SOLVED

Prevent file upload from external parties

Occasional Contributor
Hi,
We have a bit of a security concern: 
Persons external to our company can without any notice initiate a chat to an employee and send a file. 
Is it possible to block either for external initiated chat or prevent the external user can upload a file? 
The concern is, these files could be anything, including malware and then we have to rely solely on our virus scanner (that we trust, but there are zero-day exploits and rare cases....) 

I found al kinds of articles and how to prevent file sharing from internal to external, but here we don't want to receive files from external. 

Any suggestions ??

Regards
TSL65
7 Replies
best response confirmed by tsl65 (Occasional Contributor)
Solution
Head over to Teams admin center and External access (under Users). Disable the option that consumer accounts can initiate a chat with your org. users. This isn't applicable for the "Teams and Skype for Business users in external organizations" setting which is federation. Because when using federation (also called trusted organizations) you cannot share files in chats.

You can prevent guest users (added to your org. with a guest account) from uploading files but that isn't the question here as far as I understand.

@tsl65 How can they send a file? Federated chat to or from people outside your organisation doesn't allow file transfer. 

Hey Steven, it's a sharing link from the consumer account pointing to its OneDrive where that file is being shared from. Don't like the open default setting here tbh.

@ChristianJBergstrom I don't really see where the OP mentions it's from the consumer version.

 

Anyway that's not a file, it's a link to a file, just like if I emailed a link or you clicked one on a website, all the same mechanisms exist if you want to scan it. Microsoft Defender for Office 365 includes SafeLinks which will scan the destination of a link sent via Teams so offers protection.

 

It's very rare for organisations to allow chat with personal Teams accounts, most just turn it off and then use an allowlist for the organisations that people can talk to.

Thanks, that will take the top of the concerns and lower my managers blood pressure :)
We are most concerned about the unknow users that suddenly contacts us.
Teams is made for collaboration so we cannot shout down for all external activities.

One can assume as you cannot share files in federated chats ;)

Safe Links feature will work for all kinds of links sent from the consumer account. When the consumer account is sharing documents (sharing links) you're hoping that the Safe attachments will kick in. But that's an asynchronous process so will/can be bypassed. Haven't yet seen Safe Links take action when receiving a sharing link from a consumer account. *edit* If having a license with Safe Documents you'll get protection from the above scenario. Before a user is allowed to trust a file opened in a supported version of Office, the file will be verified by Microsoft Defender for Endpoint.

Should obviously been rolled out default off as it shouldn't be on for consumer -> org direction.

@Steven Collier We had the setting that Christian mentioned, set to allow contact from unmanaged sources. 

(Teams accounts not managed by an organization)