Teams Stamps External Users with Trust Indicators
Trust Indicators Indicate the Level of Trust in External Users
Unfortunately, social engineering attacks designed to confuse and trick unwary users into doing something that leads to account compromise (and potentially to tenant compromise) continue unabated. According to the last number for monthly active users provided by Microsoft, 320 million people use Teams. That audience represents an attractive target for attackers to go after, and many of the social engineering attacks occur through federated chats from unknown external users.
The original design for Teams envisaged an open collaborative environment where Teams users from Microsoft 365 domains could connect to Teams users in other domains. Attackers duly signed up trial tenants and used trial Teams licenses to reach out and attempt to connect with targets. Given that the SIP address for most Microsoft 365 users is the same as their primary SMTP address, once an attacker has an email address, they can try to institute a federated chat to that address and hope that the person at the other end responds.
Visual Clues About the Trustability of External Users
Microsoft clamped down on the ability of trial tenants to use federated chat in 2024. But attackers adapt to changed circumstances and keep on trying. This brings us to the announcement of trust indicators for Teams users published in MC1162276 (29 September 2025). Like the external tag applied to email from external sources, a trust indicator is a badge displayed alongside an external user’s name to give tenant users a visual clue about their status.
Public preview for trust indicators has already started and is expected to be completed in late November. General availability will then roll out the feature to all tenants in all clouds for completion in early January 2026. The documentation for trust indicators describes the different badges used by Teams and where the badges appear, so I won’t go into the details here. However, here are some examples of where you’ll probably see trust indicators in action.
First, Figure 1 shows the participant list for a group chat. I’m a guest user in this chat and the badge and tooltip show that status. A guest user has a high level of trust because they are using an account added to the tenant directory to access Teams. Some might argue that this really doesn’t indicate a high level of trust because guests can be added to the tenant directory without administrative oversight, for example, by sharing a document with an external user.

Figure 2 shows another important point. In this case, we’re viewing the membership of a team and two of the members have no trust indicators. This is because they’re tenant members, so their status makes these members very trustworthy.

Build an Allow List for Teams Communications
Trust indicators are a nice addition to Teams, but I fear that they don’t address an issue that many Microsoft 365 tenants ignore, and that’s the need to control external access for Teams. I accept that it’s nice to be open and collaborative and willing to communicate with anyone in any tenant, but I also consider this to be a dangerous approach to use without question. An open tenant is an invitation to connect, but that allows unwanted visitors to attempt to connect to users.
Tenants can control the tenants that users are allowed to communicate with by establishing an external access allow list. You can build an allow list manually, but it can be difficult to know all the domains that people wish to use. It’s possible to construct the allow list programmatically with PowerShell using sources like the home domains for guest accounts or federated chats with external people. Either source is a good start for an allow list that can then be tweaked to add whatever domains are missing.
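The following added example (not code from this article) shows one way to derive candidate domains from the mail addresses of guest accounts, counting guests per domain so that the list can be reviewed before use. The function name Get-CandidateAllowList, the excluded consumer domains, and the sample addresses are assumptions made for illustration.

```powershell
# Added example: turn guest account mail addresses into a candidate allow list.
function Get-CandidateAllowList {
    param(
        [string[]] $GuestMail,
        [int] $MinimumGuests = 1,
        # Assumption: consumer mail domains are skipped; edit the list to suit your tenant.
        [string[]] $ExcludeDomains = @('gmail.com', 'outlook.com', 'hotmail.com', 'yahoo.com')
    )
    $GuestMail |
        ForEach-Object {
            # Skip empty or malformed values; guest accounts can lack a mail address.
            if ($_ -match '^[^@\s]+@(?<domain>[^@\s]+\.[^@\s]+)$') {
                $Matches['domain'].ToLowerInvariant()
            }
        } |
        Where-Object { $_ -notin $ExcludeDomains } |
        Group-Object |
        Where-Object { $_.Count -ge $MinimumGuests } |
        Sort-Object -Property Count -Descending |
        Select-Object @{ n = 'Domain'; e = { $_.Name } }, @{ n = 'Guests'; e = { $_.Count } }
}

# Constructed sample input (not real accounts). In a live tenant, with the Microsoft Graph
# PowerShell SDK connected, the same values come from:
#   $GuestMail = (Get-MgUser -Filter "userType eq 'Guest'" -All -Property Mail).Mail
$GuestMail = @(
    'kim@contoso.com', 'Lee@Contoso.com', 'sam@fabrikam.com',
    'pat@gmail.com', '', 'not-an-address'
)
$Candidates = Get-CandidateAllowList -GuestMail $GuestMail
$Candidates | Format-Table -AutoSize   # review and adjust before applying anything

# Applying the reviewed list with the MicrosoftTeams module (left commented out on purpose):
#   $List = [System.Collections.Generic.List[string]]::new()
#   $Candidates.Domain | ForEach-Object { $List.Add($_) }
#   Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomainsAsAList $List
```

Raising -MinimumGuests trims domains that appear only once, which keeps the starting list short at the cost of more approval requests later.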
The downside of using an allow list to control Teams external access is that anytime someone wants to connect with a user in a domain that’s not in the allow list, they must seek approval for the addition of that domain. That’s regrettable, but it might be better than allowing external connections from any other Microsoft 365 domain, including those controlled by the bad guys.
Small but Important Step
Trust indicators are a small but important step to help Teams users recognize the status of external collaborators. It’s good to have these visual clues, and I hope that the clues help users to be more wary in their external communications. However, maybe it’s even better to close off the holes in Teams external access where undesirable connections can creep in.