Securing Microsoft Teams and any other SaaS platform is of upmost importance. Microsoft Teams has several options for doing this, but there are two settings dealing with people outside your organization: guest access and external access. In this post, I’m focusing on external access and how to resolve an issue when you remove the last blocked domain.
What is external access?
External access allows your Teams and Skype for Business Online users to communicate with other people outside of your organization. For seasoned Lync or Skype for Business administrators, this is also known as federation. These external user are also using Teams or Skype for Business. In a new Teams tenant, your users will have the ability to communicate with all external domains. This is often referred to as “open federation” and is the least restrictive option. The communication options include chat or instant messaging, desktop sharing, and audio/video calls.
You can access external access settings by navigating to the Teams admin center at https://admin.teams.microsoft.com. From there, navigate to Org-wide settings, then External access.
Managing Federated Domains
If you want to lock this down a bit, there are a few options. First, you can block all external communication with other Skype for Business and Teams users. This will keep all communication within your organization. There is also the option to allow or block communication with Skype consumer users. These options can be toggled On or Off.
If you decide to allow users to contact Teams and Skype for Business users in other organizations, you can configure additional restrictions based on domains. You can add specific external domains to block. This means your users can still communicate with any other outside organization except those domains on the blocked list.
The other option is configuring a set of allowed external domains. This means your users can communicate only with those external domains and all others will be blocked. This often leads to requests to add a new domain and open up communication with a new domain. I have seen where the other company requires some type of agreement to be signed and a designated point-of-contact for future communication with the other organization.
Unlike previous Lync and Skype for Business server versions, you cannot mix allowed and blocked domains. If you add a blocked domain, then you can only add other blocked domains in your list. This goes for allowed domain lists too. There were levels of “allowed-ness” or federation trust in the on-premises versions but this is not the case in Teams online.
However, the admin center does not stop you from adding both into the list, and honestly, I’ve never tested to see what behavior occurs in this configuration:
Error Removing the Last Blocked Domain
An issue I ran into recently is trying to remove the last blocked domain in the external access settings. When trying to remove the last blocked domain from the list, it returns the error:
We weren’t able to remove the domain. You must have at least one domain in the block list.
Why the admin center feels the need that one blocked domain should be present, I’m not sure. But if you find yourself in this situation and needing to clear out the list, you’ll have to drop out to a Skype for Business Online PowerShell session to do so. If you need a refresher on how to connect to Skype for Business Online PowerShell, check out this article:
First, view the current settings and the last blocked domain in the federation settings:
To remove the last blocked domain, run the Set-CsTenantFederationgConfiguration command and set the BlockedDomains to $null, then check the configuration after the change:
Set-CsTenantFederationConfiguration -BlockedDomains $null
With the blocked domains cleared in PowerShell, refresh the Teams admin center and see the domain list is now clear: