Merge pull request #4609 from MicrosoftDocs/TABL-chrisda

chrisda · web-flow · commit e385a3ad1619 · 2025-07-29T22:27:28.000-07:00
TABL-chrisda to Main
diff --git a/defender-office-365/TOC.yml b/defender-office-365/TOC.yml
@@ -253,6 +253,8 @@
              href: tenant-allow-block-list-urls-configure.md
            - name: Allow or block IPv6 addresses using the Tenant Allow/Block List
              href: tenant-allow-block-list-ip-addresses-configure.md
+           - name: Block domains in Microsoft Teams using the Tenant Allow/Block List
+             href: tenant-allow-block-list-teams-domains-configure.md
          - name: Admin submissions
            href: submissions-admin.md
          - name: Create block sender lists
diff --git a/defender-office-365/mdo-support-teams-about.md b/defender-office-365/mdo-support-teams-about.md
@@ -16,7 +16,7 @@ ms.collection:
   - tier1
 description: Admins can learn about Microsoft Teams features in Microsoft Defender for Office 365 Plan 2.
 ms.service: defender-office-365
-ms.date: 07/24/2025
+ms.date: 07/28/2025
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 2</a>
 ---
@@ -30,7 +30,7 @@ appliesto:
 With the increased use of collaboration tools like Microsoft Teams, the possibility of malicious attacks using chat messages has also increased. Microsoft Defender for Office 365 already provides the following Teams protection features:
 
 - Time of click protection for URLs and files in Teams messages through [Safe Links for Microsoft Teams](safe-links-about.md#safe-links-settings-for-microsoft-teams) and [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-about.md).
-- Allow/block [URLs](tenant-allow-block-list-urls-configure.md) and [files](tenant-allow-block-list-files-configure.md) inside Teams using Tenant Allow Block Lists.
+- Allow/block [domains](tenant-allow-block-list-teams-domains-configure.md), [URLs](tenant-allow-block-list-urls-configure.md) and [files](tenant-allow-block-list-files-configure.md) inside Teams using the Tenant Allow Block List.
 
 In Microsoft 365 E5 and Defender for Office 365 Plan 2, we've extended Teams protection with a set of capabilities that are designed to disrupt the attack chain:
 
diff --git a/defender-office-365/mdo-support-teams-sec-ops-guide.md b/defender-office-365/mdo-support-teams-sec-ops-guide.md
@@ -16,7 +16,7 @@ ms.collection:
   - tier1
 description: A prescriptive playbook for SecOps personnel to manage Microsoft Teams protection in Microsoft Defender for Office 365.
 ms.service: defender-office-365
-ms.date: 04/22/2025
+ms.date: 07/28/2025
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 2</a>
 ---
@@ -59,7 +59,7 @@ SecOps team members can also use block entries in the Tenant Allow/Block List to
 SecOps team members can use threat hunting or information from external threat intelligence feeds to proactively respond to false negative Teams messages (bad messages allowed). They can use the information to proactively block threats. For example:
 
 - [Create URL block entries](tenant-allow-block-list-urls-configure.md#create-block-entries-for-urls) in the Tenant Allow/Block List in Defender for Office 365. Block entries apply at time of click for URLs in Teams.  
-- [Block domains in Teams using the Teams admin center](/microsoftteams/trusted-organizations-external-meetings-chat#specify-trusted-microsoft-365-organizations).
+- [Block domains in Teams using the Tenant Allow/Block List](tenant-allow-block-list-teams-domains-configure.md).
 - Submit undetected URLs to Microsoft using [admin submission](submissions-admin.md#report-questionable-urls-to-microsoft).
 
 > [!TIP]
diff --git a/defender-office-365/media/tenant-allow-block-list-teams-domains.png b/defender-office-365/media/tenant-allow-block-list-teams-domains.png
diff --git a/defender-office-365/tenant-allow-block-list-about.md b/defender-office-365/tenant-allow-block-list-about.md
@@ -8,7 +8,7 @@ manager: deniseb
 audience: ITPro
 ms.topic: how-to
 ms.localizationpriority: medium
-ms.date: 07/08/2025
+ms.date: 07/28/2025
 search.appverid:
 - MET150
 ms.collection:
@@ -30,9 +30,9 @@ appliesto:
 > [!IMPORTANT]
 > To allow phishing URLs that are part of non-Microsoft attack simulation training, use the [advanced delivery configuration](advanced-delivery-policy-configure.md) to specify the URLs. Don't use the Tenant Allow/Block List.
 
-You might occasionally disagree with the filtering verdict from the default email protections for cloud mailboxes or from Microsoft Defender for Office 365. For example, a good message might be marked as bad (a false positive), or a bad message might be allowed through (a false negative).
+You might occasionally disagree with the Microsoft filtering verdict for email messages, Microsoft Teams messages, or Office apps. For example, a good message might be marked as bad (a false positive), or a bad message might be allowed through (a false negative), or a URL might be blocked when it shouldn't have.
 
-The Tenant Allow/Block List in the Microsoft Defender portal gives you a way to manually override filtering verdicts. The list is used during mail flow or time of click for incoming messages from external senders.
+The Tenant Allow/Block List in the Microsoft Defender portal gives you a way to manually override filtering verdicts. The list is used during mail flow (for email) or time of click (for email, Teams, or Office apps).
 
 Entries for **Domains and email addresses** and **Spoofed senders** apply to messages from both internal and external senders. Special handling applies to internal spoofing scenarios. Block entries for **Domains and email addresses** also prevent users in the organization from *sending* email to those blocked domains and addresses.
 
@@ -44,6 +44,7 @@ For usage and configuration instructions, see the following articles:
 - **Files**: [Allow or block files using the Tenant Allow/Block List](tenant-allow-block-list-files-configure.md)
 - **URLs**: [Allow or block URLs using the Tenant Allow/Block List](tenant-allow-block-list-urls-configure.md).
 - **IP addresses**: [Allow or block IPv6 addresses using the Tenant Allow/Block List](tenant-allow-block-list-ip-addresses-configure.md).
+- **Teams domains**: [Block domains in Microsoft Teams using the Tenant Allow/Block List](tenant-allow-block-list-teams-domains-configure.md).
 
 These articles contain procedures in the Microsoft Defender portal and in PowerShell.
 
@@ -73,6 +74,8 @@ In the Tenant Allow/Block List, you can also directly create block entries for t
 
 - **[IP addresses](tenant-allow-block-list-ip-addresses-configure.md#create-block-entries-for-ipv6-addresses)**: If you manually create a block entry, all incoming email messages from that IP address are dropped at the edge of the service.
 
+- **[Teams domains](tenant-allow-block-list-teams-domains-configure.md)**: If you manually create a block entry, all incoming communication over Teams from that domain will be blocked whereas existing communication will be deleted.
+
 By default, the following types of block entries expire after 30 days, but you can set them to expire up 90 days or to never expire:
 
 - [Domains and email addresses](tenant-allow-block-list-email-spoof-configure.md#create-block-entries-for-domains-and-email-addresses)
@@ -83,6 +86,7 @@ The following types of block entries never expire:
 
 - [Spoofed senders](tenant-allow-block-list-email-spoof-configure.md#create-block-entries-for-spoofed-senders)
 - [IP addresses](tenant-allow-block-list-ip-addresses-configure.md#create-block-entries-for-ipv6-addresses)
+- [Teams domains](tenant-allow-block-list-teams-domains-configure.md).
 
