
External Connectivity Problems in Teams with Trial Tenants

If you have a Microsoft 365 trial tenant, then from around the end of August 2024 you might have noticed that you start having issues in Microsoft Teams when connecting with external users. By "external users" I mean users in another Microsoft 365 tenant. The first thing you might see is that chat history starts showing users as “UU” or “unknown user”.

Unknown User card

As well as disappearing from chat, you find that you can’t find them to start a new chat and instead get the error message "We can't set up the conversation because your organisations are not set up to talk to each other.":

Error Message: We can't set up the conversation because your organisations are not set up to talk to each other.

...or send a new message to them anymore.

Error Message: Failed to send.

These are error messages that we would normally associate with external access being disabled, but you probably already set the external access permissions to the most permissive possible, either in the Teams Admin Center or in Entra ID. The same users might email you to say that they can’t find you on Teams from their side, and you might find the problem gradually spreads to more external users, although guest users such as people with a live.com account still work. You check your external access settings in the Teams Admin Center and in Entra ID and all looks fine. You might even run the diagnostic tool to check connectivity, and it will detect no problems. So what’s going on?

This is due to a new setting that Microsoft introduced to Teams at the end of July called “ExternalAccessWithTrialTenants”. It’s a security option for Teams that blocks users in “Trial only” tenants from contacting you, or vice versa. A “Trial only” tenant means one in which there are no paid licences, only trial licences. The new setting was introduced because a lot of trial tenants were being abused. There is nothing in the Teams Admin Center, but administrators can enable or disable it in PowerShell with the Set-CsTenantFederationConfiguration cmdlet. It can be set to either “Allowed” or “Blocked”. You can check the current value in your tenant using the Get-CsTenantFederationConfiguration PowerShell cmdlet (you'll need the June 2024 version 6.4.0 of the MicrosoftTeams module or later).

In this tenant the value is “Blocked”, which means any “Trial only” tenant won’t be able to use external access, and you’ll get the behaviour described above. The problem is that “Blocked” is the default value! So things that used to work stopped working once the ExternalAccessWithTrialTenants setting was rolled out and started to be enforced. That process took about 30 days, so from around the end of August 2024, things started going wrong for users with “Trial only” tenants. All the other tenants gradually started blocking them as the new setting was rolled out by Microsoft, without any action by the admins in those other tenants.
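One way to script that check, as an added example that is not part of the original post: it confirms the installed MicrosoftTeams module meets the 6.4.0 minimum mentioned above, reads the federation configuration, and reports whether the tenant is on the default. The function name Get-TrialTenantFederationStatus and the assessment wording are assumptions made for this example.

```powershell
# Added example: report the trial-tenant federation setting for the connected tenant.
# Get-TrialTenantFederationStatus is a hypothetical helper name, not a Microsoft cmdlet.
function Get-TrialTenantFederationStatus {
    [CmdletBinding()]
    param()

    # The post states the property needs MicrosoftTeams 6.4.0 (June 2024) or later.
    $minVersion = [version]'6.4.0'
    $module = Get-Module -ListAvailable -Name MicrosoftTeams |
        Sort-Object Version -Descending |
        Select-Object -First 1

    if (-not $module) {
        throw 'The MicrosoftTeams module is not installed.'
    }
    if ($module.Version -lt $minVersion) {
        throw "MicrosoftTeams $($module.Version) is installed; $minVersion or later is required."
    }

    Import-Module MicrosoftTeams -MinimumVersion $minVersion -ErrorAction Stop

    # Needs an authenticated session (Connect-MicrosoftTeams, called below).
    $config = Get-CsTenantFederationConfiguration -ErrorAction Stop

    $value = [string]$config.ExternalAccessWithTrialTenants
    $assessment = switch ($value) {
        'Blocked' { 'Default: external access with trial-only tenants is blocked.' }
        'Allowed' { 'Non-default: trial-only tenants can use external access with this tenant.' }
        default   { 'Property empty or unrecognised; check the module version and rollout state.' }
    }

    # Return an object so the result can be logged or compared across tenants.
    [pscustomobject]@{
        ModuleVersion                  = $module.Version
        AllowFederatedUsers            = $config.AllowFederatedUsers
        ExternalAccessWithTrialTenants = $value
        Assessment                     = $assessment
    }
}

# Sign in as a Teams administrator, then print the report.
Connect-MicrosoftTeams | Out-Null
Get-TrialTenantFederationStatus | Format-List
```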

You can try setting this property in your own tenant to “Allowed” using PowerShell:

Set-CsTenantFederationConfiguration -ExternalAccessWithTrialTenants "Allowed"

It was probably already set to “Allowed” in your trial tenant. But even if it wasn’t, changing it doesn’t help, because all the other tenants still have the “Blocked” setting. You need the admin of every other tenant to run the PowerShell command to allow access. Even then, changing these settings is not instantaneous – it takes a few hours before the change takes effect. So if you change the setting on your trial tenant and also the tenant you want to connect to, after a few hours you will again be able to find users in the other directory, initiate chat, and so on.

But before you start telling everyone to change the setting in their tenants, you might want to reflect on whether that’s a good idea. It actually makes a lot of sense to keep this at the default value, because it protects tenants and their users from malicious attacks by ne’er-do-wells using rogue trial tenants.

Fortunately, there’s another solution to the problem, albeit not a free one. The definition of a “Trial only” tenant is one that has no paid licences. You only need to add a single paid licence, such as a “month to month” Microsoft 365 Basic licence that costs about £6 or so per month, and just keep it going as long as you need it. That single licence means your tenant is no longer “Trial only” and won’t be blocked. Again, the effect is not immediate once you’ve added the paid licence. But after a few hours the Microsoft 365 platform will discover that your tenant is no longer “Trial only” and things should start working again.