Federated chat – Office 365 for IT Pros
https://office365itpros.com
Mastering Office 365 and Microsoft 365

Teams to Block Federated Communications with Trial Tenants
https://office365itpros.com/2024/06/27/federated-communications-block/
Thu, 27 Jun 2024 07:00:00 +0000

Block for Federated Communications Imposed on July 29, 2024

In a development reported in message center notification MC805200 (25 June 2024), Microsoft is moving to block a potential attack vector that might be exploited by malicious actors who attempt to launch phishing or abuse attacks against Teams, by blocking federated chat from trial tenants. I say “potential” because although the GIFShell and JumpSec exploits demonstrated how such an attack might happen, I am unaware of any successful attack.

In any case, an easy fix for phishing attempts from any unknown tenant already exists: amend the tenant’s external access configuration to restrict federation to a curated tenant list. I advise every tenant to do this because there’s really no need to allow open access to your tenant unless you want to invite unwanted communications. It’s easy to use PowerShell to update the allowed tenant list automatically based on conditions like guest user accounts created within the tenant or even existing federated chats found for user accounts.

But applying an allow list to external federation goes against the philosophy of open federation for chat espoused by Microsoft. I think this kind of thinking is wrong in the current threat climate. All it does is open customers to exploits, which then means that Microsoft is forced to introduce controls.

In this case, Microsoft is introducing a new tenant-wide control for the federation configuration to block external access with trial-only tenants. The new control is called ExternalAccessWithTrialTenants and is set to Blocked by default.

Blocked means that users from trial tenants are unable to search for people or create federated chats with users in your tenant and Teams will remove any users from trial tenants from existing chats. Users from trial tenants will be unable to participate in Teams calls hosted by your tenant, unless those calls permit anonymous join. Likewise, users from your tenant will be unable to connect with users belonging to trial tenants.

If you follow my advice and limit federated communications to an allow list of selected domains, the ExternalAccessWithTrialTenants setting has no effect because the allow list takes precedence. Trial-only tenants are only permitted if added to the allow list.

Deployment Starts Now

Microsoft says that the deployment of the new setting is complete worldwide, so you should be able to see it by running the Get-CsTenantFederationConfiguration cmdlet from the latest version of the Microsoft Teams PowerShell module:

Get-CsTenantFederationConfiguration | Format-List ExternalAccessWithTrialTenants

ExternalAccessWithTrialTenants: Blocked

Microsoft plans to implement the block on July 29, 2024. If you take no action, federated chat with trial tenants will cease. After that time, if you really want to open your tenant to communications with trial tenants, you can run the Set-CsTenantFederationConfiguration cmdlet to update ExternalAccessWithTrialTenants to Allowed. Don’t make this change.
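The check above reads one property. As an added example (not the article's own script or anything Microsoft ships), the function below reports the whole external access posture in one object: whether federation is open or restricted to an allow list, the ExternalAccessWithTrialTenants value, and whether Skype consumer access is on, with a short list of findings a reviewer would want to see. It only reads configuration and changes nothing. It assumes the MicrosoftTeams module is installed and that Connect-MicrosoftTeams has already been run by an account holding the Teams Administrator role; the shape of the AllowedDomains object (an allow list whose AllowedDomain members carry a Domain property) is the one documented for Get-CsTenantFederationConfiguration.

```powershell
# Added example (not the article's own script): read-only audit of the tenant's
# Teams external access (federation) posture.
# Assumes: MicrosoftTeams module installed and Connect-MicrosoftTeams already run.

function Get-TeamsFederationPosture {
    [CmdletBinding()]
    param ()

    $config = Get-CsTenantFederationConfiguration

    # AllowedDomains is either an "allow all known domains" marker or an allow list whose
    # AllowedDomain members are domain patterns. Flatten both lists to plain domain strings.
    $allowed = @($config.AllowedDomains.AllowedDomain | ForEach-Object { $_.Domain } | Where-Object { $_ })
    $blocked = @($config.BlockedDomains | ForEach-Object { $_.Domain } | Where-Object { $_ })

    $findings = [System.Collections.Generic.List[string]]::new()

    if ($config.AllowFederatedUsers -and $allowed.Count -eq 0) {
        $findings.Add('Open federation: users in any Microsoft 365 tenant not on the block list can reach your users. Consider an allow list.')
    }

    if ($config.ExternalAccessWithTrialTenants -ne 'Blocked') {
        if ($allowed.Count -gt 0) {
            $findings.Add("ExternalAccessWithTrialTenants is '$($config.ExternalAccessWithTrialTenants)', but the allow list takes precedence; only listed domains can connect.")
        }
        else {
            $findings.Add("ExternalAccessWithTrialTenants is '$($config.ExternalAccessWithTrialTenants)'; trial-only tenants can start federated chats with your users.")
        }
    }

    if ($config.AllowPublicUsers) {
        $findings.Add('Skype consumer interoperability is enabled; consumer accounts can send connection requests to your users.')
    }

    [PSCustomObject]@{
        FederationEnabled              = $config.AllowFederatedUsers
        AllowedDomains                 = $allowed
        BlockedDomains                 = $blocked
        ExternalAccessWithTrialTenants = $config.ExternalAccessWithTrialTenants
        SkypeConsumerAccess            = $config.AllowPublicUsers
        Findings                       = $findings.ToArray()
    }
}

# Usage: run after Connect-MicrosoftTeams; an empty Findings array means nothing needs attention.
Get-TeamsFederationPosture | Format-List
```

Run this before and after July 29, 2024 and keep the output with your change records: a non-empty Findings array tells you at a glance whether the tenant relies on the new default or on an allow list of its own.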

Trial Tenants

Trial tenants are often used by attackers to secure a foothold within Microsoft 365 that they can use to probe other tenants, including by reaching out to people that they know about (probably through harvesting of email addresses) for a federated chat. In this context, a trial tenant is deemed to be one with a Teams service plan with trial subscriptions. Once a tenant purchases a license that includes a Teams service plan (like Office 365 E3), the tenant is no longer deemed to be a trial. Potential attackers don’t have to spend a lot of money to avoid being detected as trial tenants.

The block applies to Skype for Business on-premises users. That’s because the tenant external access configuration applies to Skype for Business as well as Teams in other Microsoft 365 organizations (Figure 1).

Figure 1: Teams and Skype for Business share the same federated communications policy

Exceptions

With the block in place, it will still be possible to add users from trial tenants to shared channels or as guest members of teams. You can block these points of entry by using an Entra ID B2B Collaboration policy to limit collaboration with named tenants.

Open Collaboration is Not Always Great

Flaws in technology have a nasty habit of being exposed. Open federation is a nice concept and in a perfect world where everyone behaved, it would be the right approach. It’s like Microsoft’s attitude to Microsoft 365 groups where everyone can create new groups. The fallacy of that approach and the problems it creates for tenant administration were pointed out in explicit terms to Microsoft in 2015. They persisted and created the problem of team rot and digital debris that afflicts so many tenants today. Then Copilot for Microsoft 365 comes along and exposes how easy it is for AI to consume confidential material. Microsoft responds with Restricted SharePoint Search, a terrible solution to a predictable problem of their making.

Plans hatched in Redmond don’t always work out as expected…


Make sure that you’re not surprised about changes that appear inside Microsoft 365 applications by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers stay informed.

Teams Group Chats Can Now Include External (Federated) Participants
https://office365itpros.com/2021/05/12/teams-group-chat-external/
Wed, 12 May 2021 01:52:00 +0000

Teams Group Chats Support External Access Via Teams Connect

When Microsoft announced Microsoft Teams Connect in March 2021, their focus was firmly on shared channels as a new way to collaborate with people external to an organization in a channel. Teams shared channels use Azure AD cross-tenant access policies alongside the existing Teams federation capability to communicate with external members (who don’t need guest accounts).

By default, Teams uses open federation, which means that you can communicate with any other Teams user in a Microsoft 365 tenant. Administrators can control the domains users can communicate with by adding domains to a list in the External access section of the Teams admin center and setting their status to be allowed or blocked (Figure 1).

Figure 1: External access settings in the Teams admin center

Up to now, the external access list has only been used to control federated 1:1 chat (including calls) between users in other domains. In the future, collaboration using shared channels will use the same list, so it’s important to keep it updated.

Federated Group Chats

On May 11, 2021, message center notification MC255536 announced an enhancement to chat (roadmap item 51126) to allow external participation in group chats. In effect, federated chat moves from its previous 1:1 limitation to allow external users from other tenants (they must have an Azure AD account) to join group chats of up to 250 participants. Roll-out to tenants begins in mid-May 2021 with completion due in late July 2021.

When the new software is available, you’ll be able to add external participants to group chats like any other tenant or guest account. To add an external person, enter their email address as a participant and then use the Search externally option (Figure 2). Teams checks the external access domain list to discover if federated chat is allowed with the participant’s domain, and if it is, looks up Azure AD to find their account. If the account exists, Teams adds it to the chat.

Figure 2: Searching for an external participant to join a Teams group chat

Of course, the domain for the external participant might block federated communications with your domain. If this is the case, the chat can’t happen.

As shown in Figure 3, when a group chat includes an external participant, Teams displays a prominent External label to advise everyone that they shouldn’t discuss company confidential information (unless it’s appropriate to share the information with an external person). External participants are also marked as such in the participant roster. If you want to share confidential information with external people, it’s probably best to use a private channel for this purpose.

Figure 3: Teams group chat with an external (federated) participant

Shared Channels Next

Microsoft hasn’t given a recent update about the progress of shared channels or an expected delivery date, but the feature is expected “later this year.”

Update (July 19, 2022): According to this post in the Microsoft technical community, Teams shared channels are now generally available to all Microsoft 365 tenants with Teams licenses.

Adding federated capability to bring external users into group chats is a logical step. Chats are often used to resolve issues before decisions are brought back for wider comment in channel conversations. It wouldn’t make much sense to be able to collaborate with groups of external users in a shared channel if you couldn’t communicate with the same people in a group chat.


Stay abreast of the latest developments by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that subscribers always know what’s going on across the Office 365 ecosystem.

Teams and Skype Consumer Connect Together
https://office365itpros.com/2020/03/10/teams-to-skype-consumer/
Tue, 10 Mar 2020 00:04:58 +0000

Teams to Skype Chats and VOIP Calls Bridge the Divide

Update May 19: Microsoft has run into some problems with the early implementation of the Skype consumer interoperability feature and has delayed the roll-out to make some code changes. The new target date for completion is the end of June.

Office 365 Notification MC205801 (Microsoft 365 roadmap item 53935) published on March 7, 2020 brings news that Teams is extending its federated chat capabilities to include Skype consumer users. When enabled, Teams and Skype users can have personal chats and VOIP calls with each other. Teams users can search for Skype users with their email address (not Skype ID or phone number) while Skype users need to know the user principal name of a Teams user.

Being able to communicate with Skype consumer users closes a gap in the Teams chat story that will help Skype for Business Online users move to Teams in advance of the July 31, 2021 deadline for the shutdown of Skype for Business Online.

Common Roots in the Media Stack

Apart from building out the Skype for Business Online migration story, this update shouldn’t be a huge surprise because Teams and Skype consumer share many components like the media stack. Once Microsoft had rolled out native federated chat for Teams users in different Office 365 tenants, Skype was the natural next stop.

Enable Under External Access

Unlike many new features Microsoft introduces in Teams, Teams-Skype interoperability is disabled by default. To allow users to chat and call each other, you must go to the Org-wide settings section of the Teams Admin Center, select External access, and then move the Users can communicate with Skype users slider to on (Figure 1).

Figure 1: Enabling Teams-Skype connections in the Teams Admin Center

Allow an hour or so for Teams and Skype to learn of their new ability to interact before trying to connect. To support federation, Teams users must be configured in TeamsOnly mode. This won’t be an issue for tenants that have always used Teams, but could be a problem for those still migrating from Skype for Business Online.

Searching for Connections

Teams users can search for people in Skype by typing their email address (the address associated with their Windows Live ID or Microsoft Services Account) into the search bar or by adding them to a chat. As with federated chat, Teams won’t find the address locally, but it will if you tell it to search externally.

Skype users can search for Teams users with their email address. When the chat connects to Teams, the Teams user has the option to block or accept the connection (Figure 2). If the user accepts, the connection is made, and the two users can chat and call each other. If the Teams user chooses to block the connection, no further attempts to connect by the Skype user will be accepted.

Figure 2: A Skype consumer user wants to connect to Teams

Meetings are unsupported on either platform and neither the Teams nor the Skype consumer user can see details of each other’s presence.

Given that Skype consumer users don’t belong to any organization, the likelihood of spammers connecting to Teams users exists. The Show messages link allows the Teams user to see whatever message the Skype user sends to set up a conversation as an aid to decide if they want to accept the connection (just like a LinkedIn request to connect!).

Microsoft recommends that Skype users should use version 8.58 or above. I tested with Skype version 8.56.0.102 and things worked OK. Even so, I will upgrade as soon as the Windows Store offers an update for Skype, just to make sure that I have all available bug fixes.

The Nature of Chat

Unlike Teams native federated chat, Skype to Teams chats are text-only and don’t enjoy the full range of text formatting, @mentions, and emojis that liven native chat between Teams users. However, if you input text emojis into Teams, Skype will interpret and change those emojis to graphics. In the conversation shown in Figure 3, inputting 😉 into Teams shows up as a wink in Skype.

Figure 3: How Teams conversations show up in Skype Consumer

Teams gathers compliance records for interactions with Skype users. Those records can be searched for using an Office 365 content search and included in an eDiscovery case. The messages posted by Skype users are also monitored by Office 365 supervision policies and Microsoft 365 communication compliance policies.

Another Step for Skype for Business Online Users

Slowly but surely, Microsoft is peeling away any reason why Skype for Business Online users want to stay on that platform. Connecting with consumer users is important because it allows consumers to be brought into the Teams ecosystem. Another item is marked off on the migration checklist.


Planning a migration from Skype for Business Online is a difficult and time-consuming task. Make it easier by subscribing to the Office 365 for IT Pros eBook and learn from our experience.

Using Teams External Access for Federated Chats
https://office365itpros.com/2019/03/22/teams-federated-chats/
Fri, 22 Mar 2019 04:26:38 +0000

Teams Communication with Users in other Microsoft 365 Tenants

Updated 1 June 2023.

In the context of a messaging application like Teams, federation means that your tenant allows connections with people belonging to other organizations. For example, if my tenant is federated with Microsoft’s tenant, I can use Teams federated chat to message and call users belonging to the Microsoft tenant.

Being able to reach outside the boundaries of your tenant is a big thing for a communications client. Teams was slow to make this happen, but now External Access (the term Teams uses for federation) works well if you enable the feature in your tenant by turning it on in the org-wide setting section of the Teams Admin Center. You can also set up a list of allowed or blocked domains. If no list exists, any user in another Office 365 tenant can connect to users in your tenant.

Finding an External User

External access is not the same as the access enjoyed by Azure AD guest accounts. It’s much more limited (think chats and calls) whereas guest access can allow someone to have extensive access to tenant resources (groups, teams, sites, individual documents). Along with the ability to chat and call (on an individual basis), external users can see presence information for other people. And most important, they can search your tenant directory to find people.

An external user can’t browse your directory. Searching means that they can input an email address (or SIP address) into the search box to instruct Teams to look up the name in the tenant owning the domain name part of the email address (Figure 1). And if a match is found, Teams launches a 1:1 chat. The trick is to have Teams search externally (see below). If you don’t see this option, you know external access isn’t enabled in your tenant.

Figure 1: Searching for an external user in another Microsoft 365 tenant

A Potential Lack of Emojis in Teams Federated Chat

Once the chat starts, you’ll discover other limitations. Most importantly, you can’t share files with an external user (you can upload a file to OneDrive or another sharing site and then send a link). Somewhat less critically, you can’t use emojis or reactions (like) in a response unless both tenants are configured in “TeamsOnly” mode. Both the iOS and Android clients support emojis in their native keyboards and it’s possible to insert them with the desktop client using the Windows + ; (Windows key plus semi-colon) combination.

Fewer text formatting options are available too. Teams gives a visible indicator (Figure 2) that you’re using a federated communication by displaying the address of the external user in the title bar.

Figure 2: How Teams shows that you’re communicating with an external user

Apart from these restrictions, a chat with an external user is much the same as with a tenant or guest user. Apart from a potential lack of emojis, it’s as easy to communicate externally with Teams as it was with Skype for Business.

Controlling Teams Federated Chat

At the organization level, the Teams admin center (Figure 3) offers these options to control Teams external access/federated chat:

  • Allow all external domains. This is the default, chosen because Microsoft wants to encourage organizations to communicate and collaborate together.
  • Block all external domains.
  • Block only specific external domains.
  • Allow only specific external domains. This is the option I suggest organizations adopt, if only to avoid potential attacks like the GIFShell demonstration. It’s possible to update the allowed external domains list with PowerShell. I show how to do this in an article explaining how to add external domains for guest accounts present in the tenant.

Figure 3: Controlling Teams external access in the Teams admin center
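The last option above, and the earlier remark that the allowed domain list can be maintained with PowerShell from the guest accounts present in the tenant, is shown in working form below. This is an added example, not the article the author refers to and not Microsoft's code. It assumes the MicrosoftTeams and Microsoft.Graph.Users modules, with sessions opened by Connect-MicrosoftTeams and Connect-MgGraph -Scopes 'User.Read.All'. The consumer domains it skips are an assumed list (those domains are not Microsoft 365 tenants, so adding them to a federation allow list achieves nothing); the New-CsEdgeDomainPattern / New-CsEdgeAllowList objects are the documented way to build the value that Set-CsTenantFederationConfiguration -AllowedDomains accepts.

```powershell
# Added example (not the article's own script): derive the Teams external access allow
# list from the domains of guest accounts already in the tenant, then apply it.
# Assumes: MicrosoftTeams and Microsoft.Graph.Users modules; Connect-MicrosoftTeams and
# Connect-MgGraph -Scopes 'User.Read.All' already run.

function Get-GuestAccountDomain {
    # Returns the unique external domains of guest accounts. A guest's real address is in
    # Mail; when Mail is empty, it is recovered from the user_domain.com#EXT#@... UPN form.
    [CmdletBinding()]
    param (
        # Assumed list of consumer domains to skip; they are not Microsoft 365 tenants.
        [string[]] $ExcludeDomain = @('gmail.com', 'outlook.com', 'hotmail.com', 'live.com', 'yahoo.com')
    )

    Get-MgUser -Filter "userType eq 'Guest'" -All -Property Mail,UserPrincipalName |
        ForEach-Object {
            $address = $_.Mail
            if (-not $address) {
                $local   = ($_.UserPrincipalName -split '#EXT#')[0]
                $address = $local -replace '_([^_]+)$', '@$1'   # last underscore separates user from domain
            }
            ($address -split '@')[-1].ToLowerInvariant()
        } |
        Where-Object { $_ -and ($_ -notin $ExcludeDomain) } |
        Sort-Object -Unique
}

function Update-TeamsAllowedDomains {
    # Merges the supplied domains with the current allow list and writes it back.
    # Supports -WhatIf so the change can be reviewed before it is applied.
    [CmdletBinding(SupportsShouldProcess)]
    param (
        [Parameter(Mandatory)] [string[]] $Domain
    )

    $config   = Get-CsTenantFederationConfiguration
    $existing = @($config.AllowedDomains.AllowedDomain | ForEach-Object { $_.Domain } | Where-Object { $_ })
    $merged   = @(($existing + $Domain) | Sort-Object -Unique)

    # Nothing to write if every guest domain is already allowed
    if ($merged.Count -eq $existing.Count) {
        Write-Verbose 'Allow list already contains every guest domain.'
        return $existing
    }

    $patterns  = $merged | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
    $allowList = New-CsEdgeAllowList -AllowedDomain $patterns

    if ($PSCmdlet.ShouldProcess('tenant federation configuration', "Set allow list to $($merged.Count) domains")) {
        Set-CsTenantFederationConfiguration -AllowedDomains $allowList
    }
    return $merged
}

# Usage: review with -WhatIf first, then run again without it to apply.
$guestDomains = Get-GuestAccountDomain
Update-TeamsAllowedDomains -Domain $guestDomains -WhatIf
```

Applying a non-empty allow list replaces open federation, so the first run on a tenant that currently allows all domains is the moment to confirm the list covers every partner your users actually chat with; the -WhatIf pass and the returned domain array exist for that review.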


For more information about Teams, read Chapter 13 of Office 365 for IT Pros. Teams meetings are covered in Chapter 16.
