Open Federation vs Direct Federation


  • Hello,

    Please suggest which federation method is higly recommended in terms of security, control and monitoring.I have seen in many articles where experts are suggesting to allow Open federation in place of direct federation, Any suggestion/feedback on this.

    If we allow open federation, is there any way through which we can monitor federated traffic to ensure its credibility.



    Saturday, March 18, 2017 1:53 PM

All replies

  • Hi JinDeep,

    Direct federation is more secure than open federation, you could refer to the following link:

    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.

    From this link, you could notice: “While direct federation is more secure than open federation, it’s still difficult to establish for a variety of reasons”.

    For control and monitor, I could not find any documents about it.

    Best Regards,
    Jim Xu
    TechNet Community Support

    Please remember to mark the replies as answers if they helped.
    If you have feedback for TechNet Subscriber Support, contact

    Monday, March 20, 2017 2:11 AM
  • If you want to control the federation,with whom you wanted to have federation better go with Direct federation.If you make open federation it wont be under your control as any other open federated organisation can federate with you without any admin intervention.There is no builtin monitoring mechanism for federation as per my knowledge.But you can check edge event logs .Edge will always validate federation connection.

    Jayakumar K

    Monday, March 20, 2017 10:51 AM
  • Hi,

    Thanks for reply.

    Our main objective to know if we can analyse what all are activities being performed between internal users and federated users to avoid any misuse of Skype functionality.

    As an Skype Admin , do we have any such option ?



    Monday, March 20, 2017 11:00 AM
  • Hi Jindeep,

    I think Monitoring server role wil help ur need

     Skype for Business Server 2015 enables you to monitor two general types of data: call detailing recording (CDR) data and Quality of Experience (QoE) data. Call detail recording provides a way for you to track the usage of Skype for Business Server 2015 features such as Voice over IP (VoIP) phone calls; instant messaging (IM); file transfers; audio/video (A/V) conferencing; and application sharing sessions. This information helps you know which Skype for Business Server 2015 features are being used (and which ones are not) and also provides information as to when these features are being used. Quality of Experience data allows you to maintain a record of the quality of audio and video calls made in your organization, including such things as the number of network packets lost, background noise, and the amount of "jitter" (differences in packet delay).

    MCSA Office 365 | MCSA Exchange server 2010 | Red Hat Certified Engineer

    Monday, March 20, 2017 12:28 PM
  • Agree with Akabe,you can use reporting but it wont give you segregated report for fedarated activities,you need to pull the report and do some manual task to segregate the activities.

    Jayakumar K

    Monday, March 20, 2017 12:53 PM
  • Hi,

    There is a parameter called "MarkForMonitoring" for "CsAllowedDomain", if we set it to "True".It seems we can see the logs of federated connection as described below:




    Indicates whether the federation connection between your domain and the remote domain will be monitored by Monitoring Server. By default, MarkForMonitoring is set to False, meaning that the connection will not be monitored.

    Is there any one who has seen the report of this type of monitoring data ? I would like to know what all information are included.



    Tuesday, March 21, 2017 3:49 PM
  • again this is subjected to having Monitoring server. Set the value to true and seek help from Monitoring server's report 

    It was a good find. Thnx for sharing

    MCSA Office 365 | MCSA Exchange server 2010 | Red Hat Certified Engineer

    • Edited by Akabe Tuesday, March 21, 2017 3:51 PM
    Tuesday, March 21, 2017 3:50 PM
  • Hi,

    I totally agree with you.I wanted to confirm from monitoring reports, would we get complete information about activities with federated partners or just number of AV calls etc ?



    Tuesday, March 21, 2017 3:56 PM
  • Hmm.

    I think it would depend upon how ur monitoring server role is set up (Two types- CDR & QOE)

    If you have CDR i would believe it will capture below details even though it is a federated partner/domain:-

    features such as:-
    1. Voice over IP (VoIP) phone calls
    2. instant messaging (IM) 
    3. file transfers (A/V) conferencing
    5.application sharing sessions. 

    MCSA Office 365 | MCSA Exchange server 2010 | Red Hat Certified Engineer

    Tuesday, March 21, 2017 4:06 PM
  • Hi Akabe,

    Thanks for your all answers.

    Please help about  "what could be the consequences to have Open federation" ?

    Please also suggest if there is any third party tool available through which UC admins can have better control /restriction/policy and provide granual report of each connection between internal user and partner organisation.



    Thursday, March 23, 2017 4:49 PM
  • There is no harm in open Federation as end users are more educated now with company policies and other compliance stuff

    You can always monitor this by the monitoring reports. With O365, you have to open the connection else it wont work.

    Not sure about the third party tools though 

    MCSA Office 365 | MCSA Exchange server 2010 | Red Hat Certified Engineer

    • Edited by Akabe Saturday, March 25, 2017 4:31 PM
    • Proposed as answer by jim-xuModerator Monday, March 27, 2017 1:28 AM
    Saturday, March 25, 2017 4:30 PM