External access – Office 365 for IT Pros (https://office365itpros.com)

Blocking Access to Teams Meeting Chat in External Tenants
https://office365itpros.com/2023/10/23/block-meeting-chat-untrusted/
Mon, 23 Oct 2023 01:00:00 +0000

Block Meeting Chats for Non-Trusted Tenants

In July 2023, Microsoft introduced a new meeting policy setting to control the ability of users to participate in meeting chats for meetings hosted in other non-trusted Microsoft 365 tenants. The change addresses a potential issue where people might reveal confidential information in a meeting chat that their home tenant knows nothing about. Of course, users can also reveal confidential information orally and that information can be captured in a meeting transcript that’s under the control of the host tenant, but that’s a more difficult problem to crack.

The update is covered in message center notification MC561186 (26 May 2023) and Microsoft 365 roadmap item 123975 and the setting should now be available in all tenants, including DOD and GCC-High.

Trusted and Non-Trusted Tenants

A trusted Microsoft 365 tenant is one that the external access settings for Teams allow users to connect to for chats and meetings. By default, Teams allows external access to all other Microsoft 365 organizations (Figure 1), meaning that every other tenant is trusted.

Figure 1: Teams external access allowed for all organizations

Last year, a proof of concept for an attack called GIFshell exposed a downside in the default setting where an attacker could set up a chat with an unsuspecting victim and transmit a modified GIF file containing malware. The easy answer to stopping this kind of attack is to change the external access setting to restrict incoming connections to an allow list of specified tenants.

The need for ongoing maintenance is the downside of using an allow list. In a follow-up article, I discussed how to use PowerShell to populate an allow list based on the home tenants for guest accounts. This helps, but creating an allow list from guest accounts is unlikely to discover every external tenant that users need to communicate with for business purposes. Some other arrangement is therefore necessary to allow users to request the addition of a domain to the allow list. The Teams Approvals app might be one way to handle the issue. Power Automate might be another.

Blocking Access to Meeting Chat in Non-Trusted External Tenants

The new control is in the Meeting engagement section of Meeting policies in the Teams admin center (Figure 2). By default, the setting is enabled, meaning that users can participate in chats in meetings hosted by any external Microsoft 365 tenant.

Figure 2: External meeting chat setting in the Teams admin center

Updating the setting to Off blocks the Chat app in meetings hosted by untrusted external tenants.

You can also manage the setting through PowerShell. First, to see the value of the AllowExternalNonTrustedMeetingChat setting in the meeting policies defined for the tenant, run the Get-CsTeamsMeetingPolicy cmdlet:

Get-CsTeamsMeetingPolicy | Format-Table identity, AllowExternalNonTrustedMeetingChat

Identity                           AllowExternalNonTrustedMeetingChat
--------                           ----------------------------------
Global                                                           True
Tag:AllOn                                                        True
Tag:RestrictedAnonymousAccess                                    True

To block access to chat in external meetings, run the Set-CsTeamsMeetingPolicy cmdlet to update the value of AllowExternalNonTrustedMeetingChat for a meeting policy.

Set-CsTeamsMeetingPolicy -Identity Global -AllowExternalNonTrustedMeetingChat $False

An hour or so after updating the meeting policy, the accounts assigned the policy will lose access to chat in external meetings hosted by non-trusted tenants.
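The two cmdlets above act on one policy at a time. The script below is an added example (not code from the article) that audits every meeting policy in the tenant for AllowExternalNonTrustedMeetingChat and, only when run with a -Remediate switch, sets the value to False on each policy that still allows it. It assumes the MicrosoftTeams PowerShell module is installed and that the connecting account holds a Teams administrator role; the -Remediate switch and the report text are this example's own.

```powershell
# Added example (not from the Office 365 for IT Pros article): audit every Teams meeting
# policy for AllowExternalNonTrustedMeetingChat and, optionally, turn the setting off.
# Assumes the MicrosoftTeams module is installed and the signed-in account holds a
# Teams administrator role. Run without -Remediate to report only.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Remediate
)

Import-Module MicrosoftTeams
Connect-MicrosoftTeams | Out-Null

# Capture the state before any change so the report documents what was in force.
$policies = @(Get-CsTeamsMeetingPolicy | Select-Object Identity, AllowExternalNonTrustedMeetingChat)
$open = @($policies | Where-Object { $_.AllowExternalNonTrustedMeetingChat -eq $true })

Write-Host ("{0} of {1} meeting policies allow chat in meetings hosted by non-trusted tenants" -f $open.Count, $policies.Count)
$open | Format-Table Identity, AllowExternalNonTrustedMeetingChat -AutoSize

if (-not $Remediate) {
    Write-Host "Re-run with -Remediate to set AllowExternalNonTrustedMeetingChat to False on the policies listed above."
    return
}

foreach ($policy in $open) {
    # -WhatIf and -Confirm are honoured because the script declares SupportsShouldProcess.
    if ($PSCmdlet.ShouldProcess($policy.Identity, "Set AllowExternalNonTrustedMeetingChat to False")) {
        Set-CsTeamsMeetingPolicy -Identity $policy.Identity -AllowExternalNonTrustedMeetingChat $false
    }
}

# Re-read the policies to confirm the new values. Clients pick the change up after an hour or so.
Get-CsTeamsMeetingPolicy | Format-Table Identity, AllowExternalNonTrustedMeetingChat -AutoSize
```

Running the script with -Remediate -WhatIf lists the policies that would change without touching them, which is a convenient way to review the scope of the change before applying it to policies other than Global.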

Keep External Access Open or Apply Restrictions

If you’re not worried about what people might chat about in external meetings, leave the setting alone and Teams will behave as before. This control is for organizations that have reason to stop people from chatting when participating in meetings hosted by non-trusted tenants. Of course, the question of deciding which tenants to trust comes into play here. That’s a difficult question to answer in a generic sense, and it’s definitely worthwhile for a Microsoft 365 tenant to consider whether it wants to operate external access on an open or closed basis.


So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across Office 365. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.

Teams Group Chats Can Now Include External (Federated) Participants
https://office365itpros.com/2021/05/12/teams-group-chat-external/
Wed, 12 May 2021 01:52:00 +0000

Teams Group Chats Support External Access Via Teams Connect

When Microsoft announced Microsoft Teams Connect in March 2021, their focus was firmly on shared channels as a new way to collaborate with people external to an organization in a channel. Teams shared channels use Azure AD cross-tenant access policies alongside the existing Teams federation capability to communicate with external members (who don’t need guest accounts).

By default, Teams uses open federation, which means that you can communicate with any other Teams user in a Microsoft 365 tenant. Administrators can control the domains users can communicate with by adding domains to a list in the External access section of the Teams admin center and setting their status to be allowed or blocked (Figure 1).

Figure 1: External access settings in the Teams admin center

Up to now, the external access list has only been used to control federated 1:1 chat (including calls) between users in other domains. In the future, collaboration using shared channels will use the same list, so it’s important to keep it updated.

Federated Group Chats

On May 11, 2021, message center notification MC255536 announced an enhancement to chat (roadmap item 51126) to allow external participation in group chats. In effect, federated chat moves from its previous 1:1 limitation to allow external users from other tenants (they must have an Azure AD account) to join group chats of up to 250 participants. Roll-out to tenants begins in mid-May 2021 with completion due in late July 2021.

When the new software is available, you’ll be able to add external participants to group chats like any other tenant or guest account. To add an external person, enter their email address as a participant and then use the Search externally option (Figure 2). Teams checks the external access domain list to discover if federated chat is allowed with the participant’s domain, and if it is, looks up Azure AD to find their account. If the account exists, Teams adds it to the chat.

Figure 2: Searching for an external participant to join a Teams group chat

Of course, the domain for the external participant might block federated communications with your domain. If this is the case, the chat can’t happen.

As shown in Figure 3, when a group chat includes an external participant, Teams displays a prominent External label to advise everyone that they shouldn’t discuss company confidential information (unless it’s appropriate to share the information with an external person). External participants are also marked as such in the participant roster. If you want to share confidential information with external people, it’s probably best to use a private channel for this purpose.

Figure 3: Teams group chat with an external (federated) participant

Shared Channels Next

Microsoft hasn’t given a recent update about the progress of shared channels or an expected delivery date, but the feature is expected “later this year.”

Update (July 19, 2022): According to this post in the Microsoft technical community, Teams shared channels are now generally available to all Microsoft 365 tenants with Teams licenses.

Adding federated capability to bring external users into group chats is a logical step. Chats are often used to resolve issues before decisions are brought back for wider comment in channel conversations. It wouldn’t make much sense to be able to collaborate with groups of external users in a shared channel if you couldn’t communicate with the same people in a group chat.


Stay abreast of the latest developments by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that subscribers always know what’s going on across the Office 365 ecosystem.

Using Teams External Access for Federated Chats
https://office365itpros.com/2019/03/22/teams-federated-chats/
Fri, 22 Mar 2019 04:26:38 +0000

Teams Communication with Users in other Microsoft 365 Tenants

Updated 1 June 2023.

In the context of a messaging application like Teams, federation means that your tenant allows connections with people belonging to other organizations. For example, if my tenant is federated with Microsoft’s tenant, I can use Teams federated chat to message and call users belonging to the Microsoft tenant.

Being able to reach outside the boundaries of your tenant is a big thing for a communications client. Teams was slow to make this happen, but now External Access (the term Teams uses for federation) works well if you enable the feature in your tenant by turning it on in the org-wide setting section of the Teams Admin Center. You can also set up a list of allowed or blocked domains. If no list exists, any user in another Office 365 tenant can connect to users in your tenant.

Finding an External User

External access is not the same as the access enjoyed by Azure AD guest accounts. It’s much more limited (think chats and calls) whereas guest access can allow someone to have extensive access to tenant resources (groups, teams, sites, individual documents). Along with the ability to chat and call (on an individual basis), external users can see presence information for other people. And most important, they can search your tenant directory to find people.

An external user can’t browse your directory. Searching means that they can input an email address (or SIP address) into the search box to instruct Teams to look up the name in the tenant owning the domain name part of the email address (Figure 1). And if a match is found, Teams launches a 1:1 chat. The trick is to have Teams search externally (see below). If you don’t see this option, you know external access isn’t enabled in your tenant.

Figure 1: Searching for an external user in another Microsoft 365 tenant

A Potential Lack of Emojis in Teams Federated Chat

Once the chat starts, you’ll discover other limitations. Most importantly, you can’t share files with an external user (you can upload a file to OneDrive or another sharing site and then send a link). Somewhat less critically, you can’t use emojis or reactions (like) in a response unless both tenants are configured in “TeamsOnly” mode. Both the iOS and Android clients support emojis in their native keyboards and it’s possible to insert them with the desktop client using the Windows + ; (Windows key plus semi-colon) combination.

Fewer text formatting options are available too. Teams gives a visible indicator (Figure 2) that you’re using a federated communication by displaying the address of the external user in the title bar.

Figure 2: How Teams shows that you’re communicating with an external user

Apart from these restrictions, a chat with an external user is much the same as with a tenant or guest user, and it’s as easy to communicate externally with Teams as it was with Skype for Business.

Controlling Teams Federated Chat

At the organization level, the Teams admin center (Figure 3) offers these options to control Teams external access/federated chat:

  • Allow all external domains. This is the default, chosen because Microsoft wants to encourage organizations to communicate and collaborate together.
  • Block all external domains.
  • Block only specific external domains.
  • Allow only specific external domains. This is the option I suggest organizations adopt, if only to avoid potential attacks like the GIFShell demonstration. It’s possible to update the allowed external domains list with PowerShell. I show how to do this in an article explaining how to add external domains for guest accounts present in the tenant.

Figure 3: Controlling Teams external access in the Teams admin center
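Both this article and the meeting-chat article above refer to populating the allowed external domains list from the home tenants of guest accounts. The script below is an added example (not the code from either article) of that approach: it reads the Mail attribute of every guest account through Microsoft Graph, extracts the domain part, merges those domains with whatever is already on the Teams allow list, and writes the union back. It assumes the Microsoft.Graph.Users and MicrosoftTeams modules are installed, that the signed-in account holds the User.Read.All Graph permission and a Teams administrator role, and that the tenant already runs external access in "Allow only specific external domains" mode. The $excludedDomains list is a constructed sample.

```powershell
# Added example (not code from the Office 365 for IT Pros articles): derive the home domains
# of Azure AD guest accounts and merge them into the Teams external access allow list.
# Assumes Microsoft.Graph.Users and MicrosoftTeams are installed, the signed-in account has
# User.Read.All plus a Teams administrator role, and external access is already in
# "allow only specific domains" mode.
Import-Module Microsoft.Graph.Users
Import-Module MicrosoftTeams

Connect-MgGraph -Scopes "User.Read.All" | Out-Null
Connect-MicrosoftTeams | Out-Null

# Constructed sample: consumer mail domains are not Microsoft 365 tenants, so a guest
# invited from one of them should not add that domain to the federation allow list.
$excludedDomains = @('gmail.com', 'outlook.com', 'hotmail.com', 'yahoo.com')

# 1. Guest accounts: the Mail attribute carries the address in the guest's home tenant.
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All -Property Id,Mail,UserPrincipalName
$guestDomains = @($guests |
    Where-Object { $_.Mail -and $_.Mail -like '*@*' } |
    ForEach-Object { ($_.Mail -split '@')[-1].ToLower() } |
    Where-Object { $_ -notin $excludedDomains } |
    Sort-Object -Unique)

# 2. Domains already allowed, so the update keeps domains added by hand earlier.
$federation = Get-CsTenantFederationConfiguration
$currentDomains = @($federation.AllowedDomains.AllowedDomain | ForEach-Object { $_.Domain.ToLower() })

$newDomains = @($guestDomains | Where-Object { $_ -notin $currentDomains })
Write-Host ("{0} guest home domains found, {1} not yet on the allow list:" -f $guestDomains.Count, $newDomains.Count)
$newDomains | ForEach-Object { Write-Host "  $_" }

if ($newDomains.Count -eq 0) { return }

# 3. Rebuild the allow list as the union and write it back. Set-CsTenantFederationConfiguration
#    replaces the list rather than appending to it, which is why the merge above matters.
$patterns = ($currentDomains + $newDomains) | Sort-Object -Unique |
    ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns
Set-CsTenantFederationConfiguration -AllowedDomains $allowList

# Review the result: every domain on this list is a tenant whose users can reach yours by chat.
(Get-CsTenantFederationConfiguration).AllowedDomains.AllowedDomain | Select-Object Domain
```

Because guest invitations are only a partial picture of the tenants users work with, treat the output as a starting point for the allow list and pair it with a request process (the Approvals app or Power Automate, as suggested above) for domains that no guest account reveals.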


For more information about Teams, read Chapter 13 of Office 365 for IT Pros. Teams meetings are covered in Chapter 16.
