Block an external user in Microsoft Teams

Teams administrators can configure various options for communication with external users.
Administrators can now also block specific external users. Microsoft mentioned the possibility last August.

The availability of the delete API (removeallaccessforuser API) does not stop a malicious user from resending a Microsoft Teams message to the same victim. To help prevent that, a block user feature will allow the admin to block the malicious user from reaching out again. To make this possible, we will use a similar feature as the allow/block list in federation identity credentials to block the malicious user from the entire organization.

The new configuration is available in the Teams Admin Center > Users > External Access > Organization Settings and is disabled by default.

Block external users in Teams

Alternatively, the configuration is also possible with the Teams PowerShell module.
The configuration is still being rolled out. If it is not yet available for your tenant, PowerShell reports that your tenant has not been enabled for the Private Preview.

Policy is in rollout

There are two new properties for the External Access configuration in PowerShell: BlockExternalAccessUserAccess and BlockedUsers.
Both properties must be configured.

BlockExternalAccessUserAccess
Designates whether the BlockedUsers list takes effect. $true means the users in BlockedUsers are blocked and can’t communicate with internal users.

BlockedUsers
You can specify blocked users using a List object that contains either the user email or the MRI from the external user you want to block. The user in the list will not be able to communicate with the internal users in your organization.

New properties for BlockedUsers

The configuration is enabled using the command Set-CsTeamsExternalAccessConfiguration.

PowerShell
Set-CsTeamsExternalAccessConfiguration -Identity Global -BlockExternalAccessUserAccess $true -BlockedUsers "<user1>@<domain.com>","<user2>@<domain.com>"


The change takes a few hours to take effect.

  • Teams informs blocked users in existing chats that messages can no longer be sent.
New messages are blocked in existing chats
  • In new chats, Teams notifies blocked users that the communication is not possible.
Chat communication is not possible in new chats
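
The following is an added example, not code from the original post or from Microsoft: it appends users to the block list rather than overwriting it, sets both properties in one call, and reads the result back. It assumes a connected Teams PowerShell session, that -BlockedUsers replaces the stored list, and email-only entries; the function name and sample addresses are constructed.

```powershell
# Added example, not from the original post or Microsoft's documentation.
# Assumes the MicrosoftTeams module and an existing Connect-MicrosoftTeams session.
function Add-TeamsBlockedExternalUser {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string[]]$User   # external users' email addresses (this example skips MRIs)
    )

    # Shape check so a typo does not land in the organization-wide list.
    $invalid = @($User | Where-Object { $_ -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$' })
    if ($invalid.Count -gt 0) { throw "Not an email address: $($invalid -join ', ')" }

    $current = Get-CsTeamsExternalAccessConfiguration -Identity Global

    # Assumption: -BlockedUsers replaces the stored list, so merge with what is there.
    $merged = @(@($current.BlockedUsers) + $User |
        Where-Object { $_ } |
        ForEach-Object { "$_".Trim() } |
        Sort-Object -Unique)   # case-insensitive de-duplication

    if ($PSCmdlet.ShouldProcess('Global', "Block $($merged.Count) external user(s)")) {
        try {
            # Both properties are set together; the list has no effect while the switch is off.
            Set-CsTeamsExternalAccessConfiguration -Identity Global `
                -BlockExternalAccessUserAccess $true -BlockedUsers $merged -ErrorAction Stop
        } catch {
            # Tenants not yet enabled for the feature are rejected here.
            Write-Error "External access configuration not updated: $($_.Exception.Message)"
            return
        }
    }

    # Read back both properties; enforcement itself takes a few hours.
    Get-CsTeamsExternalAccessConfiguration -Identity Global |
        Select-Object BlockExternalAccessUserAccess, BlockedUsers
}

# Constructed sample addresses; -WhatIf previews the change without applying it.
Add-TeamsBlockedExternalUser -User 'user1@example.com', 'user2@example.com' -WhatIf
```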

Tobias Asböck
