[MUSIC PLAYING] Welcome, everyone, to my session at Virtual TEC. My name is Habib Mankal. This session is up and running with Microsoft Teams Shared Channels. So again, my name is Habib Mankal. I'm a Principal Architect and Founder at WaveCore IT. I'm also a Microsoft 365 Apps and Services MVP. That is my Twitter handle if you wish to follow me. And we also have a podcast with three additional Canadian MVPs, called O365h.com, if you'd like to check us out there as well.
So Teams Connect, also known as Shared Channels for the better part of the community, is a new collaboration feature that Microsoft announced recently. It went live, you know, mid-summer. In this session I'm going to basically go through with you how to configure it end-to-end, whether from an Azure Active Directory perspective or the Teams administration side of things, and then how to actually use it from the end-user perspective as well.
So just a quick recap about Shared Channels: it provides the ability for collaboration outside of your current team. So you can have a Shared Channel within your current team, and you can have different members within that Shared Channel as well. The Shared Channel functionality within Teams is enabled by default. However, it isn't enabled on the external collaboration side of things.
So it is a new channel type. When you're creating a new channel, you'll have three different options in there. One is called standard, one is the private channel, which was announced at Ignite 2019, and the new one is the shared channel type. What it does is it allows you to join a channel without having to context switch, or tenant switch. So if you're using it for external collaboration, I have the ability to share a channel with somebody outside my organization, and they can view that channel within their own Teams client, so they don't have to change memberships, or sign out and sign in to your tenant to see this channel.
So it uses a different type of membership called Federated identities, which is in Azure Active Directory. And it's different than the guest access, or B2B guest, or B2B collaboration that we'll talk about a little bit afterwards, all right? In order to use this functionality outside the organization, the users must be licensed with, or have a Microsoft Teams license assigned to them. Obviously, internally, you have to have a license assigned to them as well. And then just from an availability perspective, it is available in the commercial multi-tenant and GCC. But the GCC High is on the roadmap, and also on the DOD side of things as well.
So I just wanted to quickly talk about guest access versus shared channels. So the primary scenario from the guest access perspective, or B2B collaboration, is that external users can use a preferred identity to sign into your Azure AD. So within Microsoft Teams, you'll actually see in the top right-hand corner the name of the organization that you are a guest in, and then you'll be able to sign out or switch your account from your tenant to the guest account that you're in.
With the Shared Channels, you use Federated Identity, so you use your own Microsoft 365 Identity to see that shared channel, and you authenticate against another organization's tenant. So we set up something that's called Cross Tenant Collaboration Policies, or Cross Tenant Access Settings, that I'm going to walk you through a little bit later to do that type of technology.
It's intended-- so for guest access, it's intended for business partners or suppliers who may not have an Azure AD account, so that they can actually sign into your tenant and collaborate that way. With the Shared Channels, you can have business partners as well, but they have their own Azure AD account. From a user management perspective, all of the guest access users are managed within your Azure Active Directory. So you create your guest accounts within there, and then from the Shared Channel side of things, you know, there's no management from the user object perspective. So you're not creating the accounts, but you do have the ability to somewhat govern the users and groups that are accessing your tenant through these policies we're going to walk through.
Next is the top five questions asked, right? So one of the first questions is, are consumer accounts supported, such as MSA accounts? So we're talking gmail.com, outlook.com, hotmail.com accounts. Those accounts can be tied to a Microsoft service account or system account.
And then you can log into other Microsoft services. So those are currently not supported. Only Azure AD, or school or work accounts that have a Teams license assigned to them are able to sign in or use Shared Channels. Bots and line-of-business applications are not supported either.
So the second question is guest accounts. Is guest access, or B2B collaboration, supported? The answer is no. So if you have a team that has multiple channels, and you have multiple guest users within that team, those guest users are not able to access or see the shared channel, nor will you be able to add them to that shared channel at all. So if you want those members, or those guest users, to be able to see that shared channel, you need to share it with their external identity, if they have one in Azure AD from their particular tenant.
Third, do I need cross-tenant policies if I just implement it in my organization? So if I'm only using shared channels within my organization and I have no plans of using it externally, then no, I do not need cross-tenant policies configured, because it is enabled by default, and I can share it with a person, a group, or a team within my organization. Fourth question, where are all my files stored within the shared channel? So what happens is when you create a channel, just like private channels, it creates a SharePoint site collection. And it has its own site collection, its own security, everything like that. So all of your files that are stored within the shared channel are stored within the SharePoint site collection of that particular shared channel.
And then lastly, will my existing governance policies, for example DLP, retention, and sensitivity labels, work within shared channels? Yes. From a governance point of view, the content is governed by the host tenant. So wherever that shared channel is created, all of the DLP and retention policies in that host tenant will continue to take effect with regards to the team content.
Sensitivity labels also behave the same. And then you can also do some enhanced capabilities within the sensitivity labels in order to stop users from downloading files. And I'll talk about that a little bit shortly.
All right. So I want to have this a bit more interactive. So I'm going to be doing a demo of how we enable and disable external collaboration from start to finish. What are the Teams Admin Center configurations that you'll utilize? And what are the best practices, or good practices I should say, to set them up from a policy perspective if you want to pilot, and maybe some of the key scenarios that may work within your organization with regards to shared channels and external partners.
So let me switch over here to my demo tenant. OK. So here we go. So I want to start off by logging into my Microsoft 365 Admin Center, and opening up Azure Active Directory. And then the way to access these policies is, I want to go to Azure Active Directory, External Identities, Cross-tenant access settings. And this is where it brings me into these particular settings for external access collaboration.
So you notice that it brought me to the default settings tab. And so here's where I would configure both the B2B collaboration, which is also known as guest access, and the B2B direct connect, which is also known as shared channels, or the technology that shared channels currently use, where I can do these configuration settings. So you notice here that B2B collaboration is allowed from an external users and groups perspective, and an applications perspective.
So if you notice if you've ever shared a file through SharePoint, or OneDrive, that actually uses guest access, or B2B collaboration technology. And it will create a guest account within your organization for all of those people that have had files or folders shared outside of the organization. So it is also a good practice to do reviews of your Azure Active Directory in order to ensure that you only have the guest accounts that you want within your organizations.
And if you have-- I think it's Azure AD P2-- you can also use access reviews within Azure Active Directory to go through those guest accounts to see which ones you want to keep. For this particular session, we're only going to be talking about the B2B direct connect, and how to configure it. So the default settings you see here are blocked, right? So that's inbound access and outbound access. They're blocked. So there is no external collaboration through shared channels automatically, only internally, because that is enabled by default.
So if you have an organization that wants to collaborate just with anybody, then you can just come into these default settings for B2B direct connect, and allow those B2B direct connect settings within the default settings. Most organizations won't want to do that. They will want to have a white-list of organizations that they wish to have collaboration with, in which you have to communicate with the other partner administrator, right?
So what we're going to do is, we're going to go to organizational settings. And this is where I would go in and start white-listing those other organizations, or partner organizations. So this is where you get on a meeting with the other partner administrator and say, we'd like to go through the process of adding our organizations together.
Now, you also may not want your users accessing another organization's tenant. That would be the outbound access. But you may want other users from outside the organization accessing your tenant. Those are the inbound access.
So we're going to add an organization, and the domain name for the partner tenant I need to get from that partner tenant. So I have two tenants that I'm working with, Contoso one and Contoso two. This tenant here is Contoso two. So I want to capture the primary domain name, and then I want to go back to my Contoso one tenant and search for that.
So you notice here saying that I want to add an external Azure AD tenant, Contoso tenant two. So I'm going to click Add. So by default, what happens is the organization is now set up within my tenant. And then I'm going to show you how you would do it on the other side, but it's essentially identical, the process that we're going to be talking through.
So from an inbound access perspective, you'll notice here it's inherited by default. So those are the default settings, which means that these particular settings are blocked. So I want to allow inbound access so it defaults to the B2B collaboration tab. So I'm going to just ignore that for now, because I'm going to only work on my B2B direct connect. I don't want to allow guest access from Contoso two.
So I click on the B2B direct connect tab. I click Customize. And then I have a couple of things that I need to do here. One is, I want to allow access, yes. Two, maybe I don't want the entire organization, or maybe I do want the entire organization to be able to be added as a member of a shared channel within my organization. If I want everyone within the organization, I would just select all Contoso two tenant users and groups. But if I only want a specific set of users, then I would select Add external users and groups. And then it provides me with another list here.
So we have two options, one is user or group. So if you want to add a user, you have to add in their actual object ID. So you cannot use the user's UPN. So this is where you need to work with the other partner administrator in order to provide that list to you. So you can keep maybe a shared spreadsheet, either within your OneDrive, and this is where you're keeping track of which object ID correlates to the UPN of the user itself, right?
So you'll have to have an entire list in that sense, or alternately, you can also have a group of users. Again, you also need to have a group ID. But the difference here is that you're not managing the list of users within your Azure AD cross-tenant access settings. The actual partner administrator is managing that group membership, so you do not know which users are part of that group. So you're relying on that partner administrator to keep track of the membership and provide you a list of those members within the Azure AD group that are in their tenant. So that's just something to be aware of: you may not have visibility to all of the users who are there.
So in this particular case, I'm just going to select all Contoso tenant two users and groups for the demo today. And then I have to select applications. So I need to allow which applications to use. So I'm going to allow access. You can say all applications, because currently today, Microsoft Teams is the only technology that allows the use of these cross-tenant access settings through shared channels.
Now, Microsoft may add in additional applications to use this technology. So maybe you want to restrict it down. So if I choose to select applications, the only application that we have is actually called Office 365. So you're going to be able to use all Office 365 applications, but again, currently today, Microsoft Teams Shared Channels is the only technology that uses this functionality.
But you also want to ensure that you're keeping up-to-date with all of the different applications and updates that come with cross tenant access settings, because they may add in maybe specific applications for you to start restricting. So maybe they expand it from just Office 365 to maybe to SharePoint, or OneDrive, or Teams, or Outlook, or something like that. So you just want to keep an eye on this if you restrict it down to the application level.
So I'm going to select Office 365 applications, and then from a trust setting-- sorry, I want to click Save. And then from a trust settings perspective, we have the ability to approve or trust certain things that are coming over from the other tenant. So if a user already has multifactor authentication set up from the other tenant, we can trust that that MFA process, that token comes along with it when a user is signing in to our share channel and our tenant.
If they have devices that are trusted and compliant within their Endpoint Manager or Intune, if they're marked as compliant devices, do we trust those as well? Or if the device is actually an on-prem domain-joined device that is synchronized to Azure Active Directory, which makes it a hybrid Azure AD joined device, do we want to trust that as well? So there's additional security functionality that you are provided in order to enhance that level of security within your organization, right?
And then there are some enhancements. I think there's a preview now that includes these cross-tenant access settings for external collaboration in conditional access policies. This is something new that Microsoft has recently added, but I won't be showing it today within my presentation. So something to look at as well.
So I have my trust settings configured for my inbound access. So you'll see here now it says configured. I want to configure my outbound access. So I'm going to ignore the B2B collaboration. You notice that we don't have a trust setting because I'm actually going outbound to somebody else's tenant.
So I'm going to click Customize on B2B direct connect. I'm going to allow access. I'm going to select a group of my users. So this is where, from the other side, the administrator would be selecting the specific users. So maybe I'm going to just select three of my users to be able to access the Contoso two tenant. And then I'm going to save. Or again, I have the ability to search for a group. And I can add that group.
But I need to also provide the object ID for these three users, or provide the object ID for the group that I'm going to be sharing outside. So I'm going to select Save. There is a disclaimer that you'll have to agree to. So once you're done with that, you'll select yes.
So I'm just going to select all users for this particular tenant, because on the other side I need to set it up. And then we should be good to-- oh sorry-- for applications, I should say: allow access, I'm going to allow all external applications, say yes again to this, and then we're good to go. So that's just something to remind you as well: you cannot save just the users and groups.
You also have to save the external applications as well. So once I have that done, then on the other partner administrator side, I've already gone ahead and added in Contoso one. So you'll notice here, I previously configured Contoso one with the same settings that we had before, so inbound access and outbound access as well.
So next, I want to move back into my Contoso one tenant. OK. So then I want to come in here into the Teams Admin Center, and I want to be able to manage the team settings that we have. So as I mentioned before-- sorry-- the Teams policies. As I mentioned before, they are enabled by default. So it's essentially enabling these three options within your organization by default. So shared channels are enabled by default.
If you do not want to have share channels for everyone just yet, so then I would recommend coming in and disabling, or turning off these policies. If you do want to pilot the shared channels with a group of users, then I would recommend creating a new policy after that, and then enabling those options to create a shared channel, invite external users, or join external channels. And then you would assign this particular policy to the users themselves.
So once the users have the policies assigned to them, then they now have the ability to go into the Teams client and create a shared channel, or share a channel as well. So I already have one here, but I would like to show how to create a channel. So you just add a channel from the team that you have, and then you notice here that you have the three different options that we spoke about, right?
So you have a standard channel, a private channel, and then the shared channel, which you create the exact same way. And then you share the channel with just the usernames or the UPNs of the users. So as you notice here, it has a little icon, kind of like a link, that depicts what a shared channel is. You have the ability to share a channel with people. So those are specific people from a list.
You can say with a team. So that team can be a team that is inside your organization. So I would send it to a particular user who is an owner of that team, and they would be able to add this particular channel to that one. And then all of those members of that team would be able to access it. Or if I actually own another team, I have the ability to share directly, because I own that team, and I have all the membership capabilities, so I have that ability to do that.
So I just want to go through these types of configuration settings sort of from start to finish, how you would create these shared channels. Some of the, I guess, scenarios that I've been working on with some customers: some customers might have an RFP process where they may create more than one shared channel with all of the different vendors that are responding to the RFP. And it keeps all of the documentation and all of the responses in a single location without having to create a shared mailbox or something of that nature. And then the other option as well, or another scenario that I've been seeing, is the ability for organizations, like a construction company, to create a shared channel with all the different trades that they have, or organizations that they're working with, in order to-- if they're doing a big construction deployment, building houses, or property. They have the ability to utilize this technology, or this feature, with all the different vendors that they have within their organization, sorry-- within the vendor organizations, or the boots on the ground, the construction team maybe taking pictures of some issues as well, and sharing that within the shared channel from that perspective.
So then lastly, I just want to come back to the slides here. I know I'm running up on time, but I did include a couple of links here from a limitations perspective. I also gave you the B2B direct connect overview links as well. And then I'd be happy to answer any questions that anyone has on the line as well. And thank you, thank you for joining my session. I hope you really enjoyed it. And I hope you're enjoying Virtual TEC. Thanks again.
[MUSIC PLAYING]
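The two administrative parts of the demo above (the Azure AD cross-tenant access settings for B2B direct connect, including the inbound trust settings, and the Teams channels policy that turns shared channels off globally and on for a pilot group) can be scripted rather than clicked through. The following is an added example written for this page; it is not the presenter's code or anything from the session. It assumes the Microsoft.Graph and MicrosoftTeams PowerShell modules are installed, that the signed-in admin has the Policy.ReadWrite.CrossTenantAccess permission and Teams administration rights, and it uses placeholder values for the partner tenant ID, the outbound group's object ID and the pilot users' UPNs.

```powershell
# Added example (not from the session): script the B2B direct connect partner settings
# shown in the demo with Microsoft Graph PowerShell, then create and assign a pilot
# Teams channels policy with the MicrosoftTeams module.
# Every ID and UPN below is a placeholder; substitute values from your own and the partner tenant.

$partnerTenantId = "00000000-0000-0000-0000-000000000000"    # placeholder: partner (e.g. Contoso two) tenant ID
$outboundGroupId = "11111111-1111-1111-1111-111111111111"    # placeholder: object ID of our group allowed to join partner channels
$pilotUsers      = @("alice@contoso.example", "bob@contoso.example")  # placeholder pilot UPNs

Connect-MgGraph -Scopes "Policy.ReadWrite.CrossTenantAccess"

# Inbound: all partner users and groups may be added to our shared channels, but only via the
# Office 365 application. Restricting to Office365 rather than AllApplications means any
# application Microsoft adds to this feature later does not silently inherit access.
$inbound = @{
    usersAndGroups = @{
        accessType = "allowed"
        targets    = @(@{ target = "AllUsers";  targetType = "user" })
    }
    applications = @{
        accessType = "allowed"
        targets    = @(@{ target = "Office365"; targetType = "application" })
    }
}

# Outbound: only members of one of our groups may join the partner's shared channels.
# As in the portal, a user or group target is its object ID, never a UPN or display name.
$outbound = @{
    usersAndGroups = @{
        accessType = "allowed"
        targets    = @(@{ target = $outboundGroupId; targetType = "group" })
    }
    applications = @{
        accessType = "allowed"
        targets    = @(@{ target = "AllApplications"; targetType = "application" })
    }
}

# Inbound trust: accept the MFA, compliant-device and hybrid Azure AD joined claims issued by
# the partner tenant, so our Conditional Access policies can be satisfied by the partner's
# own controls instead of failing or re-prompting the external user.
$trust = @{
    isMfaAccepted                       = $true
    isCompliantDeviceAccepted           = $true
    isHybridAzureADJoinedDeviceAccepted = $true
}

# B2B collaboration (guest access) is deliberately left inherited from the defaults.
$existing = Get-MgPolicyCrossTenantAccessPolicyPartner `
    -CrossTenantAccessPolicyConfigurationPartnerTenantId $partnerTenantId -ErrorAction SilentlyContinue

if ($null -eq $existing) {
    New-MgPolicyCrossTenantAccessPolicyPartner -TenantId $partnerTenantId `
        -B2BDirectConnectInbound $inbound -B2BDirectConnectOutbound $outbound -InboundTrust $trust
} else {
    Update-MgPolicyCrossTenantAccessPolicyPartner `
        -CrossTenantAccessPolicyConfigurationPartnerTenantId $partnerTenantId `
        -B2BDirectConnectInbound $inbound -B2BDirectConnectOutbound $outbound -InboundTrust $trust
}

Connect-MicrosoftTeams

# Teams Admin Center part: shared channels are on in the Global policy by default, so turn
# all three options off there and enable them only in a pilot policy assigned per user.
Set-CsTeamsChannelsPolicy -Identity Global `
    -AllowSharedChannelCreation $false `
    -AllowChannelSharingToExternalUser $false `
    -AllowUserToParticipateInExternalSharedChannel $false

New-CsTeamsChannelsPolicy -Identity "SharedChannelsPilot" `
    -AllowSharedChannelCreation $true `
    -AllowChannelSharingToExternalUser $true `
    -AllowUserToParticipateInExternalSharedChannel $true

foreach ($upn in $pilotUsers) {
    Grant-CsTeamsChannelsPolicy -Identity $upn -PolicyName "SharedChannelsPilot"
}
```

Run this in each tenant with the other tenant's ID as `$partnerTenantId`; as the presenter notes, the configuration only takes effect once the partner administrator has added your tenant with matching inbound and outbound settings on their side. The `Get`/`Update` branch is there because creating a partner configuration that already exists fails, so the script can be re-run safely when the allowed group or trust settings change.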