This article explains how the meeting lobby is applied to different participant types joining a Microsoft Teams meeting from various clients and devices as well as how to control this behavior using various options provided at the tenant, user, and meeting levels. Also covered is newer behavior available in Microsoft’s Cloud Video Interop (CVI) partner-offered services like Poly’s RealConnect for Microsoft Teams which now allows more flexibility in the lobby experience for different sets of standards-based video teleconferencing (VTC) system.
Microsoft Teams will define meeting participants in one of two ways: as either Trusted or Untrusted. There are numerous terms used throughout the Teams configuration options and documentation which in many cases are used interchangeably to denote the same concepts. Any participant connecting to a meeting where they are actively signed-in to a Teams tenant would be considered as Authenticated, and by default also as Trusted unless the participant is part of an explicitly blocked domain and is not an invited guest to a Team where a meeting may be located. This includes users signed into any Teams organization across all native clients and devices as well as a specifically-defined VTC joining through a CVI service which supports defining trusted devices.
Conversely, a meeting participant which is not signed into any Teams tenant is considered by Microsoft Teams as Unauthenticated and thus also as Untrusted. Any VTC connecting through a CVI service which is not treated as trusted by the service will also be defined as untrusted in Teams . An anonymous participant is always treated as untrusted as by definition is not authenticated and the identity cannot be confirmed.
The two areas where this designation is most important are (1) how the meeting lobby may apply to the participant and (2) if they can participate in a Teams Live Event. How meeting attendees are handled in terms of the lobby experience comes down to the options applied for the specific meeting that is being joined. These options are defined by administrator-controlled default global and/or customized user meeting policies, some of which can be overridden by the meeting organizer for individual or reoccurring meetings.
The coloration between these two is easy to understand when one realizes that the inner Live Event meeting is really just a regular Teams meeting yet is lacking any lobby functionality. Thus, only trusted participants can join using the meeting link meant for the event’s Organizer, Producer and any potential Presenters joining. An untrusted, anonymous participant can only attend the event via the Attendee link via some of the native Teams clients or any supported web-browser. When dealing with regular Teams meetings the lobby is always applicable, meaning there is no such concept as a “Teams meeting with no lobby”. It is the fact that if certain participants are able to automatically bypass the lobby in a meeting then they typically never see the lobby and appear to join the meeting directly from their point-of-view.
Teams provides a few options to control lobby behavior which can be found in the Teams Admin Center (TAC) for administrators to control a meeting organizer’s default settings. A meeting organizer can alter some of these settings directly on the meeting itself in some Teams clients or in Outlook. The applicable options control which participants are automatically admitted through the lobby, which participant types are allowed to start a meeting (in the event they are the first participant to join), and a setting which specifically allows anonymous PSTN dial-in callers to be treated differently than other anonymous participants. These options have different names and descriptions depending on if they are being viewed by an administrator in the Teams Admin Center or by a user in the Teams client or Outlook. The individual settings for each option also slightly differ in wording at the moment but this is likely related to a recent change in which the term ‘guests’ has been added to some descriptions.
The three different meeting options all provide some control over which participants types are allowed directly into a meeting by automatically bypassing the lobby. Different participants types can be approved for or prevented from bypassing the lobby when they are the first participants to join the meeting. Also, telephony participants calling into the meeting via the Audio Conferencing dial-in information from the PSTN can be treated differently than other anonymous guests if preferred.
Every participant joining a Teams meeting will fit into one or more of the following categories.
- Everyone – this includes every single participant regardless of their authentication state or what client/device is being used. This includes anonymous PSTN callers, people joining as an unauthenticated guest from the Teams web client, untrusted VTCs through a CVI offering, and all actively registered Teams clients and devices across any tenant in the globally commercial Microsoft 365 cloud. This category is all trusted and untrusted participants.
- Trusted Organizations – these are any participants which are actively authenticated and registered to any Microsoft Teams tenant across any variety of clients or supported devices as long as their tenant’s domain is not specifically added to the block list of the meeting organizer’s tenant configuration. This includes any “guests” from other Teams tenants who are invited members of a Team where the meeting resides. This category can only include trusted participants.
- Same Organization – only those users which are currently signed-in on a supported Teams client or device to the same Microsoft Teams tenant as the meeting’s organizer as well as any invited guests for a Team/Channel meeting. This also includes any “guests” from other Teams tenants who are invited members of a Team where the meeting resides. This category can only include trusted participants.
- Meeting Organizer – only the meeting organizer themselves, from any client or device they are signed-in Teams with. This category can only include trusted participants.
