Teams now supports domain blocking via Microsoft Defender Tenant Allow/Block List

Microsoft Teams now integrates with Microsoft Defender for Office 365, allowing security admins to manage blocked domains for Teams using the Tenant Allow/Block List in the Microsoft Defender portal. This integration centralizes domain blocking across Microsoft 365 services and applies to all Teams clients as well as the Defender XDR portal.

Timeline

The rollout should be completed in September 2025.

Impact for your organization

Teams admins can now enable a new option under Users > External Access to apply blocked domains from the Microsoft Defender Tenant Allow/Block List.

External access settings in Teams Admin Center

Admins can also configure this setting using PowerShell with the DomainBlockingForMDOAdminsInTeams property.

DomainBlockingForMDOAdminsInTeams
When set to ‘Enabled’, security operations team will be able to add domains to the blocklist on security portal. When set to ‘Disabled’, security operations team will not have permissions to update the domains blocklist.

PowerShell configuration

This option is disabled by default and must be explicitly enabled to grant security administrators access to manage blocked domains for Teams. Teams supports up to 4,000 blocked domains.

Security admins will find a new option to block Teams domains in the Tenant Allow/Block List.

Microsoft Defender Tenant Allow/Block list

If a blocked domain is added, Defender will update the external access configuration to “Block only specific external domains.”

Blocked domain from the Defender tenant block list

Incoming communications from blocked domains are prevented across chats, channels, meetings, and calls. As Microsoft states, existing communications from these domains can be automatically deleted. Actions taken to block domains are recorded in audit logs for compliance monitoring and reporting purposes.

This change does not affect existing federation configurations or domain blocks set directly in the Teams admin center.

As outlined in the documentation, three prerequisites apply:

  • Microsoft Defender for Office 365 Plan 1 or Plan 2 is required.
  • A Teams admin must enable the option to manage blocked domains via Microsoft Defender.
  • A Teams admin must configure external access as either “Block only specific external domains” or “Allow all external domains”.
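The PowerShell configuration and the external access prerequisite described above can be checked and applied in one pass. The script below is an added example, not taken from the original article or from Microsoft's documentation. It assumes the MicrosoftTeams module, a Teams administrator sign-in, that `Get-CsTenantFederationConfiguration` returns the `DomainBlockingForMDOAdminsInTeams` property, and that an open allow list renders as `AllowAllKnownDomains`.

```powershell
# Added example: enable Defender-managed domain blocking for Teams after
# checking the external access prerequisite. Run as a Teams administrator.
Import-Module MicrosoftTeams -ErrorAction Stop
Connect-MicrosoftTeams | Out-Null

$MaxBlockedDomains = 4000   # limit stated in the article

$cfg = Get-CsTenantFederationConfiguration

# Prerequisite: external access must be "Allow all external domains" or
# "Block only specific external domains". Both modes have federation on and
# no explicit allow list.
# Assumption: an open allow list is rendered as 'AllowAllKnownDomains'.
$federationOn = [bool]$cfg.AllowFederatedUsers
$noAllowList  = "$($cfg.AllowedDomains)" -match 'AllowAllKnownDomains'
if (-not ($federationOn -and $noAllowList)) {
    throw 'External access mode does not meet the prerequisite. Change it under Users > External Access first.'
}

# Report how much of the block list is already used by entries set in Teams.
# Where-Object drops a $null value so an empty list counts as 0, not 1.
$blocked = @($cfg.BlockedDomains | Where-Object { $_ })
Write-Host ('Teams blocked domains in use: {0} of {1}' -f $blocked.Count, $MaxBlockedDomains)
if ($blocked.Count -ge $MaxBlockedDomains) {
    Write-Warning 'The block list is full. New entries from the Defender portal cannot be added.'
}

# The option is disabled by default, so enable it only when needed.
$before = "$($cfg.DomainBlockingForMDOAdminsInTeams)"
Write-Host "DomainBlockingForMDOAdminsInTeams before: $before"
if ($before -ne 'Enabled') {
    Set-CsTenantFederationConfiguration -DomainBlockingForMDOAdminsInTeams Enabled
}

# Read the configuration back and fail loudly if the change did not apply.
$after = "$((Get-CsTenantFederationConfiguration).DomainBlockingForMDOAdminsInTeams)"
if ($after -ne 'Enabled') {
    throw "Setting was not applied (current value: '$after')."
}
Write-Host "DomainBlockingForMDOAdminsInTeams after: $after"
```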

Tobias Asböck

Tobias is a Senior System Engineer with around ten years of professional experience with Microsoft 365 products such as SharePoint Online, SharePoint Premium, OneDrive for Business, Teams Collaboration, Entra ID, Information Protection, Universal Print, and Microsoft 365 Licensing. He also has 15+ years of experience planning, administering, and operating SharePoint Server environments. Tobias is a PowerShell Scripter with certifications for Microsoft 365 products. In his spare time, Tobias is busy with updates in the Microsoft 365 world or on the road with his road bike and other sports activities. If you have additional questions, please contact me via LinkedIn or [email protected].
