Microsoft announced feature MC296208, which makes it possible for Teams consumer account users to connect and chat with Teams business users. An update about the rollout timeline was released on Jan 04 2022.
Well! By early February it is available. As Microsoft mentioned in the message center, it was shipped with the default set to Enabled. If admins do not take action, Teams consumer users can connect and chat with Teams business users. This is a helpful feature, but it can lead to a lot of spoofing.
By now, you might have heard about Teams extending its reach to consumers by providing a consumer account and Teams availability within Windows 11. (Hello Skype! 🙂 )
Any user with a burner account can sign up for a Teams consumer account, name it whatever they like (e.g., Bill Belichick), and connect with any Teams consumer account as long as they know the email address. This opens up a lot of scenarios for impersonation and phishing attacks.
Even with the functionality it brings, a lot of security teams will not be happy to turn this feature on. Microsoft made an effort to handle some of the security concerns by blocking the chat until it is explicitly accepted, after reminding the user of the risks of external chat. A chat with such a user is tagged with an 'External' badge.
The above screenshot is from the Microsoft article.
The major concern here is that con artists can easily get hold of prominent and executive-level user names and titles and use them to trick vulnerable employees into handing over valuable information. An important thing we noticed is that, since the external user (consumer account) is not managed in Azure AD, unlike a guest user account, DLP policies are not enforced.
How to turn it off if you are concerned as an admin
- Go to the Teams Admin Center.
- Users -> External access
- Under "Teams accounts not managed by an organization"
- The admin option gives the flexibility to keep this chat feature one-way: only Teams business users can connect to Teams consumer users.
- Turn it off and save as you desire.
This setting is also available via PowerShell, which gives admins more granular control to turn it on/off for everyone or at the individual user level.
Tenant level: CsTenantFederationConfiguration
User level: CsExternalAccessPolicy
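The same change from PowerShell, as an added example that is not code from the original post. It assumes the MicrosoftTeams PowerShell module is installed and the signed-in account holds a Teams administrator role; the policy name "BlockConsumerChat" and the user address are placeholders.

```powershell
# Added example (not from the original post): disable chat with Teams consumer
# accounts tenant-wide, then override per user with an external access policy.
# Assumes the MicrosoftTeams module; "BlockConsumerChat" and the UPN are placeholders.

Connect-MicrosoftTeams

# 1. Tenant level: check the current state before changing anything.
Get-CsTenantFederationConfiguration |
    Select-Object AllowTeamsConsumer, AllowTeamsConsumerInbound

# Turn the feature off for everyone. AllowTeamsConsumerInbound governs whether a
# consumer account may start the conversation; setting only that to $false keeps
# the one-way mode the admin center offers (business users can still initiate).
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false `
                                    -AllowTeamsConsumerInbound $false

# 2. User level: a policy that blocks consumer chat, assigned to high-value
#    accounts (executives, finance) regardless of the tenant default.
New-CsExternalAccessPolicy -Identity "BlockConsumerChat" `
    -EnableTeamsConsumerAccess $false `
    -EnableTeamsConsumerInbound $false

Grant-CsExternalAccessPolicy -Identity "ceo@contoso.com" -PolicyName "BlockConsumerChat"

# 3. Verify which policy the user ended up with.
Get-CsOnlineUser -Identity "ceo@contoso.com" |
    Select-Object UserPrincipalName, ExternalAccessPolicy
```

Run the Get-* checks first and record the output; that gives you a before/after record for change control, and re-running them later will show whether the setting drifted back to the Enabled default.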
More details from the feature announcement can be found here. Comment and let me know how you are handling this feature.