 ## Allow entries in the Tenant Allow/Block List
 
diff --git a/defender-office-365/tenant-allow-block-list-teams-domains-configure.md b/defender-office-365/tenant-allow-block-list-teams-domains-configure.md
@@ -0,0 +1,110 @@
+---
+title: Block domains in Microsoft Teams using the Tenant Allow/Block List
+f1.keywords:
+  - NOCSH
+ms.author: chrisda
+author: chrisda
+manager: deniseb
+audience: ITPro
+ms.topic: how-to
+ms.localizationpriority: medium
+search.appverid:
+  - MET150
+ms.collection:
+  - m365-security
+  - tier1
+description: Admins can learn how to block domains in Microsoft Teams using the Tenant Allow/Block List.
+ms.service: defender-office-365
+ms.date: 07/29/2025
+appliesto:
+  - ✅ <a href="https://learn.microsoft.com/defender-office-365/eop-about" target="_blank">Default email protections for cloud mailboxes</a>
+  - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
+  - ✅ <a href="https://learn.microsoft.com/defender-xdr/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a>
+---
+
+# Block domains in Microsoft Teams using the Tenant Allow/Block List
+
+[!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)]
+
+In all organizations with Microsoft Teams and cloud mailboxes, admins can create and manage block entries for domains in Microsoft Teams using the Tenant Allow/Block List. These blocked domain entries also appear on the **Organization settings** tab of the **External access** page in the Microsoft Teams admin center at <https://admin.teams.microsoft.com/company-wide-settings/external-communications> in the **Teams and Skype for Business users in external organizations** section:
+
+:::image type="content" source="media/tenant-allow-block-list-teams-domains.png" alt-text="Screenshot of the External access page in the Microsoft Teams admin center showing blocked domains." lightbox="media/tenant-allow-block-list-teams-domains.png":::
+
+For more information about the Tenant Allow/Block List, see [Manage allows and blocks in the Tenant Allow/Block List](tenant-allow-block-list-about.md).
+
+This article describes how security admins can manage entries for blocked domains in Teams admin center using the Microsoft Defender portal.
+
+## What do you need to know before you begin?
+
+- You open the Microsoft Defender portal at <https://security.microsoft.com>. To go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>. Then, go to the **Teams domains** tab.
+
+- After you add the block entry for the domain in Teams, all new Teams communication from that organization is blocked. Block communication includes new Teams meetings, chats, channels, and calls. Existing Teams meetings, chats, channels, and calls are deleted.
+
+- On the **Organization settings** tab of the **External access** page in the Microsoft Teams admin center at <https://admin.teams.microsoft.com/company-wide-settings/external-communications>, the following settings are required to create and manage block entries for domains in Teams using the Tenant Allow/Block List:
+  - **Teams and Skype for Business users in external organizations** must be one of the following values:
+    - **Allow all external domains**
+    - **Block only specific external domains**
+  - **Allow my security team to manage blocked domains** must be :::image type="icon" source="media/scc-toggle-on.png" border="false"::: **On**.
+
+- Block entries for domains in Teams never expire.
+
+- An entry should be active within 5 minutes.
+
+- You need to be assigned permissions before you can do the procedures in this article. You have the following options:
+  - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in the **Global Administrator**<sup>\*</sup>, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions *and* permissions for other features in Microsoft 365.
+
+    > [!IMPORTANT]
+    > <sup>\*</sup> Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
+
+## Create block entries for domains in Teams in the Tenant Allow/Block List
+
+   > [!TIP]
+   > See the requirements in the [What do you need to know before you begin?](#what-do-you-need-to-know-before-you-begin) section to managed blocked domains in Teams in the Tenant Allow/Block list. You don't get a **Teams domains** tab on the **Tenant Allow/Block Lists** page if you don't meet the requirements.
+
+1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>.
+
+2. On the **Tenant Allow/Block Lists** page, select the **Teams domains** tab.
+
+3. On the **Teams domains** tab, select :::image type="icon" source="media/m365-cc-sc-create-icon.png" border="false"::: **Add**, and then select **Block**.
+
+4. In the **Block external domains in Teams** flyout that opens, configure the following settings:
+
+   - **Add domains**: Enter one domain per line, up to a maximum of 20.
+
+5. When you're finished in the **Block external domains in Teams** flyout, select **Add**.
+
+Back on the **Teams domains** tab, the entry is listed. After a few minutes, the blocked domain also appears on the **Organization settings** tab of the **External access** page in the Microsoft Teams admin center at <https://admin.teams.microsoft.com/company-wide-settings/external-communications>.
+
+## View block entries for domains in Teams in the Tenant Allow/Block List
+
+In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Tenant Allow/Block Lists** in the **Rules** section. Or, to go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>.
+
+On the **Teams domains** tab, select the **Teams domains**.
+
+On the **Teams domains** tab, you can sort the entries by clicking on an available column header. The following columns are available:
+
+- **Value**: The domain or email address.
+
+Use the :::image type="icon" source="media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and a corresponding value to find specific entries.
+
+### Remove block entries for domains in Teams in the Tenant Allow/Block List
+
+1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>.
+
+2. On the **Tenant Allow/Block Lists** page, select the **Teams domains** tab.
+
+3. On **Teams domains** tab, select the entry from the list by selecting the check box next to the first column, and then select the :::image type="icon" source="media/m365-cc-sc-delete-icon.png" border="false"::: **Delete** action that appears.
+
+   > [!TIP]
+   > - You can select multiple entries by selecting each check box, or select all entries by selecting the check box next to the **Value** column header.
+
+4. In the warning dialog that opens, select **Delete**.
+
+Back on the **Teams domains** tab, the entry is no longer listed. After a few minutes, the blocked domain disappears from the **Organization settings** tab of the **External access** page in the Microsoft Teams admin center at <https://admin.teams.microsoft.com/company-wide-settings/external-communications>.
+
+## Related articles
+
+- [Managing external access in Teams admin center](/microsoftteams/trusted-organizations-external-meetings-chat?tabs=organization-settings#specify-trusted-microsoft-365-organizations)
+- [Report false positives and false negatives in Teams](submissions-teams.md)
+- [Allow or block files in the Tenant Allow/Block List](tenant-allow-block-list-files-configure.md)
+- [Allow or block URLs in the Tenant Allow/Block List](tenant-allow-block-list-urls-configure.md)
