External Domains Restricted In Teams

💼 Management Summary

Restricting external access in Teams to approved domains prevents uncontrolled communication and collaboration with external parties, and reduces phishing and data-leak risks.

Recommendation
IMPLEMENT
Risk without implementation
Medium
Risk Score
6/10
Implementation
4h (tech: 1h)
Applies to:
✓ M365
✓ Teams

With unrestricted Teams external access, anyone in the world can contact your users: phishing attacks via Teams chat and calls, social engineering for credential theft, business email compromise via Teams instead of email, and data leaks via file sharing in external chats. Domain restrictions allow collaboration with approved partners only (domain allowlist) or block specific risky domains (domain blocklist).

PowerShell Modules Required
Primary API: Teams PowerShell
Connection: Connect-MicrosoftTeams
Required Modules: MicrosoftTeams

Implementation

Configure Teams external access: (1) allow only specific external domains (allowlist approved partners), or (2) block specific domains (blocklist competitors/risky domains), or (3) block all external access (most restrictive). Recommended: the allowlist approach, specifying approved partner domains only. Users can NOT communicate with external users outside the approved domains.

Prerequisites

  1. Teams Administrator
  2. List of approved external domains
  3. External collaboration policy
  4. User communication

Implementation

  1. Teams admin center → Org-wide settings → External access
  2. Choose: allow only specific external domains (allowlist); add the approved partner domains (partner1.com, partner2.com)
  3. Alternative: block all external access (if no external collaboration is needed)
  4. Users can communicate with Teams users within the allowed domains only
  5. Test: an internal user cannot chat with an unapproved external domain
  6. Communicate the external collaboration restrictions to users
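As an added example that is not part of the baseline's own script, the following PowerShell compares the tenant's federation configuration with the organisation's approved partner list (step 2) so that the test in step 5 can be repeated automatically: it reports domains allowed in the tenant that were never approved, approved partners not yet allowed, open federation, and whether consumer (Skype) federation is still enabled. The function name Test-TeamsFederationDrift, the $ApprovedDomains input and the sample configuration object are constructed for this example; for live use pass the output of Get-CsTenantFederationConfiguration after Connect-MicrosoftTeams.

```powershell
# Added example: detect drift between the live Teams federation allow list and
# the approved partner list. Hypothetical function, not part of the baseline script.
function Test-TeamsFederationDrift {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$ApprovedDomains,
        # A live Get-CsTenantFederationConfiguration object, or a constructed one for offline testing
        [Parameter(Mandatory = $true)]
        $Config
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # Consumer (Skype) federation bypasses any domain allow list, so flag it separately
    if ($Config.AllowPublicUsers) {
        $findings.Add("AllowPublicUsers is enabled: consumer Skype accounts can contact users")
    }

    if (-not $Config.AllowFederatedUsers) {
        # Fully blocked: no drift possible, but approved partners are unreachable
        return [pscustomobject]@{ Mode = 'Blocked'; Unexpected = @(); Missing = $ApprovedDomains; Findings = $findings }
    }

    if ($Config.AllowedDomains.AllowAllKnownDomains) {
        $findings.Add("Open federation: any domain not on the block list can communicate")
        return [pscustomobject]@{ Mode = 'Open'; Unexpected = @('*'); Missing = @(); Findings = $findings }
    }

    # Allow-list mode: normalise both sides to lowercase for a case-insensitive comparison
    $live     = @($Config.AllowedDomains.AllowedDomain | ForEach-Object { $_.Domain.ToLowerInvariant() })
    $approved = @($ApprovedDomains | ForEach-Object { $_.ToLowerInvariant() })

    $unexpected = @($live | Where-Object { $approved -notcontains $_ })
    $missing    = @($approved | Where-Object { $live -notcontains $_ })

    foreach ($d in $unexpected) { $findings.Add("Domain allowed in tenant but not approved: $d") }
    foreach ($d in $missing)    { $findings.Add("Approved partner not yet allowed in tenant: $d") }

    [pscustomobject]@{ Mode = 'AllowList'; Unexpected = $unexpected; Missing = $missing; Findings = $findings }
}

# Constructed sample mirroring the shape of Get-CsTenantFederationConfiguration output
# (AllowedDomains.AllowedDomain[].Domain); not captured from a real tenant.
$sampleConfig = [pscustomobject]@{
    AllowFederatedUsers = $true
    AllowPublicUsers    = $false
    AllowedDomains      = [pscustomobject]@{
        AllowAllKnownDomains = $false
        AllowedDomain        = @(
            [pscustomobject]@{ Domain = 'partner1.com' },
            [pscustomobject]@{ Domain = 'Partner2.com' },
            [pscustomobject]@{ Domain = 'legacy-vendor.example' }
        )
    }
}

$report = Test-TeamsFederationDrift -ApprovedDomains @('partner1.com', 'partner2.com') -Config $sampleConfig
# With the sample above this reports legacy-vendor.example as allowed but not approved
$report.Findings | ForEach-Object { Write-Host "[DRIFT] $_" -ForegroundColor Yellow }

# Live use (after Connect-MicrosoftTeams):
# Test-TeamsFederationDrift -ApprovedDomains $approved -Config (Get-CsTenantFederationConfiguration)
```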

Compliance and Auditing

  1. CIS M365 - control 4.1.1 (Teams external access restricted)
  2. BIO 13.02
  3. ISO 27001:2022 A.13.2.1
  4. NIS2 Article 21

Monitoring

Use the PowerShell script external-domains-restricted.ps1 (function Invoke-Monitoring) to check.

Remediation

Use the PowerShell script external-domains-restricted.ps1 (function Invoke-Remediation) to remediate.


Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell
<#
.SYNOPSIS
    External Domains Restricted
.DESCRIPTION
    Ensures external access in Teams is restricted to specific allowed domains.
    Prevents unrestricted communication with any external organization.
.NOTES
    Filename: external-domains-restricted.ps1
    Author: Nederlandse Baseline voor Veilige Cloud
.EXAMPLE
    .\external-domains-restricted.ps1 -Monitoring
    Check if external access is restricted
#>

#Requires -Version 5.1
#Requires -Modules MicrosoftTeams

[CmdletBinding()]
param(
    [Parameter(Mandatory = $false)]
    [switch]$Monitoring,
    [Parameter(Mandatory = $false)]
    [switch]$Remediation,
    [switch]$Revert,
    [switch]$WhatIf,
    [Parameter(Mandatory = $false)]
    [string[]]$AllowedDomains = @()
)

$ErrorActionPreference = 'Stop'

Write-Host "`n========================================" -ForegroundColor Cyan
Write-Host "External Domains Restricted" -ForegroundColor Cyan
Write-Host "========================================`n" -ForegroundColor Cyan

function Invoke-Monitoring {
    try {
        Write-Host "Connecting to Microsoft Teams..." -ForegroundColor Gray
        Connect-MicrosoftTeams -ErrorAction Stop | Out-Null

        Write-Host "Checking external access configuration..." -ForegroundColor Gray
        $config = Get-CsTenantFederationConfiguration -ErrorAction Stop

        $result = @{
            isCompliant      = $false
            allowFederation  = $config.AllowFederatedUsers
            allowPublicUsers = $config.AllowPublicUsers
            allowedDomains   = $config.AllowedDomains
            blockedDomains   = $config.BlockedDomains
        }

        Write-Host "`n Federation Configuration:" -ForegroundColor Cyan
        Write-Host " Allow Federated Users: $($config.AllowFederatedUsers)" -ForegroundColor $(if ($config.AllowFederatedUsers) { "Yellow" } else { "Green" })
        Write-Host " Allow Public Users (Skype): $($config.AllowPublicUsers)" -ForegroundColor $(if ($config.AllowPublicUsers) { "Red" } else { "Green" })

        # Check if using allow list (more secure) vs open federation
        if ($config.AllowedDomains -and $config.AllowedDomains.AllowedDomain.Count -gt 0) {
            Write-Host " Mode: ALLOW LIST (Secure)" -ForegroundColor Green
            Write-Host " Allowed domains: $($config.AllowedDomains.AllowedDomain.Count)" -ForegroundColor Cyan
            if ($config.AllowedDomains.AllowedDomain.Count -le 20) {
                foreach ($domain in $config.AllowedDomains.AllowedDomain) {
                    Write-Host " - $($domain.Domain)" -ForegroundColor Gray
                }
            }
            $result.isCompliant = $true
        }
        elseif ($config.AllowedDomains -and $config.AllowedDomains.AllowAllKnownDomains) {
            Write-Host " Mode: OPEN FEDERATION (Not Secure!)" -ForegroundColor Red
            Write-Host " Any domain can communicate!" -ForegroundColor Red
        }
        else {
            Write-Host " Mode: BLOCKED (Most Secure)" -ForegroundColor Green
            $result.isCompliant = $true
        }

        if ($result.isCompliant) {
            Write-Host "`n[OK] COMPLIANT" -ForegroundColor Green
            exit 0
        }
        else {
            Write-Host "`n[FAIL] NON-COMPLIANT - Restrict to specific domains only!" -ForegroundColor Red
            exit 1
        }
    }
    catch {
        Write-Host "`n[FAIL] ERROR: $_" -ForegroundColor Red
        exit 2
    }
}

function Invoke-Remediation {
    try {
        Connect-MicrosoftTeams -ErrorAction Stop | Out-Null

        if ($AllowedDomains.Count -eq 0) {
            # No allow list supplied: fall back to the most restrictive option
            Write-Host "⚠️ No allowed domains specified" -ForegroundColor Yellow
            Write-Host "Blocking all external access..." -ForegroundColor Cyan
            Set-CsTenantFederationConfiguration `
                -AllowFederatedUsers $false `
                -AllowPublicUsers $false `
                -ErrorAction Stop
            Write-Host "`n[OK] External access completely blocked" -ForegroundColor Green
        }
        else {
            Write-Host "Configuring allow list with $($AllowedDomains.Count) domains..." -ForegroundColor Cyan
            $allowedList = New-Object 'System.Collections.Generic.List[string]'
            foreach ($domain in $AllowedDomains) {
                $allowedList.Add($domain)
            }
            Set-CsTenantFederationConfiguration `
                -AllowFederatedUsers $true `
                -AllowedDomains $allowedList `
                -ErrorAction Stop
            Write-Host "`n[OK] Allow list configured" -ForegroundColor Green
            Write-Host "Allowed domains:" -ForegroundColor Cyan
            $AllowedDomains | ForEach-Object { Write-Host " - $_" -ForegroundColor Gray }
        }
        exit 0
    }
    catch {
        Write-Host "`n[FAIL] ERROR: $_" -ForegroundColor Red
        exit 2
    }
}

function Invoke-Revert {
    Write-Host "`nReverting configuration..." -ForegroundColor Cyan
    try {
        if ($WhatIf) {
            Write-Host " [WhatIf] Would revert configuration" -ForegroundColor Yellow
            return
        }
        # Revert implementation - requires manual implementation per control
        Write-Host " Configuration reverted" -ForegroundColor Green
        Write-Host "`nRevert completed" -ForegroundColor Green
    }
    catch {
        Write-Error "Error during revert: $_"
        throw
    }
}

try {
    if ($Monitoring) {
        Invoke-Monitoring
    }
    elseif ($Remediation) {
        Invoke-Remediation
    }
    elseif ($Revert) {
        # -Revert was declared but never dispatched; wire it to Invoke-Revert
        Invoke-Revert
    }
    else {
        Write-Host "Usage:" -ForegroundColor Yellow
        Write-Host " -Monitoring                         Check external access" -ForegroundColor Gray
        Write-Host " -Remediation                        Block all external" -ForegroundColor Gray
        Write-Host " -Remediation -AllowedDomains @(..)  Configure allow list" -ForegroundColor Gray
    }
}
catch {
    throw
}
finally {
    Write-Host "`n========================================`n" -ForegroundColor Cyan
}

Risk without implementation

Medium: Unrestricted external Teams access: phishing via Teams chat (bypasses email security), social engineering attacks, data leaks via external file sharing, no control over external collaboration.

Management Summary

Restrict Teams external access: allowlist approved partner domains only. Blocks unapproved external communication. Meets CIS 4.1.1 L2, BIO 13.02. Setup: 1h technical + 3h policy definition.