Manage external Communications in Teams

Hey Teams Admins!

Once a month, a colleague at thinformatics organizes a “What’s new” session where all co-workers can and should share news about M365, Entra and Azure. This is one tool we’re using to keep up with the rapid changes in these topics.

This time one change notification has caught my attention: MC1150123 (Message center - Microsoft 365 admin center)

What’s the deal?

Finally, Teams admins can manage at a more granular level which people can chat in Teams across the boundaries of your Microsoft 365 tenant.

Before this change was in place, it was possible to:

  • Block or allow chat with consumer and/or corporate and/or trial tenants and/or Communications Services

  • Allow chat only with globally whitelisted domains

  • Block specific external senders or domains

Often, because more options to manage external chat were lacking, Teams customers decided either

  • to allow all communication with external users despite security constraints (higher risk of successful phishing attacks, fraud attacks, …)

or

  • to allow just whitelisted domains despite having no way to manage them properly (processes to onboard, update and delete domains, unclear responsibilities).

Neither was really satisfying. Admins who were used to managing Skype servers recognized that not everything in Teams was better. Managing external communication granularly was not easy in those times either, but at least it was possible.

For a while it was even possible to use some SfB Online cmdlets to manage external communication, but I never really got it done in my environments.

Another topic belongs in this discussion when we talk about external Teams communication. If you allow external communication, external people can also see your Teams status. It’s a no-go (I think it’s a German ‘special feature’) that not only internal members but also every external person can track your work habits.

Just recently, this “One Policy to Rule Them All” external chat management topic was one of the reasons why an enterprise discussed breaking with its single-tenant strategy and building a multi-tenant setup. While some people in the tenant should never ever receive chats from external Teams users, for other parts of the organization it was essential.

BUT: These times are over now! Sounds great, right? But maybe I should not set the expectations too high. Not all issues are solved now, but at least the basics can get done now.

What can we do now?

Now Teams admins can create their own external communication policies, each defining its own set of external communication settings. Afterwards they can assign these policies to users to manage their ability to chat with external people and the other way round.

Here you can see the options you can now manage per policy:

You might have noticed that these are fewer options than in the global policy. Indeed, it seems that we can’t use all the features. For instance, I’m missing the ability to block trial tenants or block/allow single domains. Reading the message center notification again, it says:

With this update, you can assign custom external access policies to users or groups with five configuration options:

- Use organization settings: Inherits the tenant’s default external access configuration

- Allow all external domains: All external organizations are trusted

- Allow only specific external domains: Only domains in the allow list are trusted

- Block only specific external domains: Domains in the block list are restricted; all others are trusted

- Block all: All external domains are blocked for users assigned to this policy

Users assigned a custom policy may interact with different external domains than those defined in the organization-wide settings.

So, it seems that we will have more features soon…

I would start with one simple external policy: one which blocks all external communication. This new policy, let’s name it “Custom-BlockExternalCommunication”, can be assigned to all users who are not the “default” and should be protected by this feature.

But assigning these policies brings a struggle again. Even if you spend some more money to equip everyone in your enterprise with Teams Premium policies, you can’t use policy packages to assign these policies to a group of people. You can only assign them to individuals. But you can use the PowerShell cmdlet New-CsBatchPolicyAssignmentOperation (MicrosoftTeams module, documented on Microsoft Learn) to assign the policy to a lot of individuals. I’ve done something similar when it was useful for app permission policies (see “Assign Teams app permission policies to Groups(-Members)” on thinformatics). I will try to recycle this as a workaround until this gap is closed (the change notification also says that groups are a possible scope).
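One way to do that batch assignment for the members of a group, as an added example (not the author's script from the linked post). It assumes the policy “Custom-BlockExternalCommunication” already exists, that the MicrosoftTeams and Microsoft.Graph.Groups modules are installed, and that the group ID is replaced with a real one; the group ID and the operation name prefix are placeholders.

```powershell
# Added example, not the author's script. Assumes the custom policy was already
# created in the Teams admin center; the group ID below is a placeholder.
#Requires -Modules MicrosoftTeams, Microsoft.Graph.Groups

$PolicyName = 'Custom-BlockExternalCommunication'      # name suggested in the post
$GroupId    = '00000000-0000-0000-0000-000000000000'   # placeholder Entra group object ID
$BatchSize  = 5000                                     # documented per-batch user limit

Connect-MicrosoftTeams | Out-Null
Connect-MgGraph -Scopes 'GroupMember.Read.All' | Out-Null

# Stop early if the policy name is mistyped or the policy does not exist yet.
Get-CsExternalAccessPolicy -Identity $PolicyName -ErrorAction Stop | Out-Null

# Direct members only; keep user objects and drop devices, nested groups, etc.
$userIds = @(
    Get-MgGroupMember -GroupId $GroupId -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
        Select-Object -ExpandProperty Id
)
if ($userIds.Count -eq 0) { throw "Group $GroupId has no user members." }

# Submit one batch operation per chunk of at most $BatchSize users.
$opPrefix = "Block external chat $(Get-Date -Format 'yyyyMMdd-HHmmss')"
for ($i = 0; $i -lt $userIds.Count; $i += $BatchSize) {
    $last  = [Math]::Min($i + $BatchSize, $userIds.Count) - 1
    $chunk = @($userIds[$i..$last])
    New-CsBatchPolicyAssignmentOperation -PolicyType ExternalAccessPolicy `
        -PolicyName $PolicyName -Identity $chunk `
        -OperationName "$opPrefix ($i-$last)" | Out-Null
}

# Batches run asynchronously; review progress and errors per operation.
Get-CsBatchPolicyAssignmentOperation |
    Where-Object { $_.OperationName -like "$opPrefix*" } |
    Select-Object OperationId, OperationName, OverallStatus, CompletedCount, ErrorCount
```

The assignment is a one-time snapshot of the group's membership, so it has to be re-run when members are added, and users who leave the group keep the policy until it is removed from them.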

What’s the result?

So, all in all I would say this option delivers a rather meager result (publishing date 09/2025), but with real impact! And we can expect more when the change rollout is completely finished.

If a user has a policy assigned that disallows chat with external people, he can’t start a chat.

Unfortunately, the error message is not very specific:

If you, as an external Teams user, try to look up a user in an organization which blocks external chat, you get an even less specific error.

So, again, I think this change is overdue and really important. Keep an eye on the further implementation of this change within your tenant and start testing around. Maybe Microsoft will finalize and publish this with more enthusiasm (like me) at Ignite. I expect that you can use this feature in 2026 to fulfill some needs of your business and security teams.
