Have you noticed a new trial in your tenant? If you have a “Microsoft Teams Trial” SKU appearing in your Office 365/Azure AD Tenant, you have users you didn’t intend using Microsoft Teams out in the big wide world, and you need to make sure the rest of your Office 365/Azure AD settings are configured so that you haven’t created a massive accidental hole in your organisation’s data security.
Microsoft have always allowed users the ability to create trials within their organisation’s tenant (if the organisation allowed it, but more on this later) but this only really applied in products like PowerBI and PowerApps where there was limited impact/scope to affect access to any other services. With Redmond’s push for adoption of Microsoft Teams, they have opened a new trial license – the Microsoft Teams Commercial Cloud Trial offer – that can be signed up to by users without administrative approval, and this one has more wide-reaching consequences. The “Microsoft Teams Trial” license not only gives users a Teams license, but also includes SharePoint Online Kiosk and Yammer Enterprise among others. Any user who does not have an Office 365 license that includes Microsoft Teams can initiate or join the trial. So if you only provide your users Exchange Online Plan 2 licenses, they could sign up, but if your users are assigned Office 365 Enterprise E3, vut have the Microsoft Teams licensed option disabled, they will not.
If an eligigble user either opens the Microsoft Teams client, or navigate to https://teams.microsoft.com from the web browser and signs in they will be shown a screen showing that they don’t have a license but they can use the “organization’s trial” to get started – regardless of whether or not the organisation has signed up or activated the trial or not.
What’s the user experience?
A loading screen will then be shown while the user’s license is assigned/activated and the trial provisioned and then the full Microsoft Teams experience opens.
The Importance of properly deploying Office 365 and Conditional Access
Although there is a way of controlling the initiation of trials by users at a tenant level – there may be perfectly acceptable reasons why you would want to allow users to sign up to trials of services such as PowerBI, PowerApps etc. but not Microsoft Teams, which opens up a lot more potential holes in the organisations information security. This highlights the importance of properly configuring tenant level settings such as Office 365 Group creation and guest access settings to limit the unexpected capabilities of new services or features that tie in to these services. Almost more importantly, it calls attention to properly configuring Azure AD Conditional Access to ensure only the users you want have access to services, from where you want them to, and as Conditional Access has an “allow by default” model, this requires extensive thought and testing.
How to disable user-initiated trials
If you want to prevent users from initiating any trials in the organisation’s Office 365 tenant then this can be controlled at a tenant level (not user or group based) by going to Settings > Services & add-ins > User owned Apps and Services from the Microsoft 365 Admin portal (https://admin.microsoft.com) and turning off Let users install trial apps and services
Hopefully if you’ve noticed this license in your tenant and you weren’t expecting it this post will help you work out why, and prevent it from causing more unexpected stuff happening in your tenant!