3.3 Ensure 'external access' is restricted in the Teams admin center

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

As of December 2021, the default for Teams external communication is set to 'People in my organization can communicate with Teams users whose accounts aren't managed by an organization.' This means that users can communicate with personal Microsoft accounts (e.g. Hotmail, Outlook, etc.), which presents data loss, phishing, and social engineering risks.

NOTE: Skype for Business is deprecated as of July 31, 2021, although these settings may still be valid for a period of time. See the link in the reference for more information.

Rationale:

Allowing users to communicate with Skype or Teams users outside of an organization presents a potential security threat as external users can interact with organization users over Skype for Business or Teams. While legitimate, productivity-improving scenarios exist, they are outweighed by the risk of data loss, phishing, and social engineering attacks against organization users via Teams. Therefore, it is recommended to restrict external communications in order to minimize the risk of security incidents.

Impact:

The impact of disabling external access to Teams and Skype for an organization is highly dependent on current usage practices. If users infrequently communicate with external parties using these channels, the impact is likely to be minimal. However, if users regularly use Teams and Skype for client communication, the impact could be significant. Therefore, before disabling external access, users should be notified, and alternate communication mechanisms should be identified to ensure continuity of communication.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To prohibit user communication with external Teams organizations:

Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com/.

Click to expand Users, then select External access.

Under Teams and Skype for Business users in external organizations, select Block all external domains.

Note: If the organization's policy allows it, select Allow only specific external domains and add the approved domains instead.

Under Teams accounts not managed by an organization move the slider to Off.

Under Skype users, move the slider to Off.

Click Save.

To configure Teams external access restrictions using PowerShell:

Connect to Teams PowerShell using Connect-MicrosoftTeams.

Run the following command:

# Block unmanaged Teams accounts, consumer Skype users and all federated domains.
# The boolean parameters take PowerShell booleans ($false), not the bare word False.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowPublicUsers $false -AllowFederatedUsers $false

To allow only specific external domains run these commands replacing the example domains with approved domains:

# Keep consumer accounts blocked but allow federation, then restrict it to an explicit allow list.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowPublicUsers $false -AllowFederatedUsers $true
# Build the allow list (replace the example domains with the organization's approved domains).
$list = New-Object Collections.Generic.List[String]
$list.Add('contoso.com')
$list.Add('fabrikam.com')
Set-CsTenantFederationConfiguration -AllowedDomainsAsAList $list
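Since the audit notes that Nessus does not perform this check, the following added example (not part of the CIS benchmark or the Tenable audit text) reads the tenant federation configuration and reports whether it matches the restricted state described above. It assumes the MicrosoftTeams module is loaded and Connect-MicrosoftTeams has already been run; the property names AllowTeamsConsumer, AllowPublicUsers, AllowFederatedUsers and AllowedDomains.AllowedDomain are from the Teams PowerShell module as I know it, so confirm them against your module version.

```powershell
# Added audit helper; assumes an existing Connect-MicrosoftTeams session.
# Cmdlet and property names are assumed from the Teams PowerShell module.
function Test-TeamsExternalAccess {
    [CmdletBinding()]
    param(
        # Domains the organization has explicitly approved (may be empty).
        [string[]]$ApprovedDomains = @()
    )

    $cfg = Get-CsTenantFederationConfiguration

    # Findings are collected as strings so the function can feed a report
    # or a scheduled check; an empty list means the tenant is compliant.
    $findings = New-Object System.Collections.Generic.List[string]

    if ($cfg.AllowTeamsConsumer) {
        $findings.Add("AllowTeamsConsumer is True: unmanaged Teams accounts can reach users")
    }
    if ($cfg.AllowPublicUsers) {
        $findings.Add("AllowPublicUsers is True: consumer Skype users can reach users")
    }
    if ($cfg.AllowFederatedUsers) {
        # Federation is on; acceptable only with an explicit allow list.
        # When every known domain is allowed there is no AllowedDomain
        # collection, so $allowed is empty and this is flagged as open.
        $allowed = @($cfg.AllowedDomains.AllowedDomain | ForEach-Object { $_.Domain })
        if ($allowed.Count -eq 0) {
            $findings.Add("AllowFederatedUsers is True with no allow list: all external domains are open")
        } else {
            # Case-insensitive comparison, matching how domains are treated.
            $unexpected = $allowed | Where-Object { $ApprovedDomains -notcontains $_ }
            foreach ($d in $unexpected) {
                $findings.Add("Allowed domain '$d' is not on the approved list")
            }
        }
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Usage (example domains from the Solution section above):
Test-TeamsExternalAccess -ApprovedDomains 'contoso.com', 'fabrikam.com'
```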

See Also

https://workbench.cisecurity.org/benchmarks/10751

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b.

Plugin: microsoft_azure

Control ID: c8d96e82a3488531cad9fe9e17f6448e2564de975e72b978c4007d917cb2ae9a