Sunday, March 20, 2022

How-to: Join as external attendee an access-controlled Teams Live Event without explicit Teams Guest Access

MS Teams Live Event is currently the only service in the Microsoft 365 landscape that enables an audience outside your own organization. Teams Live Event supports both fully public (anonymous) Live Events without any access control, and Live Events with the permission mode 'People and Groups'. In the latter mode, externals can also be allowed on a named basis by applying the Azure AD B2B guest concept. Besides that (1) the external must be known in the identity system of the tenant in which the Teams Live Event is produced, another requirement (2) is that the external must first switch in Teams to that tenant, aka 'Organization', before being allowed to join the Teams Live Event.
For reference, below are the prerequisites to enable externals to attend a Teams Live Event in your tenant.
On the organizing side
  • For each external that needs to be granted access, provision an Azure AD B2B guest account
  • Schedule in Teams a Live Event, with permission type: People and Groups
  • Authorize all the externals via their provisioned Azure AD B2B guest account for access to that Teams Live Event
  • Share the attendee link with the invited externals
Per external
  • Redeem the provisioned Azure AD B2B guest account
  • Enroll for Azure MFA via the MS Authenticator App, against the organizing tenant
  • In Teams context: first explicitly switch to the '<organizing> tenant' ⇒ without this, Teams displays a message that you are prohibited from accessing the event
  • Then click the attendee link ⇒ the external will be allowed to access
Externals that are authorized via the Teams Guest Access concept in any arbitrary team in the organizing tenant can do this 'tenant-switch' directly in the Teams App and web application, via the so-called 'tenant-switcher'.
For externals that are not in any team, there is no reason for the Teams App and web application to list that tenant as an organization in the 'tenant-switcher'. The easy way out is then to just add all the authorized externals to 'a' team in the organizing tenant. But for multiple reasons this is not always a preferred / good approach. For one, it doesn't "feel right" to add persons to a team, with its full set of capabilities, only because they are invited to participate in a temporary digital event. Also, all members of a team instance can 'see' all the other members and then contact each other, via Teams chat or via the discovered email addresses. For privacy and compliance reasons the event organization might not want this, or might not even be allowed to do so. Another reason has to do with timing: in the Teams operational model it takes an unpredictable yet significant time (up to 36 hours) after adding an external to a team instance before the external sees the effect of this in the 'tenant-switcher' of their own local Teams App.
Luckily there is an alternative approach in which the externals can do the 'tenant-switch', namely by visiting in the browser the link "https://teams.microsoft.com/?tenantId=<organizing tenant-id>". The external must then sign in via his/her Azure AD B2B guest account, typically also answer the multi-factor authentication challenge (imposed by the organizing / inviting tenant), and if both are successful the external is allowed into the Teams context of the event organization. For externals that are not a member of any team, Teams will display the message "You're currently not part of any teams…".
And now, from this context in Teams, the external can join the Teams Live Event via the attendee link. Be aware that this approach only works from the browser via the Teams web application; the external cannot watch the live event in the Teams App. But for the user experience that makes no difference: the Teams App and Teams web application behave the same with respect to Teams Live Event.
Update: It is also possible to achieve both via one single link, by making the attendee link of the Teams Live Event tenant-switch enabled. The trick is to insert "/_?tenantId=<organizing tenant-id>" immediately after "https://teams.microsoft.com" and before the "/l/meetup-join/..." part. On navigating to this link, the browser (1) first switches in the Teams web application to the referred tenant, and (2) next, from that context, joins the Teams Live Event in that same tenant.
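The link rewrite from the update, as an added PowerShell example that is not part of the original post: it takes a plain attendee link plus the organizing tenant-id and returns the tenant-switch-enabled variant. The function name, its parameters and the sample attendee link and tenant GUID are this example's own constructed values; the function refuses anything that is not an https://teams.microsoft.com "/l/meetup-join/" link or not a GUID, so a mistyped tenant-id fails here rather than at the attendee's first sign-in attempt.

```powershell
# Added example (not from the original post): build a tenant-switch enabled
# Teams Live Event attendee link as described in the post's Update.
function ConvertTo-TenantSwitchAttendeeLink {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $AttendeeLink,       # plain attendee link from the Live Event
        [Parameter(Mandatory)] [string] $OrganizingTenantId  # Azure AD tenant-id of the organizing tenant
    )

    $prefix = 'https://teams.microsoft.com'

    # The tenant-id must be the organizing tenant's GUID; reject anything else
    # instead of producing a link that silently lands the attendee in the wrong tenant.
    $guid = [Guid]::Empty
    if (-not [Guid]::TryParse($OrganizingTenantId, [ref] $guid)) {
        throw "OrganizingTenantId '$OrganizingTenantId' is not a GUID."
    }

    # Already tenant-switch enabled: leave it untouched (idempotent).
    if ($AttendeeLink.StartsWith("$prefix/_?tenantId=", [StringComparison]::OrdinalIgnoreCase)) {
        return $AttendeeLink
    }

    # Only accept the attendee link shape the post describes.
    if (-not $AttendeeLink.StartsWith("$prefix/l/meetup-join/", [StringComparison]::OrdinalIgnoreCase)) {
        throw "Expected an attendee link starting with $prefix/l/meetup-join/ but got: $AttendeeLink"
    }

    # Insert "/_?tenantId=<id>" immediately after the host, before "/l/meetup-join/...".
    return "$prefix/_?tenantId=$($guid.ToString('D'))" + $AttendeeLink.Substring($prefix.Length)
}

# Usage with constructed sample values (not a real event or tenant):
$sampleLink = 'https://teams.microsoft.com/l/meetup-join/19%3ameeting_EXAMPLE%40thread.v2/0?context=%7b%22Tid%22%3a%2200000000-0000-0000-0000-000000000000%22%7d'
ConvertTo-TenantSwitchAttendeeLink -AttendeeLink $sampleLink -OrganizingTenantId '00000000-0000-0000-0000-000000000000'
# Expected: https://teams.microsoft.com/_?tenantId=00000000-0000-0000-0000-000000000000/l/meetup-join/19%3ameeting_EXAMPLE%40thread.v2/0?context=...
```

The rewritten link does not bypass anything the post describes as a prerequisite: the attendee still signs in with the redeemed B2B guest account and still answers the organizing tenant's MFA challenge; the link merely performs the tenant-switch the attendee would otherwise have to do by hand.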

Saturday, March 19, 2022

Best-practices for delivering webcast via Teams Meeting

Complementary to the post Bad-Practice: Include 'presentation / video production' as camera input in MS Teams Meeting + Teams Live Event, here are some best practices to apply when delivering a webcast / digital event via Teams Meeting.
Tips to practice / try out:
  1. Ensure that the workstation on which you 'produce/present' the digital event, and on which you include camera, audio and likely also content, is sufficiently equipped in CPU and memory for it. And close all other applications on it, in particular CPU-, memory- and/or network-intensive ones, during the period of the digital event production.
  2. Be in particular careful with using OBS Studio on that same workstation. I love OBS for its webcast / digital event capabilities, but it puts extensive strain on the workstation. Together with Teams Meeting, this might become a bottleneck and result in the production in Teams Meeting suffering. Better to have OBS on another workstation, and cast its output to the workstation on which you present in Teams Meeting.
  3. In the Teams Meeting where the webcast is produced, turn off 'incoming video' of the attendees, aka the audience.
  4. If possible, connect wired instead of via Wi-Fi; this prevents potential disruption by a weak Wi-Fi signal, hotspots, or other consumers.
  5. Dedicate the 'presenter' role to only those persons that will actually present; avoid having the role assigned to everyone in the audience.
  6. In case you need 'access control' on who is allowed as audience, apply the lobby function (Teams Meeting Options). Note: in case you apply the lobby as manual access control, there is an additional reason to assign 'presenter' only to the event organization: any 'presenter' is empowered to admit people from the lobby. Even external attendees with the presenter role can do this, undermining the 'access control' via the lobby.
  7. Include 'production' from an external device (mixer, encoder) as shared content; do not misuse the possibility to include it as an 'attendee camera' (see Bad-Practice: Include 'presentation / video production' as camera input in MS Teams Meeting + Teams Live Event).
  8. In case you produce without an external device, use PowerPoint Live to include the PowerPoint presentation. And leverage Teams Meeting 'presentation modes' (link) to give the layout of the digital event a more professional / (television) reporter look.

Saturday, March 12, 2022

Bad-Practice: Include 'presentation / video production' as camera input in MS Teams Meeting + Teams Live Event

Via MS Teams Settings you have the option to configure an external camera as a device. This can be used to include the video output signal from an external mixer (e.g. vMix, OBS Studio) into a Teams Meeting or Teams Live Event, and then to spotlight it for all participants in the Meeting.
But be aware of a serious caveat with such a setup. From the Teams perspective, that video signal is regarded as the camera image of the 'face of a participant', and Teams will continuously process it for optimal contrast of the 'face' against the background. As long as the video production indeed contains only a face, there will be no real issue. But in situations where there is not (only) a face in the video production, e.g. when slides are presented, the mismatch with Teams' understanding inevitably results in the slides occasionally being rendered not sharp but blurry. The correct way to include the produced video signal into a Teams Meeting or Teams Live Event is via 'Share Content'; Teams Meeting prioritizes 'screen / content sharing' above the local 'camera'.
Nice outline on this:

Friday, March 11, 2022

Tip: Reuse authentication of MFA secured account over multiple Connect-PnPOnline calls

A security best practice for connecting to SharePoint Online is to configure Multi-Factor Authentication (MFA). When connecting from PowerShell to SharePoint Online this can give some challenges, as the default 'Credentials' based logon is not MFA aware. The resolution is to use either the '-Interactive' or the '-PnPO365ManagementShell' flag: both enable you to interactively address the MFA challenge.
Needing to address the MFA challenge is acceptable one time. But in an administration context, you may need to apply settings over a set of site collections. Then it is not a pleasant experience to have to (re)logon, including the MFA challenge, every time. The common way to address this is by piping the authenticated SPO connection into the subsequent PnP calls. But Connect-PnPOnline does not support the '-Connection' flag (other PnP cmdlets do support it; PnP is not consistent across all its cmdlets). But I found an alternative that works:
  • $connection = Connect-PnPOnline -Url $spoAdminUrl -PnPO365ManagementShell -ReturnConnection
  • Connect-PnPOnline -Url <Url to other site collection> -Interactive -ClientId $connection.ClientId
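The two calls above, worked out into a loop over all site collections of a tenant, as an added example that is not part of the original post. It assumes the PnP.PowerShell module is installed; the admin URL is a placeholder, and the per-site action (just reading the web title) and the choice to keep every connection in an explicit variable are this example's own. The logon with the MFA challenge happens once, against the admin site; each subsequent Connect-PnPOnline passes the same ClientId with -Interactive, which is the author's observed way to reuse that authentication.

```powershell
# Added example (not from the original post): reuse one MFA-backed logon
# across many site collections via the ClientId of the first connection.
Import-Module PnP.PowerShell

$spoAdminUrl = 'https://contoso-admin.sharepoint.com'   # placeholder admin URL

# 1. One interactive logon against the admin site; this is where the MFA
#    challenge is answered. Keep the connection object instead of relying
#    on PnP's implicit "current" connection.
$adminConnection = Connect-PnPOnline -Url $spoAdminUrl -PnPO365ManagementShell -ReturnConnection

# 2. Enumerate the site collections, explicitly on the admin connection.
$sites = Get-PnPTenantSite -Connection $adminConnection

# 3. Per site collection: reconnect with the same ClientId. No new credential
#    or MFA prompt is expected (the author's observation); the work is done on
#    the returned connection so admin-scoped cmdlets never run on the wrong site.
foreach ($site in $sites) {
    try {
        $siteConnection = Connect-PnPOnline -Url $site.Url -Interactive `
            -ClientId $adminConnection.ClientId -ReturnConnection

        # Example per-site action: read the root web; replace with the
        # settings you actually need to apply.
        $web = Get-PnPWeb -Connection $siteConnection
        Write-Host ("{0} -> '{1}'" -f $site.Url, $web.Title)
    }
    catch {
        # Keep going with the next site; report the failure explicitly.
        Write-Warning ("Failed on {0}: {1}" -f $site.Url, $_.Exception.Message)
    }
}
```

Passing -ReturnConnection everywhere and using -Connection on each cmdlet is a small discipline that pays off in exactly this scenario: with dozens of reconnects in a loop, an implicit "current connection" makes it easy to apply a change to the previous site by mistake.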