Microsoft Teams was designed to work within a single organization, but there are other scenarios.
The beauty and the curse of Microsoft Teams is that it allows you to do all of it… which makes things a bit complicated.
So, let’s make it simple. Here’s the ultimate guide to working with Microsoft Teams across multiple organizations.
Let’s start with a simple Microsoft Accounts 101. There are two types of accounts you can have in Microsoft services: personal Microsoft accounts and organizational accounts (work or school accounts managed in Azure AD).
Microsoft Teams works with both types of accounts, but for working across organizations, we need to use the organizational ones.
Let’s assume you have an organizational account or you manage Azure AD at your business. To enable cross-organization collaboration within Teams, you need to know what a Guest is.
A Guest is an Azure AD user invited to your organization from another company. Or, if you are invited to work with another company, you become a Guest in their tenant.
Guests are managed through a mechanism called Azure AD B2B. We cover it in detail in this article. Here are some key facts in a nutshell:
There are two perspectives for getting guest access – you can either grant access or be the one getting access.
How can you become a guest in another organization?
It depends on the organization’s policy. If a company has a relaxed approach, it can allow every person to invite others as guests. It is as easy as going into a team’s settings and adding a new member with an external email address.
If the policy is stricter, the person inviting a guest needs the right permissions. It is then an administrative task: a Guest account is created in Azure AD and granted the right access, for example to specific teams in the organization.
In both cases, the result is that a new object, a guest, is created in the target organization, and they are granted access to the specific Microsoft Teams.
There was an important change this year in the default settings for Microsoft tenants. The change enabled everyone in the organization to invite external users – make sure to check the article where we explain this process in detail.
What does it look like from an end user’s perspective?
If you are invited to another organization, you will get an email invitation. When you redeem it, you will be guided through the process of registration.
Here you might be asked to set up additional security options, but it will depend on the policy of the business that invited you.
How can you switch between organizations in Microsoft Teams?
This is quite easy. Click on the icon with your picture or a representation of an account and select an organization you want to switch to.
Just a couple of seconds, and it is done – you can work with your peers at another company.
Typical problems you may face while using Microsoft Teams
What if you don’t want to switch between accounts and would rather have separate windows for each organization you work with?
Here it is a bit harder, but we still have some options. First and foremost – at the moment you can’t do this directly from the desktop app. Instead, you need to run the desktop app multiple times or use a browser extension.
Another typical problem – what if the organization you work with doesn’t permit guest accounts and gives you a separate account to work with them?
Here I strongly encourage you to send them a link to this article explaining the different options, such as using Guest accounts, which is the recommended way to do it. I hope it will change their minds.
If not, you have to live with what you are given. Here are your options:
Go to Microsoft Edge browser and create different account profiles assigned to different Azure AD accounts. Then you can pin the browser with a specific profile to your taskbar, or switch profiles directly in the browser and get access to different organization accounts with just one click.
It is simple and effective if you can’t have the luxury of using a guest account.
As you can imagine, if many people can invite guests, it is easy to lose track of who invited whom and where a given person has access.
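One way to keep track of guests is to reconcile the guest user objects with the "Invite external user" audit events. The script below is an added example, not code from the original article: it works over constructed samples shaped like Microsoft Graph guest user objects and directory audit entries, and assumes that the invited guest's object id appears in the audit entry's targetResources.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample shaped like a Graph /users?$filter=userType eq 'Guest' response
GUESTS = json.loads("""[
 {"id": "g1", "mail": "alice@partner.example", "externalUserState": "Accepted",
  "createdDateTime": "2023-01-10T09:00:00Z"},
 {"id": "g2", "mail": "bob@partner.example", "externalUserState": "PendingAcceptance",
  "createdDateTime": "2023-03-01T09:00:00Z"},
 {"id": "g3", "mail": "carol@other.example", "externalUserState": "Accepted",
  "createdDateTime": "2023-06-20T09:00:00Z"}
]""")

# Constructed sample shaped like /auditLogs/directoryAudits entries; that the guest's
# object id is listed under targetResources is an assumption about the log shape
AUDITS = json.loads("""[
 {"activityDisplayName": "Invite external user",
  "initiatedBy": {"user": {"userPrincipalName": "dave@contoso.example"}},
  "targetResources": [{"id": "g1"}]},
 {"activityDisplayName": "Invite external user",
  "initiatedBy": {"user": {"userPrincipalName": "erin@contoso.example"}},
  "targetResources": [{"id": "g2"}]},
 {"activityDisplayName": "Update user",
  "initiatedBy": {"user": {"userPrincipalName": "dave@contoso.example"}},
  "targetResources": [{"id": "g3"}]}
]""")

def inviters(audits):
    """Map guest object id -> UPN of the person who sent the invitation."""
    who = {}
    for entry in audits:
        if entry.get("activityDisplayName") != "Invite external user":
            continue
        by = entry.get("initiatedBy", {}).get("user") or {}
        for target in entry.get("targetResources", []):
            who[target["id"]] = by.get("userPrincipalName", "<unknown>")
    return who

def guest_report(guests, audits, now_iso, stale_days=30):
    """Group guests by inviter and flag invitations not redeemed within stale_days."""
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    who, by_inviter = inviters(audits), defaultdict(list)
    stale_pending, no_inviter = [], []
    for g in guests:
        inviter = who.get(g["id"])
        if inviter is None:
            no_inviter.append(g["mail"])  # invited before the retained audit window
        else:
            by_inviter[inviter].append(g["mail"])
        created = datetime.fromisoformat(g["createdDateTime"].replace("Z", "+00:00"))
        if g["externalUserState"] == "PendingAcceptance" and now - created > timedelta(days=stale_days):
            stale_pending.append(g["mail"])  # never redeemed: candidate for removal
    return {"by_inviter": dict(by_inviter), "stale_pending": stale_pending, "no_inviter": no_inviter}
```

Guests with no matching invitation event are worth a manual review, since the audit log retention is typically shorter than the life of a guest account.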
What is Entitlement Management?
Entitlement management is a feature of Azure AD where you can create access packages – a set of permissions, which might include specific Teams sites.
Once created, you can delegate access management over this package to users, granting them the right to decide who should have this access. You can also allow people to request access and approve it using a workflow.
This way you can achieve both flexibility and security:
The drawback – this feature requires a more advanced Azure AD license: Azure AD Premium P2 (or E5 for Microsoft 365 licenses).
For more technical details about this feature, check out the blog post of our consultant and MVP, Robert: Azure AD Identity Governance – Entitlement Management.
What is Conditional Access?
Another important feature from the security point of view is the ability to control access to Teams across organizations with Conditional Access. Conditional Access is a way for you to define your access security policy for specific applications like Microsoft Teams.
When creating conditional access policies you can specifically target Guest accounts and put additional security restrictions on those accounts in your organization.
Together, Conditional Access and Entitlement Management should allow you to create a secure way to manage Guest accounts in your organization.
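A policy that names guests is only useful if it is enabled, actually includes guests and requires a strong control. The checker below is an added example, not code from the original article: it reviews constructed policy objects shaped like Microsoft Graph Conditional Access policies (the property names are Graph's; the policy names are made up) and reports which ones effectively require MFA for guests.

```python
import json

GUEST_TOKEN = "GuestsOrExternalUsers"  # Graph value for "all guest and external users"

# Constructed samples shaped like /identity/conditionalAccess/policies objects
POLICIES = json.loads("""[
 {"displayName": "Guests - MFA (report-only)", "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["GuestsOrExternalUsers"], "excludeUsers": []},
                 "applications": {"includeApplications": ["All"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "All users - MFA, guests excluded", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["GuestsOrExternalUsers"]},
                 "applications": {"includeApplications": ["All"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "Guests - MFA (enforced)", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["GuestsOrExternalUsers"], "excludeUsers": []},
                 "applications": {"includeApplications": ["All"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}
]""")

def targets_guests(policy):
    """True if guests fall in scope: included (directly or via All) and not excluded."""
    users = policy["conditions"]["users"]
    inc, exc = users.get("includeUsers", []), users.get("excludeUsers", [])
    included = "All" in inc or GUEST_TOKEN in inc or bool(users.get("includeGuestsOrExternalUsers"))
    excluded = GUEST_TOKEN in exc or bool(users.get("excludeGuestsOrExternalUsers"))
    return included and not excluded

def enforces_mfa(policy):
    controls = (policy.get("grantControls") or {}).get("builtInControls", [])
    return "mfa" in controls

def review(policies):
    """Return policies that enforce MFA for guests and a finding for every other one."""
    effective, findings = [], []
    for p in policies:
        name = p["displayName"]
        if not targets_guests(p):
            findings.append(f"{name}: does not apply to guests")
        elif not enforces_mfa(p):
            findings.append(f"{name}: applies to guests but does not require MFA")
        elif p["state"] != "enabled":
            findings.append(f"{name}: would require MFA for guests but state is {p['state']}")
        else:
            effective.append(name)
    return {"effective": effective, "findings": findings}

if __name__ == "__main__":
    print(json.dumps(review(POLICIES), indent=1))
```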
Using Microsoft Teams to work with multiple organizations and multiple teams has come a long way. I have to admit that some time ago it wasn’t that easy, especially from an end user’s perspective.
Now, as you can see, we have easy options to access the resources we need, when we need them. I hope you found this guide useful. And if you have any questions – just reach out!