Even after setting Automatically admit people to “Everyone in your organization and federated organizations” and Allow dial-in users to bypass the lobby to Off in the meeting policy, external users or guests are still able to bypass the lobby and join the meeting directly.
I had to open a ticket with Microsoft after one week of troubleshooting and finally found the root cause of this and fixed it for the client. I hope this will help you too if you are facing a similar issue where third-party vendor or external guest users are able to bypass the lobby even though the meeting policy is configured correctly.
Below is a screenshot of the meeting policy configured and assigned to all users. You can check the meeting policy from Teams admin center -> Meetings -> Meeting policies -> Global (Org-wide default). In my case the Global (Org-wide default) policy is assigned to all users. If you have created a custom meeting policy that is assigned to all users, open that policy and check the Participants & guests section.
Automatically admit people Meeting Policy Setting:
This is a per-organizer policy. This setting controls whether people join a meeting directly or wait in the lobby (for meetings scheduled by the user who is assigned the policy), until they are admitted by an authenticated user. This setting does not apply to dial-in users.
If your tenant is set to Open Federation with External Access enabled for Skype for Business and Teams users outside the organization, and you have selected “Everyone in your organization and federated organizations” under “Automatically admit people” in the meeting policy in the Teams Admin Center, the people you invite to a meeting are considered trusted users from a trusted organization, which allows them to bypass the lobby. The meeting invite sent to external people confirms that they can do so.
(External Access) Federation in Teams
External users using Skype for Business or Teams can communicate freely with people in your organization as long as both parties are federated. This is made possible by enabling external access in the Teams Admin Center.
By default, external access is turned on in Teams, which means that your organization can communicate with all external domains. If you add blocked domains, all other domains will be allowed; and if you add allowed domains, all other domains will be blocked. The exception to this rule is if anonymous participants are allowed in meetings.
- Open federation: This is the default setting in Teams, and it lets people in your organization find, call, chat, and set up meetings with people external to your organization in any domain.
In this scenario, your users can communicate with all external domains that are running Teams or Skype for Business AND are using open federation OR have added your domain to their allow list.
- Allow specific domains: By adding domains to an Allow list, you limit external access to only the allowed domains. Once you set up a list of allowed domains, all other domains will be blocked. To allow specific domains, click Add a domain, add the domain name, click Action to take on this domain, and then select Allowed.
- Block specific domains: By adding domains to a Block list, you can communicate with all external domains except the ones you’ve blocked. To block specific domains, click Add a domain, add the domain name, click Action to take on this domain, and then select Blocked. Once you set up a list of blocked domains, all other domains will be allowed.
If you do not want these external people to be able to bypass the lobby, you can either:
- Allow only specific domains for federation, which disables open federation. Meeting participants whose domain is not in the allowed list will then have to wait in the lobby. OR
- Change your meeting policy for lobby bypass to Organizers only or Everyone in your organization, so that all external users have to wait in the lobby until they are admitted. Again, any authenticated user currently in the meeting can admit them; it does not have to be the organizer.
To fix this issue, we added the vendor/partner/trusted domain to the Allowed list so that all other domains are considered blocked and have to wait in the lobby.
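The same check and both remediations can be done from Teams PowerShell rather than the admin center, which makes it easy to audit several tenants for the open-federation plus federated-lobby-bypass combination described above. The script below is an added example, not code from the original post or from Microsoft; it assumes the MicrosoftTeams module is installed and that the account running it is a Teams administrator. The domain names are placeholders, and the `Mode` parameter is an assumption of this example (it defaults to `Audit`, which changes nothing).

```powershell
# Added example (not from the original post). Requires the MicrosoftTeams
# module. Default mode only reads configuration; the two other modes apply
# the remediations described in the post.
param(
    [ValidateSet('Audit', 'AllowListFederation', 'TightenLobby')]
    [string]$Mode = 'Audit',
    # Placeholder trusted domains; replace with your vendor/partner domains.
    [string[]]$TrustedDomains = @('partner.example', 'vendor.example')
)

Connect-MicrosoftTeams | Out-Null

# --- Audit: read federation settings and the org-wide meeting policy ----
$fed    = Get-CsTenantFederationConfiguration
$policy = Get-CsTeamsMeetingPolicy -Identity Global

# Assumption: with open federation AllowedDomains reports AllowAllKnownDomains
# and exposes no AllowedDomain entries; with an allow list it holds one entry
# per domain.
$allowList      = @($fed.AllowedDomains.AllowedDomain)
$openFederation = $fed.AllowFederatedUsers -and ($allowList.Count -eq 0)

Write-Host "AllowFederatedUsers         : $($fed.AllowFederatedUsers)"
Write-Host "Allowed-domain entries      : $($allowList.Count)"
Write-Host "AutoAdmittedUsers           : $($policy.AutoAdmittedUsers)"
Write-Host "AllowPSTNUsersToBypassLobby : $($policy.AllowPSTNUsersToBypassLobby)"

# This is the combination that let external users skip the lobby in the post.
if ($openFederation -and
    $policy.AutoAdmittedUsers -eq 'EveryoneInSameAndFederatedCompany') {
    Write-Warning ('Open federation with EveryoneInSameAndFederatedCompany: ' +
                   'any federated Teams/SfB user bypasses the lobby.')
}

switch ($Mode) {
    'AllowListFederation' {
        # Remediation A from the post: replace open federation with an allow
        # list, so every domain not listed is treated as blocked and its
        # users wait in the lobby.
        $patterns = $TrustedDomains | ForEach-Object {
            New-CsEdgeDomainPattern -Domain $_
        }
        $newAllowList = New-CsEdgeAllowList -AllowedDomain $patterns
        Set-CsTenantFederationConfiguration -AllowedDomains $newAllowList
        Write-Host "Federation restricted to: $($TrustedDomains -join ', ')"
    }
    'TightenLobby' {
        # Remediation B from the post: keep federation as is, but make
        # everyone outside the organization wait in the lobby. Use
        # 'OrganizerOnly' instead of 'EveryoneInCompany' if only the
        # organizer should bypass it.
        Set-CsTeamsMeetingPolicy -Identity Global `
            -AutoAdmittedUsers 'EveryoneInCompany' `
            -AllowPSTNUsersToBypassLobby $false
        Write-Host 'Global meeting policy now admits only organization users directly.'
    }
}
```

Run it with no arguments first to see the current state; only the `-Mode AllowListFederation` or `-Mode TightenLobby` switches write anything. Note that remediation A changes who can chat and call with your users at all, while remediation B changes only who waits in the lobby, so pick the one that matches the relationship you have with the external party.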