🚨 What the new “Chat with Anyone” feature in Microsoft Teams means for your security (and how to tame it)

The latest update from Microsoft is designed to make collaboration easier than ever — but ease often brings expanded risk. Let’s break it down for you, highlight what it means, and show you how your organisation can stay protected.

What is the “Chat with Anyone” feature?

In short: Teams users can now initiate a chat with anyone using just an email address—even if the recipient doesn’t already have a Teams account. 
Here’s how it works:

  • You open a chat in Teams and type an external email address.

  • Teams recognises that the address isn’t in your directory and initiates a guest invitation—creating a guest account in your tenant via B2B collaboration.

  • The external user accepts the invite (via email) and then joins the chat as a guest.

  • This applies across platforms (desktop, mobile, web) for eligible license tiers.

On its face this sounds like a helpful productivity boost (especially for smaller organisations, agencies, and freelancers). But the flip side is where your security focus needs to sharpen.

🚨 The Security & Compliance Risks

Yes — this is where we lean in. Because convenience can widen the attack surface.

1. Expanded guest surface

Now external participants (who may never have engaged with your tenant before) can join chats. Each such guest account represents a potential vector for phishing, malware, or lateral movement within your organisation.

2. Lower barrier to entry

Because only an email address is required to start the chat, the “trust gate” has shifted. Attackers could masquerade as partners or clients and chat their way in.

3. Guest controls and policy misalignment

Even though this uses the same B2B guest framework (via Microsoft Entra ID), many organisations may not have configured guest policies, external access restrictions, or auditing for these accounts. That means blind spots.

4. Compliance & data leakage risks

Guests might not be subject to the full set of internal controls (DLP, chat retention, external access monitoring). In an environment regulated for data protection (GDPR, HIPAA, etc.), this is a red flag.

What your organisation should do (before this feature becomes a risk)

For a security audience, here are actionable steps:

✅ Step 1: Inventory your current external access & guest policies

  • In the Teams admin centre: check Users → External access and Guest access settings.

  • Check your Entra ID B2B guest invitation settings — who can invite guests? What domains are allowed or blocked?

  • Use PowerShell to inspect relevant messaging policies. Example:

Get-CsTeamsMessagingPolicy | Format-Table Identity, UseB2BInvitesToAddExternalUsers


✅ Step 2: Decide – Enable, Restrict or Disable

Depending on your risk appetite and control maturity, you have three paths:

  • Enable and control: If you want to use the feature (for sales, client engagement, partners) then build strong guardrails.

  • Restrict: Allow only specific domains (partners, clients) or specific user groups to initiate these chats.

  • Disable: If you’re not ready, you can turn it off via messaging policy. Example:

Set-CsTeamsMessagingPolicy -Identity Global -UseB2BInvitesToAddExternalUsers $false


✅ Step 3: Update your governance & monitoring

  • Audit guest account creation: who invited, which domains, reason for invitation.

  • Monitor chats involving guests for suspicious links or attachments.

  • Ensure external chats are subject to your DLP / retention policies.

  • Enforce multi-factor authentication (MFA) on guest/invited accounts.

  • Block or review certain external email domains if needed.
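The following audit script is an added example, not code from the original post or from Microsoft; it pulls Steps 1 to 3 together by listing which messaging policies allow these invite-driven chats, what the tenant's federation allow/block lists look like, and which guest accounts exist per external domain, flagging new or still-pending invitations for review. It assumes the MicrosoftTeams and Microsoft.Graph PowerShell modules, a Teams admin role plus User.Read.All on Graph, and that the UseB2BInvitesToAddExternalUsers parameter named in the post is present in your module version.

```powershell
# Added example (not from the original post): audit "Chat with Anyone" exposure in a tenant.
# Assumptions: MicrosoftTeams and Microsoft.Graph modules installed; Teams admin rights and
# User.Read.All consent; the policy parameter below is the one named in the post.
Connect-MicrosoftTeams | Out-Null
Connect-MgGraph -Scopes "User.Read.All" -NoWelcome

# Step 1: which messaging policies let users start chats that create B2B guest invites?
$policies = Get-CsTeamsMessagingPolicy |
    Select-Object Identity, UseB2BInvitesToAddExternalUsers
Write-Host "Messaging policies and their external-invite setting:"
$policies | Format-Table -AutoSize

# Step 2 input: current Teams federation posture (allowed / blocked external domains)
$fed = Get-CsTenantFederationConfiguration
Write-Host ("Federation: AllowFederatedUsers={0} AllowedDomains={1} BlockedDomains={2}" -f
    $fed.AllowFederatedUsers, $fed.AllowedDomains, $fed.BlockedDomains)

# Step 3: inventory guest accounts in Entra ID, grouped by the domain they came from
$since  = (Get-Date).AddDays(-30)          # "recent" window for review, adjust to taste
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property DisplayName,Mail,UserPrincipalName,CreatedDateTime,ExternalUserState

$report = $guests | ForEach-Object {
    # Some guests have no Mail attribute; mark those rather than guessing a domain
    $domain = if ($_.Mail) { ($_.Mail -split '@')[-1] } else { 'unknown' }
    [pscustomobject]@{
        Domain      = $domain
        Mail        = $_.Mail
        Upn         = $_.UserPrincipalName
        Created     = $_.CreatedDateTime
        InviteState = $_.ExternalUserState    # 'Accepted' or 'PendingAcceptance'
        RecentGuest = ($_.CreatedDateTime -ge $since)
    }
}

Write-Host "`nGuest accounts per external domain:"
$report | Group-Object Domain | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# New guests and invitations nobody has accepted yet deserve a closer look
$flagged = @($report | Where-Object { $_.RecentGuest -or $_.InviteState -ne 'Accepted' })
Write-Host "`n$($flagged.Count) guest(s) flagged for review (new or pending invitations):"
$flagged | Sort-Object Created -Descending |
    Format-Table Mail, Created, InviteState -AutoSize

# Keep a copy for the governance record; re-run periodically and diff against the last one
$report | Export-Csv -Path ".\teams-guest-inventory.csv" -NoTypeInformation
```

Run it once before deciding your posture in Step 2, then on a schedule so that each newly created guest (and its inviting domain) shows up in the diff between exports.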

✅ Step 4: Train your users

  • Remind staff that just because an external contact shows up in Teams, it doesn’t guarantee they’re safe.

  • Train on verifying identities: “Are you expecting a new chat invitation from someone outside?”

  • Encourage good habits: avoid sharing sensitive files until guest access rights and identity are confirmed.

  • Use the 🚨 emoji in your internal awareness posts:

    • “🚨 Heads-up: you may receive a Teams chat from someone using your company’s name — verify email and identity before clicking any links.”

Final Thoughts

The new “Chat with Anyone” function in Teams is a double-edged sword. On one side, it removes friction — enabling faster collaboration, bridging organisations, enabling freelancers or external consultants to join chats easily. On the other side, it expands the guest access attack surface and introduces additional governance requirements.

For a security-focused practitioner (and for the audience at Equal Tech Solutions), the key is control before convenience. Enable productivity by all means — but only once the guardrails are in place.

▶️ My recommendation: Review your settings today, decide your posture, document policies, train your team, and roll out user-awareness messaging in a clear 🚨 alert style. Because once this feature unlocks broadly (targeted release already rolling, general rollout planned) it’s much easier to control in advance than to mop up later.