Block for Federated Communications Imposed on July 29, 2024

In a development reported in message center notification MC805200 (25 June 2024), Microsoft is moving to block a potential attack vector that might be exploited by malicious actors who attempt to launch phishing or abuse attacks against Teams by blocking federated chat from trial tenants. I say “potential” because although demonstrations of how such an attack might happen in the GIFShell and JumpSec exploits, I am unaware of any successful attack.

In any case, an easy fix for phishing attempts from any unknown tenant already exists by not amending the tenant’s external access configuration to restrict federation to a curated tenant list. I advise every tenant to do this because there’s really no need to allow open access to your tenant unless you want to invite unwanted communications. It’s easy to use PowerShell to update the allowed tenant list automatically based on conditions like guest user accounts created within the tenant or even existing federated chats found for user accounts.

But applying an allow list to external federation goes against the philosophy of open federation for chat espoused by Microsoft. I think this kind of thinking is wrong in the current threat climate. All it does is open customers to exploits, which then means that Microsoft is forced to introduce controls.

In this case, Microsoft is introducing a new tenant-wide control for the federation configuration to block external access with trial-only tenants. The new control is called ExternalAccessWithTrialTenants and is set to Blocked by default.

Blocked means that users from trial tenants are unable to search for people or create federated chats with users in your tenant and Teams will remove any users from trial tenants from existing chats. Users from trial tenants will be unable to participate in Teams calls hosted by your tenant, unless those calls permit anonymous join. Likewise, users from your tenant will be unable to connect with users belonging to trial tenants.

If you follow my advice and limit federated communications to an allow list of selected domains, the ExternalAccessWithTrialTenants has no effect because the allow list takes precedence. Trial-only tenants are only permitted if added to the allow list.

Deployment Starts Now

Microsoft says that the deployment of the new setting is complete worldwide, so you should be able to see it by running the Get-CsTenantFederationConfiguration cmdlet from the latest version of the Microsoft Teams PowerShell module:

Get-CsTenantFederationConfiguration | Format-List ExternalAccessWithTrialTenants

ExternalAccessWithTrialTenants: Blocked

Microsoft plans to implement the block on July 29, 2024. If you take no action, federated chat with trial tenants will cease. After that time, if you really want to open your tenant to communications with trial tenants, you can run the Set-CsTenantFederationConfiguration cmdlet to update ExternalAccessWithTrialTenants to Allowed. Don’t make this change.

Trial Tenants

Trial tenants are often used by attackers to secure a foothold within Microsoft 365 that they can use to probe other tenants, including by reaching out to people that they know about (probably through harvesting of email addresses) for a federated chat. In this context, a trial tenant is deemed to be one with a Teams service plan with trial subscriptions. Once a tenant purchases a license that includes a Teams service plan (like Office 365 E3), the tenant is no longer deemed to be a trial. Potential attackers don’t have to spend a lot of money to avoid being detected as trial tenants.

The block applies to Skype for Business on-premises users. That’s because the tenant external access configuration applies to Skype for Business as well as Teams in other Microsoft 365 organizations (Figure 1).

Exceptions

With the block in places, it will still be possible to add users from trial tenants to shared channels or as guest members of teams. You can block these points of entry by using an Entra ID B2B Collaboration policy to limit collaboration with named tenants.

Open Collaboration is Not Always Great

Flaws in technology have a nasty habit of being exposed. Open federation is a nice concept and in a perfect world where everyone behaved, it would be the right approach. It’s like Microsoft’s attitude to Microsoft 365 groups where everyone can create new groups. The fallacy of that approach and the problems it creates for tenant administration were pointed out in explicit terms to Microsoft in 2015. They persisted and created the problem of team rot and digital debris that afflicts so many tenants today. Then Copilot for Microsoft 365 comes along and exposes how easy it is for AI to consume confidential material. Microsoft responds with Restricted SharePoint Search, a terrible solution to a predictable problem of their making.

Plans hatched in Redmond don’t always work out as expected…

Make sure that you’re not surprised about changes that appear inside Microsoft 365 applications by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers stay informed.