The following table lists the current names of each lobby option and setting as seen in both the TAC and the meeting options in Teams/Outlook. As mentioned earlier the wording of both the option and setting names do not match exactly between what is shown in the TAC and what is seen by users in the Teams and Outlook client.
|Meeting Policy||Meeting Options|
|Let anonymous people start a meeting||Off||Not Available|
|Automatically admit people||Everyone||Who can bypass the lobby?||Everyone|
|Everyone in your organization and federated organizations||People in my organization, trusted organizations and guests|
|Everyone in your organization||People in my organization and guests|
|Organizer Only||Only me|
|Allow dial-in users to bypass the lobby||Off||Always let callers bypass the lobby||Off|
In the Teams Admin Center, under Meetings > Meeting Policies several default meeting policies will be listed. The Global (Org-wide default) policy will include the following settings by default:
Without any additional customization every Teams meeting organized by all Teams users a tenant will exhibit the same lobby behavior:
- Only trusted participants from within their own organization will be allowed to join meetings directly.
- All anonymous, untrusted participants will be placed in to the lobby when joining and will need to be manually admitted by another participant currently in the meeting.
- Only a trusted participant can start the meeting, which in this overall configuration is redundant as all untrusted participants are forced into the lobby regardless.
When modifying any of these settings in an existing global policy or custom user policy the changes may take some time to apply to the applicable users and will impact both newly created Teams meetings and any existing scheduled meetings where the organizer has not modified the meeting option. This means that any unmodified existing meetings which still point to the default setting will change in behavior to match the new default setting based on the user’s policy.
Some individual meeting settings can be viewed and modified in Outlook using the Meeting Options button available on new and existing meetings. From within in the Teams client itself these options are only available on an existing meeting as the options menu is not available when creating a new meeting.
At the user-level only two of the the three options shown earlier are available:
As outlined in the earlier table the “Who can bypass the lobby?” setting is the same as the “Automatically admit people” option from a user’s meeting policy, and the “Always let callers bypass the lobby” option coincides with the “Allow dial-in users to bypass the lobby” policy setting. There is no meeting option available to the user to alter the behavior of anonymous participants being allowed to start a meeting or not; that can only be controlled by an administrator.
When enabling the setting to always let a PSTN caller to bypass the lobby they will also be allowed to start the meeting even if the organizer’s policy is not configured to let anonymous people start a meeting. Other anonymous users like guests using the Teams web client and untrusted VTCs are not affected by the ‘callers’ option and will only be able to start a meeting if explicitly allowed.
Modifying either of these setting away from their policy-defined values will only apply to the meeting occurrence or series which is being edited. Any new meetings will continue to default to the settings configured on the meeting policy assigned to the meeting organizer.
The following table outlines the lobby enforcement behavior each type of participant will experience when joining a Microsoft Teams meeting. The results depends on the lobby options for each individual meeting which are defined by default values derived from the organizer’s assigned meeting policy and any custom changes possibly applied to the meeting itself directly by the organizer.
|Meeting Options||Meeting Configuration|
|Who can bypass the lobby?||Everyone||People in my organization,
|People in my organization
|Always let callers bypass the lobby||Enabled||Disabled||Enabled||Disabled||Enabled||Disabled|
|Participant||Lobby Enforcement Behavior|
|Trusted VTC (CVI)||Bypass||Bypass||Bypass||Bypass||Bypass||Bypass**|
|Untrusted VTC (CVI)||Bypass*||Lobby||Lobby||Lobby||Lobby||Lobby|
- Among the participant types outlined above there are two different types which Teams confusingly categorizes as “guests”. The Teams Guest represents an authenticated Teams user from another tenant which has specifically been invited as a guest to an existing Team. These participants are treated the same as other participants from the meeting organizer’s own tenant and would override any existing federation configuration which may have blocked that guest’s domain.
- The Anonymous Guest is an unauthenticated, anonymous user joining a Teams meeting from a web browser without signing into Teams in any tenant. Teams will identify this attendee as such in the meeting’s participant list by appending “(Guest)” to whatever display name is provided by the participant when joining.
* One caveat to be aware of is when a meeting is set to allow Everyone to bypass the lobby Teams will still treat trusted and untrusted participants differently in one specific case: when the participant is the first attendee into the meeting. By default, Teams does not allow untrusted participants to start a meeting, so when an anonymous participant is the first attendee into a meeting it will be temporarily held in the meeting lobby. Once the first trusted participant joins the meeting then any untrusted attendees currently in the lobby are automatically admitted into the meeting. If a trusted participant is already in the meeting then all untrusted participants will transparently bypass the lobby and go directly into the meeting.
** Currently there is an anomaly where a Trusted VTC joining via a CVI service will automatically bypass the lobby of a meeting configured to allow only the meeting Organizer to do so. Microsoft plans to fix this so that the Trusted VTC will go into the lobby like other trusted participants currently do.
22 thoughts on “Meeting Lobby Behavior in Microsoft Teams”
As an MVP I hope you can answer this issue. I set Windows 8.1 PRO to the High Contrast Black setting due to visual impairments and blindness in one eye. In Skype I set the appearance to High Contrast Dark, and that allows me to see the Dark Theme in Skype. Now if I go to the Task Manager to quit Skype after already manually quitting Skype, and then restart it; the Dark Theme is not retained and what I see is al all white theme with black writing; totally NOT what I want. I have contacted Skype and did research on the net but nothing I have tried allows me to set the High Contrast DARK theme and most importantly RETAIN it in Skype. Skype simply does not retain the Dark theme. That is extremely frustrating to me because of my visual issues. Please help me to permanently retain the Dark Theme in Skype.
