Blocking Access to Teams Meeting Chat in External Tenants

Block Meeting Chats for Non-Trusted Tenants

In July 2023, Microsoft introduced a new meeting policy setting to control the ability of users to participate in meeting chats for meetings hosted in other non-trusted Microsoft 365 tenants. The change addresses a potential issue where people might reveal confidential information in a meeting chat that their home tenant knows nothing about. Of course, users can also reveal confidential information orally and that information can be captured in a meeting transcript that’s under the control of the host tenant, but that’s a more difficult problem to crack.

The update is covered in message center notification MC561186 (26 May 2023) and Microsoft 365 roadmap item 123975 and the setting should now be available in all tenants, including DOD and GCC-High.

Trusted and Non-Trusted Tenants

A trusted Microsoft 365 tenant is one that the Teams external access settings allow users to connect to for chats and meetings. By default, Teams allows external access to all other Microsoft 365 organizations (Figure 1), meaning that all other tenants are trusted.

Figure 1: Teams external access allowed for all organizations

Last year, a proof of concept for an attack called GIFshell exposed a downside in the default setting where an attacker could set up a chat with an unsuspecting victim and transmit a modified GIF file containing malware. The easy answer to stopping this kind of attack is to change the external access setting to restrict incoming connections to an allow list of specified tenants.

The need for ongoing maintenance is the downside of using an allow list. In a follow-up article, I discussed how to use PowerShell to populate an allow list based on the home tenants for guest accounts. This helps, but creating an allow list from guest accounts is unlikely to discover every external tenant that users need to communicate with for business purposes. Some other arrangement is therefore necessary to allow users to request the addition of a domain to the allow list. The Teams Approvals app might be one way to handle the issue. Power Automate might be another.

Blocking Access to Meeting Chat in Non-Trusted External Tenants

The new control is in the Meeting engagement section of Meeting policies in the Teams admin center (Figure 2). By default, the setting is enabled, meaning that users can participate in chats in meetings hosted by any external Microsoft 365 tenant.

Figure 2: External meeting chat setting in the Teams admin center

Updating the setting to Off blocks the Chat app in meetings hosted by untrusted external tenants.

You can also manage the setting through PowerShell. First, to see the value of the AllowExternalNonTrustedMeetingChat setting in the meeting policies defined for the tenant, run the Get-CsTeamsMeetingPolicy cmdlet:

Get-CsTeamsMeetingPolicy | Format-Table identity, AllowExternalNonTrustedMeetingChat

Identity                           AllowExternalNonTrustedMeetingChat
--------                           ----------------------------------
Global                                                           True
Tag:AllOn                                                        True
Tag:RestrictedAnonymousAccess                                    True

To block access to chat in external meetings, run the Set-CsTeamsMeetingPolicy cmdlet to update the value of AllowExternalNonTrustedMeetingChat for a meeting policy.

Set-CsTeamsMeetingPolicy -Identity Global -AllowExternalNonTrustedMeetingChat $False

An hour or so after updating the meeting policy, the accounts assigned the policy will lose access to chat in external meetings hosted by non-trusted tenants.
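The check and update steps above, combined into one function as an added example that is not from the original article: it shows the external access settings that define which tenants are trusted, reports AllowExternalNonTrustedMeetingChat for every meeting policy, and optionally sets the value to $False. The function name and the -Remediate switch are hypothetical, and the code assumes the MicrosoftTeams module is loaded and Connect-MicrosoftTeams has already been run with Teams administrator rights.

```powershell
# Added example, not from the original article. Requires the MicrosoftTeams module
# and an existing Connect-MicrosoftTeams session with Teams administrator rights.
function Invoke-ExternalMeetingChatAudit {   # hypothetical function name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$Remediate   # hypothetical switch: turn the setting off where it is on
    )

    # Show the external access (federation) settings that decide which tenants are trusted.
    Get-CsTenantFederationConfiguration |
        Format-List AllowFederatedUsers, AllowedDomains, BlockedDomains | Out-Host

    # Collect the current value from every meeting policy in the tenant.
    $Policies = Get-CsTeamsMeetingPolicy |
        Select-Object Identity, AllowExternalNonTrustedMeetingChat

    # Treat anything other than an explicit $False as still allowing chat.
    $Open = @($Policies | Where-Object { $_.AllowExternalNonTrustedMeetingChat -ne $False })

    if ($Remediate) {
        foreach ($Policy in $Open) {
            # Get- lists non-global policies as "Tag:Name"; pass the bare name to Set-.
            $Name = $Policy.Identity -replace '^Tag:', ''
            if ($PSCmdlet.ShouldProcess($Name, 'Set AllowExternalNonTrustedMeetingChat to False')) {
                try {
                    Set-CsTeamsMeetingPolicy -Identity $Name `
                        -AllowExternalNonTrustedMeetingChat $False -ErrorAction Stop
                }
                catch {
                    # Report a policy that could not be changed and carry on with the rest.
                    Write-Warning "Could not update policy '$Name': $($_.Exception.Message)"
                }
            }
        }
        # Re-read so the returned report reflects the state after the change.
        $Policies = Get-CsTeamsMeetingPolicy |
            Select-Object Identity, AllowExternalNonTrustedMeetingChat
    }
    return $Policies
}

# Report only:
Invoke-ExternalMeetingChatAudit | Format-Table -AutoSize
# Preview the changes without making them:
# Invoke-ExternalMeetingChatAudit -Remediate -WhatIf
```

Running the report again after the hour or so mentioned above confirms which policies now carry False.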

Keep External Access Open or Apply Restrictions

If you’re not worried about what people might chat about in external meetings, leave the setting alone and Teams will behave as before. This control is for organizations that have reason to want to stop people from chatting when participating in meetings hosted by non-trusted tenants. Of course, the question of deciding which tenants to trust comes into play here. That’s a difficult question to answer in a generic sense, and it’s definitely worthwhile for a Microsoft 365 tenant to consider whether it wants to operate external access on an open or closed basis.
