Free Teams Licenses Now Blocked for Federated Communications
Blocked Teams Federated Chat for Trial Tenants
In June 2024, Microsoft announced its intention to block federated Teams communications for a certain class of tenant. Time passes by and software updates happen, and the block is now firmly in place. The thing is that you might not be aware that the block on Teams federated chat exists and is active until someone attempts to use federation to set up a chat with someone in another tenant.
As a refresher, Microsoft implemented the block to stop spammers firing up a test Microsoft 365 tenant and using test Teams licenses to spam other users. The rules around acquiring and operating test Microsoft 365 tenants have tightened since I wrote about how to get a developer tenant in 2021. Microsoft doesn’t like hackers using its services as a platform for malicious activity, so new development tenants are restricted to people with a Visual Studio enterprise subscription.
More than Just Teams
It’s not just about spamming Teams through federated chat: the problems with free tenants include email spam (which is why many tenants block email from *.onmicrosoft.com domains) and attackers using test tenants as a jumping-off point for poking around inside Microsoft 365 hoping to find another tenant to compromise.
Requiring people to take out a subscription and provide a valid credit card is certainly a way to stop misuse. However, the news about the restriction was much to the chagrin of those who depend on test tenants for legitimate purposes such as training and making videos, testing Microsoft 365 apps and Entra ID elements like conditional access policies, and so on.
Different Flavors of Trial Tenants
Microsoft 365 supports different flavors of trial tenants. Apart from the obvious candidates like developer tenants, there are also tenants like those assigned to Microsoft MVPs. In fact, many MVPs couldn’t figure out why federated chat with other tenants was suddenly blocked. No amount of diligent checking against external access settings (Figure 1) turned up a clue until someone pointed out that the tenants in use came under Microsoft’s trial category and were therefore affected by the ban.
Figure 1: Teams external access settings usually control federated communications
The only other tenants that a trial tenant can communicate with are those that amend their tenant external federation configuration with PowerShell to set the ExternalAccessWithTrialTenants control to Allowed. I doubt many tenants will deviate from the default value (Blocked) because no good reason exists to allow federated communications with test tenants. It would be the equivalent of an administrator making the decision to accept email from any and all sources, welcoming junk email from anywhere.
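One way to confirm that a tenant still has the default value, and to put it back if someone changed it, is sketched below. This is an added example, not code from the original article. The function name Test-TrialTenantFederation is hypothetical, and the code assumes the MicrosoftTeams PowerShell module is installed and that a Teams administrator has already run Connect-MicrosoftTeams.

```powershell
# Added example: audit the trial-tenant federation control described above.
# Assumes an existing Connect-MicrosoftTeams session with Teams admin rights.
function Test-TrialTenantFederation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Reset the control to Blocked when it has drifted from the default
        [switch]$Remediate
    )

    $config = Get-CsTenantFederationConfiguration
    $state  = [string]$config.ExternalAccessWithTrialTenants

    # Older module builds do not return the property at all
    if ([string]::IsNullOrEmpty($state)) {
        Write-Warning 'ExternalAccessWithTrialTenants not returned; update the MicrosoftTeams module.'
        $state = 'Unknown'
    }

    $report = [pscustomobject]@{
        AllowFederatedUsers            = $config.AllowFederatedUsers
        ExternalAccessWithTrialTenants = $state
        IsDefault                      = ($state -eq 'Blocked')
        Remediated                     = $false
    }

    if ($state -eq 'Allowed') {
        Write-Warning 'Federated chat with trial tenants is allowed in this tenant.'
        if ($Remediate -and $PSCmdlet.ShouldProcess(
                'Tenant federation configuration',
                'Set ExternalAccessWithTrialTenants to Blocked')) {
            Set-CsTenantFederationConfiguration -ExternalAccessWithTrialTenants 'Blocked'
            # Re-read so the report reflects what the service now holds
            $after = Get-CsTenantFederationConfiguration
            $report.ExternalAccessWithTrialTenants = [string]$after.ExternalAccessWithTrialTenants
            $report.IsDefault  = ($report.ExternalAccessWithTrialTenants -eq 'Blocked')
            $report.Remediated = $report.IsDefault
        }
    }

    $report
}

# Report only
Test-TrialTenantFederation
# Preview the change without applying it
Test-TrialTenantFederation -Remediate -WhatIf
```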
Other restrictions exist for trial tenants. For instance, when I was testing the new Exchange Online High-Volume Email (HVE) solution, I discovered that I couldn’t create any of the special HVE mail user objects used to send messages via the HVE SMTP endpoint. After digging into the problem and discussing it with Microsoft 365 messaging engineering (aka Exchange Online), I discovered that test tenants have a limit on the number of mail user objects that can be created. The situation is complicated because when you create a guest user account in Entra ID, Exchange Online creates a mail user object to allow the account to be emailed. The tenant I was using had many guest accounts, and I had to reduce the number of mail users to under 100 before I could add HVE mail users. Of course, none of this apart from the link between guest accounts and mail users is documented.
Can Anything be Done for Blocked Teams Federated Chat?
If you don’t want Teams to put your tenant in the test category, buy at least one Microsoft 365 license that includes Teams. The cheapest option is Microsoft 365 Business Basic. At the time of writing, Microsoft advertises licenses with and without Teams. The version with Teams costs $6 monthly, which isn’t a lot to make your tenant look like the real thing.
Remember that trial licenses can coexist alongside paid-for licenses. However, once you’ve used trial licenses for a product in a tenant, it’s likely that Microsoft will block another test for the same product.