There are 4 Partners Certified for Microsoft Teams are : (Poly | Pexip | BlueJeans | Cisco) which means all these are consider as Trusted VTC (CVI) right? then can you put some more light on , what do you mean by Untrusted VTC (CVI). Thank you.
This article refers to how an individual meeting attendee is treated, it has nothing to do with if a partner’s CVI service is ‘trusted’ by Teams. All four CVI offerings are officially certified for Teams.
The behavior can vary between the different CVI services depending o if they can support trusted devices or not. For example the Poly RealConnect Service initially treated everything as untrusted, then added the Lobby Bypass feature to allow a tenant to have all systems treated as trusted or all as untrusted, and more recently the service can now allow some to be trusted and other to be untrusted. You’d need to check with the other CVI providers to see what level of support and or control they provide.
Looking for a way to post a new question and perhaps get a login for your blog.
You have my E-mail address. (Not published, but you cn obviously retrieve it).
Thanks so much.
Hi Jeff, great article!
About your last note: “Currently there is an anomaly where a Trusted VTC joining via a CVI service will automatically bypass the lobby of a meeting configured to allow only the meeting Organizer to do so. Microsoft plans to fix this so that the Trusted VTC will go into the lobby like other trusted participants currently do.”
do you please have a Microsoft reference (bug ID, KB, URL, etc.) for this issue? I am very interested to understand when this will be fixed.
I’m not aware of any reference or timeline for this. I’ll update my article when it has been addressed though.
This page is so helpful. Trying to discern between a Teams guest and untrusted guest in that last grid, can you clarify that please?
Yeah, you can thank Microsoft for using the for ‘guest’ in 3 different ways in Teams now 🙂
The “Teams Guest” is an authenticated Teams user from another organization/tenant who has been added as a guest to the Team/Channel where a meeting is being hosted from. The “Anonymous Guest” is an unauthenticated participant using the Teams web client, like when someone joins a Teams meeting and they just put in “Bob” as their name.
One question. Is there any option to set the owner (meeting organizer) as the only person who can grant access to people waiting in the Lobby?
I think this is not possible, but not sure.
Thanks in advance !
Yes, this is exactly what the “Only Me” option is for.
Jeff, I cannot test this but the ‘Only Me’ option would have the unwanted effect of forcing trusted participants through the lobby. The behaviour I, and perhaps Elio, am looking for is to allow participants to bypass the lobby but only the organizer can admit anonymous users from the lobby. Possible?
The “People in my organization, trusted organizations, and guests” option will allow trusted participants to bypass the lobby while untrusted participants will be placed into the lobby. There is no granular control of lobby admittance though, anyone whos is a participant in the meeting can admit/deny anyone in the lobby while meeting attendees have no lobby control. Teams does not provide the ability to limit lobby controls to a single meeting participant.
Only Organizers and Presenters can admit from the lobby. Attendees can’t. It can appear that anyone in the meeting can admit it because the Presenter is the default role.
Does Teams allow you to admit everyone at the same time who’s currently waiting in the lobby? If so, how (Admit All checkbox or something)? If it doesn’t, can I highlight multiple people and admit those at the same time? Thank you!
I do not recall seeing an ‘Admit All’ option in Teams like Skype for Business had, but then again most of the meetings I join are typically setup with lobby bypass enabled for all attendees.
is there any way to admit Teams guests – who are waiting in the Lobby – via VTC endpoint (e.g. using VTC remote control)?
Thank you so much for your great articles!
No, a native Teams client is required to review/manage the meeting lobby. This is not possible through a Cloud Video Interop solution.
I read your description of Guest access and I understand what you are saying, however the experience we have is different:
When a Teams meeting is set to “People in my organization and guests” Guests on the Tenant are held in the lobby. When I select “People in my organization and trusted organizations, and guests” Guests are allowed in.
Why would this be the case? Both allow guests and the guest account is an invited accepted guest account on our tenant.
We have no black or white lists on the tenant (not that that should may any difference as it is the guest bit of the setting that we are expecting to allow user to enter without the lobby.
Any thoughts ? BTW I raised a call with MS support and all they could suggest is to use the more lax trusted org setting!
To be clear you’re saying that authenticated guests who have already been invited to the Team/Channel where the meeting is scheduled/hosted are not skipping the lobby? (This would not apply to anonymous guests.)
Great reference article Jeff. I’ve just been testing the Guest bypass and it only works if the Guest has used the Tenant switch to change the context of their meetings to the Guest context. This uses the embedded Guest identity in Azure and NOT the home ID of their parent tenant.
If they remain in their own tenant and don’t switch, they get put in the lobby.
Hello, very interesting article, do you have any idea when this issue will be fixed? I want all participants, except the organiser, to wait in a lobby but even when set to ‘only me’ some get past the lobby. Thanks
At this point I don’t think Microsoft is going to fix that behavior. If it’s causing problems open a support ticket directly with them to see if you can get some traction there.