Skip to content

Direct guest join Microsoft Teams Room devices does not work

If you have a Microsoft Teams Room (MTR) device, you can now join Cisco Webex and Zoom Meetings directly. The “Join Cisco WebEx meetings from Teams Rooms with direct guest join” was introduced with Microsoft Teams Room version 4.5.35.0, please see the Release Notes.

Join WebEx on MTR
Join WebEx on MTR
Modify the MTR config
Modify the MTR config

If you use the “Safe Link” AntiSpam/Security Feature in Exchange Online Protection (EOP) or Advanced Threat Protection (ATP) you might want to exclude the URLs for Microsoft Teams, Cisco Webex and Zoom meetings. If you do not exclude the rewrites of these URLs, the Microsoft Teams Room (MTR) is unable to handle the altered URLs and the join will not work.

Guest join is not working
Guest join is not working

The altered/rewritten URLs looks like this: https://eur03.safelinks.protection.outlook.com/?url=https

You can use the Exchange Admin Center (EAC) to change that behaviour.

Where to find it
Where to find it

You will find this in “advanced threats/safe links“.

Modify the Policy
Modify the Policy

I recommend to exclude the following URLs:

'*.webex.com/*'
'*.zoom.us/*'
'zoom.us/*'
'*.teams.microsoft.com/*'
'teams.microsoft.com/*'
'zoom.com/*'
'*.zoom.com/*'
Guest join is working
Guest join is working

If you have multiple Rules, you might want to use PowerShell to automate this process!

# Get your active SafeLinks Policy/Policies
Get-SafeLinksPolicy | Where-Object -FilterScript {
   $_.IsEnabled -eq $true
} | Select-Object -ExpandProperty Identity

# I use the default policy in this example
$SafeLinksPolicyIdentity = 'Recommended safe links policy'

# A list of URLs to exclude from rewriting
$DoNotRewriteUrls = @(
   '*.webex.com/*'
   '*.zoom.us/*'
   'zoom.us/*'
   '*.teams.microsoft.com/*'
   'teams.microsoft.com/*'
   'zoom.com/*'
   '*.zoom.com/*'
)

# I use the default policy in this example
Set-SafeLinksPolicy -Identity $SafeLinksPolicyIdentity -DoNotRewriteUrls $DoNotRewriteUrls
<#
      Note:
      The WhiteListedUrls and ExcludedUrls parameters are deprecated
      Only use the DoNotRewriteUrls parameter
#>

# Remove all URLs from the SafeLinks Policy/Policies
$DoNotRewriteUrls = @()
Set-SafeLinksPolicy -Identity $SafeLinksPolicyIdentity -DoNotRewriteUrls $DoNotRewriteUrls

I also recommend a few more things for the SafeLinks policy/policies:

# Apply my recommended settings to the policy/policies
$paramSetSafeLinksPolicy = @{
   Identity                 = $SafeLinksPolicyIdentity
   DoNotTrackUserClicks     = $false
   DoNotAllowClickThrough   = $true
   ScanUrls                 = $true
   EnableForInternalSenders = $true
   DeliverMessageAfterScan  = $true
}
Set-SafeLinksPolicy @paramSetSafeLinksPolicy

<#
      Identity					    = The Identity parameter specifies the Safe Links policy that you want to modify
      DoNotTrackUserClicks	    = Track user clicks related to links in email messages and Microsoft Teams
      DoNotAllowClickThrough   = Disallow users to click through to the original URL
      ScanUrls					    = Enable real-time scanning of links in email messages
      EnableForInternalSenders = The policy is applied to internal and external senders
      DeliverMessageAfterScan  = Wait until Safe Links scanning is complete before delivering the message
#>

This is fine, no panic:

WARNING: The command completed successfully but no settings of 'Recommended safe links policy' have been modified.

If you let external parties and/or services to invite your Microsoft Teams Room (MTR) directly, you need to tweak the calendar processing for it/them:

# Do this for all your Teams Room Devices that should except external invitations
Set-CalendarProcessing -Identity '<Your Device here>' -ProcessExternalMeetingMessages $true

The code above looks crappy on my Blog, but there is a GIST for all the Code above!

Published inHowTo

Be First to Comment

    Leave a comment

    By posting a comment you consent that I store the submitted information as well as your anonymized IP address on my servers, under the terms of my Privacy Policy. Your email is never shared with anyone else.

    Required fields are marked *.