External User Access SHALL Be Restricted

Description

External access allows external users to look up internal users by their email address to initiate chats and calls entirely within Teams. Blocking external access prevents external users from using Teams as an avenue for reconnaissance or phishing. Even with external access disabled, external users will still be able to join Teams calls, assuming anonymous join is enabled. Depending on organizational need, if both external access and anonymous join need to be blocked— neither required nor recommended by this baseline—external collaborators would only be able to attend meetings if added as a B2B guest user. External access may be granted on a per-domain basis. This may be desirable in some cases, e.g., for agency-to-agency collaboration.

Policy

External access SHALL only be enabled on a per-domain basis.
Anonymous users SHOULD be enabled to join meetings.

Licensing Considerations

Any Teams licensing supports this configuration.

Set Up Instructions

Manage external meetings and chat - Microsoft Teams | Microsoft Learn

Manage meeting settings - Microsoft Teams | Microsoft Learn

Use guest access and external access to collaborate with people outside your organization - Microsoft Teams | Microsoft Learn

End-User Impact

Level: Low

This will vary depending on the organization and need for external collaboration. A formal process for adding external domains for collaboration should be established so that end users have a place to request new external participants.

Tips

Make sure its clear how end-users request external collaboration participants

PowerShell Scripts

Set External Access Policy: Set-CsExternalAccessPolicy (SkypeForBusiness) | Microsoft Learn

Manage external meetings and chat - Microsoft Teams | Microsoft Learn

Videos

None Currently

PreviousAutomatic Admittance to Meetings SHOULD Be Restricted NextUnmanaged User Access SHALL Be Restricted

Last updated 10 months ago