Even after setting the meeting policy's 'Automatically admit people' to 'Everyone in your organization and federated organizations' and setting 'Allow dial-in users to bypass the lobby' to Off, external users or guests can still bypass the lobby and join the meeting directly.
I opened a ticket with Microsoft after a week of troubleshooting, and I’ve identified the root cause of this issue and resolved it for the client.
I hope this information will be helpful to you if you encounter a similar problem where third-party vendors or external guest users can bypass the lobby despite having the meeting policy configured correctly.
Here is a screenshot of the meeting policy configuration that has been assigned to all users. You can review the meeting policy in the Teams admin center by navigating to Meetings -> Meeting policies -> Global (Org-wide default).
In my scenario, the Global (Org-wide) policy is applied to all users. If you’ve created a custom meeting policy and it’s assigned to all users, please open that specific meeting policy and inspect the Participants & guests section.
- Automatically admit people setting: This is a per-organizer policy. It determines whether participants can join a meeting directly or if they must wait in the lobby (for meetings scheduled by the user to whom this policy is assigned) until an authenticated user admits them. Please note that this setting does not apply to dial-in users.
When your tenant is configured with Open Federation and External Access is enabled for Skype for Business and Teams users from outside the organization, and you’ve chosen ‘Everyone in your organization and federated organizations’ under ‘Automatically admit people’ in the Meeting Policies settings within the Teams Admin Center, the people you invite to a meeting are categorized as trusted users from trusted organizations.
This classification permits them to bypass the lobby, and the meeting invite you send to external participants explicitly grants them this privilege.
Federation in Teams (External Access)
External users using Skype for Business or Teams can communicate freely with people in your organization as long as both parties are federated. This is made possible by enabling external access in the Teams Admin Center.
By default, external access is turned on in Teams, which means that your organization can communicate with all external domains. If you add blocked domains, all other domains will be allowed; and if you add allowed domains, all other domains will be blocked. The exception to this rule is if anonymous participants are allowed in meetings.
- Open federation: This is the default setting in Teams, and it lets people in your organization find, call, chat and set up meetings with people external to your organization in any domain.
In this scenario, your users can communicate with all external domains that are running Teams or Skype for Business AND are using open federation OR have added your domain to their allow list.
- Allow specific domains: By adding domains to an Allow list, you limit external access to only the allowed domains. Once you set up a list of allowed domains, all other domains will be blocked. To allow specific domains, click Add a domain, add the domain name, click Action to take on this domain, and then select Allowed.
- Block specific domains: By adding domains to a Block list, you can communicate with all external domains except the ones you’ve blocked. To block specific domains, click Add a domain, add the domain name, click Action to take on this domain, and then select Blocked. Once you set up a list of blocked domains, all other domains will be allowed.
If you do not want these external people to have the ability to bypass the lobby, you can either:
- Allow only specific domains for federation, which disables open federation. Meeting participants from a domain that is not listed under allowed domains will then have to wait in the lobby. OR
- Change your meeting policy's lobby bypass setting to Organizers only or Everyone in your organization, so that all external users have to wait in the lobby until they are admitted. Again, any authenticated user already in the meeting can admit them; it doesn’t have to be the organizer.
To fix this issue, we added a vendor/partner or trusted domain to the Allowed list so that all other domains are considered blocked and would have to wait in the lobby.
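The same audit and both fix options can be done from Teams PowerShell instead of the admin center. The script below is an added example, not part of the original post or of Microsoft's documentation: it reads the meeting policy's lobby setting and the tenant federation configuration, warns when the combination described above is present (lobby bypass for federated organizations while open federation is in effect), and optionally applies one of the two fixes. It assumes the MicrosoftTeams PowerShell module, an account with Teams admin rights, the Global policy (pass your custom policy name otherwise), and a constructed placeholder domain 'vendor.example'; the check that treats an empty allow list as open federation assumes the allow-list object exposes its entries as AllowedDomain, which may differ between module versions.

```powershell
# Added example (not from the original post): audit the lobby/federation
# combination that lets federated users skip the lobby, and optionally fix it.
param(
    [string]$PolicyName = 'Global',                      # or your custom meeting policy name
    [ValidateSet('Audit', 'RestrictFederation', 'TightenLobby')]
    [string]$Mode = 'Audit',
    [string[]]$TrustedDomains = @('vendor.example')      # constructed placeholder domain(s)
)

# Requires the MicrosoftTeams module and an admin sign-in.
Connect-MicrosoftTeams | Out-Null

# 1. Meeting policy: who is auto-admitted, and whether dial-in callers bypass the lobby.
$policy = Get-CsTeamsMeetingPolicy -Identity $PolicyName

# 2. Tenant federation (External Access) configuration.
$fed = Get-CsTenantFederationConfiguration

# Open federation = federated users allowed AND no allow list configured.
# Assumption: with an allow list, $fed.AllowedDomains.AllowedDomain holds the entries;
# with open federation ("AllowAllKnownDomains") that property is empty.
$allowEntries   = @($fed.AllowedDomains.AllowedDomain | Where-Object { $_ })
$openFederation = [bool]$fed.AllowFederatedUsers -and ($allowEntries.Count -eq 0)

[pscustomobject]@{
    MeetingPolicy         = $PolicyName
    AutoAdmittedUsers     = $policy.AutoAdmittedUsers          # e.g. EveryoneInSameAndFederatedCompany
    DialInBypassLobby     = $policy.AllowPSTNUsersToBypassLobby
    FederatedUsersAllowed = $fed.AllowFederatedUsers
    AllowedDomainCount    = $allowEntries.Count
    OpenFederation        = $openFederation
} | Format-List

# 3. Flag the risky combination: 'Everyone in your organization and federated
#    organizations' plus open federation means every Teams/Skype tenant that
#    federates openly counts as a trusted organization and bypasses the lobby.
$bypassForFederated = $policy.AutoAdmittedUsers -eq 'EveryoneInSameAndFederatedCompany'
if ($bypassForFederated -and $openFederation) {
    Write-Warning ("Policy '{0}' admits federated users directly and federation is open: " +
                   "users from any federated tenant bypass the lobby.") -f $PolicyName
}

switch ($Mode) {
    'RestrictFederation' {
        # Fix option A: keep the lobby setting, but limit federation to trusted domains.
        # Once any domain is on the allow list, every other domain is blocked and
        # its users wait in the lobby.
        Set-CsTenantFederationConfiguration -AllowedDomainsAsAList @{ Add = $TrustedDomains }
        Write-Host "Allow list now restricted to: $($TrustedDomains -join ', ')"
    }
    'TightenLobby' {
        # Fix option B: keep open federation, but stop auto-admitting federated users.
        # 'EveryoneInCompany' = 'Everyone in your organization'; use 'OrganizerOnly'
        # for 'Organizers only'.
        Set-CsTeamsMeetingPolicy -Identity $PolicyName -AutoAdmittedUsers 'EveryoneInCompany'
        Write-Host "Policy '$PolicyName' now admits only users in your organization automatically."
    }
    default { Write-Host 'Audit only; no changes made.' }
}
```

Run it with no arguments first to see the current state; `-Mode RestrictFederation -TrustedDomains 'partner.example'` applies the allow-list fix used in this post, and `-Mode TightenLobby` applies the alternative of changing the lobby setting instead. Note that changing the federation allow list affects chat and calling with all other domains, not just meeting lobby behaviour, which is why the lobby-only option exists.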