Microsoft Teams security: external access, guest sharing and federation

Teams is no longer just corporate chat: it concentrates meetings, files, channels and automations connected to SharePoint and Entra ID. Its default configuration favors external collaboration, which turns external access, guests and federation into one of the least audited surfaces of Microsoft 365.

External access vs. guest access: two different surfaces

Microsoft Teams distinguishes two forms of collaboration with third parties that are often confused. "External access" (federation) lets users from other Microsoft 365 tenants find, call and chat with you without a formal invitation, similar to email federation. "Guest access" adds an external person as a member of a specific team or channel, with a guest identity in your own Entra ID. Each surface has its own controls, and both are usually enabled by default for any domain, with no allowlist.

Open federation policies: the most overlooked risk

By default, Teams allows federated communication with "all domains", meaning any employee can receive messages, calls and meeting requests from any external organization that also uses Teams, without IT approving it case by case. It's the preferred entry vector for phishing delivered via Teams —including campaigns impersonating Microsoft support— because the message arrives inside a tool the user perceives as internal and trusted.

Guest sharing and persistent guest accounts

Guests added to a team gain access to the SharePoint and OneDrive files linked to that team, not just the chat. In practice, guests are rarely reviewed or removed once a project ends: most tenants accumulate guest accounts from collaborations closed months or years ago, each still holding residual access to files no one has re-evaluated. Without automatic expiration or periodic access reviews, every guest added becomes a permanent entry in the tenant's threat model.

How to audit and harden Teams security

A Teams audit covers: (1) restricting external access to an explicit allowed-domain list instead of "all domains"; (2) reviewing the guest access policy and enabling automatic expiration of inactive guest accounts; (3) inventorying teams and channels with active guests and their file access level; (4) reviewing third-party apps connected to Teams (bots, connectors) and their permissions, an OAuth consent vector analogous to Exchange; (5) verifying that meeting policies block direct anonymous entry to sensitive meetings.

FAQ

Should I disable external access in Teams entirely?

That's usually not realistic if your company collaborates with clients or vendors. It's better to replace "all domains" with an explicit list of allowed domains and review it periodically, rather than leaving federation open to any organization.

Do Teams guests count as Microsoft 365 licenses?

No, guests don't consume a license, which reduces the friction to add them — and explains why they accumulate uncontrolled. That's exactly why they need a review and expiration policy independent of the employee onboarding/offboarding cycle.