
Teams External Domain Activity Report Gets a Refresh

But Advanced Collaboration Analytics Remains a Teams Premium Feature

According to message center notification MC862237 (August 14, 2024), Microsoft plans to update the External domain activity report that’s available through the Reports section and the Collaboration activity dashboard in the Teams admin center. The report is designed to show tenant administrators which domains users communicate with and which users are communicating externally. It’s good knowledge to have because it allows an organization to configure external access for Teams more accurately.

Default Open Access for Collaboration

The default state of external access for Teams allows federated communications with any other Microsoft 365 tenant that runs Teams. According to the latest Microsoft numbers, Teams has 320 million monthly active users out of 400 million Office 365 “paid seats,” so allowing open external access essentially means that a tenant allows users to communicate with any other Microsoft 365 tenant.

Given the current threat landscape, maintaining open communications of this nature is an unreachable utopia. The GIFShell exploit in 2012 proved the basics of how an attacker might compromise a target account using federated Teams chat. Tenants should configure an external access allow list composed of other domains that they’re willing to communicate with. It’s just too easy for attackers to spin up a tenant, add a Teams license, and start to probe (Teams began to block federated collaboration with trial tenants from July 29, 2024).

The New External Domain Activity Report has More Detail

Microsoft plans to roll out the updated report in September 2024. The update can’t come soon enough because the current report is devoid of detail. Only users with Teams Premium licenses appear, which accounts for the rather sparse content from my tenant (Figure 1).

Figure 1: The external domain activity report (prior to revision)

Microsoft says that the new report will include:

  • Total chat messages exchanged between each external domain and your tenant.
  • Number of chat messages sent by each external domain to your tenant.
  • The list of users from your tenant that communicate with each external domain.
  • For each user, the number of chat messages sent between each external domain and the user, and the number of messages sent by that user to the external domain.

Nice as the new report will be, it’s regrettable that this kind of information is restricted to Teams Premium. According to the latest Microsoft results, Teams Premium represents about 3 million users, or less than 1 percent of the installed base. At $10 per user per month (a $7 introductory price is available until December 31, 2024), Microsoft obviously wants to drive that percentage higher. However, this kind of fundamental information is important for tenant security and should be available to all.

Including the report in Advanced Collaboration Analytics grants the report a status it simply doesn’t have. Other items shown in the collaboration activity dashboard (Figure 2), like noting the domains in the external access allow list that haven’t been used in the last 60 days, are much more worthy of the designation.

Figure 2: Collaboration activity dashboard in the Teams admin center

Like other reports generated from Graph usage data, the cards in the collaboration activity dashboard that include user or team names respect the privacy control setting. Unlike the Microsoft 365 admin center, which obfuscates private data if the privacy control is set, the Teams admin center simply doesn’t display data.

DIY Analytics

If you don’t want to pay for Teams Premium but would like to generate some of the same analyses that Microsoft includes in Advanced Collaboration Analytics, it’s possible to do so with PowerShell or Graph API requests. As an example, this article describes how to create an external access allow list by analyzing federated chat messages using the Microsoft Graph PowerShell SDK. Once the basic data is generated, it can be sliced and diced in different ways.
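As an illustration of the DIY approach (an added example, not the script from the referenced article and not Microsoft's code), the following sketch lists the external tenants that licensed users have one-to-one federated chats with. It counts chats rather than messages. It assumes an existing app-only Microsoft Graph PowerShell SDK session whose app holds the Chat.ReadBasic.All, User.Read.All, and CrossTenantInformation.ReadBasic.All application permissions. The variable names are hypothetical.

```powershell
# Added example. Assumes Connect-MgGraph has already created an app-only session
# with Chat.ReadBasic.All, User.Read.All and CrossTenantInformation.ReadBasic.All.
$HomeTenantId = (Get-MgContext).TenantId
$TenantNames  = @{}   # cache: external tenant id -> default domain name
$Report       = [System.Collections.Generic.List[object]]::new()

# Licensed member accounts only (guests and unlicensed accounts are skipped)
$Users = Get-MgUser -All -Filter "assignedLicenses/`$count ne 0 and userType eq 'Member'" `
    -ConsistencyLevel eventual -CountVariable UserCount -Property Id, UserPrincipalName

foreach ($User in $Users) {
    try {
        $Chats = Get-MgUserChat -UserId $User.Id -All -Filter "chatType eq 'oneOnOne'" `
            -ExpandProperty members -ErrorAction Stop
    } catch {
        Write-Warning "Could not read chats for $($User.UserPrincipalName): $($_.Exception.Message)"
        continue
    }
    foreach ($Chat in $Chats) {
        # A chat member from another tenant carries that tenant's id
        $External = $Chat.Members | Where-Object {
            $_.AdditionalProperties.tenantId -and
            $_.AdditionalProperties.tenantId -ne $HomeTenantId }
        foreach ($Member in $External) {
            $Tid = $Member.AdditionalProperties.tenantId
            if (-not $TenantNames.ContainsKey($Tid)) {
                try {   # resolve the tenant id to its default domain once, then reuse it
                    $Uri = "https://graph.microsoft.com/v1.0/tenantRelationships/" +
                           "findTenantInformationByTenantId(tenantId='$Tid')"
                    $TenantNames[$Tid] = (Invoke-MgGraphRequest -Method GET -Uri $Uri).defaultDomainName
                } catch { $TenantNames[$Tid] = "unresolved:$Tid" }
            }
            $Report.Add([pscustomobject]@{
                User = $User.UserPrincipalName; Domain = $TenantNames[$Tid]; ChatId = $Chat.Id })
        }
    }
}

# One row per external domain: distinct chats and the internal users involved
$Report | Group-Object Domain | ForEach-Object {
    [pscustomobject]@{
        Domain = $_.Name
        Chats  = @($_.Group.ChatId | Sort-Object -Unique).Count
        Users  = @($_.Group.User | Sort-Object -Unique) -join ', '
    }
} | Sort-Object Chats -Descending
```

The output is a candidate list to review before any domain goes on the external access allow list. Entries marked unresolved are tenants whose domain name could not be looked up and need manual checking.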
