This article explains how the meeting lobby is applied to different participant types joining a Microsoft Teams meeting from various clients and devices as well as how to control this behavior using various options provided at the tenant, user, and meeting levels. Also covered is newer behavior available in Microsoft’s Cloud Video Interop (CVI) partner-offered services like Poly’s RealConnect for Microsoft Teams which now allows more flexibility in the lobby experience for different sets of standards-based video teleconferencing (VTC) system.
Microsoft Teams will define meeting participants in one of two ways: as either Trusted or Untrusted. There are numerous terms used throughout the Teams configuration options and documentation which in many cases are used interchangeably to denote the same concepts. Any participant connecting to a meeting where they are actively signed-in to a Teams tenant would be considered as Authenticated, and by default also as Trusted unless the participant is part of an explicitly blocked domain and is not an invited guest to a Team where a meeting may be located. This includes users signed into any Teams organization across all native clients and devices as well as a specifically-defined VTC joining through a CVI service which supports defining trusted devices.
Conversely, a meeting participant which is not signed into any Teams tenant is considered by Microsoft Teams as Unauthenticated and thus also as Untrusted. Any VTC connecting through a CVI service which is not treated as trusted by the service will also be defined as untrusted in Teams . An anonymous participant is always treated as untrusted as by definition is not authenticated and the identity cannot be confirmed.
The two areas where this designation is most important are (1) how the meeting lobby may apply to the participant and (2) if they can participate in a Teams Live Event. How meeting attendees are handled in terms of the lobby experience comes down to the options applied for the specific meeting that is being joined. These options are defined by administrator-controlled default global and/or customized user meeting policies, some of which can be overridden by the meeting organizer for individual or reoccurring meetings.
The coloration between these two is easy to understand when one realizes that the inner Live Event meeting is really just a regular Teams meeting yet is lacking any lobby functionality. Thus, only trusted participants can join using the meeting link meant for the event’s Organizer, Producer and any potential Presenters joining. An untrusted, anonymous participant can only attend the event via the Attendee link via some of the native Teams clients or any supported web-browser. When dealing with regular Teams meetings the lobby is always applicable, meaning there is no such concept as a “Teams meeting with no lobby”. It is the fact that if certain participants are able to automatically bypass the lobby in a meeting then they typically never see the lobby and appear to join the meeting directly from their point-of-view.
Teams provides a few options to control lobby behavior which can be found in the Teams Admin Center (TAC) for administrators to control a meeting organizer’s default settings. A meeting organizer can alter some of these settings directly on the meeting itself in some Teams clients or in Outlook. The applicable options control which participants are automatically admitted through the lobby, which participant types are allowed to start a meeting (in the event they are the first participant to join), and a setting which specifically allows anonymous PSTN dial-in callers to be treated differently than other anonymous participants. These options have different names and descriptions depending on if they are being viewed by an administrator in the Teams Admin Center or by a user in the Teams client or Outlook. The individual settings for each option also slightly differ in wording at the moment but this is likely related to a recent change in which the term ‘guests’ has been added to some descriptions.
The three different meeting options all provide some control over which participants types are allowed directly into a meeting by automatically bypassing the lobby. Different participants types can be approved for or prevented from bypassing the lobby when they are the first participants to join the meeting. Also, telephony participants calling into the meeting via the Audio Conferencing dial-in information from the PSTN can be treated differently than other anonymous guests if preferred.
Every participant joining a Teams meeting will fit into one or more of the following categories.
- Everyone – this includes every single participant regardless of their authentication state or what client/device is being used. This includes anonymous PSTN callers, people joining as an unauthenticated guest from the Teams web client, untrusted VTCs through a CVI offering, and all actively registered Teams clients and devices across any tenant in the globally commercial Microsoft 365 cloud. This category is all trusted and untrusted participants.
- Trusted Organizations – these are any participants which are actively authenticated and registered to any Microsoft Teams tenant across any variety of clients or supported devices as long as their tenant’s domain is not specifically added to the block list of the meeting organizer’s tenant configuration. This includes any “guests” from other Teams tenants who are invited members of a Team where the meeting resides. This category can only include trusted participants.
- Same Organization – only those users which are currently signed-in on a supported Teams client or device to the same Microsoft Teams tenant as the meeting’s organizer as well as any invited guests for a Team/Channel meeting. This also includes any “guests” from other Teams tenants who are invited members of a Team where the meeting resides. This category can only include trusted participants.
- Meeting Organizer – only the meeting organizer themselves, from any client or device they are signed-in Teams with. This category can only include trusted participants.
