In Office 365, two of Microsoft's primary collaboration products are Skype for Business Online and Microsoft Teams. Both solutions have the concept of federation, or external access, meaning users in your organization can communicate with users in other organizations that also use these products (both online and on premises). However, the settings for these options in Office 365 can have unexpected consequences if you try to configure them the same way you would on premises.
Let's review some concepts before getting started. In their previous on-premises versions, Lync and Skype for Business Server had various types of federation:
- Dynamic/open federation: this allows users to contact any outside organization by using specific DNS service (SRV) records to find each other's Edge Servers. Neither organization has to list the other's domain in its external access settings.
- Enhanced federation: in addition to open federation, you can assign Session Initiation Protocol (SIP) domains to the allowed list. This removes some message rate limits applied to open federation to prevent malicious attacks.
- Direct federation: in addition to listing a partner's SIP domain name, you can also specify the Edge Server fully qualified domain name (FQDN) to talk with, removing the ability for your Edge Server to perform DNS SRV record lookups for that domain.
- Closed federation: open federation is not enabled, and you specify only domains your users can contact.
It is not uncommon for server administrators to allow open federation but also maintain an allowed or blocked list of domains. If your or an external partner's user population is large enough, you might list their domain as an allowed domain to remove message rate limitations. However, this concept of being open federated while also maintaining an allowed list does not translate to Microsoft Teams or Skype for Business Online. Let's explore their behavior.
Currently, there are four places in various Office 365 admin centers to configure federation:
- Microsoft Office 365 Admin Center > Settings > Services & add-ins > Skype for Business
- Skype for Business Admin Center (legacy portal) > organization > external communications
- Microsoft Teams & Skype for Business Admin Center (modern portal) > Org-wide settings > External access
- PowerShell: Get-CsTenantFederationConfiguration
As you can see, each portal words the external access settings differently. The Office 365 and legacy Skype admin centers are a little more explicit, offering either allow all domains, allow external communication but block specific domains, or only allow communication with specific domains.
However, the new modern Teams & Skype admin center is less specific, and if you try to configure open federation with allowed domains (like you may have in on-premises versions), you'll end up changing your federation settings to one of the three options in the other admin centers. Here is my Teams & Skype admin center with external access enabled and contoso.com added as an allowed domain:
If we return to the other admin configuration options, my federation configuration now only allows communication with a specific list of allowed domains and loses open federation in the process:
PowerShell also reflects a single allowed domain but gives no indication that open federation is now disabled:
Essentially, Office 365 does not have the concept of having open federation but also specifying an allowed list. Unfortunately, this is a case where configuring a cloud service the same way as its on-premises counterpart does not translate and can lead to unexpected consequences. Even if the concepts are similar, it's always a good idea to review settings and make sure the changes you are about to make are going to lead to the expected result.
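Because Get-CsTenantFederationConfiguration lists the allowed domain without saying that open federation is gone, a quick way to check before and after a change is to inspect the type of the AllowedDomains object it returns. The following function is an added example, not code from the original article; it assumes an existing Skype for Business Online or Microsoft Teams PowerShell session, that open federation is represented by an object whose type name is AllowAllKnownDomains, and that closed federation is represented by an AllowList object with an AllowedDomain collection (these type names are assumptions based on the module's documented output).

```powershell
# Added audit helper (not part of the original article). Assumes a session is
# already connected (for example via Connect-MicrosoftTeams) and that the
# AllowedDomains property is either an AllowAllKnownDomains object (open
# federation) or an AllowList object (closed federation) - both assumptions.
function Get-TenantFederationMode {
    $cfg = Get-CsTenantFederationConfiguration

    if (-not $cfg.AllowFederatedUsers) {
        $mode = 'Federation disabled: no external domains reachable'
    }
    elseif ($cfg.AllowedDomains.GetType().Name -eq 'AllowAllKnownDomains') {
        # Open federation: every domain not on the blocked list is reachable.
        $mode = 'Open federation: all domains allowed except blocked list'
    }
    else {
        # AllowList: only the listed domains are reachable, open federation is off.
        $mode = 'Closed federation: only the allowed list is reachable'
    }

    # Collect the domain names from each list, tolerating an empty or absent list.
    $allowed = @()
    if ($cfg.AllowedDomains.PSObject.Properties['AllowedDomain']) {
        $allowed = @($cfg.AllowedDomains.AllowedDomain |
                     ForEach-Object { $_.Domain } |
                     Where-Object { $_ })
    }
    $blocked = @($cfg.BlockedDomains |
                 ForEach-Object { $_.Domain } |
                 Where-Object { $_ })

    [pscustomobject]@{
        Mode           = $mode
        AllowedDomains = $allowed
        BlockedDomains = $blocked
    }
}

# Run once before changing external access settings and once after, then
# compare the Mode value: a switch from "Open" to "Closed" means an allowed
# domain was added and open federation was silently turned off.
Get-TenantFederationMode | Format-List
```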