Microsoft 365 Teams External Access Enabled

Elastic Detection Rules

Summary
This rule identifies when external access is enabled in Microsoft Teams, a feature permitting users to communicate with individuals outside their organization. While useful for collaboration, this feature can be abused by adversaries who may activate external access or add malicious domains to facilitate data exfiltration or maintain persistence within the network. The rule monitors audit logs for configuration changes related to federation settings, particularly focusing on events where external access has been enabled. The strategy involves analyzing the relevant event actions, parameters, and the individuals involved to determine if these actions were legitimate or potentially malicious. The response steps include disabling any unauthorized external access, documenting the changes, and notifying security personnel of any suspicious activities. Additionally, the rule recommends ongoing monitoring of Teams federation settings to quickly identify and react to future threats.
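The detection strategy above (match the federation configuration change, check its parameters, then weigh who made it) can be shown as a small log-review script. The code below is an added example for this page, not Elastic's rule or its query. It assumes audit records in the Microsoft 365 unified audit log shape (Workload, Operation, UserId, ResultStatus and a Parameters list of Name/Value pairs), that enabling external access is recorded as the Set-CsTenantFederationConfiguration cmdlet with AllowFederatedUsers set to True, and that domain allow-list edits appear as an AllowedDomains parameter; the sample records and the approved-admin list are constructed for the example.

```python
"""Added example: review Microsoft 365 audit records for Teams federation
(external access) changes. Illustrative only; not the Elastic rule.

Assumptions (not taken from the page): unified-audit-log field names
Workload/Operation/UserId/ResultStatus/Parameters, the cmdlet name
Set-CsTenantFederationConfiguration, and the parameter names
AllowFederatedUsers and AllowedDomains. Sample records are constructed.
"""
from dataclasses import dataclass

FEDERATION_OPERATION = "Set-CsTenantFederationConfiguration"  # assumed cmdlet name


@dataclass
class Finding:
    actor: str            # UserId that made the change
    parameter: str        # which federation setting changed
    value: str            # new value as recorded
    actor_approved: bool  # True if the actor is on the approved-admin list
    reason: str           # short description for the analyst


def _parameters(record):
    """Flatten the Parameters list of {"Name", "Value"} pairs into a dict."""
    return {p.get("Name"): str(p.get("Value")) for p in record.get("Parameters", [])}


def find_federation_changes(records, approved_actors=frozenset()):
    """Return one Finding per successful federation change worth reviewing.

    A record is interesting when it is a successful
    Set-CsTenantFederationConfiguration call that either turns
    AllowFederatedUsers on or touches the AllowedDomains list. Failed
    attempts are skipped because the tenant configuration did not change.
    """
    approved = {a.lower() for a in approved_actors}
    findings = []
    for rec in records:
        if rec.get("Workload") != "SkypeForBusiness":
            continue  # Teams federation settings are logged under this workload
        if rec.get("Operation") != FEDERATION_OPERATION:
            continue
        if rec.get("ResultStatus") != "Success":
            continue
        params = _parameters(rec)
        actor = rec.get("UserId", "<unknown>")
        is_approved = actor.lower() in approved
        if params.get("AllowFederatedUsers", "").lower() == "true":
            findings.append(Finding(actor, "AllowFederatedUsers", "True",
                                    is_approved, "external access enabled"))
        if "AllowedDomains" in params:
            findings.append(Finding(actor, "AllowedDomains", params["AllowedDomains"],
                                    is_approved, "federation domain allow-list changed"))
    return findings


# Constructed sample records: one legitimate enable, one allow-list edit by a
# non-approved account, one failed attempt, one disable, one unrelated event.
SAMPLE_RECORDS = [
    {"Workload": "SkypeForBusiness", "Operation": FEDERATION_OPERATION,
     "UserId": "admin@contoso.example", "ResultStatus": "Success",
     "Parameters": [{"Name": "AllowFederatedUsers", "Value": "True"}]},
    {"Workload": "SkypeForBusiness", "Operation": FEDERATION_OPERATION,
     "UserId": "helpdesk@contoso.example", "ResultStatus": "Success",
     "Parameters": [{"Name": "AllowedDomains", "Value": "partner.example"}]},
    {"Workload": "SkypeForBusiness", "Operation": FEDERATION_OPERATION,
     "UserId": "admin@contoso.example", "ResultStatus": "Failure",
     "Parameters": [{"Name": "AllowFederatedUsers", "Value": "True"}]},
    {"Workload": "SkypeForBusiness", "Operation": FEDERATION_OPERATION,
     "UserId": "admin@contoso.example", "ResultStatus": "Success",
     "Parameters": [{"Name": "AllowFederatedUsers", "Value": "False"}]},
    {"Workload": "Exchange", "Operation": "Set-Mailbox",
     "UserId": "admin@contoso.example", "ResultStatus": "Success", "Parameters": []},
]


def review_sample():
    """Run the check over the constructed records with one approved admin."""
    return find_federation_changes(SAMPLE_RECORDS,
                                   approved_actors={"admin@contoso.example"})


if __name__ == "__main__":
    for f in review_sample():
        status = "approved actor" if f.actor_approved else "UNAPPROVED actor"
        print(f"{f.reason}: {f.parameter}={f.value} by {f.actor} ({status})")
```

Only successful changes are reported, so a failed attempt leaves no finding here even though it may still be worth a look; the approved-actor flag is what lets an analyst separate a planned change from one that needs the response steps above (disable the access, document it, and escalate).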
Categories
  • Cloud
  • Identity Management
  • Application
Data Sources
  • User Account
  • Application Log
  • Cloud Service
ATT&CK Techniques
  • T1098
Created: 2020-11-30