Trust Indicators Indicate the Level of Trust in External Users
Unfortunately, social engineering attacks designed to confuse and trick unwary users into doing something that leads to account compromise (and potentially to tenant compromise) continue unabated. According to the last number for monthly active users provided by Microsoft, 320 million people use Teams. That audience represents an attractive target for attackers to go after, and many of the social engineering attacks occur through federated chats from unknown external users.
The original design for Teams envisaged an open collaborative environment where Teams users from Microsoft 365 domains could connect to Teams users in other domains. Attackers duly signed up trial tenants and used trial Teams licenses to reach out and attempt to connect with targets. Given that the SIP address for most Microsoft 365 users is the same as their primary SMTP address, once an attacker has an email address, they can try to initiate a federated chat to that address and hope that the person at the other end responds.
Visual Clues About the Trustability of External Users
Microsoft clamped down on the ability of trial tenants to use federated chat in 2024. But attackers adapt to changed circumstances and keep on trying. This brings us to the announcement of trust indicators for Teams users published in MC1162276 (29 September 2025). Like the external tag applied to email from external sources, a trust indicator is a badge displayed alongside an external user’s name to give tenant users a visual clue about their status.
Public preview for trust indicators has already started and is expected to be completed in late November. General availability will then roll out the feature to all tenants in all clouds for completion in early January 2026. The documentation for trust indicators describes the different badges used by Teams and where the badges appear, so I won’t go into the details here. However, here are some examples of where you’ll probably see trust indicators in action.
First, Figure 1 shows the participant list for a group chat. I’m a guest user in this chat and the badge and tooltip show that status. A guest user has a high level of trust because they are using an account added to the tenant directory to access Teams. Some might argue that this really doesn’t indicate a high level of trust because guests can be added to the tenant directory without administrative oversight, for example, by sharing a document with an external user.

Figure 2 shows another important point. In this case, we’re viewing the membership of a team and two of the members have no trust indicators. This is because they’re tenant members, so their status makes these members very trustworthy.

Build an Allow List for Teams Communications
Trust indicators are a nice addition to Teams, but I fear that they don’t address an issue that many Microsoft 365 tenants ignore, and that’s the need to control external access for Teams. I accept that it’s nice to be open and collaborative and willing to communicate with anyone in any tenant, but I also consider this to be a dangerous approach to use without question. An open tenant is an invitation to connect, but that allows unwanted visitors to attempt to connect to users.
Tenants can control the tenants that users are allowed to communicate with by establishing an external access allow list. You can build an allow list manually, but it can be difficult to know all the domains that people wish to use. It’s possible to construct the allow list programmatically with PowerShell using sources like the home domains for guest accounts or federated chats with external people. Either source is a good start for an allow list that can then be tweaked to add whatever domains are missing.
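As an added illustration of the guest-account source mentioned above (this is not the author's script), the following PowerShell derives candidate domains from guest mail addresses. The function name, the exclusion list, and the sample guests are assumptions made for the example; `Get-MgUser` comes from the Microsoft Graph PowerShell SDK and `Set-CsTenantFederationConfiguration` from the MicrosoftTeams module.

```powershell
# Added example: candidate allow-list domains from guest mail addresses.
function Get-GuestHomeDomain {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Guest,
        # Assumption: consumer mail domains are left out of the candidate list.
        [string[]] $Exclude = @('gmail.com', 'outlook.com', 'hotmail.com')
    )
    $domains = foreach ($g in $Guest) {
        # Guests without a usable mail address are skipped.
        if ($g.Mail -match '^[^@\s]+@(?<domain>[^@\s]+\.[^@\s]+)$') {
            $Matches['domain'].ToLowerInvariant()
        }
    }
    # Count guests per domain so the busiest partner domains sort first.
    $domains |
        Where-Object { $_ -notin $Exclude } |
        Group-Object |
        Sort-Object -Property Count -Descending |
        Select-Object @{ n = 'Domain'; e = { $_.Name } }, @{ n = 'Guests'; e = { $_.Count } }
}

# Constructed sample input. In a tenant, fetch the real guests instead:
#   $Guests = Get-MgUser -Filter "userType eq 'Guest'" -All -Property Id, Mail
$Guests = @(
    [pscustomobject]@{ Mail = 'Ann@Contoso.com' }
    [pscustomobject]@{ Mail = 'bob@contoso.com' }
    [pscustomobject]@{ Mail = 'carol@fabrikam.com' }
    [pscustomobject]@{ Mail = 'dave@gmail.com' }
    [pscustomobject]@{ Mail = $null }
)

$Candidates = @(Get-GuestHomeDomain -Guest $Guests)
$Candidates | Format-Table -AutoSize

# After a human review of the candidates, build the typed list the Teams cmdlet expects.
$AllowList = [System.Collections.Generic.List[string]]::new()
foreach ($c in $Candidates) { $AllowList.Add($c.Domain) }

# Dry run first; remove -WhatIf only once the list has been reviewed.
# Set-CsTenantFederationConfiguration -AllowedDomainsAsAList $AllowList -WhatIf
```

Passing a list to `-AllowedDomainsAsAList` replaces the current allow list, so compare the candidates with the output of `Get-CsTenantFederationConfiguration` before applying them. Once an allow list is in force, domains that are not on it can no longer connect through external access.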
The downside of using an allow list to control Teams external access is that anytime someone wants to connect with a user in a domain that’s not in the allow list, they must seek approval for the addition of that domain. That’s regrettable, but it might be better than allowing external connections from any other Microsoft 365 domain, including those controlled by the bad guys.
Small but Important Step
Trust indicators are a small but important step to help Teams users recognize the status of external collaborators. It’s good to have these visual clues, and I hope that the clues help users to be more wary in their external communications. However, maybe it’s even better to close off the holes in Teams external access where undesirable connections can creep in.
What would be good would be for there to be a way of saying “Allow all external domains” and then “and these are the ones we trust” without having to go down the block list or allow list approach.
Isn’t that the same kind of management overhead as constructing an allow list?
I suspect not, this appears a massive oversight on Microsoft’s behalf – it is hardly a massive overhead, the likelihood is that you probably have a handful of partner domains you work with regularly. I have a tenant where they have two other organisations they share office facilities with; yes we could add 200+ users as guests but I’d be more than happy to say “if you have an Entra account from their domains then we trust your organisation” – this ultimately is the level of verification that you have with what the “allow only” list you are advocating without.
As I see it the current approach
1) Allow all (everything external is deemed External-Unfamiliar/“This person is part of an organization that is neither trusted nor blocked by your organization.”)
2) Allow all but block these explicitly (those then not blocked are External-Unfamiliar/“This person is part of an organization that is neither trusted nor blocked by your organization.”)
3) Block all but allow these explicitly (those left will be External-Familiar/“[Name] is part of a trusted organization.”)
What I want is a
4) Allow all external domains (unverified/External-Unfamiliar/“This person is part of an organization that is neither trusted nor blocked by your organization.”), but block these (untrusted/External-Unfamiliar/“This person is part of an organization that is not trusted by your organization.”) and trust these domains (trusted/External-Familiar/“[Name] is part of a trusted organization.”)
The guidance here https://learn.microsoft.com/en-us/microsoftteams/trust-indicators “Outside of your organization and your organization doesn’t have an explicit allowlist or blocklist.” but from what I can see you can’t add them to an allow list without blocking every other domain; the only way I can see you could get around that is cross cloud trust or setting up large numbers of guests (and that in itself isn’t entirely desirable; I do exist at another tenant’s domain as a guest and I simply miss Teams messages as I don’t “live within their tenant” day to day – so I need to interact with stuff in SharePoint and Teams etc as a guest; but day to day messaging between tenants as “external” contacts is much easier as you can remain in your own tenant in Teams as Teams only allows you to look at one at a time)
There are gaps in what Microsoft delivers, that’s true. I think this is indicative of a solution that attempts to meet the needs of hundreds of thousands of different organizations of varying sizes and needs. They can’t come up with something that addresses all requirements. Would the trusted domains setup work for you? If you have specific domains that you connect to for external access, you can create an allow list for those domains. It’s what I do for my domain (there are currently 77 domains on my allow list). Yes, it’s a pain having to add a new domain each time someone wants to contact someone via federated chat in that domain, but it works. After that, I have a managed set of guests. By managed, I mean that I have various tools to weed out unwanted (obsolete) guests on an ongoing basis. These approaches leverage what’s in the product without waiting for Microsoft to deliver something else, which they might never do.
This is exactly what I’m searching for but it doesn’t exist. I want to allow all external contacts but I want to mark some as trusted.
Do you use guests? They have the highest level of trust for external people.
No way to reply to Tony.
I’m not using Guests. But I don’t want to. I don’t want to clutter my environment, only because I want to chat to someone. How about new users etc. Now you see the new icon that is helpful. But some of the external people/organizations I trust I want to mark them as trusted.
Well, there’s no other way (that I know of) to give federated chat participants any indicator that shows a higher level of trust. With guests, you can give them a logo to show that they are trusted (in addition to the Teams stamp) and can change their display name to include some form of trust. As always with Microsoft 365, you can only work with the features Microsoft delivers…
And keeping control of guests isn’t that difficult…