Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Important
An External network is a redesigned external Viva Engage network type that requires and supports Microsoft Entra authentication and identity.
Microsoft designs modern external Viva Engage networks to promote collaboration between organizations. Modern networks allow users and teams from different companies, known as external participants, to communicate and share information in an industry-standard secure environment. Enterprise admins allocate these special external networks to partners, consultants, and other outside companies to conduct team discussions, share files, and collaborate on projects.
All Viva Engage networks use Microsoft Entra identities and policies. Doing so enables users, groups, and content to map directly to their accounts in Microsoft Entra and in Microsoft 365. All parent Viva Engage networks and external Viva Engage networks observe this standard. To promote safe and secure collaboration, Engage networks also supports eDiscovery through the Microsoft Purview portal.
In this procedure, create a new Microsoft Entra workforce tenant to support the Viva Engage external network. As part of provisioning the new tenant, you also configure and enable the same B2B user account and email address from the main Viva Engage network.
Supported features for the modern external network
External Participants: Users can add external participants to their public and private Viva Engage communities.
Create and Connect: Users can browse existing external networks or create new networks to connect with external collaborators.
Management: Administrators can manage external networks, set permissions, monitor activity, and ensure compliance with organizational policies.
Note
Modern Viva Engage external networks support the Communities feature, with future expansions to include Campaigns, Events, and Knowledge.
Requirements
Modern external networks must use the following Microsoft 365 requirements:
- Global Administrator privileges
- Microsoft 365 E5 license for at least one user
- Permissions to create new Workforce tenant.
Viva Engage also has the following requirements:
- The active Global Administrator account
The last requirement involves correct user provisioning.
- The B2B user account and email address of your main Viva Engage network gets provisioned in the new workforce tenant network. This value must be present in Microsoft Entra.
Set up a modern external network
Take the following steps to perform a modern external network configuration. Complete these tasks in the order shown. Since the role requirements vary by each task, they're called out in each section.
Set up a new Microsoft Entra workforce tenant
Note
Consult the Microsoft Entra documentation QuickStart - Access and create new tenant for information and steps to set up your new workforce tenant for the modern external network. Ensure that the new tenant's Country/Region setting matches the Home tenant's Country/Region value. For example, if the tenant that hosts the Engage Home network is in the United States, the new tenant also must be hosted in the United States. If the Country/Region value doesn't match, the new Engage network can't link to the Home network.
After creating the tenant, copy the new Microsoft Entra Tenant ID to a safe location for later use.
Assign the required license and email address to the tenant admin
The new tenant automatically embeds the creating user as a B2B guest, and assigns them the Global Administrator role and privileges.
Use the Microsoft Entra admin center to assign the correct license to the B2B guest. You assign a Microsoft 365 E5 license to the Global Administrator of the new tenant. Doing so enables the Global Administrator to sign into Viva Engage as the Network Admin.
In the Microsoft Entra admin center, add the creating user's email address to their Entra B2B guest user account in the new tenant.
Important
The creating user's email address must be the same email that is associated with the user's account for the parent Viva Engage network.
Note
Enable the Engage Core Service plan for the user in the assigned Microsoft 365 E5 license. Then, the admin needs to confirm that the B2B guest account owns the global admin role and the correct Microsoft 365 E5 license.
Connect the new Microsoft Entra tenant to the parent network
Because the legacy external network doesn't yet have a Microsoft Entra tenant that backs it, the legacy network can't communicate with the parent Viva Engage network.
The new tenant also needs to connect to the parent network. The next step is to connect the new Microsoft Entra tenant with the parent Viva Engage network so the parent network knows about its existence.
This process requires two steps:
- Generate a tenant association token.
- Redeem the tenant association token in the parent network. This step connects and links the new Microsoft Entra tenant to the parent Viva Engage network.
Generate the association token
Do the following to create the association token:
As the Viva Engage Global Administrator, go to engage.cloud.microsoft and sign into Viva Engage on the new Microsoft Entra tenant.
In Viva Engage, select the settings icon, and go to Admin center.
In the Admin center, on the Setup and Configuration tab, select External Networks.
Select Setup External Network.
Select the Generate Code tab to generate a one-time tenant association code, and select Generate. You use the code to associate the new Microsoft Entra tenant with the parent Engage network.
Make a note of the association code, because it's used in later steps.
Redeem the Token to associate the new external network/tenant with the parent Viva Engage network
This process uses the association token to establish the new Microsoft Entra tenant with the enterprise parent Viva Engage network.
- Sign out of the new Engage external network. (If you use In-Private, or Saved Profiles, you don't need to sign out.)
- Sign in to the parent Viva Engage network on engage.cloud.microsoft. (The user must be the same Global Administrator that sets up the new tenant.)
- To access External Networks Setup in the parent network, select the settings icon, and go to the admin center.
- In the admin center Setup and Configuration tab, select External Networks.
- Select Set up external network.
- Select the Redeem code tab to redeem the association code. Add the association token and the Microsoft Entra tenant ID saved from the prior steps.
The redemption of the association code gives the following result:
The parent network connects to the new tenant.
Connect the legacy external network to the new external network
After the new Microsoft Entra tenant associates to the parent network, set the legacy external network to connect to the new external network. To do so, use the same association token and Microsoft Entra tenant ID from the previous sections.
- From the parent Engage network, network switch to the legacy external network.
- To open the external network settings, select the Settings Icon on the external network and choose Network Admin.
- To associate the legacy external network to the new external network, select External Network Upgrade from the menu.
- Use the same tenant ID and tenant association token from the previous steps to enter the information in the appropriate fields and select Redeem token.
Because it's backed by the new Microsoft Entra tenant, the Viva Engage external network binds to the new external network.
Note
The system signs the user out from the legacy network to allow immediate sign in with Microsoft Entra as the identity provider.
Launch the modern external network
Important
Update the policies of the Microsoft Entra tenant that hosts your new external network based on your security posture. Pay particular attention to policies that identify, respond to, and recover from security threats.
After the data move completes, the network administrators can take the following steps:
- Confirm that the communities are configured as they were in the legacy Network.
- Notify users of their membership in the new network.
Note
Bringing user accounts to the updated external network offers a feature to notify users of the new URL/domain. We suggest including the tenant ID of the new External Network in the invite URL. Format it as https://engage.cloud.microsoft/main/org/<Tenant ID>.
FAQ
What's the best way to set up a tenant for a Viva Engage modern external network?
There are three ways to prepare a tenant for modern external networks:
Create a new tenant using the add-on tenant flow. Use the same user account that is automatically projected into the new tenant. Users created this way might be missing a required email property for their Microsoft Entra user account. During setup, fill in the same email as your home tenant user so Viva Engage can sync that user account.
Create a tenant using the add-on tenant flow and invite a different user to the tenant. The process is similar to #1, but has other requirements:
- The invited user must be given the Global Admin (GA) role
- The invited user must be set to Member.
The invited user automatically has the email property set because of the invitation flow.
Use a preexisting tenant. The user has the same requirements as #2, but no tenant creation flow is necessary. The same user must be projected into two tenants, and the user account requires the email property to be set to the same value on both user instances.
Can I use external networks for consumer identities in external networks?
External networks provide full support for the Consumer Identities use case.
What's the process for members to join the migrated external network?
The external network continues support for the same invitation flow to add members. Admins can use cross-tenant sync to join users directly into Microsoft Entra, and those users have access to the external network.