Information
This setting controls the organization's external access with Teams "trial-only" tenants. These are tenants that don't have any purchased seats.
When set to Blocked, users from these trial-only tenants aren't able to search and contact your users via chats, Teams calls, and meetings (using the users' authenticated identities) and your users aren't able to reach users in these trial-only tenants. Users from the trial-only tenant are also removed from existing chats.
The recommended state for "People in my organization can communicate with accounts in trial Teams tenant" is Off.
Microsoft introduced this setting as Off by default on July 29, 2024, in order to block attack vectors being exploited by threat actors who have abused trial tenants. Enforcing the default ensures the setting is not re-enabled for any reason.
Allowing users to communicate with unmanaged Teams users presents a potential security threat as little effort is required by threat actors to gain access to a trial or free Microsoft Teams account.
Some real-world attacks and exploits delivered via Teams over external access channels include:
- DarkGate malware
- Social engineering / Phishing attacks by "Midnight Blizzard"
- GIFShell
- Username enumeration
Solution
To remediate using the UI:
- Navigate to the Microsoft Teams admin center at https://admin.teams.microsoft.com/.
- Click to expand Users, then select External access.
- Select the Organization settings tab.
- Set "People in my organization can communicate with accounts in trial Teams tenant" to Off.
To remediate using PowerShell:
- Connect to Teams PowerShell using Connect-MicrosoftTeams.
- Run the following command:
Set-CsTenantFederationConfiguration -ExternalAccessWithTrialTenants "Blocked"
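To confirm the state before and after the change, the following added example (not part of the original benchmark text) reads the current value with Get-CsTenantFederationConfiguration, reports pass or fail, and applies the command above only when the -Remediate switch is given. The script name Test-TrialTenantAccess.ps1, the -Remediate switch and the helper function name are assumptions made for illustration.

```powershell
# Test-TrialTenantAccess.ps1 (hypothetical file name; added example)
# Audits ExternalAccessWithTrialTenants and optionally remediates it.
# Assumes the MicrosoftTeams module is installed and the signed-in
# account is permitted to manage Teams external access.
param(
    [switch]$Remediate   # hypothetical switch: change the setting if non-compliant
)

$ErrorActionPreference = 'Stop'
$expected = 'Blocked'

Import-Module MicrosoftTeams
Connect-MicrosoftTeams | Out-Null

function Get-TrialTenantAccess {
    # Returns the current tenant-wide value as a string.
    [string](Get-CsTenantFederationConfiguration).ExternalAccessWithTrialTenants
}

$current = Get-TrialTenantAccess
if ($current -eq $expected) {
    Write-Output "PASS: ExternalAccessWithTrialTenants is '$current'."
    return
}

Write-Warning "FAIL: ExternalAccessWithTrialTenants is '$current' (expected '$expected')."

if (-not $Remediate) {
    # Audit-only run: report the finding and leave the tenant unchanged.
    Write-Output "Re-run with -Remediate to set the value to '$expected'."
    return
}

Set-CsTenantFederationConfiguration -ExternalAccessWithTrialTenants $expected

# Read the value back instead of trusting the absence of an error.
$after = Get-TrialTenantAccess
if ($after -ne $expected) {
    throw "Remediation not confirmed; value still reads '$after'."
}
Write-Output "REMEDIATED: ExternalAccessWithTrialTenants is now '$after'."
```

Running the script without -Remediate on a schedule gives a drift check for the case where the setting is switched back on.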
Impact:
There is minimal to no legitimate business need for users to communicate with accounts in trial tenants. For temporary or testing scenarios, alternative communication methods are readily available that do not require enabling this setting.