Forum Discussion
Prevent file upload from external parties
- Sep 19, 2022
Head over to Teams admin center and External access (under Users). Disable the option that consumer accounts can initiate a chat with your org. users. This isn't applicable for the "Teams and Skype for Business users in external organizations" setting, which is federation, because when using federation (also called trusted organizations) you cannot share files in chats.
You can prevent guest users (added to your org. with a guest account) from uploading files but that isn't the question here as far as I understand.
tsl65 How can they send a file? Federated chat to or from people outside your organisation doesn't allow file transfer.
- tsl65, Sep 19, 2022, Copper Contributor
StevenC365 We had the setting that Christian mentioned, set to allow contact from unmanaged sources.
(Teams accounts not managed by an organization)
- Sep 19, 2022
Hey Steven, it's a sharing link from the consumer account pointing to its OneDrive where that file is being shared from. Don't like the open default setting here tbh.
- StevenC365, Sep 19, 2022, MVP
ChristianJBergstrom I don't really see where the OP mentions it's from the consumer version.
Anyway, that's not a file, it's a link to a file, just like if I emailed a link or you clicked one on a website. All the same mechanisms exist if you want to scan it. Microsoft Defender for Office 365 includes Safe Links, which will scan the destination of a link sent via Teams, so it offers protection.
It's very rare for organisations to allow chat with personal Teams accounts; most just turn it off and then use an allowlist for the organisations that people can talk to.
- Sep 19, 2022
One can assume as you cannot share files in federated chats 😉
The Safe Links feature will work for all kinds of links sent from the consumer account. When the consumer account is sharing documents (sharing links) you're hoping that Safe Attachments will kick in. But that's an asynchronous process so will/can be bypassed. Haven't yet seen Safe Links take action when receiving a sharing link from a consumer account. *edit* If having a license with Safe Documents you'll get protection from the above scenario. Before a user is allowed to trust a file opened in a supported version of Office, the file will be verified by Microsoft Defender for Endpoint.
Should obviously have been rolled out default off, as it shouldn't be on for the consumer -> org direction.
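The external access settings discussed in this thread can also be audited from PowerShell. The script below is an added example, not posted by anyone in the thread: the function name `Test-TeamsExternalAccess` and the sample object are constructed for illustration, while the property names are those returned by `Get-CsTenantFederationConfiguration` in the MicrosoftTeams module.

```powershell
# Added example (not from the thread): flag external access settings that let
# unmanaged Teams accounts reach org users, or leave federation without an allowlist.
function Test-TeamsExternalAccess {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Config
    )
    process {
        $findings = @()
        # AllowTeamsConsumerInbound only has an effect while AllowTeamsConsumer is on.
        if ($Config.AllowTeamsConsumer -and $Config.AllowTeamsConsumerInbound) {
            $findings += 'Unmanaged (consumer) Teams accounts can initiate chats with org users.'
        } elseif ($Config.AllowTeamsConsumer) {
            $findings += 'Org users can start chats with unmanaged (consumer) Teams accounts.'
        }
        # Assumption: an unrestricted federation list renders as "AllowAllKnownDomains".
        if ($Config.AllowFederatedUsers -and "$($Config.AllowedDomains)" -match 'AllowAllKnownDomains') {
            $findings += 'Federation is open to all external organisations (no allowlist).'
        }
        [pscustomobject]@{
            Compliant = ($findings.Count -eq 0)
            Findings  = $findings
        }
    }
}

# Constructed sample mirroring an open configuration; it runs without a tenant connection.
$sample = [pscustomobject]@{
    AllowTeamsConsumer        = $true
    AllowTeamsConsumerInbound = $true
    AllowFederatedUsers       = $true
    AllowedDomains            = 'AllowAllKnownDomains'
}
$sample | Test-TeamsExternalAccess | Format-List

# Against a live tenant (after Connect-MicrosoftTeams):
#   Get-CsTenantFederationConfiguration | Test-TeamsExternalAccess
# Turning off chat with unmanaged accounts, as advised in the thread:
#   Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false
```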