Sunday, March 20, 2022

How to join an access-controlled Teams Live Event as an external attendee without explicit Teams Guest Access

MS Teams Live Event is currently the only service in the Microsoft 365 landscape that supports an audience outside your own organization. Teams Live Event supports both fully public (anonymous) Live Events without any access control, and Live Events with the permission mode 'People and Groups'. In the latter mode, externals can also be admitted on a named basis by applying the Azure AD B2B guest concept. Besides the requirement that (1) the external must be known in the identity system of the tenant in which the Teams Live Event is produced, another requirement is that (2) the external must first switch in Teams to that tenant (aka 'Organization') before being allowed to join the Teams Live Event.
For reference, below are the prerequisites for enabling an external to attend a Teams Live Event in your tenant.
On Organizing part
  • For each external that needs to be granted access, provision an Azure AD B2B guest account
  • Schedule a Live Event in Teams with permission type: People and Groups
  • Authorize all the externals via their provisioned Azure AD B2B guest account for access to that Teams Live Event
  • Share the attendee link with the invited externals
Per external
  • Redeem the provisioned Azure AD B2B guest account
  • Enroll for Azure MFA via the MS Authenticator app, against the organizing tenant
  • In the Teams context, first explicitly switch to the ‘<organizing> tenant’ ⇒ without this, Teams displays a message that you are prohibited from accessing the event
  • Then click the attendee link ⇒ the external will be allowed access
Externals that are authorized via the Teams Guest Access concept in any arbitrary team in the organizing tenant can do this 'tenant switch' directly in the Teams app and web application, via the so-called 'tenant switcher':
For externals that are not in any team, there is no reason for the Teams app and web application to list that tenant as an organization in the 'tenant switcher'. The easy way out is then to just add all the authorized externals to 'a' team in the organizing tenant. But for multiple reasons this is not always a preferred or good approach. For one, it doesn't "feel right" to add persons to a team with its full set of capabilities only because they are invited to participate in a temporary digital event. Also, all members of a team can 'see' all the other members and then contact each other, via Teams chat or via the discovered email addresses. For privacy and compliance reasons the event organization might not want this, or might not even be allowed to do it. Another reason has to do with timing: in the Teams operational model it takes an unpredictable yet significant time (up to 36 hours) after adding an external to a team before the external sees the effect in the 'tenant switcher' of their own local Teams app.
Luckily there is an alternative approach by which the externals can do the 'tenant switch': by visiting the link "https://teams.microsoft.com/?tenantId=<organizing tenant-id>" in the browser. The external must then sign in via their Azure AD B2B guest account, and typically also answer a multi-factor authentication challenge (imposed by the organizing / inviting tenant); if both succeed, the external is admitted to the Teams context of the event organization. For externals that are not a member of any team, Teams will display the message "You’re currently not part of any teams…".
From this context in Teams, the external can now join the Teams Live Event via the attendee link. Be aware that this approach only works from the browser via the Teams web application; the external cannot watch the live event in the Teams app. For the user experience that makes no difference: the Teams app and the Teams web application behave the same with respect to Teams Live Event.
Update: it is also possible to achieve both via one single link, by making the attendee link of the Teams Live Event tenant-switch enabled. The trick is to insert "/_?tenantId=<organizing tenant-id>" immediately after "https://teams.microsoft.com" and before the "/l/meetup-join/..." part. On navigating to this link, the browser (1) first switches the Teams web application to the referenced tenant, and (2) then, from that context, joins the Teams Live Event in that same tenant.
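As an added example (not code from the original post), a small Python helper that builds the two links described above for a given organizing tenant id and attendee link. It refuses to rewrite anything that is not a genuine https://teams.microsoft.com meetup-join link, so an organizer never hands out a tenant-bound link that points at a lookalike host; the tenant id and attendee link used here are constructed sample values.

```python
import re
from urllib.parse import urlsplit

TEAMS_HOST = "teams.microsoft.com"
# Azure AD tenant ids are GUIDs; reject anything else before building a link.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def is_teams_attendee_link(url: str) -> bool:
    """True only for https links on the real Teams host with a /l/meetup-join/ path."""
    p = urlsplit(url)
    return (p.scheme == "https"
            and p.netloc.lower() == TEAMS_HOST
            and p.path.startswith("/l/meetup-join/"))


def tenant_switch_link(tenant_id: str) -> str:
    """Link the external opens first to switch the Teams web app to the organizing tenant."""
    if not GUID_RE.match(tenant_id):
        raise ValueError("tenant id must be an Azure AD GUID")
    return f"https://{TEAMS_HOST}/?tenantId={tenant_id}"


def tenant_switching_attendee_link(attendee_link: str, tenant_id: str) -> str:
    """Rewrite an attendee link so one link does the tenant switch and the join.

    Inserts '/_?tenantId=<id>' between the host and the '/l/meetup-join/...' path,
    as described in the update above. Already rewritten links are returned unchanged.
    """
    if not GUID_RE.match(tenant_id):
        raise ValueError("tenant id must be an Azure AD GUID")
    p = urlsplit(attendee_link)
    if p.scheme == "https" and p.netloc.lower() == TEAMS_HOST \
            and p.path == "/_" and p.query.startswith("tenantId="):
        return attendee_link  # already tenant-switch enabled; do not double it up
    if not is_teams_attendee_link(attendee_link):
        raise ValueError("not a https://teams.microsoft.com /l/meetup-join/ attendee link")
    # Keep the original query string (Teams puts the meeting context there) after the path.
    tail = f"?{p.query}" if p.query else ""
    return f"https://{TEAMS_HOST}/_?tenantId={tenant_id}{p.path}{tail}"


if __name__ == "__main__":
    # Constructed sample values, not a real tenant or event.
    tid = "11111111-2222-3333-4444-555555555555"
    link = "https://teams.microsoft.com/l/meetup-join/19%3ameeting_abc%40thread.v2/0?context=%7b%7d"
    print(tenant_switch_link(tid))
    print(tenant_switching_attendee_link(link, tid))
```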
