.
- Select “Organizational settings”
- Select “Add organization”
- Enter the partner's tenant ID or a domain name of the partner tenant
The trust relationship is now configured with the default settings. The default settings can now be adjusted to your own security policies. The configuration for inbound and outbound access is similar to a firewall policy.
Azure AD B2B Direct Connect Inbound Access
Azure AD B2B Direct Connect Inbound Trust Settings
The trust settings require an active Azure AD Premium P1 license.
They allow additional security features such as device compliance and multi-factor authentication to be controlled via Conditional Access, because the partner tenant's claims for these properties are accepted.
Azure AD B2B Direct Connect Outbound Access
On the remote Microsoft tenant, the trust relationship must also be configured.
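As an added example that is not part of the original post, the same partner trust can be created with Microsoft Graph PowerShell instead of the portal; this is useful when the configuration has to be repeatable and reviewable. The tenant ID and group IDs below are placeholders, the tenant-wide defaults are assumed to remain blocked, and `Office365` is the Graph keyword for the Office 365 application group that shared channels use.

```powershell
# Requires the Microsoft.Graph.Identity.SignIns module and an account that holds
# the Policy.ReadWrite.CrossTenantAccess permission.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.CrossTenantAccess"

$partnerTenantId = "00000000-0000-0000-0000-000000000000"  # placeholder: partner tenant ID
$partnerGroupId  = "11111111-1111-1111-1111-111111111111"  # placeholder: group IN THE PARTNER tenant allowed in
$localGroupId    = "22222222-2222-2222-2222-222222222222"  # placeholder: group IN YOUR tenant allowed out

# Build a B2B Direct Connect setting that allows one group and only Office 365,
# instead of the broad AllUsers / AllApplications targets.
function New-DirectConnectSetting {
    param([string]$GroupId)
    return @{
        usersAndGroups = @{
            accessType = "allowed"
            targets    = @(@{ target = $GroupId; targetType = "group" })
        }
        applications = @{
            accessType = "allowed"
            targets    = @(@{ target = "Office365"; targetType = "application" })
        }
    }
}

$partner = @{
    tenantId                 = $partnerTenantId
    # Inbound: which partner users may join our shared channels, and through which apps.
    b2bDirectConnectInbound  = New-DirectConnectSetting -GroupId $partnerGroupId
    # Outbound: which of our users may join the partner's shared channels.
    b2bDirectConnectOutbound = New-DirectConnectSetting -GroupId $localGroupId
    # Trust settings (Azure AD Premium P1): accept the partner's MFA and compliant-device
    # claims so Conditional Access can require them for external users in shared channels.
    inboundTrust = @{
        isMfaAccepted                       = $true
        isCompliantDeviceAccepted           = $true
        isHybridAzureADJoinedDeviceAccepted = $false
    }
}

New-MgPolicyCrossTenantAccessPolicyPartner -BodyParameter $partner

# Read the configuration back and confirm inbound access is scoped to a group, not AllUsers.
$cfg = Get-MgPolicyCrossTenantAccessPolicyPartner `
    -CrossTenantAccessPolicyConfigurationPartnerTenantId $partnerTenantId
$cfg.B2BDirectConnectInbound.UsersAndGroups.Targets | Select-Object Target, TargetType
```

The partner tenant must run the mirror configuration with your tenant ID; until both sides allow the connection, users will not appear for selection in the shared channel.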
To collaborate with external partners in a team, a shared channel is created.
Only team owners can create a shared channel.
- Select the properties of the “Team”
- Select “Add channel”
- Assign a name for channel
- Select “Shared”
- Enable this option if the channel should be shared with everyone on the parent team
In the next step, the external partners can be invited to the shared channel.
Note: after configuring the trust relationship, it takes up to 1 hour until the external partners are displayed for selection.
The invited external partner now has access to the shared channel in Teams.
The partner does not need to change tenants to collaborate. The channel is displayed in the home tenant of the user.
When creating a shared channel, the “Shared” option under “Privacy” is not available.
The cause is insufficient permissions: only team owners can create a shared channel.
Once the user has been granted team owner permissions, the channel can be created as “Shared”.