Teams guest invitation emails pose serious (information leakage) risks

Teams guest/external user invitation emails pose serious (information leakage) risks, because they do not share minimal unique identification details for the inviting party.

When you invite someone, or are invited, as a guest/external user, a (Teams service) email invitation is sent out. Because this message contains no uniquely identifying details about the inviting party, the invitee has no clue who/where an invite comes from, and therefore whether it comes from a known/trusted party/person.

The message header contains a full name (John Do), while the message body only contains a first name (John). The message is received from ‘Microsoft Teams noreply @ email.teams.microsoft.com’, which of course is a trusted service…, but there is no clue who/which John Do is asking. Without any uniquely identifying information, no one should ever select the ‘Join Teams’ link. From a security/phishing perspective this message shouldn’t even arrive in a user’s mailbox.

Other (social) platforms share at least one unique additional detail about the requestor, for better or worse, on which you could base a decision to accept or deny. From an organizational perspective you might even consider which (personal) identification details to share while inviting (or receiving) a guest, and/or even what minimal information is required before allowing a message to arrive in a mailbox.

Once you have guest member(s) in a team, you should be able to (re)identify each user and guest uniquely, meaning that minimal identification details should be included in the ‘member’ card, instead of John Do (External), and/or multiple John Do’s, etc.

Specifically in a world where users have/bear multiple identities, and where multiple users share first/last/full names, like John Do, you should be able to identify members uniquely, easily and at all times.

 

Scenarios:

  1. Contoso Organization John Do

John Do from the Contoso organization invites johndo @ hotmail.com and johndo @ outlook.com to become Teams (guest) members. Each (Microsoft account) John Do receives an invitation with subject ‘You have been added as a guest to Contoso in Microsoft Teams’ and from ‘Microsoft Teams noreply @ email.teams.microsoft.com’. In the body, John (the only shared detail is the first name) could be John working at Contoso. OK, so this is a trusted company, but no clue what I could share with whoever is John. Of course this can be validated once accepted, but should I…

Now John Do at Contoso needs to start an external chat with johndo @ live.com, another John with a Microsoft account. While typing ‘johndo @ live.com’ in the To: line, an action shows “Search johndo @ live.com externally”. You are required to select the action, with a result of two johndo @ live.com (External) entries to select from: one with a “Skype” icon as well as ‘johndo’, the other without anything additional.

Selecting one of these John Do’s allows for sending a chat message. In the background the (Skype) John Do ends up nowhere… (could be something related to my config/testing). Selecting the other (blank) John Do, the message is received in Teams (personal) chat. Though here the inviting user is identified as Unknown User, and hovering over it shows ‘Unknown User is using Teams with an account managed by an organization. Some features…’. Also this could be related to my configuration??? Block or Accept? Guess what, you can’t accept.

Optionally you can select “Preview Message”. This shows the initial chat (message), as well as that it comes from John Do. Probably the ‘Unknown User’ from ‘an organization’.

  2. Microsoft account John Do

Using Teams (personal) on Windows 11, (Microsoft account) John Do initiates a chat with johndo @ contoso.com. Contoso John will receive an email from ‘Microsoft Teams noreply @ email.teams.microsoft.com’ with subject ‘John Do invited you to Microsoft Teams’, and in the message body that John (first name only) invited you, with a link ‘Join Teams’. The link probably contains a unique reference, obfuscated for this scenario, and looks like https://teams.live.com/l/invite/XXXXXXXXXXXX_f6AwI?v=e1 . Again not something you can/should accept.

From a conversation point of view

Even if you would accept all these requests, it then becomes hard or even impossible to clearly identify/differentiate among each John Do, because they all roll up as John Do in the conversations.

Even within an organization multiple John Do’s easily exist. Hovering over (members) makes them identifiable, but it would be great to optionally change their ‘display name’ or anything else to make them unique. External John Do’s all seem to end up as John Do (External).
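
The two invite shapes described in the scenarios above (the guest-added email and the personal-account invite) can be triaged mechanically. The script below is an added example, not code from this thread or from Microsoft: it parses a raw message, lists the only identity data such an invite carries (first name in the body, display name in the subject, tenant name in the subject), requires a DMARC pass in the receiving MTA's Authentication-Results header rather than trusting the From address alone (that check and its header format are an assumption), and flags Join links whose host is not one of the Teams hosts named in the post. The sample messages are constructed for the example.

```python
"""Triage helper for Microsoft Teams invitation emails (added example).

Not code from the thread or from Microsoft. Sender address and link hosts are
taken from the post; the Authentication-Results check and all sample messages
below are assumptions / constructed data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

TEAMS_SENDER = "noreply@email.teams.microsoft.com"           # from the post
TEAMS_LINK_HOSTS = {"teams.live.com", "teams.microsoft.com"}  # from the post

GUEST_SUBJECT = re.compile(r"^You have been added as a guest to (?P<org>.+) in Microsoft Teams$")
PERSONAL_SUBJECT = re.compile(r"^(?P<name>.+) invited you to Microsoft Teams$")
BODY_INVITER = re.compile(r"^(?P<first>\S+) (?:added|invited) you\b", re.M)
URL = re.compile(r"https?://[^\s<>\"']+")


@dataclass
class InviteTriage:
    kind: str                        # "guest", "personal" or "not-invite"
    sender_ok: bool                  # From matches AND DMARC passed
    org: str | None                  # tenant name from the Subject (guest invites)
    inviter_header_name: str | None  # display name from the Subject (personal invites)
    inviter_body_name: str | None    # first name only, as the body shows it
    teams_links: list[str] = field(default_factory=list)
    lookalike_links: list[str] = field(default_factory=list)


def triage(raw: str) -> InviteTriage:
    """Parse one raw RFC 5322 message and extract everything a recipient could check."""
    msg = message_from_string(raw, policy=policy.default)
    _, sender = parseaddr(str(msg.get("From", "")))
    subject = str(msg.get("Subject", "")).strip()
    # A matching From header is worthless on its own (trivially spoofed); require the
    # receiving MTA's Authentication-Results to record a DMARC pass (assumed format).
    auth = str(msg.get("Authentication-Results", "")).lower()
    sender_ok = sender.lower() == TEAMS_SENDER and "dmarc=pass" in auth

    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""

    kind, org, header_name = "not-invite", None, None
    if m := GUEST_SUBJECT.match(subject):
        kind, org = "guest", m.group("org")
    elif m := PERSONAL_SUBJECT.match(subject):
        kind, header_name = "personal", m.group("name")

    body_match = BODY_INVITER.search(body)
    body_name = body_match.group("first") if body_match else None

    teams_links, lookalikes = [], []
    for url in URL.findall(body):
        host = (urlparse(url).hostname or "").lower()
        (teams_links if host in TEAMS_LINK_HOSTS else lookalikes).append(url)

    return InviteTriage(kind, sender_ok, org, header_name, body_name, teams_links, lookalikes)


def verdict(t: InviteTriage) -> str:
    """Spoofed or lookalike mail is rejected outright. A genuine invite still leaves the
    inviter unverifiable: a display name and a first name are free text, so the only
    remaining check is out of band (were you expecting this person to invite you?)."""
    if t.kind == "not-invite":
        return "not-invite"
    if not t.sender_ok or t.lookalike_links or not t.teams_links:
        return "reject-spoofed-or-lookalike"
    return "genuine-but-inviter-unverified"


# Constructed sample messages (not real mail); the invite link ids are placeholders.
GUEST_INVITE = """\
From: Microsoft Teams <noreply@email.teams.microsoft.com>
Subject: You have been added as a guest to Contoso in Microsoft Teams
Authentication-Results: mx.example.net; spf=pass; dmarc=pass header.from=email.teams.microsoft.com

John added you as a guest to Contoso!

Join Teams: https://teams.microsoft.com/l/team/example-team-id
"""

PERSONAL_INVITE = """\
From: Microsoft Teams <noreply@email.teams.microsoft.com>
Subject: John Do invited you to Microsoft Teams
Authentication-Results: mx.example.net; spf=pass; dmarc=pass header.from=email.teams.microsoft.com

John invited you to chat on Microsoft Teams.

Join Teams: https://teams.live.com/l/invite/EXAMPLE0001?v=e1
"""

LOOKALIKE_INVITE = """\
From: Microsoft Teams <noreply@email.teams.microsoft.com>
Subject: John Do invited you to Microsoft Teams
Authentication-Results: mx.example.net; spf=fail; dmarc=fail header.from=email.teams.microsoft.com

John invited you to chat on Microsoft Teams.

Join Teams: https://teams-live.example/l/invite/EXAMPLE0002?v=e1
"""

if __name__ == "__main__":
    for name, raw in (("guest", GUEST_INVITE), ("personal", PERSONAL_INVITE), ("lookalike", LOOKALIKE_INVITE)):
        t = triage(raw)
        print(f"{name}: {verdict(t)}  header={t.inviter_header_name!r} body={t.inviter_body_name!r} org={t.org!r}")
```

Note what the triage cannot do: even for the two genuine samples the strongest identity claim it recovers is a first name or a display name, which is exactly the gap the post describes. The verdict therefore never returns "safe"; a DMARC-passing message with a real Teams link only tells you the invite was relayed by the Teams service, not who asked for it.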

3 Replies

@ITSChange I wouldn't consider anything else written in an email as verifiable information and would certainly train users not to accept invites they aren't expecting. I think your proposal would actually be worse by making the invite seem more credible even though it's not.

My org has used fake Teams invites as part of our anti-phish training to make sure we are all used to not clicking on things we are not expecting.


Hi @Steven Collier, I completely agree, as you might see in my message. Though this is the default way of working in Teams and Teams 'personal', and even in a case where you might expect an invitation, it gives you no clue whether this is the right person. In 'personal' (Windows 11) chats, it can even offer a phishing approach.

Additionally, with one or more externals, it's hard to identify where they come from / who is who. Hovering over an (external Microsoft account) user only shows a name and "External".

best response confirmed by StaceeFrane (Microsoft)
Solution

@ITSChange I don't see how you would solve that. Adding the full name or email to the invite would only ever achieve a false sense of safety. The best solution would be if the invite was sent from the remote user's mailbox, but that would also have other issues and I'm sure other competitors aren't able to do that.
