As Microsoft has repeatedly mentioned, the Public Preview for Microsoft Teams Shared Channels (a.k.a. Teams Connect) is coming in the very near future. To take advantage of this new feature, Microsoft has released a new concept, Azure AD B2B Direct Connect. That is quite a mouthful of a name. Let’s take a moment to discuss what B2B Direct Connect does for you, how to configure it, and then how to get your tenant ready for Shared Channels.
Azure AD B2B Direct Connect
The marketing team was in full overdrive mode when they came up with this name. I will simply refer to it as B2B Direct Connect or even Direct Connect to keep it simple.
The idea behind Direct Connect (and B2B Collaboration) is to give you more control over your tenant and how you share information. In February of this year, Microsoft announced the first step in this journey: cross-tenant access settings for Azure AD B2B Collaboration. This was a precursor to what was needed for Shared Channels. This isn’t a deep dive into B2B Collab, but know that these settings give you user, group, and application control over both inbound and outbound access. Think of B2B Collab as a way to invite guest users (not specifically Teams guest users) into your Azure AD so you can share resources. You can learn all about B2B Collab via the Docs site.
If B2B Collab is a guest model, B2B Direct Connect is best described as a mutual trust model between your tenant and another tenant.
In today’s traditional Teams guest model, an Azure AD guest account is created within your tenant when you invite a Teams guest user. This means that when that user wants to access your resources, they need to “switch tenants” within the Teams client so they can authenticate to your tenant. This tenant switching is one of the major pain points with guest access today. You are busy working within your production tenant, want to check on the status of that other project (in that other tenant), so you switch tenants and now all context is lost. It is as if you physically left the office building and now no one can walk by or contact you until you walk back into the building.
Hence the idea of Shared Channels was born. However, we want to make this process as secure as possible. Instead of using guest accounts in Azure AD, we use a mutual trust between my tenant and your tenant. The end result is that no guest accounts are created in either tenant. Instead, because of B2B Direct Connect, I can obtain an access token for your Office 365 tenant while logged into my own tenant’s Teams client. The result is a secure, seamless connection in Teams.
As you can see in the above screenshots, Tenant A has created a Shared Channel named “My Cool Shared Channel” and Tenant B has access to it directly from its Teams client. Under the hood, the Tenant B client authenticated to Tenant A so it could access Tenant A’s resources directly.
How to Setup Azure AD B2B Direct Connect
To prepare for the Shared Channels public preview, the Teams team and the Azure team worked together to get a preview of B2B Direct Connect out to all customers. You can try it out today, as it is publicly available to ALL tenants at this time.
Head over to the Azure AD Portal and click on Azure Active Directory. From there you should see External Identities on the left-hand side.
When you select it, you can then choose Cross-tenant access settings (Preview) to see all the options.
This is where we need to set up access between our tenants. For this demonstration I am using the following:
- Tenant A: masteringlync.com
- Tenant B: gcmts01.onmicrosoft.com
My goal is to set up Shared Channels between these two tenants when it becomes available. Tenant A is my production tenant and Tenant B is one I created specifically for this demo. I’m sure Microsoft LOVES me creating E5 demo tenants all the time.
To enable this collaboration, we will need to create a two-way trust between these organizations. And this is the CRITICAL part: it is not enough for me to do this within Tenant A alone. A tenant administrator from Tenant B will have to make this same configuration from their environment towards Tenant A.
As you can see in my above screen shot, there is currently no organization configured. We are going to start by setting up Tenant B -> Tenant A configuration. Therefore, the first step is to click Add Organization. In the flyout window, you can enter the vanity domain name, onmicrosoft.com domain name or even the tenant ID. After you have typed the name, you will see it resolve the Name and Tenant ID below.
Once I have found my domain, click Add at the bottom. This will update the UI and show that I now have one organization set up.
Remember, the name of my tenant is Office. Why? Because it’s fun and confusing.
By default, all sharing for B2B Direct Connect is disabled. Yes, you could change the default settings, but this is not the recommended configuration. The entire purpose of B2B Direct Connect is to ensure you have a safe and secure shared environment.
So instead of using the default settings, we are going to click on the “Inherited from default” on the Organizational Settings tab. On the resulting page, we will see we are editing the Inbound Access settings for “Office”. Remember, that is my Tenant name. You would click on the B2B Direct Connect tab, choose Customize and then Allow Access.
Before you hit Save, you MUST click on the Applications tab and choose Allow access there as well. At this time the two tabs cannot disagree: if External users and groups is set to Allow access, Applications must be set to Allow access too (and vice versa), otherwise the settings cannot be saved.
Now we have Inbound access, we must do the same thing for Outbound access.
When you go to set up your Outbound access settings, you will follow the same steps you did for the inbound settings above. However, when you click Save you will be met with this message.
Microsoft wants to make it VERY clear that your tenant and its users will be able to share internal information to this external domain. Remember, you are setting this on a tenant-by-tenant basis. This is why you should not just change the defaults.
Now that we have set up Tenant B. You would do these exact same steps from Tenant A -> Tenant B. In my case I have access to both tenants but for many organizations this will not be the case.
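The same Tenant B -> Tenant A configuration can be scripted, which is useful when the other organization's admin has to reproduce it exactly. The block below is an added example, not code from the original post; it uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns module), assumes you run it as an admin with the Policy.ReadWrite.CrossTenantAccess permission in Tenant B, and resolves Tenant A's tenant ID from its vanity domain via the public OpenID Connect discovery document. Cmdlet names and the usersAndGroups/applications target keywords follow the Graph crossTenantAccessPolicy schema. The reciprocal step, run from Tenant A with the domain swapped to gcmts01.onmicrosoft.com, is the same script.

```powershell
# Added example (not part of the original post): configure B2B Direct Connect for
# one partner organization with Microsoft Graph PowerShell instead of the portal.
# Run in Tenant B (gcmts01.onmicrosoft.com); the partner here is Tenant A.
Connect-MgGraph -Scopes "Policy.ReadWrite.CrossTenantAccess"

# Resolve the partner tenant ID from its domain. The OIDC discovery document is
# public; its issuer has the form https://sts.windows.net/<tenantId>/ .
$partnerDomain   = "masteringlync.com"
$oidc            = Invoke-RestMethod "https://login.microsoftonline.com/$partnerDomain/.well-known/openid-configuration"
$partnerTenantId = ($oidc.issuer -split "/")[3]

# The portal refuses to save when "External users and groups" and "Applications"
# disagree, so both halves are set to "allowed" in one object. Target keywords
# are from the crossTenantAccessPolicyTarget schema: AllUsers for users,
# Office365 (which covers Teams) or AllApplications for applications.
$allowAll = @{
    usersAndGroups = @{
        accessType = "allowed"
        targets    = @(@{ target = "AllUsers"; targetType = "user" })
    }
    applications = @{
        accessType = "allowed"
        targets    = @(@{ target = "Office365"; targetType = "application" })
    }
}

$settings = @{
    b2bDirectConnectInbound  = $allowAll   # Tenant A users may reach shared channels hosted in Tenant B
    b2bDirectConnectOutbound = $allowAll   # Tenant B users may join shared channels hosted in Tenant A
}

# Create the organization entry if it does not exist yet, otherwise update it.
$existing = Get-MgPolicyCrossTenantAccessPolicyPartner |
    Where-Object { $_.TenantId -eq $partnerTenantId }
if ($null -eq $existing) {
    New-MgPolicyCrossTenantAccessPolicyPartner -BodyParameter ($settings + @{ tenantId = $partnerTenantId })
} else {
    Update-MgPolicyCrossTenantAccessPolicyPartner `
        -CrossTenantAccessPolicyConfigurationPartnerTenantId $partnerTenantId `
        -BodyParameter $settings
}

# Verify: the partner entry should be "allowed" in both directions, while the
# tenant-wide default for B2B Direct Connect should still be "blocked", which is
# the recommended posture (trust is granted per organization, not globally).
Get-MgPolicyCrossTenantAccessPolicyPartner |
    Where-Object { $_.TenantId -eq $partnerTenantId } |
    Select-Object TenantId,
        @{ n = "InboundUsers";  e = { $_.B2bDirectConnectInbound.UsersAndGroups.AccessType } },
        @{ n = "InboundApps";   e = { $_.B2bDirectConnectInbound.Applications.AccessType } },
        @{ n = "OutboundUsers"; e = { $_.B2bDirectConnectOutbound.UsersAndGroups.AccessType } },
        @{ n = "OutboundApps";  e = { $_.B2bDirectConnectOutbound.Applications.AccessType } }

(Get-MgPolicyCrossTenantAccessPolicyDefault).B2bDirectConnectInbound.UsersAndGroups.AccessType
```

If you only want specific groups (for example a project team) to participate, replace the AllUsers target with `@{ target = "<groupObjectId>"; targetType = "group" }` on the relevant side; the applications half still has to be allowed for the save to succeed. The final line is the check worth keeping in a change record: if it ever prints `allowed`, someone has opened Direct Connect to every Azure AD tenant rather than to the organizations you named.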
Get Teams Ready for Public Preview
The last step in this process is to get your tenant and Teams ready for the public preview. Microsoft employs a ring method to track which tenants do and do not have access to features. And even within these rings, there are options to enable specific features per tenant. From the administrator’s perspective, we need to tell Microsoft that we would like to be in the Public Preview.
NOTE: If your tenant is already in a TAP program it is highly likely you do not need to take this step.
NOTE: Putting your tenant in Public Preview means you will receive all Public Preview features, Shared Channels among them, not just the one you are waiting for.
To enable this, we are going to head over to the Teams Admin Center (TAC) and click on Teams update policies.
If you have not changed anything, you should only see a single policy, Global (org-wide default), with a single setting: Show preview features. By default it is set to Not enabled (but see the note below). Within the UI there are three options. You can read all the details on the Microsoft Docs site; the key information is this:
- Not enabled: Teams Public Preview is not available to the user, regardless of their Office update channel.
- Follow Office Preview (default): This newer default option automatically enables Teams Public Preview features for any user enrolled in Office Current Channel (Preview). No further action is required by the end user.
- Enabled: This option enables Teams Public Preview regardless of whether a user is enrolled in Office Current Channel (Preview). The end user must also opt into Teams Public Preview in their Teams client.
NOTE: Depending on when your tenant was created, it may be Not enabled or Follow Office Preview.
If you want all users in your organization to use Public Preview, you can update your Global policy and change it from Not enabled / Follow Office Preview to Enabled.
Lastly, when the policy is set to Enabled, the end user will need to go to About > Public preview in the client and select “Switch to Public preview” (users covered by Follow Office Preview are enrolled automatically and skip this step).
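Changing the Global policy opts every user into every preview feature, so in practice you will usually want a pilot group first. The block below is an added example, not code from the original post; it uses the MicrosoftTeams PowerShell module, and the pilot user principal names are constructed placeholders.

```powershell
# Added example (not part of the original post): scope Teams Public Preview to a
# pilot group with a dedicated update policy instead of changing Global for everyone.
Connect-MicrosoftTeams

# Inspect the org-wide setting first. AllowPublicPreview is one of
# Disabled / FollowOfficePreview / Enabled, matching the three options in the TAC.
Get-CsTeamsUpdateManagementPolicy -Identity Global |
    Select-Object Identity, AllowPublicPreview

# Create a separate policy for the pilot. Users on it get Public Preview even if
# they are not on Office Current Channel (Preview), but they still have to choose
# About > Public preview > "Switch to Public preview" in the client.
New-CsTeamsUpdateManagementPolicy -Identity "PublicPreviewPilot" -AllowPublicPreview Enabled

# Placeholder pilot accounts (constructed for this example).
$pilots = @("alice@masteringlync.com", "bob@masteringlync.com")
foreach ($upn in $pilots) {
    Grant-CsTeamsUpdateManagementPolicy -Identity $upn -PolicyName "PublicPreviewPilot"
}

# Verify the assignment landed; everyone else keeps the Global policy (shown as empty).
Get-CsOnlineUser |
    Where-Object { $_.UserPrincipalName -in $pilots } |
    Select-Object UserPrincipalName, TeamsUpdateManagementPolicy
```

Policy assignment can take a little while to propagate to the client; once the pilot has exercised Shared Channels, widening the rollout is a matter of granting the policy to more users or, if you really do want everyone in, setting Global to Enabled as described above.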