8.2.1 Ensure 'external access' is restricted in the Teams admin center

Information

This policy setting controls chat with external unmanaged Skype and Teams users. Users in the organization will not be searchable by unmanaged Skype or Teams users and will have to initiate all communications with unmanaged users.

Note: As of December 2021, the default for Teams external communication is set to 'People in my organization can communicate with Teams users whose accounts aren't managed by an organization.'

Note #2: Skype for Business is deprecated as of July 31, 2021, although these settings may still be valid for a period of time. See the link in the See Also section for more information.

Rationale:

Allowing users to communicate with Skype or Teams users outside of an organization presents a potential security threat as external users can interact with organization users over Skype for Business or Teams. While legitimate, productivity-improving scenarios exist, they are outweighed by the risk of data loss, phishing, and social engineering attacks against organization users via Teams.

Some real-world attacks and exploits delivered via Teams over external access channels include:

DarkGate malware

Social engineering / Phishing attacks by 'Midnight Blizzard'

GIFShell

Username enumeration

Impact:

The impact of disabling external access to Teams and Skype for an organization is highly dependent on current usage practices. If users infrequently communicate with external parties using these channels, the impact is likely to be minimal. However, if users regularly use Teams and Skype for client communication, the impact could be significant. Therefore, before disabling external access, users should be notified, and alternate communication mechanisms should be identified to ensure continuity of communication.

Note: Chat with external unmanaged Teams users isn't available in GCC, GCC High, or DOD deployments, or in private cloud environments.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To remediate using the UI:

Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com/.

Click to expand Users and select External access.

Under Teams and Skype for Business users in external organizations, select Block all external domains.

If the organization's policy allows it, select Allow only specific external domains and add the approved domains.

Under Teams accounts not managed by an organization, move the slider to Off.

Under Skype users, move the slider to Off.

Click Save.

To remediate using PowerShell:

Connect to Teams PowerShell using Connect-MicrosoftTeams

Run the following command:

Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowPublicUsers $false -AllowFederatedUsers $false

To allow only specific external domains run these commands replacing the example domains with approved domains:

Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowPublicUsers $false -AllowFederatedUsers $true
$list = New-Object Collections.Generic.List[String]
$list.add('contoso.com')
$list.add('fabrikam.com')
Set-CsTenantFederationConfiguration -AllowedDomainsAsAList $list

Default Value:

AllowTeamsConsumer : True

AllowPublicUsers : True

AllowFederatedUsers : True

AllowedDomains : AllowAllKnownDomains
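Because this item is not checked by Nessus, the following added PowerShell example (not part of the CIS benchmark or the Tenable audit) evaluates a tenant federation configuration against the control. The function takes the object returned by Get-CsTenantFederationConfiguration so the logic can be exercised offline with a constructed object; it assumes the AllowedDomains property renders as the text 'AllowAllKnownDomains' when no allow list is configured, and that a configured allow list renders with the domain names in it. The $ApprovedDomains parameter and the Test-TeamsExternalAccess function name are this example's own.

```powershell
# Added example (not from the CIS benchmark or Tenable): evaluate a tenant
# federation configuration against control 8.2.1. Pass the object from
# Get-CsTenantFederationConfiguration, or a constructed object for offline use.
function Test-TeamsExternalAccess {
    param(
        [Parameter(Mandatory)] $Config,
        # Domains the organization has explicitly approved; empty means none.
        [string[]] $ApprovedDomains = @()
    )

    $findings = @()

    # Chat with unmanaged (consumer) Teams accounts must be off.
    if ($Config.AllowTeamsConsumer -ne $false) {
        $findings += 'AllowTeamsConsumer is True; set it to $false'
    }
    # Chat with Skype consumer users must be off.
    if ($Config.AllowPublicUsers -ne $false) {
        $findings += 'AllowPublicUsers is True; set it to $false'
    }

    # Federation with other organizations must be blocked entirely or limited
    # to an explicit allow list. 'AllowAllKnownDomains' is the open default.
    # Assumption: AllowedDomains renders as that text when no list is set.
    $allowedText = "$($Config.AllowedDomains)"
    if ($Config.AllowFederatedUsers -eq $true) {
        if ($allowedText -match 'AllowAllKnownDomains') {
            $findings += 'AllowFederatedUsers is True with AllowedDomains = AllowAllKnownDomains (open federation); block all external domains or configure an allow list'
        } else {
            # Pull domain names out of the rendered list and compare them
            # with the approved set so unexpected entries are reported.
            $approved = $ApprovedDomains | ForEach-Object { $_.ToLower() }
            $listed = [regex]::Matches($allowedText, '[A-Za-z0-9.-]+\.[A-Za-z]{2,}') |
                ForEach-Object { $_.Value.ToLower() }
            foreach ($d in $listed) {
                if ($d -notin $approved) {
                    $findings += "Allowed domain '$d' is not in the approved list"
                }
            }
        }
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Constructed sample mirroring the default values documented above; it fails
# on all three settings.
$defaultConfig = [pscustomobject]@{
    AllowTeamsConsumer  = $true
    AllowPublicUsers    = $true
    AllowFederatedUsers = $true
    AllowedDomains      = 'AllowAllKnownDomains'
}
Test-TeamsExternalAccess -Config $defaultConfig | Format-List

# Against a live tenant, after Connect-MicrosoftTeams:
# Test-TeamsExternalAccess -Config (Get-CsTenantFederationConfiguration) -ApprovedDomains 'contoso.com','fabrikam.com'
```

Run this periodically (for example from a scheduled compliance job) and alert on Compliant = False; a drift back to AllowAllKnownDomains or a consumer toggle being re-enabled is exactly the change an administrator would otherwise miss.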

See Also

https://workbench.cisecurity.org/benchmarks/15279

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b.

Plugin: microsoft_azure

Control ID: 5cf9584305c8f1c5bc3714d5d12307b4cf9f5685b0a2fba0a9868427ca16275d