When Microsoft announced its “Slack-killer” conversation-style Teams product, one piece of functionality was glaringly lacking – access into a team for people outside of your own organization. This week, external access was announced, but only partially. You can now invite guests into your teams IF they already have an Azure AD account (which for most people means they are using Office 365, as Azure AD is the underlying identity service). This is not the external access that everyone was hoping for, but it’s a step in the right direction.
Why external access is a big deal
Part of Slack’s success was the ease with which disparate groups of people with similar interests could come together. Inside an organization, you could connect internal people with subcontractors, suppliers and customers, regardless of their own technology ecosystem. Even Microsoft’s Yammer product allows for external networks. Sharing and collaboration outside of your own four walls has become normal and expected. Releasing without this capability caused some organizations to put the brakes on investigating Microsoft Teams at all, especially if they were already using Slack.
Personally, I’ve seen great wins where organizations have used Microsoft Teams to move internal conversations out of their Inboxes. The less you email each other, the more your Inbox becomes a workspace for external conversations, instead of a jumbled pile of everything. We’re already complaining about email overwhelm, so let’s start by not emailing each other.
Tackling the security requirements
From Microsoft’s perspective, their strength is in security, compliance, data protection and other Enterprise features. They’d argue that as the Enterprise makes up the majority of their user base, they have to focus on getting this level of protection right, above all else. And they’d be right.
To support their Enterprise security strategy, Microsoft had to create a way of allowing external accounts that fitted in with how identity and access management is handled across all of their products. The first step was Azure Active Directory – an IAM solution that supported both their security requirements and their on-premises Active Directory integration.
Next came Azure Active Directory B2B – a connectivity capability to allow two different Azure AD environments to talk to each other. The biggest benefit with this approach is that I’m not creating a guest account for a subcontractor at Company B, with no way of knowing if that subcontractor has left (or worse, been fired). With Azure B2B, the guest account is still primarily in Company B’s environment, with guest access to mine. I can still revoke that access at any time, but if Company B does fire the guy, they’ll cancel his account in their Azure AD system and bang, he’ll no longer have access to my resources either. That’s pretty decent security.
But remember, Azure AD B2B was only made generally available in April 2017. I suspect the timeframes were just too tight to make sure it integrated fully when Microsoft Teams first launched, so instead of delaying the entire product, Microsoft launched without this feature. It’s also worth noting that guest access to Teams isn’t just access to the conversations, it’s also access to the other Teams resources like files, notebook and private chat, some of which live in an Office 365 Group and some of which live in SharePoint Online, in the back end.
The experience so far
I’m fortunate to know a few people with Office 365, so we were quick to jump into some testing. The first thing that hits you is Microsoft’s tendency to stick to its own jargon. The act of changing to a team in a different organization tells you that you are switching to a different tenant. Tenant means something to Office 365 administrators but it means nothing to everybody else.
Unlike Slack, the list of your teams is maintained under your account switcher and not along a navigational tab. While this takes up less screen real-estate, it also makes the teams less visible. There is a notification badge on your account icon that will increase if there are unread mentions in any of your teams though.
Switching between teams isn’t very snappy, though it has improved in the last few days. It feels very much like I’m being signed out of one environment and into another, though I’m not prompted for my credentials again.
On the security front, the team header gets stamped with a warning that this team includes external guests, to remind me to watch what I say.
Unfortunately, I can’t alter my profile as a guest in another team to change my display name or my avatar/profile pic. The guest display name is whatever the team admin set it to when they added me as a guest in the first place.
There’s also currently no way to switch to another tenant’s teams in the mobile apps, but we’ve been told that updates for Microsoft Teams in iOS and Android are “coming”.
In general, once you are in, it’s fairly seamless to chat and collaborate on files.
For a full list of what guests can and can’t do in Microsoft Teams, see this support note: https://support.office.com/en-us/article/Guest-access-in-Microsoft-Teams-bd4cdeec-4044-4b4b-9df1-beb139013a3f?ui=en-US&rs=en-US&ad=US
What we need to see next
Apart from improving the experiences mentioned above, the community has already started a wish list for guest access capabilities. Most notable is the request for guest access to be allowed or restricted at a channel level inside a team, instead of at the top team level. As that functionality is not even available to internal users, I’m not sure it’ll be on the short-term roadmap. You can see the suggestions and add your own here: https://microsoftteams.uservoice.com/forums/555103-public/category/210841-guest-access
It’s no secret that the world is still waiting for non-Azure AD access. This will come from an integration allowing free consumer Microsoft Accounts as the identity service. That’s not a small achievement and it feels like piercing the veil between the consumer and Enterprise identity platforms. With the Azure AD access being announced before Microsoft’s big Ignite conference, you have to wonder if they’re saving the Microsoft Accounts announcement for Orlando.
Aside from these enhancements, the next challenge will be the adoption challenge. How do you convince an organization to move out of email mode and into the world of chat? I’m sure it’s a similar challenge to that faced by the Yammer team and I’d like to think the tide is turning on how we view internal collaboration. Some great real case studies would help, and time will tell. If you have a strong business case for the business problems that are solved by this new way of working, you’ll always be more successful than just throwing in technology because it’s the shiny new thing.