Microsoft Teams went viral during the pandemic. It became one of the key tools used for collaboration and teamwork. The service was created to work within a single organisation. But there are other scenarios.
- What if someone works across many companies?
- What if you need to allow people from other companies to work with your teams?
- What if you are a consultant and use Microsoft Teams to work with different customers?
The beauty and the curse of Microsoft Teams is that it allows you to do all of it... which makes things a bit complicated. So, let's make it simple. Here's the ultimate guide to working with Microsoft Teams across multiple organizations.
Types of accounts in Azure AD
Let's start with a simple Microsoft Accounts 101. There are two types of accounts you can have in Microsoft services:
- Organisational account - this is an account created for you, or by you, if you are an administrator in Office 365 (or actually, an administrator in Azure AD)
- Personal account - the one everyone can create to get access to Xbox or OneDrive for personal use.
Microsoft Teams works with both types of accounts, but for working across organizations, we need to use the organisational ones.
What is a Guest in Microsoft Teams?
Let's assume you have an organisational account or you manage Azure AD at your business. To enable cross-organisation collaboration within Teams, you need to know what a Guest is. A Guest is an Azure AD user invited to your organisation from another company. Or, if you are invited to work with another company, you become a Guest in their tenant. Guests are managed through a mechanism called Azure AD B2B. We cover it in detail in this article. Here are some key facts in a nutshell:
- Azure AD B2B is a function of a directory under Office 365, not a separate product
- It allows you to grant people from other companies access to your organisation, or lets you, as a user, access another organisation's services like Teams
- You can get access without creating an additional login and password - you use only a single set of credentials from your original organization
- It lets each organisation handle its own security and still allows people to work together.
How to create a guest account?
There are two perspectives for getting guest access – you can either grant access or be the one getting access.

How can you become a guest in another organisation? It depends on this organisation's policy. If a company has a relaxed approach to it, it can allow every person to invite others as guests. It is as easy as going into a team's settings and adding a new member with an external email address. If the policy is stricter, it requires the person inviting a guest to have the right permission set. It is done as an administrative task, by creating a Guest account in Azure AD and granting the right access for it, for example to the specific organisation's Teams.

[Figure: Creating a guest account in Azure AD]

In both cases, the result is that a new object, a guest, is created in the target organisation, and they are granted access to the specific Microsoft Teams. There was an important change this year in the default settings for Microsoft tenants. The change enabled everyone in the organisation to invite external users - make sure to check the article where we explain this process in detail.

What does it look like from an end user's perspective?
If you are invited to another organisation, you will get an email invitation. When you redeem it, you will be guided through the process of registration. Here you might be asked to set up additional security options, but it will depend on the policy of the business that invited you.

How can you switch between organisations in Microsoft Teams?
This is quite easy. Click on the icon with your picture or a representation of an account and select an organisation you want to switch to. Just a couple of seconds, and it is done - you can work with your peers at another company.
Typical problems you may face while using Microsoft Teams
What if you don't want to switch between accounts and would rather have separate windows for each organisation you work with? Here it is a bit less easy, but we still have some options. First and foremost – at the moment you can't do this directly from the desktop app. Instead, you need to run the desktop app multiple times or use a browser extension.

Another typical problem – what if the organisation you work with doesn't permit guest accounts and gives you a separate account to work with them? Here we strongly encourage you to send them a link to this article explaining different options, such as using Guest accounts, which is the recommended way to do it. We hope it will change their minds. If not, you have to live with what you are given. Here are your options:
- You can use multiple desktop windows with a workaround for a script we mentioned above, or
- You can use Microsoft Edge browser (or another browser) to create multiple profiles.
Go to Microsoft Edge browser and create different account profiles assigned to different Azure AD accounts. Then you can pin the browser with a specific profile to your taskbar, or switch profiles directly in the browser and get access to different organisation accounts with just one click. It is simple and effective if you can't have the luxury of using a guest account.
Security of guest accounts
As you can imagine, if many people can invite guests, it is easy to lose track of who invited whom and where a given person has access.

What is Entitlement Management?
Entitlement management is a feature of Azure AD where you can create access packages - sets of permissions, which might include specific Teams sites. Once a package is created, you can delegate access management over it to users, granting them the right to decide who should have this access. You can also allow people to request access and approve it using a workflow. This way you can achieve both flexibility and security:
- There is an easy way to request and grant access,
- It is fully traceable who granted access and when, and what type of access was granted,
- But access is not available to everyone across all of the company's resources.
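As an added example (not part of the original article), the Python sketch below addresses the "who invited whom" problem raised at the start of this section: it joins a guest list with invitation events from the directory audit log and flags guests that need a review. The sample records are constructed, their field names follow the Microsoft Graph user and directoryAudit resources, and the function names are hypothetical.

```python
import json

# Constructed sample data: field names follow the Microsoft Graph directoryAudit
# and user resources; every value below is made up for this example.
AUDIT_LOG = json.loads("""[
 {"activityDisplayName": "Invite external user", "result": "success",
  "activityDateTime": "2021-03-02T09:14:00Z",
  "initiatedBy": {"user": {"userPrincipalName": "anna@fabrikam.example"}},
  "targetResources": [{"type": "User",
    "userPrincipalName": "bob_contoso.example#EXT#@fabrikam.example"}]},
 {"activityDisplayName": "Invite external user", "result": "success",
  "activityDateTime": "2021-04-11T15:40:00Z",
  "initiatedBy": {"user": null, "app": {"displayName": "HR onboarding app"}},
  "targetResources": [{"type": "User",
    "userPrincipalName": "eve_partner.example#EXT#@fabrikam.example"}]}
]""")
USERS = json.loads("""[
 {"userPrincipalName": "anna@fabrikam.example", "userType": "Member"},
 {"userPrincipalName": "bob_contoso.example#EXT#@fabrikam.example", "userType": "Guest", "externalUserState": "Accepted"},
 {"userPrincipalName": "eve_partner.example#EXT#@fabrikam.example", "userType": "Guest", "externalUserState": "PendingAcceptance"},
 {"userPrincipalName": "old_vendor.example#EXT#@fabrikam.example", "userType": "Guest", "externalUserState": "Accepted"}
]""")

def inviters_by_guest(audit_log):
    """Map guest UPN -> (inviter, timestamp) from successful invitation events."""
    invited = {}
    for ev in audit_log:
        if (ev.get("activityDisplayName"), ev.get("result")) != ("Invite external user", "success"):
            continue
        actor = ev.get("initiatedBy") or {}  # "user" is null when an app sent the invite
        who = ((actor.get("user") or {}).get("userPrincipalName")
               or "app:" + (actor.get("app") or {}).get("displayName", "unknown"))
        for target in ev.get("targetResources") or []:
            if target.get("type") == "User" and target.get("userPrincipalName"):
                invited[target["userPrincipalName"].lower()] = (who, ev.get("activityDateTime"))
    return invited

def guest_report(users, audit_log):
    """One row per guest: who invited them, when, and what needs a review."""
    invited, rows = inviters_by_guest(audit_log), []
    for u in (u for u in users if u.get("userType") == "Guest"):
        who, when = invited.get(u["userPrincipalName"].lower(), (None, None))
        flags = ["no-invite-record"] if who is None else []  # e.g. event not in the log
        if u.get("externalUserState") == "PendingAcceptance":
            flags.append("invitation-not-redeemed")
        rows.append({"guest": u["userPrincipalName"], "invited_by": who,
                     "invited_at": when, "flags": flags})
    return rows
```

Calling `guest_report(USERS, AUDIT_LOG)` returns three rows here: one guest with a known human inviter, one invited by an application who has not yet redeemed the invitation, and one with no invitation event in the log at all.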
The drawback of Entitlement Management is that it requires a more advanced version of Azure AD license - a P2 level (or E5 for Microsoft 365 licenses). For more technical details about this feature, check out this blog post: Azure AD Identity Governance – Entitlement Management.

What is Conditional Access?
Another important feature from the security point of view is the ability to control access to Teams across organisations with conditional access. Conditional access is a way for you to define your access security policy for specific applications like Microsoft Teams. When creating conditional access policies, you can specifically target Guest accounts and put additional security restrictions on those accounts in your organisation. Together, Conditional Access and Entitlement Management should allow you to create a secure way to manage Guest accounts in your organisation.

[Figure: Conditional access setup in Azure Portal]

Using Microsoft Teams to work with multiple organisations and multiple Teams has made a lot of progress. Some time ago it wasn't that easy, especially from an end-user's perspective. Now, as you can see, we have easy options to access the resources we need, when we need them. We hope you found this guide useful. And if you have any questions – just reach out!