Dear community,

I just got external access working with both test tenants that my organization has. However, I want to clarify some things about what external access opens up for other users from other organizations (in case of "open federation"). My questions are the following:

1. In case of "Open Federation / no blocked domains": Can anyone who has access to my email address, has Teams and external access with "open federation" as well, just send me a chat message, without any form of me having to accept that incoming chat message?

2. In case of "Open Federation / no blocked domains": Can anyone who has access to my email address, has Teams and external access with "open federation" as well, just give me an ad hoc call via their Teams chat, without any form of me having to accept that incoming call?

I am asking this just to make sure I get this straight. Because if there is no sort of security in the sense of blocking incoming external calls or messages when using external access in combination with "Open federation", then potentially you open up a new channel for spamming and phishing, right?

Thank you so much for your help,

Sylvester

Hi @Forrest Hoffman,

Thanks for the quick response! In your references I see a lot of information on Guest Access. However, guest access is something different compared to External Access. Guest access allows collaboration and also much more control in terms of security.

My questions are purely about external access with open federation. However, I cannot find answers to my specific questions as stated before when going through the Microsoft documentation. Any more ideas?

Thanks,

Sylvester

best response confirmed by Sylvester- (Occasional Contributor)
Solution

@Sylvester- I think it really depends on HOW the other Federated domains have their configuration set.

The first link doesn't exactly mention IF the External participants can see your e-mail. However, if they already have it then they would be able to send a Chat request or add you as a Contact. I suppose a malicious user in a Federated Domain could spray your users if they had a list of e-mails, but that is a very low chance if the Federated domain is trustworthy.

I did find another article at the very bottom of the first doc that tries to explain External versus Guest.

Hi @Forrest Hoffman,

Thanks! So I think I understand correctly now. The way I understand it: If you allow external access with open federation (no black or whitelisting) then users from other orgs that have the same settings could, if they have your email address, send you chat messages or give you a call without you having to "accept" that incoming call or chat message first. However, as you say, it might be better to whitelist domains of organizations that you find trustworthy in order to make sure that only those organizations can contact users in our organization. That is correct, right?

Thanks for your help :)

Sylvester

I guess if you really

@Sylvester- I am not sure how the granular interaction works with the Federations. There may even be more configuration options available through PowerShell or other API. To be honest, we are not using Federations or Trusted Domains, yet! One of the other problems is the speed at which changes are being made with the Teams platform / service. Just about the time I think I have a grasp of what is happening, they make more changes.

Having said that, it seems that all parties involved in setting up Federation have responsibility for adjusting configuration options in their own Domains for things to work (or not). If you do start setting up Federations & Trusted Domains, I would make sure I have Global Admin contacts for all parties involved.  Sometimes the smallest change in the settings will have a large impact.

Another thing to be careful of is HOW LONG some changes take to become effective. If you read many of the posts on Teams configuration problems you will learn that sometimes it takes several hours for the change you make to actually become effective.
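
Added example, not part of the thread or any participant's post: one way to move a tenant from open federation to the allow list discussed above, using the MicrosoftTeams PowerShell module. The domains `contoso.com` and `fabrikam.com` are placeholders (assumptions), and the script assumes a Teams administrator account.

```powershell
# Added example; the domain names below are placeholders, not from the thread.
# Requires the MicrosoftTeams module and a Teams administrator sign-in.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# 1. Record the current tenant-wide external access (federation) settings.
#    Open federation shows AllowFederatedUsers = True, AllowedDomains set to
#    AllowAllKnownDomains, and no entries in BlockedDomains.
$before = Get-CsTenantFederationConfiguration
$before | Format-List AllowFederatedUsers, AllowedDomains, BlockedDomains

# 2. Build the list of partner domains that may reach your users.
#    Once an allow list is set, only these domains are federated.
$trusted = New-Object Collections.Generic.List[String]
$trusted.Add('contoso.com')     # placeholder partner domain
$trusted.Add('fabrikam.com')    # placeholder partner domain

# 3. Replace "allow all known domains" with the explicit allow list.
Set-CsTenantFederationConfiguration -AllowedDomainsAsAList $trusted

# 4. Read the setting back to confirm what the service stored.
Get-CsTenantFederationConfiguration |
    Format-List AllowFederatedUsers, AllowedDomains, BlockedDomains

# Rollback to open federation, if a partner domain was missed:
# Set-CsTenantFederationConfiguration -AllowedDomains (New-CsEdgeAllowAllKnownDomains)
```

Both tenants have to permit each other for chat and calls to work, and, as noted above, a change can take hours before it is effective, so test from a partner account only after waiting.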
