3.3 Ensure 'external access' is restricted in the Teams admin center

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version


As of December 2021 the default for Teams external communication is set to 'People in my organization can communicate with Teams users whose accounts aren't managed by an organization.' This means that users can communicate with personal Microsoft accounts (e.g. Hotmail, Outlook etc.), which presents data loss / phishing / social engineering risks.

NOTE: Skype for business is deprecated as of July 31, 2021 although these settings may still be valid for a period of time. See the link in the reference for more information.


Allowing users to communicate with Skype or Teams users outside of an organization presents a potential security threat as external users can interact with organization users over Skype for Business or Teams. While legitimate, productivity-improving scenarios exist, they are outweighed by the risk of data loss, phishing, and social engineering attacks against organization users via Teams. Therefore, it is recommended to restrict external communications in order to minimize the risk of security incidents.


The impact of disabling external access to Teams and Skype for an organization is highly dependent on current usage practices. If users infrequently communicate with external parties using these channels, the impact is likely to be minimal. However, if users regularly use Teams and Skype for client communication, the impact could be significant. Therefore, before disabling external access, users should be notified, and alternate communication mechanisms should be identified to ensure continuity of communication.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.


To prohibit user communication with external Teams organizations:

Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com/.

Click to expand Users select External access.

Under Teams and Skype for Business users in external organizations Select Block all external domains

Note: If the organization's policy allows select any allowed external domains.

Under Teams accounts not managed by an organization move the slider to Off.

Under Skype users move the slider is to Off.

Click Save.

To configure teams external access restrictions using PowerShell:

Connect to Teams PowerShell using Connect-MicrosoftTeams

Run the following command:

Set-CsTenantFederationConfiguration -AllowTeamsConsumer False -AllowPublicUsers False -AllowFederatedUsers $false

To allow only specific external domains run these commands replacing the example domains with approved domains:

Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowPublicUsers $false -AllowFederatedUsers $true
$list = New-Object Collections.Generic.List[String]
Set-CsTenantFederationConfiguration -AllowedDomainsAsAList $list

See Also


Item Details


References: 800-53|CM-6b.

Plugin: microsoft_azure

Control ID: c8d96e82a3488531cad9fe9e17f6448e2564de975e72b978c4007d917cb2ae9a