Teams Gains Ability to Start Chat with Email Address
Chat with Email Addresses Causes Security Community Some Heartburn
Microsoft published message center notification MC1182004 on Halloween (Microsoft 365 roadmap item 513271) and announced that any Teams user will be able to start a chat with an external user by using their email address to add the external person to the chat. Essentially, this is a variant on federated chat with the big difference being that the external person doesn’t need to be a Teams user AND the external person is added to the host tenant as a guest account.
A reasonable amount of heat has been generated within the security community with most commentators agreeing that this is a bad idea because allowing Teams users to set up chats with external people using email addresses exposes another potential vector for infection to bring malware into the tenant. In fact, chatting through Teams is no more serious than allowing users to send email to remote addressees. It would be better if the feature was opt-in rather than opt-out, and even better if Microsoft provided some guidance about how to secure tenants against potential infection via Teams.
Initiating Chat with Email Addresses
To set up a chat with an email address, create a new chat and enter the email address of the user to chat with. Teams recognizes that the email address is not present in the tenant directory, so it creates a new guest account and stamps the external user with the external trust indicator (Figure 1).

While you can go ahead and add messages to the chat, the external user must accept the invitation before they can join the chat to respond. Charmingly, after sending a message, Teams informs the user that the invitation is on its way and might take a few minutes. This covers the time required for the email recipient to receive the message and then confirm details of their guest account, including going through multifactor authentication if mandated by conditional access policies.
After the guest account is confirmed, the chat proceeds just like any other chat with a guest, with all the normal restrictions on guests. For instance, while the guest can send URLs in messages, they can’t send file attachments. The only new thing that’s been added is the process to initiate creation of the guest account from chat.
It’s important to realize that after a guest account is added using this method, that account functions in the same way as any other guest. It can be added to the membership of Teams, Outlook groups, or even Exchange Online distribution lists, join group chats, and so on.
Managing the Chat with Email Address Feature
Although Microsoft enables the feature to invite users to chat via email by default, it is subject to many controls. First, the feature can be disabled for some or all users by updating the Teams messaging policy assigned to user accounts. This isn’t possible yet in the Teams admin center, so it must be done in PowerShell. If your PC has the latest version of the Teams PowerShell module, you can update the policy today in advance of the feature’s arrival.
To find what messaging policies support external chat with email users, run:
Get-CsTeamsMessagingPolicy | Format-Table identity, UseB2BInvitesToAddExternalUsers
To block the feature for accounts assigned a specific policy, run the Set-CsTeamsMessagingPolicy cmdlet. Here’s an example:
Set-CsTeamsMessagingPolicy -Identity 'Restricted - No Chat' -UseB2BInvitesToAddExternalUsers $false
Second, because the user invited to the chat becomes a guest in the tenant, the user must be able to invite new guests (Figure 2). Normally, team owners can add new guests to team membership and users can add guests to share documents with SharePoint Online and OneDrive for Business, but the ability to invite guests can be restricted.

Third, the tenant B2B collaboration policy must allow users from the target email domain to be invited as guests. It’s quite common to block invitations from consumer email domains, for instance. If Teams cannot create a guest account for the external user, federated chat can’t happen.
Fourth, as mentioned above, guest accounts are subject to controls like multifactor authentication policies that might, for instance, require the new guest to use the Microsoft authenticator app as a secondary authentication method.
Last, consider using Microsoft Defender for Office 365 to protect Teams communications, including blocking malicious URLs sent in chat messages.
Like all other guest- and chat-related activities, the actions to create the new guest from the email address and their participation in the chat are captured in audit records in the Microsoft 365 audit log.
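A review of the first two controls above in one pass, written as an added example (not code from the original post or from Microsoft). It assumes the MicrosoftTeams and Microsoft.Graph.Identity.SignIns modules are installed and that the signed-in account can read and update these policies; the `$DisableEverywhere` switch is a hypothetical name introduced here.

```powershell
# Added example: report, and optionally close, the email-invite setting.
# $DisableEverywhere is a hypothetical switch, not part of any Microsoft module.
param([switch]$DisableEverywhere)

Connect-MicrosoftTeams | Out-Null
Connect-MgGraph -Scopes 'Policy.Read.All' | Out-Null

# Control 1: which messaging policies allow chat invitations by email address?
$policies = Get-CsTeamsMessagingPolicy
$setting  = 'UseB2BInvitesToAddExternalUsers'
$report = foreach ($p in $policies) {
    # An older Teams module does not expose the property at all; report that
    # as Unknown instead of letting a missing value read as "disabled".
    $known = $p.PSObject.Properties.Name -contains $setting
    [pscustomobject]@{
        Policy           = $p.Identity
        EmailChatInvites = if ($known) { [bool]$p.$setting } else { 'Unknown (update module)' }
    }
}
$report | Sort-Object Policy | Format-Table -AutoSize

# Control 2: who in the tenant is allowed to invite guests at all?
$invitesFrom = (Get-MgPolicyAuthorizationPolicy).AllowInvitesFrom
$meaning = switch ($invitesFrom) {
    'none'                             { 'Nobody can invite guests' }
    'adminsAndGuestInviters'           { 'Only admins and the Guest Inviter role' }
    'adminsGuestInvitersAndAllMembers' { 'Admins, Guest Inviters and all member users' }
    'everyone'                         { 'All users, including existing guests' }
    default                            { 'Unrecognized value' }
}
Write-Output "Guest invitations allowed from: $invitesFrom ($meaning)"

# Optional remediation: switch the setting off in every policy where it is on.
if ($DisableEverywhere) {
    $enabled = $report | Where-Object { $_.EmailChatInvites -eq $true }
    foreach ($row in $enabled) {
        # Custom policies are listed as 'Tag:<name>'; the prefix is stripped
        # before the name is passed to -Identity.
        $id = $row.Policy -replace '^Tag:', ''
        Set-CsTeamsMessagingPolicy -Identity $id -UseB2BInvitesToAddExternalUsers $false
        Write-Output "Disabled email chat invitations in policy '$id'"
    }
}
```

Run it without the switch first to see the current state; a policy with the setting enabled only matters for inviting new guests if the second control also lets the assigned users invite them.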
Chat with Email Addresses Causes Understandable Concern But Really Not That Bad
I understand why the security community think that adding the ability to chat with someone using their email address is a bad idea. However, some of the commentary that I have seen has been over the top and displays a lack of knowledge about how Teams and Entra ID B2B Collaboration work. The controls listed above are enough to keep everything in check. In security terms, the exposure through adding a guest to chat via an email address is no more than adding a guest to share a SharePoint Online or OneDrive for Business document.
Microsoft should have made chat with an email address an opt-in feature, but they probably think of this as simply an extension of existing functionality, and there’s some truth in that.









