Teams Gains Ability to Start Chat with Email Address

Chat with Email Addresses Causes Security Community Some Heartburn

Microsoft published message center notification MC1182004 on Halloween (Microsoft 365 roadmap item 513271) and announced that any Teams user will be able to start a chat with an external user by using their email address to add the external person to the chat. Essentially, this is a variant on federated chat with the big difference being that the external person doesn’t need to be a Teams user AND the external person is added to the host tenant as a guest account.

A reasonable amount of heat has been generated within the security community with most commentators agreeing that this is a bad idea because allowing Teams users to set up chats with external people using email addresses exposes another potential vector for infection to bring malware into the tenant. In fact, chatting through Teams is no more serious than allowing users to send email to remote addressees. It would be better if the feature was opt-in rather than opt-out, and even better if Microsoft provided some guidance about how to secure tenants against potential infection via Teams.

Update: According to an update to MC1182004, Microsoft is targeting the feature at “small and medium business customers with a Teams Essentials, Business Basic, Business Standard, or Business Premium license.” In my opinion, if this change means that Microsoft intends to restrict the start chat with email feature to the tenant types listed and block access to enterprise tenants, it is a bad change. Many smaller tenants do not have the same kind of framework established to manage guest accounts as exists in enterprise tenants. However, “targeted at” might mean that Microsoft intends to market the feature to those tenants and leave it to enterprise tenants to decide if they want to use start chat with email. No doubt we will see in due course. In the meantime, I have asked Microsoft to comment.

Initiating Chat with Email Addresses

To set up a chat with an email address, create a new chat and enter the email address of the user to chat with. Teams recognizes that the email address is not present in the tenant directory, so it creates a new guest account and stamps the external user with the external trust indicator (Figure 1).

Figure 1: Initiating Teams chat with email address

While you can go ahead and add messages to the chat, the external user must accept the invitation before they can join the chat to respond. Charmingly, after sending a message, Teams informs the user that the invitation is on its way and might take a few minutes. This covers the time required for the email recipient to receive the message and then confirm details of their guest account, including going through multifactor authentication if mandated by conditional access policies.

After the guest account is confirmed, the chat proceeds just like any other chat with a guest, with all the normal restrictions on guests. For instance, while the guest can send URLs in messages, they can’t send file attachments. The only new thing that’s been added is the process to initiate creation of the guest account from chat.

It’s important to realize that after a guest account is added using this method, that account functions in the same way as any other guest. It can be added to the membership of Teams, Outlook groups, or even Exchange Online distribution lists, join group chats, and so on.

Managing the Chat with Email Address Feature

Although Microsoft enables the invite user to chat via email feature by default, it is subject to many controls. First, the feature can be disabled for some or all users by updating the Teams messaging policy assigned to user accounts. This isn’t possible yet in the Teams admin center, so it must be done in PowerShell. If your PC has the latest version of the Teams PowerShell module, you can update the policy today in advance of the feature’s arrival:

To find what messaging policies support external chat with email users, run:

Get-CsTeamsMessagingPolicy | Format-Table identity, UseB2BInvitesToAddExternalUsers

To block the start chat with email feature for accounts, update the messaging policy assigned to the accounts by running the Set-CsTeamsMessagingPolicy cmdlet. Here’s an example:

Set-CsTeamsMessagingPolicy -Identity 'Restricted - No Chat' -UseB2BInvitesToAddExternalUsers $false
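As an added example (not from the original post), the two cmdlets above can be combined into a short script that reports every messaging policy, including the Global policy that applies to users without an explicit assignment, and turns the setting off on all policies except a named allow-list. It assumes the MicrosoftTeams module is installed and Connect-MicrosoftTeams has already run; the policy name in $KeepEnabled is a placeholder.

```powershell
# Added example, not code from the original post. Assumes the MicrosoftTeams module is loaded
# and Connect-MicrosoftTeams has run. Inventories UseB2BInvitesToAddExternalUsers across all
# Teams messaging policies and disables it on every policy not listed in $KeepEnabled.
function Disable-TeamsChatWithEmail {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Placeholder policy names that should keep the feature on (e.g. a vetted group of users)
        [string[]]$KeepEnabled = @('Allow Chat With Email')
    )

    $policies = Get-CsTeamsMessagingPolicy
    foreach ($policy in $policies) {
        # Custom policies come back as "Tag:<name>"; the default policy is simply "Global"
        $name    = $policy.Identity -replace '^Tag:', ''
        $enabled = [bool]$policy.UseB2BInvitesToAddExternalUsers
        $action  = 'None'

        if ($enabled -and ($KeepEnabled -notcontains $name)) {
            # ShouldProcess honours -WhatIf / -Confirm so the change can be rehearsed first
            if ($PSCmdlet.ShouldProcess($name, 'Set UseB2BInvitesToAddExternalUsers to $false')) {
                Set-CsTeamsMessagingPolicy -Identity $policy.Identity -UseB2BInvitesToAddExternalUsers $false
                $action = 'Disabled'
            } else {
                $action = 'WouldDisable'
            }
        } elseif ($enabled) {
            $action = 'KeptEnabled'
        }

        # One row per policy so the result can be piped to Format-Table or Export-Csv
        [pscustomobject]@{ Policy = $name; WasEnabled = $enabled; Action = $action }
    }
}

# Dry run first to review what would change, then apply for real
Disable-TeamsChatWithEmail -WhatIf | Format-Table
Disable-TeamsChatWithEmail | Format-Table
```

Because the Global policy is included in the loop, users with no explicit messaging policy assignment are covered as well; keep the output as a record of which policies were changed.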

Second, because the user invited to the chat becomes a guest in the tenant, the user must be able to invite new guests (Figure 2). Normally, team owners can add new guests to team membership and users can add guests to share documents with SharePoint Online and OneDrive for Business, but the ability to invite guests can be restricted.

Figure 2: Entra ID External Collaboration settings govern who can create new guest accounts

Third, the tenant B2B collaboration policy must allow users from the target email domain to be invited as guests. It’s quite common to block invitations from consumer email domains, for instance. If Teams cannot create a guest account for the external user, federated chat can’t happen. In fact, the way things are set up at present, the user who attempts to initiate the chat is left in the dark because the invitation is silently quashed in the background. Obviously, Teams does not check the B2B Collaboration policy before it allows users to attempt to initiate chats via email.

Fourth, as mentioned above, guest accounts are subject to controls like multifactor authentication policies that might, for instance, require the new guest to use the Microsoft Authenticator app as a secondary authentication method.

Last, consider using Microsoft Defender for Office 365 to protect Teams communications, including blocking malicious URLs sent in chat messages.

Like all other guest- and chat-related activities, the actions to create the new guest from the email address and their participation in the chat are captured in audit records in the Microsoft 365 audit log.

Chat with Email Addresses Causes Understandable Concern But Really Not That Bad

I understand why the security community thinks that adding the ability to chat with someone using their email address is a bad idea. However, some of the commentary that I have seen has been over the top and displays a lack of knowledge about how Teams and Entra ID B2B Collaboration work. The controls listed above are enough to keep everything in check. In security terms, the exposure through adding a guest to chat via an email address is no more than adding a guest to share a SharePoint Online or OneDrive for Business document.

Microsoft should have made chat with an email address an opt-in feature, but they probably think of this as simply an extension of existing functionality, and there’s some truth in that.


10 Replies to “Teams Gains Ability to Start Chat with Email Address”

  1. Microsoft have subsequently clarified the channels that this update is targeted at: This capability will be available to small and medium business customers with a Teams Essentials, Business Basic, Business Standard, or Business Premium license

    1. Which is not a great decision because those tenants tend to have less developed management frameworks for guest accounts. Can you cite a link for the new direction? I can’t find one.

      Update: I see the change to the MC post (MC1182004). Not a good call for Microsoft to make.

  2. Agreed. I hope we see a further update on this – more along the lines of ‘we have listened to you, and not going ahead with this at this time….’

    1. I suspect that they will go ahead because there’s nothing wrong with the idea. All the processes and procedures to control the guest accounts created through start chat with email are in place (or could be in place if implemented by tenants). And anyway, the Entra B2B guest-invite-and-accept mechanism used here is exactly what SharePoint Online and OneDrive for Business do when they share documents outside the tenant, so what is so bad when Teams does the same thing? That’s what’s confusing me.

  3. To me a big security concern would be less sophisticated small tenant admins not thinking through that every guest account is included in the EEEU (Everyone except external users) group, which automatically gets Edit access to any Team or Group-connected SharePoint site that was created as Public. Microsoft wisely is removing EEEU default access in OneDrive, but not in SharePoint (yet).

    1. That’s true, but the same happens when a user shares a document with an external user – an invitation goes to the external user, they accept, and then have a valid guest account in the tenant that can be used for further sharing, or to join a team, etc.

      All of which proves that it’s important to understand the critical components within a Microsoft 365 tenant because those components (like B2B Collaboration) can appear in different guises.

  4. Does the Teams ‘external access’ organization setting override this new option, specifically when it’s set to “Allow only specific external domains”?

    1. I’m confused why you might say that. The ability of users to create guest accounts has been available in SharePoint and OneDrive for years. This is similar, and just like the SharePoint facility, if a tenant restricts the ability of users to create guest accounts, they won’t be able to…
