Microsoft Teams and Skype for Business Online are both capable of federation, which allows people to contact other users outside their company. However, configuring these Office 365 options the same way as Lync or Skype for Business Server on premises can lead to unexpected results.
Latest posts by Jeff Brown (see all)

In Office 365, two of Microsoft's primary collaboration products are Skype for Business Online and Microsoft Teams. Both solutions have the concept of federation or external access, meaning users in your organization can communicate with users in other organizations also using these products (both online and on premises). However, the settings for these options in Office 365 can have unexpected consequences when trying to configure them the same way on premises.

Let's review some concepts before getting started. In their previous on-premises versions, Lync and Skype for Business Server had various types of federation:

  • Dynamic/open federation: this allows users to contact any outside organizations by using specific DNS service (SRV) records to find each other's Edge Servers. This does not require either organization to list each other's allowed domains in their external access settings.
  • Enhanced federation: in addition to open federation, you can assign Session Initiation Protocol (SIP) domains to the allowed list. This removes some message rate limits applied to open federation to prevent malicious attacks.
  • Direct federation: in addition to listing a partner's SIP domain name, you can also specify the Edge Server fully qualified domain name (FQDN) to talk with, removing the ability for your Edge Server to perform DNS SRV record lookups for that domain.
  • Closed federation: open federation is not enabled, and you specify only domains your users can contact.

It is not uncommon for server administrators to allow open federation but also maintain an allowed or blocked list of domains. If you or an external partner's user population is large enough, you might list their domain as an allowed domain to remove message rate limitations. However, this concept of being open federated and maintaining an allowed list does not translate to Microsoft Teams or Skype for Business Online. Let's explore their behavior.

Currently, there are four places in various Office 365 admin centers to configure federation:

  1. Microsoft Office 365 Admin Center > Settings > Services & add-ins > Skype for Business
  2. Skype for Business Admin Center (legacy portal) > organization > external communications
  3. Microsoft Teams & Skype for Business Admin Center (modern portal) > Org-wide settings > External access
  4. PowerShell: Get-CsTenantFederationConfiguration
Admin portal federation settings (1 of 2)

Admin portal federation settings (1 of 2)

Admin portal federation settings (2 of 2)

Admin portal federation settings (2 of 2)

As you can see, each portal words the external access settings in different ways. The Office 365 and legacy Skype admin centers are a little more explicit in saying either allow all domains, allow external communication but block specific domains, or only allow communication with specific domains.

However, the new modern Teams & Skype admin center is less specific, and if you try to configure open federation with allowed domains (like you may have in on-premises versions), you'll end up changing your federation settings to one of the three options in the other admin centers. Here is my Teams & Skype admin center with external access enabled and added as an allowed domain:

External access enabled with an allowed domain

External access enabled with an allowed domain

If we return to the other admin configuration options, my federation configuration now only allows communication with a specific list of allowed domains and loses open federation in the process:

Federation limited to allowed domains only

Federation limited to allowed domains only

PowerShell also reflects a single allowed domain but gives no indication that open federation is now disabled:

Subscribe to 4sysops newsletter!

Updated PowerShell configuration

Updated PowerShell configuration

Essentially, Office 365 does not have the concept of having open federation but also specifying an allowed list. Unfortunately, this is a case where configuring a cloud service the same way as its on-premises counterpart does not translate and can lead to unexpected consequences. Even if the concepts are similar, it's always a good idea to review settings and make sure the changes you are about to make are going to lead to the expected result.


Leave a reply

Your email address will not be published. Required fields are marked *


© 4sysops 2006 - 2023


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account