Teams – You can now block federation with trial tenants

As you know, Teams administrators can manage how their end-users communicate with external contacts, whether those contacts are hosted on another Teams tenant, on on-premises Skype for Business or on consumer Skype accounts.

With these configuration capabilities, Teams administrators can control whether communication with external contacts is allowed or denied, and define whether this applies broadly (i.e. with no specific domain restriction) or is based on allow-listed or block-listed domains.

This means end-users can end up communicating with M365 (Teams) trial tenants, which can be used for malicious activities such as phishing or abuse attacks.

The good news is that Teams administrators can now allow broad communication with external contacts while blocking trial tenants.

This setting has been enabled since August 15th, 2024, meaning federation with trial tenants is now blocked; you can control how this setting behaves if you need to allow communication with a specific trial tenant (see the notes below).

A few important notes about this new capability:

  • A “trial-only” tenant is defined as a tenant with a Teams service plan that has only Trial subscriptions (0 purchased licenses).

NOTE: this also includes any tenant using MSDN (Visual Studio) or Developer tenants.

  • Shared Channels, Guest access and Anonymous Meeting joins will not be affected by this setting.
  • This new setting only controls external communication with trial-only tenants within the same Microsoft 365 cloud environment (cloud, GCC or Vianet). Users from trial-only tenants in public clouds will be blocked by default from external communication with users in other Microsoft 365 cloud environments and with Microsoft Skype for Business server users. No admin control will exist to allow cross-cloud external communication with trial tenants.
  • If your tenant has enabled Allow only specific domains and specified domains in the Allow list, and if -ExternalAccessWithTrialTenants is set to Blocked, trial-only tenants in the Allow list will be blocked. If this setting is set to Allowed, all domains in the Allow list will be allowed.
  • If your tenant has enabled Block all external domains, the -ExternalAccessWithTrialTenants setting has no impact.
  • If your tenant has enabled Block specific domains and specified domains in the Block list, and if the -ExternalAccessWithTrialTenants setting is set to Blocked, trial-only tenants not in the Block list will also be blocked. If set to Allowed, this setting has no impact.
  • For two trial-only tenants to be able to federate, both of them need to have the -ExternalAccessWithTrialTenants set to Allowed.
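
How the domain lists and -ExternalAccessWithTrialTenants combine in the notes above, modelled as an added example (not code from Microsoft or from the original post). The function name, parameter names and mode labels are hypothetical, the domains are constructed placeholders, and only the local tenant's side of the decision is modelled (the remote tenant's own setting and cross-cloud cases are not).

```powershell
# Added example; the function, parameters and mode labels are hypothetical.
function Test-TrialFederationOutcome {
    param(
        # Local tenant's external-access mode, as named in the notes
        [Parameter(Mandatory)]
        [ValidateSet('AllowAll', 'AllowSpecific', 'BlockSpecific', 'BlockAll')]
        [string]$DomainMode,
        # Entries of the Allow list or Block list (unused for AllowAll/BlockAll)
        [string[]]$DomainList = @(),
        # Local value of -ExternalAccessWithTrialTenants
        [Parameter(Mandatory)][ValidateSet('Allowed', 'Blocked')]
        [string]$TrialSetting,
        [Parameter(Mandatory)][string]$RemoteDomain,
        # Whether the remote tenant holds only Trial subscriptions
        [Parameter(Mandatory)][bool]$RemoteIsTrialOnly
    )
    # Step 1: the domain lists decide first, regardless of trial status
    $domainAllowed = switch ($DomainMode) {
        'AllowAll'      { $true }
        'AllowSpecific' { $DomainList -contains $RemoteDomain }
        'BlockSpecific' { $DomainList -notcontains $RemoteDomain }
        'BlockAll'      { $false }
    }
    if (-not $domainAllowed) { return 'Blocked (domain policy)' }
    # Step 2: the trial gate applies only to trial-only remote tenants
    if ($RemoteIsTrialOnly -and $TrialSetting -eq 'Blocked') {
        return 'Blocked (trial-only tenant)'
    }
    return 'Allowed'
}

# Constructed cases; the .example domains are placeholders, not real tenants
$cases = @(
    @{ DomainMode = 'AllowSpecific'; DomainList = @('partner.example'); TrialSetting = 'Blocked'; RemoteDomain = 'partner.example'; RemoteIsTrialOnly = $true }
    @{ DomainMode = 'AllowSpecific'; DomainList = @('partner.example'); TrialSetting = 'Allowed'; RemoteDomain = 'partner.example'; RemoteIsTrialOnly = $true }
    @{ DomainMode = 'BlockSpecific'; DomainList = @('bad.example'); TrialSetting = 'Blocked'; RemoteDomain = 'other.example'; RemoteIsTrialOnly = $true }
    @{ DomainMode = 'BlockAll'; TrialSetting = 'Allowed'; RemoteDomain = 'other.example'; RemoteIsTrialOnly = $true }
    @{ DomainMode = 'AllowAll'; TrialSetting = 'Blocked'; RemoteDomain = 'paid.example'; RemoteIsTrialOnly = $false }
)
foreach ($c in $cases) {
    [pscustomobject]@{
        Mode = $c.DomainMode; Trial = $c.TrialSetting; Remote = $c.RemoteDomain
        TrialOnly = $c.RemoteIsTrialOnly; Outcome = Test-TrialFederationOutcome @c
    }
}
```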

To manage this setting, you need to use the Teams PowerShell module, as no option is available through the Teams portal. You need the latest version of the module (6.5.0 at the time of writing; see PowerShell Gallery | MicrosoftTeams 6.5.0 for install options).

  • Connect to your Teams tenant

Connect-MicrosoftTeams

  • Check trial tenant communication configuration

Get-CsTenantFederationConfiguration | Select *trial*


  • Set the configuration

Set-CsTenantFederationConfiguration -ExternalAccessWithTrialTenants "Blocked"   # or "Allowed"