The following table lists the current names of each lobby option and setting as seen in both the TAC and the meeting options in Teams/Outlook. As mentioned earlier the wording of both the option and setting names do not match exactly between what is shown in the TAC and what is seen by users in the Teams and Outlook client.
|Meeting Policy||Meeting Options|
|Let anonymous people start a meeting||Off||Not Available|
|Automatically admit people||Everyone||Who can bypass the lobby?||Everyone|
|Everyone in your organization and federated organizations||People in my organization, trusted organizations and guests|
|Everyone in your organization||People in my organization and guests|
|Organizer Only||Only me|
|Allow dial-in users to bypass the lobby||Off||Always let callers bypass the lobby||Off|
In the Teams Admin Center, under Meetings > Meeting Policies several default meeting policies will be listed. The Global (Org-wide default) policy will include the following settings by default:
Without any additional customization every Teams meeting organized by all Teams users a tenant will exhibit the same lobby behavior:
- Only trusted participants from within their own organization will be allowed to join meetings directly.
- All anonymous, untrusted participants will be placed in to the lobby when joining and will need to be manually admitted by another participant currently in the meeting.
- Only a trusted participant can start the meeting, which in this overall configuration is redundant as all untrusted participants are forced into the lobby regardless.
When modifying any of these settings in an existing global policy or custom user policy the changes may take some time to apply to the applicable users and will impact both newly created Teams meetings and any existing scheduled meetings where the organizer has not modified the meeting option. This means that any unmodified existing meetings which still point to the default setting will change in behavior to match the new default setting based on the user’s policy.
Some individual meeting settings can be viewed and modified in Outlook using the Meeting Options button available on new and existing meetings. From within in the Teams client itself these options are only available on an existing meeting as the options menu is not available when creating a new meeting.
At the user-level only two of the the three options shown earlier are available:
As outlined in the earlier table the “Who can bypass the lobby?” setting is the same as the “Automatically admit people” option from a user’s meeting policy, and the “Always let callers bypass the lobby” option coincides with the “Allow dial-in users to bypass the lobby” policy setting. There is no meeting option available to the user to alter the behavior of anonymous participants being allowed to start a meeting or not; that can only be controlled by an administrator.
When enabling the setting to always let a PSTN caller to bypass the lobby they will also be allowed to start the meeting even if the organizer’s policy is not configured to let anonymous people start a meeting. Other anonymous users like guests using the Teams web client and untrusted VTCs are not affected by the ‘callers’ option and will only be able to start a meeting if explicitly allowed.
Modifying either of these setting away from their policy-defined values will only apply to the meeting occurrence or series which is being edited. Any new meetings will continue to default to the settings configured on the meeting policy assigned to the meeting organizer.
The following table outlines the lobby enforcement behavior each type of participant will experience when joining a Microsoft Teams meeting. The results depends on the lobby options for each individual meeting which are defined by default values derived from the organizer’s assigned meeting policy and any custom changes possibly applied to the meeting itself directly by the organizer.
|Meeting Options||Meeting Configuration|
|Who can bypass the lobby?||Everyone||People in my organization,
|People in my organization
|Always let callers bypass the lobby||Enabled||Disabled||Enabled||Disabled||Enabled||Disabled|
|Participant||Lobby Enforcement Behavior|
|Trusted VTC (CVI)||Bypass||Bypass||Bypass||Bypass||Bypass||Bypass**|
|Untrusted VTC (CVI)||Bypass*||Lobby||Lobby||Lobby||Lobby||Lobby|
- Among the participant types outlined above there are two different types which Teams confusingly categorizes as “guests”. The Teams Guest represents an authenticated Teams user from another tenant which has specifically been invited as a guest to an existing Team. These participants are treated the same as other participants from the meeting organizer’s own tenant and would override any existing federation configuration which may have blocked that guest’s domain.
- The Anonymous Guest is an unauthenticated, anonymous user joining a Teams meeting from a web browser without signing into Teams in any tenant. Teams will identify this attendee as such in the meeting’s participant list by appending “(Guest)” to whatever display name is provided by the participant when joining.
* One caveat to be aware of is when a meeting is set to allow Everyone to bypass the lobby Teams will still treat trusted and untrusted participants differently in one specific case: when the participant is the first attendee into the meeting. By default, Teams does not allow untrusted participants to start a meeting, so when an anonymous participant is the first attendee into a meeting it will be temporarily held in the meeting lobby. Once the first trusted participant joins the meeting then any untrusted attendees currently in the lobby are automatically admitted into the meeting. If a trusted participant is already in the meeting then all untrusted participants will transparently bypass the lobby and go directly into the meeting.
** Currently there is an anomaly where a Trusted VTC joining via a CVI service will automatically bypass the lobby of a meeting configured to allow only the meeting Organizer to do so. Microsoft plans to fix this so that the Trusted VTC will go into the lobby like other trusted participants currently do.