Teams Shared Channel Setup Guide
Last updated: May 21, 2026
Microsoft Teams requires administrator configuration on your organization's side to enable shared channels with PressW. This guide provides the exact steps your IT administrator (or MSP) needs to follow.
Important: Your internal Microsoft / Entra ID administrator will need to perform the below operations. If you use an external IT provider (MSP), please forward this guide to them.
Part 1: Entra ID Configuration
Step-by-Step
Login to https://entra.microsoft.com
Navigate to External Identities → Cross-Tenant Access Settings
Click + Add Organization
Search for pressw.ai. You should see PressW Directory with Tenant ID 6a548927-a7e8-4842-bce5-22513aee69db
If the domain search doesn't work, paste the Tenant ID directly: 6a548927-a7e8-4842-bce5-22513aee69db
Click Add at the bottom
You should now see a row with PressW in the organizations list
Configure Inbound Access
Click Inherited from default under the Inbound Access column for the PressW row
Important: You must click "Customize settings" at the top — if you skip this, the settings will not actually change even if you toggle them.
Update the following settings:
B2B Collaboration
External Users and Groups: Allow Access
Applications: Allow Access
B2B Direct Connect
External Users and Groups: Allow Access
Applications: Allow Access
Click Save
Configure Outbound Access
Do not skip this section. Both Inbound and Outbound must be configured for shared channels to work.
Go back to the organizations list
Click Inherited from default under the Outbound Access column for the PressW row
Important: Click "Customize settings" at the top.
Update the following settings:
B2B Collaboration
External Users and Groups: Allow Access
Applications: Allow Access
B2B Direct Connect
External Users and Groups: Allow Access
Applications: Allow Access
Click Save
Verify Entra Configuration
Go back to the organizations list
Confirm the PressW row shows Configured (not "Inherited from default") for both Inbound Access and Outbound Access
If either column still says "Inherited from default," repeat the steps above — you likely need to click "Customize settings" before making changes
Note: Cross-tenant access changes can take up to 24 hours to propagate. If everything looks correct but shared channels aren't working yet, wait 24 hours and try again.
Part 2: Conditional Access — Check for MFA / Device Compliance Policies
This step is critical and often overlooked. Conditional Access policies that require MFA or device compliance can silently block shared channels, even when all other settings are correct.
Shared channels use B2B Direct Connect, which behaves differently from regular guest access. If your organization has a Conditional Access (CA) policy that requires MFA or device compliance for external/guest users, B2B Direct Connect users are blocked outright — they do not get prompted for MFA, they are simply denied access with no clear error message.
Check for blocking CA policies
Login to https://entra.microsoft.com
Navigate to Protection → Conditional Access → Policies
Look for any policy that meets all three of these criteria:
Assignments → Users: Targets "Guest or external users" (or "All users")
Assignments → Target resources: Includes "Office 365 SharePoint Online" or "All cloud apps"
Grant: Requires MFA, compliant device, or Microsoft Entra hybrid joined device
If such a policy exists, it will block shared channel access for PressW users unless you configure trust settings (see below)
Option A: Configure Inbound Trust Settings (Recommended)
This tells your tenant to trust MFA and device compliance claims from PressW's tenant, so your CA policies are satisfied without blocking access:
Navigate to External Identities → Cross-Tenant Access Settings
Click on the PressW row → Inbound Access → Trust settings tab
Enable the following as needed:
Trust multifactor authentication from Microsoft Entra tenants — check this if you have a CA policy requiring MFA
Trust compliant devices — check this if you have a CA policy requiring device compliance
Trust Microsoft Entra hybrid joined devices — check this if you have a CA policy requiring hybrid joined devices
Click Save
Option B: Exclude B2B Direct Connect Users from the CA Policy
If you do not want to trust external MFA/device claims, you can exclude B2B direct connect users from the blocking policy:
In the Conditional Access policy, go to Assignments → Users → Exclude
Select Guest or external users → specifically select B2B direct connect users
Save the policy
Why this matters: Unlike regular B2B guest users who get prompted to complete MFA in your tenant, B2B Direct Connect users cannot register for or complete MFA in your tenant. If your CA policy requires MFA and you don't trust their home tenant's MFA, they are silently blocked. This is the most common "invisible" cause of shared channel failures.
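The three criteria above, together with Option A and Option B, expressed as one offline check over policy objects. This is an added example, not part of PressW's verification script; the function name, the sample policies and the conservative handling of a bare `GuestsOrExternalUsers` entry are assumptions, and the `Office365` app-group value and SharePoint Online app ID are Microsoft Graph values, not taken from this guide.

```powershell
# Added example: Part 2's three criteria plus Options A and B as one check.
# Property names follow the Microsoft Graph conditionalAccessPolicy resource.
$SharePointAppId = '00000003-0000-0ff1-ce00-000000000000'   # Office 365 SharePoint Online
$TrustFlag = @{ mfa = 'IsMfaAccepted'; compliantDevice = 'IsCompliantDeviceAccepted'
                domainJoinedDevice = 'IsHybridAzureADJoinedDeviceAccepted' }

function Get-UnmetDirectConnectControl {   # hypothetical helper name
    param([Parameter(Mandatory)] $Policy, $InboundTrust)
    if ($Policy.state -ne 'enabled') { return }
    $u = $Policy.conditions.users
    # Criterion 1: "All users" or a guest/external selection covering B2B direct connect.
    # A bare 'GuestsOrExternalUsers' entry is treated conservatively as covering every type.
    $inc = [string]$u.includeGuestsOrExternalUsers.guestOrExternalUserTypes
    $targeted = (@($u.includeUsers) -contains 'All') -or
                (@($u.includeUsers) -contains 'GuestsOrExternalUsers') -or
                ($inc -match 'b2bDirectConnectUser')
    # Option B: B2B direct connect users are excluded from the policy.
    $exc = [string]$u.excludeGuestsOrExternalUsers.guestOrExternalUserTypes
    if (-not $targeted -or $exc -match 'b2bDirectConnectUser') { return }
    # Criterion 2: all cloud apps, the Office 365 app group, or SharePoint Online itself.
    $apps = @($Policy.conditions.applications.includeApplications)
    if (-not ($apps | Where-Object { $_ -in 'All', 'Office365', $SharePointAppId })) { return }
    # Criterion 3: controls a direct connect user cannot complete in this tenant.
    $required = @($Policy.grantControls.builtInControls | Where-Object { $_ -in $TrustFlag.Keys })
    # Option A: a control is met when the matching inbound trust flag is enabled.
    $unmet = @($required | Where-Object { -not $InboundTrust.($TrustFlag[$_]) })
    # With operator OR, one trusted control satisfies the policy.
    if ($Policy.grantControls.operator -eq 'OR' -and $unmet.Count -lt $required.Count) { return }
    $unmet
}

# Constructed sample policies in Graph JSON shape (not real tenant data).
$policies = @'
[{"displayName":"Guests: require MFA","state":"enabled",
  "conditions":{"users":{"includeUsers":[],"includeGuestsOrExternalUsers":
     {"guestOrExternalUserTypes":"b2bCollaborationGuest,b2bDirectConnectUser"}},
   "applications":{"includeApplications":["All"]}},
  "grantControls":{"operator":"OR","builtInControls":["mfa"]}},
 {"displayName":"All users: compliant device","state":"enabled",
  "conditions":{"users":{"includeUsers":["All"],"excludeGuestsOrExternalUsers":
     {"guestOrExternalUserTypes":"b2bDirectConnectUser"}},
   "applications":{"includeApplications":["Office365"]}},
  "grantControls":{"operator":"OR","builtInControls":["compliantDevice"]}}]
'@ | ConvertFrom-Json

foreach ($trust in @{ IsMfaAccepted = $false }, @{ IsMfaAccepted = $true }) {
    foreach ($p in $policies) {
        $unmet = @(Get-UnmetDirectConnectControl -Policy $p -InboundTrust $trust)
        $state = if ($unmet) { "BLOCKS ($($unmet -join ', '))" } else { 'ok' }
        '{0,-30} trust MFA={1,-5} -> {2}' -f $p.displayName, $trust.IsMfaAccepted, $state
    }
}
```

Against a live tenant, pass the objects returned by `Get-MgIdentityConditionalAccessPolicy -All` and the partner's `InboundTrust` object in place of the constructed samples.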
Part 3: Teams Channel Policy
Navigate to https://admin.teams.microsoft.com/policies/channels
Select the Teams policy assigned to your users — the default is "Global (Org-Wide Default)"
If your organization uses custom Teams policies, you must also update the policy that is assigned to the specific users who will participate in shared channels
Ensure the following items are all turned On:
Create shared channels — On
Invite external users to shared channels — On
Join external shared channels — On
Part 4: Verify Your Configuration
Once setup is complete, your IT administrator can verify the connection is working correctly before PressW sends any shared channel invites.
Option A: PowerShell Verification (Recommended)
Your admin can run this PowerShell script to verify all settings are correct. This requires the Microsoft Graph PowerShell SDK.
PowerShell Verification Script
```powershell
# Install the module if you don't have it
# Install-Module Microsoft.Graph -Scope CurrentUser

# Connect with the required permissions
Connect-MgGraph -Scopes "Policy.Read.All","Policy.Read.ConditionalAccess"

# Check cross-tenant access settings for PressW
$presswTenantId = "6a548927-a7e8-4842-bce5-22513aee69db"
$partner = Get-MgPolicyCrossTenantAccessPolicyPartner -CrossTenantAccessPolicyConfigurationPartnerTenantId $presswTenantId

Write-Host "`n=== PressW Cross-Tenant Access Configuration ===" -ForegroundColor Cyan

# Check Inbound B2B Direct Connect
$inboundDC = $partner.B2bDirectConnectInbound
if ($null -eq $inboundDC) {
    Write-Host "[WARNING] Inbound B2B Direct Connect: Not configured (inheriting from default)" -ForegroundColor Yellow
    $default = Get-MgPolicyCrossTenantAccessPolicyDefault
    $defaultInbound = $default.B2bDirectConnectInbound
    if ($defaultInbound.UsersAndGroups.AccessType -eq "allowed") {
        Write-Host " -> Default allows inbound B2B Direct Connect (OK)" -ForegroundColor Green
    } else {
        Write-Host " -> Default BLOCKS inbound B2B Direct Connect (PROBLEM)" -ForegroundColor Red
    }
} else {
    if ($inboundDC.UsersAndGroups.AccessType -eq "allowed" -and $inboundDC.Applications.AccessType -eq "allowed") {
        Write-Host "[OK] Inbound B2B Direct Connect: Allowed" -ForegroundColor Green
    } else {
        Write-Host "[PROBLEM] Inbound B2B Direct Connect: Not fully allowed" -ForegroundColor Red
        Write-Host " Users/Groups: $($inboundDC.UsersAndGroups.AccessType)"
        Write-Host " Applications: $($inboundDC.Applications.AccessType)"
    }
}

# Check Outbound B2B Direct Connect
$outboundDC = $partner.B2bDirectConnectOutbound
if ($null -eq $outboundDC) {
    Write-Host "[WARNING] Outbound B2B Direct Connect: Not configured (inheriting from default)" -ForegroundColor Yellow
    if (-not $default) { $default = Get-MgPolicyCrossTenantAccessPolicyDefault }
    $defaultOutbound = $default.B2bDirectConnectOutbound
    if ($defaultOutbound.UsersAndGroups.AccessType -eq "allowed") {
        Write-Host " -> Default allows outbound B2B Direct Connect (OK)" -ForegroundColor Green
    } else {
        Write-Host " -> Default BLOCKS outbound B2B Direct Connect (PROBLEM)" -ForegroundColor Red
    }
} else {
    if ($outboundDC.UsersAndGroups.AccessType -eq "allowed" -and $outboundDC.Applications.AccessType -eq "allowed") {
        Write-Host "[OK] Outbound B2B Direct Connect: Allowed" -ForegroundColor Green
    } else {
        Write-Host "[PROBLEM] Outbound B2B Direct Connect: Not fully allowed" -ForegroundColor Red
        Write-Host " Users/Groups: $($outboundDC.UsersAndGroups.AccessType)"
        Write-Host " Applications: $($outboundDC.Applications.AccessType)"
    }
}

# Check Inbound B2B Collaboration
$inboundCollab = $partner.B2bCollaborationInbound
if ($null -eq $inboundCollab) {
    Write-Host "[WARNING] Inbound B2B Collaboration: Not configured (inheriting from default)" -ForegroundColor Yellow
} else {
    if ($inboundCollab.UsersAndGroups.AccessType -eq "allowed" -and $inboundCollab.Applications.AccessType -eq "allowed") {
        Write-Host "[OK] Inbound B2B Collaboration: Allowed" -ForegroundColor Green
    } else {
        Write-Host "[PROBLEM] Inbound B2B Collaboration: Not fully allowed" -ForegroundColor Red
    }
}

# Check Outbound B2B Collaboration
$outboundCollab = $partner.B2bCollaborationOutbound
if ($null -eq $outboundCollab) {
    Write-Host "[WARNING] Outbound B2B Collaboration: Not configured (inheriting from default)" -ForegroundColor Yellow
} else {
    if ($outboundCollab.UsersAndGroups.AccessType -eq "allowed" -and $outboundCollab.Applications.AccessType -eq "allowed") {
        Write-Host "[OK] Outbound B2B Collaboration: Allowed" -ForegroundColor Green
    } else {
        Write-Host "[PROBLEM] Outbound B2B Collaboration: Not fully allowed" -ForegroundColor Red
    }
}

# Check Inbound Trust Settings (for CA policy compatibility)
Write-Host "`n=== Inbound Trust Settings ===" -ForegroundColor Cyan
$trust = $partner.InboundTrust
if ($null -eq $trust) {
    Write-Host "[INFO] No inbound trust settings configured" -ForegroundColor Yellow
    Write-Host " If you have CA policies requiring MFA or device compliance for external users,"
    Write-Host " shared channels WILL be blocked. See Part 2 of the setup guide."
} else {
    if ($trust.IsMfaAccepted) {
        Write-Host "[OK] Trust MFA from PressW: Yes" -ForegroundColor Green
    } else {
        Write-Host "[WARNING] Trust MFA from PressW: No" -ForegroundColor Yellow
    }
    if ($trust.IsCompliantDeviceAccepted) {
        Write-Host "[OK] Trust compliant devices from PressW: Yes" -ForegroundColor Green
    } else {
        Write-Host "[WARNING] Trust compliant devices from PressW: No" -ForegroundColor Yellow
    }
    if ($trust.IsHybridAzureADJoinedDeviceAccepted) {
        Write-Host "[OK] Trust hybrid joined devices from PressW: Yes" -ForegroundColor Green
    } else {
        Write-Host "[WARNING] Trust hybrid joined devices from PressW: No" -ForegroundColor Yellow
    }
}

# Check for Conditional Access policies that may block B2B Direct Connect
Write-Host "`n=== Conditional Access Policy Check ===" -ForegroundColor Cyan
try {
    $policies = Get-MgIdentityConditionalAccessPolicy -All
    $potentialBlockers = @()
    foreach ($policy in $policies) {
        if ($policy.State -ne "enabled") { continue }
        $targetsExternalUsers = $false
        $requiresMfaOrDevice = $false

        # Check if policy targets guest/external users or all users
        $includeUsers = $policy.Conditions.Users.IncludeUsers
        $includeGuestsOrExternal = $policy.Conditions.Users.IncludeGuestsOrExternalUsers
        if ($includeUsers -contains "All" -or $null -ne $includeGuestsOrExternal) {
            $targetsExternalUsers = $true
        }

        # Check if policy requires MFA, compliant device, or hybrid join
        $grantControls = $policy.GrantControls.BuiltInControls
        if ($grantControls -contains "mfa" -or $grantControls -contains "compliantDevice" -or $grantControls -contains "domainJoinedDevice") {
            $requiresMfaOrDevice = $true
        }
        if ($policy.GrantControls.BuiltInControls -contains "block") {
            $requiresMfaOrDevice = $true
        }

        if ($targetsExternalUsers -and $requiresMfaOrDevice) {
            $potentialBlockers += $policy
        }
    }

    if ($potentialBlockers.Count -eq 0) {
        Write-Host "[OK] No CA policies found that would block B2B Direct Connect users" -ForegroundColor Green
    } else {
        Write-Host "[WARNING] Found $($potentialBlockers.Count) CA policy(ies) that may block shared channels:" -ForegroundColor Yellow
        foreach ($p in $potentialBlockers) {
            Write-Host " - $($p.DisplayName) (requires: $($p.GrantControls.BuiltInControls -join ', '))" -ForegroundColor Yellow
        }
        Write-Host ""
        Write-Host " These policies will BLOCK B2B Direct Connect users unless:" -ForegroundColor Yellow
        Write-Host " 1. You configure Inbound Trust to accept MFA/device claims from PressW, OR" -ForegroundColor Yellow
        Write-Host " 2. You exclude B2B direct connect users from these policies" -ForegroundColor Yellow
    }
} catch {
    Write-Host "[SKIPPED] Could not read CA policies (requires Policy.Read.ConditionalAccess permission)" -ForegroundColor Yellow
}

Write-Host "`n=== Summary ===" -ForegroundColor Cyan
Write-Host "If any items show [PROBLEM], shared channels will NOT work."
Write-Host "If items show [WARNING], shared channels may be blocked depending"
Write-Host "on your Conditional Access configuration. See the setup guide for details."

Disconnect-MgGraph
```
Option B: Manual Verification Checklist
If PowerShell is not available, have your admin verify the following in the Entra portal:
[ ] PressW (pressw.ai / 6a548927-a7e8-4842-bce5-22513aee69db) is listed in Cross-Tenant Access Settings → Organizations
[ ] Inbound Access for PressW shows "Configured" (not "Inherited from default")
[ ] Inbound → B2B Direct Connect → Users and Groups: Allow Access
[ ] Inbound → B2B Direct Connect → Applications: Allow Access
[ ] Outbound Access for PressW shows "Configured" (not "Inherited from default")
[ ] Outbound → B2B Direct Connect → Users and Groups: Allow Access
[ ] Outbound → B2B Direct Connect → Applications: Allow Access
[ ] Teams Admin Center → Channel Policies → Create shared channels: On
[ ] Teams Admin Center → Channel Policies → Invite external users to shared channels: On
[ ] Teams Admin Center → Channel Policies → Join external shared channels: On
[ ] No Conditional Access policy blocks B2B Direct Connect users (requiring MFA/device compliance for external users on Office 365 or All Cloud Apps)
[ ] If a blocking CA policy exists: either trust PressW's MFA/device claims in Inbound Trust settings, or exclude B2B direct connect users from the policy
All items must pass. If any are missing, shared channels will fail silently.
Troubleshooting
| Symptom | Likely Cause | Fix |
|---|---|---|
| Shared channel invite never arrives | Outbound B2B Direct Connect not configured on your side | Complete the Outbound Access steps above |
| "Your organization doesn't allow you to join shared channels" | Teams channel policy blocks external shared channels | Enable all three toggles in Teams Admin Center |
| Invite arrives but user can't join | B2B Direct Connect Inbound not configured | Complete the Inbound Access steps above |
| Everything looks correct but still not working | Propagation delay | Wait up to 24 hours after making changes |
| Settings show "Inherited from default" after saving | Didn't click "Customize settings" before toggling | Re-open the settings, click "Customize settings" first, then set to Allow |
| Works for some users but not others | Users assigned to a custom Teams policy | Check which Teams policy is assigned to the affected users and update that policy |
| User is blocked with no error or a generic "access denied" | Conditional Access policy requiring MFA or device compliance is blocking B2B Direct Connect users | Configure Inbound Trust settings for PressW to trust MFA/device claims, or exclude B2B direct connect users from the CA policy (see Part 2) |
| User sees "MFA required" but cannot complete it | CA policy requires MFA but Inbound Trust is not configured | Enable "Trust multifactor authentication from Microsoft Entra tenants" in the PressW Inbound Trust settings |
Need Help?
If your IT administrator has verified all settings above and shared channels still aren't working, please contact PressW at liam@pressw.ai with:
A screenshot of the PressW row in your Cross-Tenant Access Settings (showing both Inbound and Outbound columns)
A screenshot of your Teams channel policy settings
The output of the PowerShell verification script (if available)