Detections
Analytics
8.2.1 Ensure 'external access' is restricted in the Teams admin center
Information
This policy setting controls chat with external unmanaged Skype and Teams users. Users in the organization will not be searchable by unmanaged Skype or Teams users and will have to initiate all communications with unmanaged users.Note: As of December 2021, the default for Teams external communication is set to 'People in my organization can communicate with Teams users whose accounts aren't managed by an organization.'
Note #2: Skype for business is deprecated as of July 31, 2021, although these settings may still be valid for a period of time. See the link in the reference section for more information.
Rationale:
Allowing users to communicate with Skype or Teams users outside of an organization presents a potential security threat as external users can interact with organization users over Skype for Business or Teams. While legitimate, productivity-improving scenarios exist, they are outweighed by the risk of data loss, phishing, and social engineering attacks against organization users via Teams. Therefore, it is recommended to restrict external communications in order to minimize the risk of security incidents.
Impact:
The impact of disabling external access to Teams and Skype for an organization is highly dependent on current usage practices. If users infrequently communicate with external parties using these channels, the impact is likely to be minimal. However, if users regularly use Teams and Skype for client communication, the impact could be significant. Therefore, before disabling external access, users should be notified, and alternate communication mechanisms should be identified to ensure continuity of communication.
Note: Chat with external unmanaged Teams users isn't available in GCC, GCC High, or DOD deployments, or in private cloud environments.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
To remediate using the UI:Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com/.
Click to expand Users select External access.
Under Teams and Skype for Business users in external organizations Select Block all external domains
NOTE: If the organization's policy allows select any allowed external domains.
Under Teams accounts not managed by an organization move the slider to Off.
Under Skype users move the slider is to Off.
Click Save.
To remediate using PowerShell:
Connect to Teams PowerShell using Connect-MicrosoftTeams
Run the following command:
Set-CsTenantFederationConfiguration -AllowTeamsConsumer False -AllowPublicUsers False -AllowFederatedUsers $false
To allow only specific external domains run these commands replacing the example domains with approved domains:
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowPublicUsers $false -AllowFederatedUsers $true
$list = New-Object Collections.Generic.List[String]
$list.add('contoso.com')
$list.add('fabrikam.com')
Set-CsTenantFederationConfiguration -AllowedDomainsAsAList $list
Default Value:
AllowTeamsConsumer : True
AllowPublicUsers : True
AllowFederatedUsers : True
AllowedDomains : AllowAllKnownDomains
See Also
Item Details
Audit Name: CIS Microsoft 365 Foundations E3 L2 v3.0.0
Category: CONFIGURATION MANAGEMENT
References: 800-53|CM-6b.
Plugin: microsoft_azure
Control ID: 5cf9584305c8f1c5bc3714d5d12307b4cf9f5685b0a2fba0a9868427ca16275d