What Does Microsoft Teams Do


Teams provides a rich set of tools to implement any governance capabilities your organization might require. This article guides IT pros to ask the right questions to determine their requirements for governance, and how to meet them.

Applies to: Microsoft Teams; In this article Network requirements. If you've already optimized your network for Microsoft 365 or Office 365, you're probably ready for Microsoft Teams. In any case - and especially if you're rolling out Teams quickly as your first Microsoft 365 or Office 365 workload to support remote workers - check the following before you begin your Teams rollout.

Think of a “team” as a house. In Microsoft Teams you work in different “teams”. You can think of. Even if you don't have a Teams account, you can still join a Teams meeting on the mobile app. Here's how: In the meeting invite, select Join Microsoft Teams Meeting. If you don't already have the Teams mobile app, you'll be taken to your app store to download it. If you have an Android device, open the app right from the app store page.

Tip

Watch the following session to learn more about governance in Microsoft Teams: Governance, management and lifecycle in Microsoft Teams

Group and team creation, naming, classification, and guest access

Your organization might require that you implement strict controls on how teams are named and classified, whether guests can be added as team members, and who can create teams. You can configure these areas by using Azure Active Directory (Azure AD) and sensitivity labels.


Decision points
  • Does your organization require a specific naming convention for teams?
  • Do team creators need the ability to assign organization-specific classifications to teams?
  • Do you need to restrict the ability to add guests to teams on a per-team basis?
  • Does your organization require limiting who can create teams?
Next steps
  • Document your organization’s requirements for team creation, naming, classification, and guest access.
  • Plan to implement these requirements as a part of your Teams rollout.
  • Communicate and publish your policies to inform Teams users of the behavior they can expect.

Note

To help you plan ahead, learn more about setting these policies and what licenses they require.

Note

Limiting group and team creation can slow your users’ productivity, because many Microsoft 365 and Office 365 services require that groups be created for the service to function. For additional information, navigate to and expand Why control who creates Microsoft 365 Groups.

Additional information

After you’ve determined your requirements, you can implement them by using Azure AD controls. For technical guidance on how to implement these settings, see:

Group and team expiration, retention, and archiving

Your organization might have additional requirements for setting policies for expiration, retention, and archiving teams and teams data (channel messages and channel files). You can configure group expiration policies to automatically manage the lifecycle of the group and retention policies to preserve or delete information as needed, and you can archive teams (set them to read-only mode) to preserve a point-in-time view of a team that’s no longer active. Note that teams that are archived continue to have the expiration policy applied and may be deleted unless excluded or renewed.

Decision points
  • Does your organization require specifying an expiration date for teams?
  • Does your organization require specific data retention policies be applied to teams?
  • Does your organization expect to require the ability to archive inactive teams to preserve the content in a read-only state?

Next steps
  • Document your organization’s requirements for team expiration, data retention, and archiving.
  • Plan to implement these requirements as part of your Teams rollout.
  • Communicate and publish your policies to inform Teams users of the behavior they can expect.

Tip

Use the following table to capture your organization’s requirements.

| Capability | Details | Azure AD Premium license required | Decision |
| --- | --- | --- | --- |
| Expiration policy | Manage the lifecycle of Microsoft 365 groups by setting an expiration policy. | P1 | TBD |
| Retention policy | Retain or delete data for a specific time period by setting retention policies for Teams in the Security & compliance center. Note: Using this feature requires licensing of Microsoft 365 or Office 365 Enterprise E3 or above. | No | TBD |
| Archive and restore | Archive a team when it’s no longer active but you want to keep it around for reference or to reactivate in the future. | No | TBD |

Note

Group expiration is an Azure AD Premium feature. For this feature to be available, your tenant must have a subscription to Azure AD Premium and licenses for the administrator who configures the settings and the members of the affected groups.

Additional information

For technical guidance on how to implement these settings, see:

  • Set up Microsoft 365 groups expiration.

  • Set up Teams retention policies.

  • Archive or restore a team.

Group and team membership management

Consistently managing the members of project-based or restricted groups is necessary for teams that require rapid onboarding and offboarding of users and guests. Your organization may also need to make sure all current members have the business justification to be in a team. Managing members can be hard because team owners can leave, and users don’t usually leave groups of their own accord when a project ends or when they change roles. The best way to manage group membership so that users get access when needed, while ensuring the group doesn't carry a risk of inappropriate access, is through two distinct processes: entitlement management and access reviews.

Entitlement management allows you to delegate to someone, such as a project manager, to collect all the resources that are needed, including teams memberships, into a single package. They can also define who can make requests: either users in your tenant or from other connected organizations. The project manager will receive access requests in their email and approve or deny requests in the MyAccess portal. Administrators can configure the conditions of access to include an expiry date or period by when the user or guest will be removed from the team unless access is renewed. Administrators can also set up the groups associated with teams to take part in access reviews. For access reviews, the group owners will receive regular reminders to review the members of a team. Access reviews include recommendations, which makes it easier for group owners to go through their regular attestation process.

Decision points
  • Does your organization require a consistent process for managing membership of one or more teams?
  • Does your organization require owners, or the members themselves, to justify their continued membership of one or more teams on a regular basis?
  • Does your organization require approval for users and guests to request access to resources including teams, groups, SharePoint sites, and apps?

Next steps
  • Document your organization’s requirements for each team or specific teams for membership expiry.
  • Plan how your organization can bundle teams, groups, SharePoint sites, and apps together in access packages.
  • Plan which people, such as the requestor's manager, a project manager, a sponsor for a connected organization or a security officer in your organization will need to approve or deny access requests.

Tip

Use the following table to capture your organization’s requirements.

| Capability | Details | Azure AD Premium license required | Decision |
| --- | --- | --- | --- |
| Access reviews | Set up access reviews to recertify the membership of specific teams at regular intervals | P2 | TBD |
| Entitlement management | Set up an access package to allow users and guests to request access to teams | P2 | TBD |

Note

To help you plan ahead, learn more about what licenses they require.

Additional information

For technical guidance on how to implement these settings, see:

Teams feature management

Another important aspect of governance and lifecycle management for Teams is the ability to control what features your users will have access to. You can manage messaging, meeting, and calling features, either at the Microsoft 365 or Office 365 organization level or per-user.

Decision points
  • Does your organization require limiting Teams features for your entire tenant?
  • Does your organization require limiting Teams features for specific users?

Next steps
  • Document your organization’s requirements for limiting Teams features at the tenant and user level.
  • Plan to implement your specific requirements as part of your Teams rollout.
  • Communicate and publish your policies to inform Teams users of the behavior they can expect.

Teams feature management focus areas

Teams provides granular capabilities for controlling messaging, meeting, calling, and live event features and more, via policies. Different policies can be applied to all users by default or per user as required by your organization.

For detailed lists of all settings, including technical guidance on how to implement them for your organization, see the following articles:

Additionally, you can set up moderation for a channel and give moderator capabilities to certain users so that they can control who can create channel posts and respond to them. See Set up and manage channel moderation in Microsoft Teams for more information.

Security and compliance

Teams is built on the advanced security and compliance capabilities of Microsoft 365 and Office 365 and supports auditing and reporting, compliance content search, e-discovery, Legal Hold, and retention policies.

Important

If your organization has compliance and security requirements, review the in-depth content provided about this topic in the article Overview of security and compliance in Microsoft Teams.

Important

Teams

The Teams service model is subject to change in order to improve customer experiences. For example, the default access or refresh token expiration times may be subject to modification in order to improve performance and authentication resiliency for those using Teams. Any such changes would be made with the goal of keeping Teams secure and Trustworthy by Design.

Microsoft Teams, as part of the Microsoft 365 and Office 365 services, follows all the security best practices and procedures such as service-level security through defense-in-depth, customer controls within the service, security hardening and operational best practices. For full details, please see the Microsoft Trust Center.

Trustworthy by Design

Teams is designed and developed in compliance with the Microsoft Trustworthy Computing Security Development Lifecycle (SDL), which is described at Microsoft Security Development Lifecycle (SDL). The first step in creating a more secure unified communications system was to design threat models and test each feature as it was designed. Multiple security-related improvements were built into the coding process and practices. Build-time tools detect buffer overruns and other potential security threats before the code is checked in to the final product. Of course, it is impossible to design against all unknown security threats. No system can guarantee complete security. However, because product development embraced secure design principles from the start, Teams incorporates industry standard security technologies as a fundamental part of its architecture.

Trustworthy by Default

Network communications in Teams are encrypted by default. By requiring all servers to use certificates and by using OAUTH, TLS, Secure Real-Time Transport Protocol (SRTP), all Teams data is protected on the network.

How Teams Handles Common Security Threats

This section identifies the more common threats to the security of the Teams Service and how Microsoft mitigates each threat.

Compromised-Key Attack

Teams uses the PKI features in the Windows Server operating system to protect the key data used for encryption for the Transport Layer Security (TLS) connections. The keys used for media encryptions are exchanged over TLS connections.

Network Denial-of-Service Attack

The denial-of-service attack occurs when the attacker prevents normal network use and function by valid users. By using a denial-of-service attack, the attacker can:

  • Send invalid data to applications and services running in the attacked network to disrupt their normal function.
  • Send a large amount of traffic, overloading the system until it stops responding or responds slowly to legitimate requests.
  • Hide the evidence of the attacks.
  • Prevent users from accessing network resources.

Teams mitigates against these attacks by running Azure DDOS network protection and by throttling client requests from the same endpoints, subnets, and federated entities.

Eavesdropping

Eavesdropping can occur when an attacker gains access to the data path in a network and has the ability to monitor and read the traffic. This is also called sniffing or snooping. If the traffic is in plain text, the attacker can read the traffic when the attacker gains access to the path. An example is an attack performed by controlling a router on the data path.

Teams uses mutual TLS (MTLS) for server communications within Microsoft 365 and Office 365, and also uses TLS from clients to the service, rendering this attack very difficult or impossible to achieve within the time period in which a given conversation could be attacked. TLS authenticates all parties and encrypts all traffic. This does not prevent eavesdropping, but the attacker cannot read the traffic unless the encryption is broken.

The TURN protocol is used for real time media purposes. The TURN protocol does not mandate the traffic to be encrypted and the information that it is sending is protected by message integrity. Although it is open to eavesdropping, the information it is sending (that is, IP addresses and port) can be extracted directly by simply looking at the source and destination addresses of the packets. The Teams service ensures that the data is valid by checking the Message Integrity of the message using the key derived from a few items including a TURN password, which is never sent in clear text. SRTP is used for media traffic and is also encrypted.
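The property described above (fields readable on the wire, tampering still detected) shown with the long-term credential mechanism of IETF STUN (RFC 5389). This is an added example, not Microsoft's or Teams' code; that Teams' relays derive the key this way is an assumption, and the user name, realm, password and transaction ID are constructed sample values.

```python
import hashlib
import hmac
import struct

MAGIC_COOKIE = 0x2112A442
ALLOCATE_REQUEST = 0x0003          # TURN Allocate method
ATTR_USERNAME = 0x0006
ATTR_MESSAGE_INTEGRITY = 0x0008
ATTR_REALM = 0x0014
HEADER_LEN = 20
MI_ATTR_LEN = 24                   # 4-byte attribute header + 20-byte HMAC-SHA1


def long_term_key(username, realm, password):
    """RFC 5389 long-term key: MD5(username:realm:password).
    SASLprep is omitted; an ASCII password is assumed. The password
    itself never appears in any message."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()


def _attr(attr_type, value):
    """Encode one attribute, zero-padded to a 4-byte boundary."""
    return struct.pack("!HH", attr_type, len(value)) + value + b"\x00" * (-len(value) % 4)


def build_request(txid, username, realm, key):
    """Build an Allocate request that ends with MESSAGE-INTEGRITY."""
    attrs = _attr(ATTR_USERNAME, username.encode()) + _attr(ATTR_REALM, realm.encode())
    # The length field must already count the MESSAGE-INTEGRITY attribute
    # when the HMAC is computed.
    header = struct.pack("!HHI12s", ALLOCATE_REQUEST, len(attrs) + MI_ATTR_LEN,
                         MAGIC_COOKIE, txid)
    mac = hmac.new(key, header + attrs, hashlib.sha1).digest()
    return header + attrs + _attr(ATTR_MESSAGE_INTEGRITY, mac)


def read_attributes(message):
    """Yield (offset, type, value) per attribute. No key is needed:
    this is all an on-path observer has to do to read the fields."""
    pos = HEADER_LEN
    while pos + 4 <= len(message):
        attr_type, attr_len = struct.unpack("!HH", message[pos:pos + 4])
        yield pos, attr_type, message[pos + 4:pos + 4 + attr_len]
        pos += 4 + attr_len + (-attr_len % 4)


def verify_integrity(message, key):
    """Recompute MESSAGE-INTEGRITY the way a receiving server would."""
    if len(message) < HEADER_LEN:
        return False
    msg_type, length, cookie = struct.unpack("!HHI", message[:8])
    if cookie != MAGIC_COOKIE or length != len(message) - HEADER_LEN:
        return False
    for pos, attr_type, value in read_attributes(message):
        if attr_type != ATTR_MESSAGE_INTEGRITY:
            continue
        if len(value) != 20:
            return False
        # HMAC input: header with its length rewritten to end at this
        # attribute, followed by every attribute that precedes it.
        header = struct.pack("!HH", msg_type, pos - HEADER_LEN + MI_ATTR_LEN) \
            + message[4:HEADER_LEN]
        expected = hmac.new(key, header + message[HEADER_LEN:pos], hashlib.sha1).digest()
        return hmac.compare_digest(expected, value)
    return False    # no MESSAGE-INTEGRITY attribute: treat as unauthenticated


def demo():
    txid = bytes(range(12))                                   # constructed
    key = long_term_key("alice", "example.org", "constructed-password")
    msg = build_request(txid, "alice", "example.org", key)
    seen = {t: v for _, t, v in read_attributes(msg)}
    tampered = bytearray(msg)
    tampered[HEADER_LEN + 4] ^= 0x01                          # flip a bit in USERNAME
    wrong_key = long_term_key("alice", "example.org", "guess")
    return {
        "username_on_wire": seen[ATTR_USERNAME].decode(),
        "genuine": verify_integrity(msg, key),
        "tampered": verify_integrity(bytes(tampered), key),
        "wrong_password": verify_integrity(msg, wrong_key),
    }


if __name__ == "__main__":
    print(demo())
```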

Identity Spoofing (IP Address Spoofing)

Spoofing occurs when the attacker determines and uses an IP address of a network, computer, or network component without being authorized to do so. A successful attack allows the attacker to operate as if the attacker is the entity normally identified by the IP address.

TLS authenticates all parties and encrypts all traffic. Using TLS prevents an attacker from performing IP address spoofing on a specific connection (for example, mutual TLS connections). An attacker could still spoof the address of the DNS server. However, because authentication in Teams is performed with certificates, an attacker would not have a valid certificate required to spoof one of the parties in the communication.

Man-in-the-Middle Attack

A man-in-the-middle attack occurs when an attacker reroutes communication between two users through the attacker's computer without the knowledge of the two communicating users. The attacker can monitor and read the traffic before sending it on to the intended recipient. Each user in the communication unknowingly sends traffic to and receives traffic from the attacker, all while thinking they are communicating only with the intended user. This can happen if an attacker can modify Active Directory Domain Services to add his or her server as a trusted server or modify Domain Name System (DNS) to get clients to connect through the attacker on their way to the server.

Man-in-the-middle attacks on media traffic between two endpoints participating in Teams audio, video, and application sharing are prevented by using SRTP to encrypt the media stream. Cryptographic keys are negotiated between the two endpoints over a proprietary signaling protocol (Teams Call Signaling protocol) which leverages TLS 1.2 and AES-256 (in GCM mode) encrypted UDP / TCP channel.

RTP Replay Attack

A replay attack occurs when a valid media transmission between two parties is intercepted and retransmitted for malicious purposes. Teams uses SRTP in conjunction with a secure signaling protocol that protects transmissions from replay attacks by enabling the receiver to maintain an index of already received RTP packets and compare each new packet with those already listed in the index.
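The receiver-side index described above, as an added example (not Microsoft's or Teams' code). A simplified packet of 64-bit index, payload and truncated HMAC-SHA1 tag stands in for real SRTP, with a 64-packet sliding window in the style of RFC 3711; `ReplayWindow`, `protect`, `receive` and the key are names and values constructed for the illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 10        # SRTP's default HMAC-SHA1 tag is truncated to 80 bits
WINDOW_SIZE = 64    # RFC 3711 asks for a replay window of at least 64 packets


class ReplayWindow:
    """Sliding-window index of packet indices already received."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.highest = None     # highest authenticated index so far
        self.bitmap = 0         # bit d set => index (highest - d) was received

    def verdict(self, index):
        """Classify an index without changing any state."""
        if self.highest is None or index > self.highest:
            return "new"
        delta = self.highest - index
        if delta >= self.size:
            return "too_old"    # fell off the window: cannot prove it is fresh
        return "replay" if (self.bitmap >> delta) & 1 else "new"

    def mark(self, index):
        """Record an index. Call only after the packet has authenticated."""
        if self.highest is None:
            self.highest, self.bitmap = index, 1
        elif index > self.highest:
            shift = index - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = index
        else:
            self.bitmap |= 1 << (self.highest - index)


def protect(key, index, payload):
    """Sender side of the simplified format: index || payload || tag."""
    body = struct.pack("!Q", index) + payload
    return body + hmac.new(key, body, hashlib.sha1).digest()[:TAG_LEN]


def receive(key, window, packet):
    """Return (status, payload); status is one of
    accepted / replay / too_old / bad_tag / malformed."""
    if len(packet) < 8 + TAG_LEN:
        return "malformed", None
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    index = struct.unpack("!Q", body[:8])[0]
    status = window.verdict(index)
    if status != "new":
        return status, None
    expected = hmac.new(key, body, hashlib.sha1).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        # The window is left untouched, so a forged packet carrying a huge
        # index cannot slide it forward and lock out genuine traffic.
        return "bad_tag", None
    window.mark(index)
    return "accepted", body[8:]


def demo():
    key = b"constructed-demo-key"                   # constructed sample key
    window = ReplayWindow()
    captured = protect(key, 100, b"frame-100")      # packet an observer copies
    forged = struct.pack("!Q", 5000) + b"x" + b"\x00" * TAG_LEN
    statuses = [
        receive(key, window, captured)[0],                  # first delivery
        receive(key, window, protect(key, 102, b"f"))[0],   # in order
        receive(key, window, protect(key, 101, b"f"))[0],   # late, inside window
        receive(key, window, captured)[0],                  # retransmitted copy
        receive(key, window, forged)[0],                    # unauthenticated
        receive(key, window, protect(key, 300, b"f"))[0],   # window slides
        receive(key, window, captured)[0],                  # now outside window
    ]
    return statuses, window.highest


if __name__ == "__main__":
    print(demo())
```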

Spim

Spim is unsolicited commercial instant messages or presence subscription requests, like spam, but in instant message form. While not by itself a compromise of the network, it is annoying at the least, can reduce resource availability and production, and can possibly lead to a compromise of the network. An example of this is users spimming each other by sending requests. Users can block each other to prevent this, but with federation, if a coordinated spim attack is established, this can be difficult to overcome unless you disable federation for the partner.

Viruses and Worms

A virus is a unit of code whose purpose is to reproduce additional, similar code units. To work, a virus needs a host, such as a file, email, or program. Like a virus, a worm is a unit of code that is coded to reproduce additional, similar code units, but that unlike a virus does not need a host. Viruses and worms primarily show up during file transfers between clients or when URLs are sent from other users. If a virus is on your computer, it can, for example, use your identity and send instant messages on your behalf. Standard client security best practices such as periodically scanning for viruses can mitigate this issue.

Security Framework for Teams

This section gives an overview of fundamental elements that form a security framework for Microsoft Teams.

Core elements are:

  • Azure Active Directory (Azure AD), which provides a single trusted back-end repository for user accounts. User profile information is stored in Azure AD through the actions of Microsoft Graph.
    • Be advised that there may be multiple tokens issued which you may see if tracing your network traffic. This includes Skype tokens you might see in traces while looking at chat and audio traffic.
  • Transport Layer Security (TLS), and mutual TLS (MTLS) which encrypt instant message traffic and enable endpoint authentication. Point-to-point audio, video, and application sharing streams are encrypted and integrity checked using Secure Real-Time Transport Protocol (SRTP). You may also see OAuth traffic in your trace, particularly around negotiating permissions while switching between tabs in Teams, for example to move from Posts to Files. For an example of the OAuth flow for tabs, please see this document.
  • Teams uses industry-standard protocols for user authentication, wherever possible.

The next sections discuss some of these core technologies.

Azure Active Directory

Azure Active Directory functions as the directory service for Microsoft 365 and Office 365. It stores all user directory information and policy assignments.

CRL Distribution Points

Microsoft 365 and Office 365 traffic takes place over TLS/HTTPS encrypted channels, meaning that certificates are used for encryption of all traffic. Teams requires all server certificates to contain one or more Certificate Revocation List (CRL) distribution points. CRL distribution points (CDPs) are locations from which CRLs can be downloaded for purposes of verifying that the certificate has not been revoked since the time it was issued and the certificate is still within the validity period. A CRL distribution point is noted in the properties of the certificate as a URL and is secure HTTP. The Teams service checks CRL with every certificate authentication.

Enhanced Key Usage

All components of the Teams service require all server certificates to support Enhanced Key Usage (EKU) for the purpose of server authentication. Configuring the EKU field for server authentication means that the certificate is valid for the purpose of authenticating servers. This EKU is essential for MTLS.

TLS and MTLS for Teams

TLS and MTLS protocols provide encrypted communications and endpoint authentication on the Internet. Teams uses these two protocols to create the network of trusted servers and to ensure that all communications over that network are encrypted. All communications between servers occur over MTLS. Any remaining or legacy SIP communications from client to server occur over TLS.

TLS enables users, through their client software, to authenticate the Teams servers to which they connect. On a TLS connection, the client requests a valid certificate from the server. To be valid, the certificate must have been issued by a Certificate Authority (CA) that is also trusted by the client and the DNS name of the server must match the DNS name on the certificate. If the certificate is valid, the client uses the public key in the certificate to encrypt the symmetric encryption keys to be used for the communication, so only the original owner of the certificate can use its private key to decrypt the contents of the communication. The resulting connection is trusted and from that point is not challenged by other trusted servers or clients.

Server-to-server connections rely on mutual TLS (MTLS) for mutual authentication. On an MTLS connection, the server originating a message and the server receiving it exchange certificates from a mutually trusted CA. The certificates prove the identity of each server to the other. In the Teams service, this procedure is followed.

TLS and MTLS help prevent both eavesdropping and man-in-the-middle attacks. In a man-in-the-middle attack, the attacker reroutes communications between two network entities through the attacker's computer without the knowledge of either party. TLS and Teams' specification of trusted servers mitigate the risk of a man-in-the-middle attack partially on the application layer by using encryption that is coordinated using public key cryptography between the two endpoints. To decrypt the communication, an attacker would need a valid and trusted certificate, with the corresponding private key, issued to the name of the service with which the client is communicating.

Note

Teams data is encrypted in transit and at rest in Microsoft datacenters. Microsoft uses industry standard technologies such as TLS and SRTP to encrypt all data in transit between users' devices and Microsoft datacenters, and between Microsoft datacenters. This includes messages, files, meetings, and other content. Enterprise data is also encrypted at rest in Microsoft datacenters, in a way that allows organizations to decrypt content if needed, to meet their security and compliance obligations, such as eDiscovery.

Encryption for Teams

Teams uses TLS and MTLS to encrypt instant messages. All server-to-server traffic requires MTLS, regardless of whether the traffic is confined to the internal network or crosses the internal network perimeter.

This table summarizes the protocols used by Teams.

Traffic Encryption

| Traffic type | Encrypted by |
| --- | --- |
| Server-to-server | MTLS |
| Client-to-server (ex. instant messaging and presence) | TLS |
| Media flows (ex. audio and video sharing of media) | TLS |
| Audio and video sharing of media | SRTP/TLS |
| Signaling | TLS |

Media Encryption

Media traffic is encrypted using Secure RTP (SRTP), a profile of Real-Time Transport Protocol (RTP) that provides confidentiality, authentication, and replay attack protection to RTP traffic. SRTP uses a session key generated by using a secure random number generator and exchanged using the signaling TLS channel. Client to Client media traffic is negotiated through a Client to Server connection signaling, but is encrypted using SRTP when going direct Client to Client.

Teams uses a credentials-based token for secure access to media relays over TURN. Media relays exchange the token over a TLS-secured channel.

FIPS

Teams uses FIPS (Federal Information Processing Standard) compliant algorithms for encryption key exchanges. For more information on the implementation of FIPS, please see Federal Information Processing Standard (FIPS) Publication 140-2.

User and Client Authentication

A trusted user is one whose credentials have been authenticated by Azure AD in Microsoft 365 or Office 365.

Authentication is the provision of user credentials to a trusted server or service. Teams uses the following authentication protocols, depending on the status and location of the user.

  • Modern Authentication (MA) is the Microsoft implementation of OAUTH 2.0 for client to server communication. It enables security features such as Multi-Factor Authentication and Conditional Access. In order to use MA, both the online tenant and the clients need to be enabled for MA. The Teams clients across PC and mobile, as well as the web client, all support MA.

Note

If you need to brush up on Azure AD authentication and authorization methods, this article's Introduction and 'Authentication basics in Azure AD' sections will help.

Teams authentication is accomplished through Azure AD and OAuth. The process of authentication can be simplified to:

  • User Login > Token issuance > subsequent request use issued token.

Requests from client to server are authenticated and authorized via Azure AD with the use of OAuth. Users with valid credentials issued by a federated partner are trusted and pass through the same process as native users. However, further restrictions can be put into place by administrators.

For media authentication, the ICE and TURN protocols also use the Digest challenge as described in the IETF TURN RFC.

Windows PowerShell and Team Management Tools

In Teams, IT Admins can manage their service via the Microsoft 365 admin center or by using Tenant Remote PowerShell (TRPS). Tenant admins use Modern Authentication to authenticate to TRPS.

Configuring Access to Teams at your Internet Boundary

For Teams to function properly (for users to be able to join meetings etc.), customers need to configure their internet access such that outbound UDP and TCP traffic to services in the Teams cloud is allowed. For more details, see here: Office 365 URLs and IP address ranges.

UDP 3478-3481 and TCP 443

The UDP 3478-3481 and TCP 443 ports are used by clients to request service for audio visuals. A client uses these two ports to allocate UDP and TCP ports respectively to enable these media flows. The media flows on these ports are protected with a key that is exchanged over a TLS protected signaling channel.

Federation Safeguards for Teams

Federation provides your organization with the ability to communicate with other organizations to share IM and presence. In Teams, federation is on by default. However, tenant admins have the ability to control this via the Microsoft 365 admin center.

Addressing Threats to Teams Meetings

There are two options to control who arrives in Teams meetings and who will have access to the information you present.

  1. You can control who joins your meetings through settings for the lobby.

    | 'Who can bypass the lobby' setting options available in Meeting options page | User types joining the meeting directly | User types going to the lobby |
    | --- | --- | --- |
    | People in my organization | In-tenant, Guest of tenant | Federated, Anonymous, PSTN dial-in |
    | People in my organization and trusted organizations | In-tenant, Guest of tenant, Federated | Anonymous, PSTN dial-in |
    | Everyone | In-tenant, Guest of tenant, Federated, Anonymous, PSTN dial-in | |

  2. The second way is through structured meetings (where Presenters can do about anything that should be done, and attendees have a controlled experience). After joining a structured meeting, presenters control what attendees can do in the meeting.

    | Actions | Presenters | Attendees |
    | --- | --- | --- |
    | Speak and share their video | Y | Y |
    | Participate in meeting chat | Y | Y |
    | Change settings in meeting options | Y | N |
    | Mute other participants | Y | N |
    | Remove other participants | Y | N |
    | Share content | Y | N |
    | Admit other participants from the lobby | Y | N |
    | Make other participants presenters or attendees | Y | N |
    | Start or stop recording | Y | N |
    | Take control when another participant shares a PowerPoint | Y | N |

Teams provides the capability for enterprise users to create and join real-time meetings. Enterprise users can also invite external users who do not have an Azure AD, Microsoft 365, or Office 365 account to participate in these meetings. Users who are employed by external partners with a secure and authenticated identity can also join meetings and, if promoted to do so, can act as presenters. Anonymous users cannot create or join a meeting as a presenter, but they can be promoted to presenter after they join.

For Anonymous users to be able to join Teams meetings, the Participants meetings setting in the Teams Admin Center must be toggled on.

Note

The term anonymous users means users that are not authenticated to the organization's tenant. In this context all external users are considered anonymous. Authenticated users include tenant users and Guest users of the tenant.

Enabling external users to participate in Teams meetings can be very useful, but entails some security risks. To address these risks, Teams uses the following additional safeguards:

  • Participant roles determine meeting control privileges.

  • Participant types allow you to limit access to specific meetings.

  • Scheduling meetings is restricted to users who have an AAD account and a Teams license.

  • Anonymous, that is, unauthenticated, users who want to join a dial-in conference, dial one of the conference access numbers. If the 'Always allow callers to bypass the lobby' setting is turned On then they also need to wait until a presenter or authenticated user joins the meeting.

    Caution

    If you do not wish for Anonymous users (users you don't explicitly invite) to join a meeting, you need to ensure the Anonymous users can join a meeting is set to Off for the Participant meeting section.

It's also possible for an organizer to configure settings to let Dial-in callers be the first person in a meeting. This setting is configured in the Audio Conferencing settings for users and would apply to all meetings scheduled by the user.

Note

For more information on Guest and External Access in Teams, see this article. It covers what features guest or external users can expect to see and use when they login to Teams.

If you're recording meetings and want to see a permissions matrix around accessing the content, consult this article and its matrix.

Participant Roles

Meeting participants fall into three groups, each with its own privileges and restrictions:

  • Organizer The user who creates a meeting, whether impromptu or by scheduling. An organizer must be an authenticated in-tenant user and has control over all end-user aspects of a meeting.
  • Presenter A user who is authorized to present information at a meeting, using whatever media is supported. A meeting organizer is by definition also a presenter and determines who else can be a presenter. An organizer can make this determination when a meeting is scheduled or while the meeting is under way.
  • Attendee A user who has been invited to attend a meeting but who is not authorized to act as a presenter.

A presenter can also promote an attendee to the role of presenter during the meeting.

Participant Types

Meeting participants are also categorized by location and credentials. You can use both of these characteristics to decide which users can have access to specific meetings. Users can be divided broadly into the following categories:

  1. Users that belong to the tenant These users have a credential in Azure Active Directory for the tenant.
    a. People in my organization – These users have a credential in Azure Active Directory for the tenant. People in my organization includes invited Guest accounts.
    b. Remote users – These users are joining from outside the corporate network. They can include employees who are working at home or on the road, and others, such as employees of trusted vendors, who have been granted enterprise credentials for their terms of service. Remote users can create and join meetings and act as presenters.
  2. Users that do not belong to the tenant These users do not have credentials in Azure AD for the tenant.
    a. Federated Users - Federated users have valid credentials with federated partners and are therefore treated as authenticated by Teams, but are still external to the meeting organizer tenant. Federated users can join meetings and be promoted to presenters after they have joined the meeting, but they can't create meetings in enterprises with which they are federated.
    b. Anonymous Users - Anonymous users do not have an Active Directory identity and are not federated with the tenant.

Many meetings involve external users. Those same customers also want reassurance about the identity of external users before allowing those users to join a meeting. The next section describes how Teams limits meeting access to those user types that have been explicitly allowed, and requires all user types to present appropriate credentials when entering a meeting.

Participant Admittance

Caution

If you do not wish for Anonymous users (users you don't explicitly invite) to join a meeting, you need to ensure the Anonymous users can join a meeting is set to Off for the Participant meeting section.

In Teams, anonymous users can be transferred to a waiting area called the lobby. Presenters can then either admit these users into the meeting or reject them. When these users are transferred to the lobby, the presenter and attendees are notified, and the anonymous users must then wait until they are either accepted or rejected, or their connection times out.

By default, participants dialing in from the PSTN go directly to the meeting once an authenticated user joins the meeting, but this option can be changed to force dial-in participants to go to the lobby.

Meeting organizers control whether participants can join a meeting without waiting in the lobby. Each meeting can be set up to enable access using any one of the following methods:

The defaults are:

  • People in my Organization - Everyone external to the organization will wait in the lobby until admitted.
  • People from my organization and trusted organizations - Authenticated users and external users from Teams and Skype for Business domains that are in the external access allow list can bypass the lobby. All other users will wait in the lobby until admitted.
  • Everyone - All meeting participants bypass the lobby once an authenticated user has joined the meeting.

Presenter Capabilities

Meeting organizers control whether participants can present during a meeting. Each meeting can be set up to limit presenters to any one of the following:

  • People in my organization - All in tenant users, including guests, can present
  • People in my organization and trusted organizations - All in tenant users, including guests, can present and external users from Teams and Skype for Business domains that are in the external access allow list can present.
  • Everyone - All meeting participants are presenters.

Modify While Meeting is Running

It's possible to modify the meeting options while a meeting is ongoing. The change, when saved, will impact the running meeting within seconds. It also affects any future occurrences of the meeting.
