So, I saw this post on LinkedIn that mentioned a new setting rolling out for Microsoft Teams any day now (Targeted release for now, General availability is in January 2026).
I decided to dive deep into this new setting and external identity management in Teams and Entra so you don’t have to. I also created a Powershell script that covers all settings related to this new setting in Teams so you can easily manage it.
In today’s post I’ll cover how you can secure your tenant to be prepared for this new feature once it’s out. This feature is turned ON by default, which in my opinion is crazy, since this opens up a completely new attack surface for phishing attacks that can put your users at risk. Don’t get me wrong, it’s a cool feature, but it should be limited to a specific list of domains if it’s something you want to use.
- The new setting in the Microsoft 365 Roadmap
- Decide if this setting is really necessary for your organization
- Enable or disable B2B invites for external users in Powershell
- Review your Entra ID settings for External identities
- Powershell script to handle this new setting and external access in Teams
- Breaking down the script pt.1: Disabling B2B invites and block external users
- Breaking down the script pt.2: Creating allow or block list for specific domains
- Summary
The new setting in the Microsoft 365 Roadmap
This new setting labeled “Microsoft Teams: Chat with anyone who has an email address” has the roadmap ID 513271 and this is basically all we know about this setting as of now:

Decide if this setting is really necessary for your organization
In my opinion, it’s better to disable this feature and evaluate if this is something your organization really needs. If so, I would highly recommend adding a list of allowed or blocked domains. Lucky for you, I incorporated all this into one fairly simple Powershell script that I’ll include at the end of this post.
Enable or disable B2B invites for external users in Powershell
First of all, if you don’t have the Teams Powershell module, install it using the command below:
Install-Module MicrosoftTeams -Scope CurrentUser
After that run the following command to check the current state of the new B2B setting.
Get-CsTeamsMessagingPolicy -Identity Global | Select-Object UseB2BInvitesToAddExternalUsers
As I mentioned previously, it’s set to true by default.

If you just wish to turn this new B2B setting off, simply run:
Set-CsTeamsMessagingPolicy -Identity Global -UseB2BInvitesToAddExternalUsers $false
This is enough if you know you are happy with the rest of your settings for external identities. However, it might be a good idea to look over some other settings related to this new one. I’ll cover everything in a Powershell script further down.
Review your Entra ID settings for External identities
While being on the topic of hardening our external identity management, I highly recommend taking a look at your settings in Entra > External identities > External collaboration settings and decide if you want to change anything there before moving on to this new feature and external identity management in Teams.
My settings are listed below. I would say this is a pretty good base configuration.

Powershell script to handle this new setting and external access in Teams
Below is the full script followed by an explanation of each part:
<#
Author: Tobias Eriksson. www.tob-it.se
-----------------------------------------
Enable or disable all settings required for Teams B2B chat invites (Roadmap ID 513271).
-----------------------------------------
IMPORTANT: Make sure to also review your external collaboration settings in Entra > External identities > External collaboration settings
-----------------------------------------
Set $enableB2B to $true or $false to enable/disable the new B2B chat invite
Set $teamsGuestSettings to $true or $false to enable/disable guest settings in Teams
#>
$enableB2B = $false
$teamsGuestSettings = $false
# Connect to Teams
Connect-MicrosoftTeams
# Current state of each setting
Get-CsTeamsMessagingPolicy -Identity Global | Select-Object UseB2BInvitesToAddExternalUsers # New B2B settings
Get-CsTenantFederationConfiguration
# Teams Messaging Policy
# Admin portal: Teams Admin Center > Teams > Messaging policies > Global (Not confirmed, but will likely be here)
Set-CsTeamsMessagingPolicy -Identity Global -UseB2BInvitesToAddExternalUsers $enableB2B
# Teams External Access (Enable or disable)
# Admin portal: Teams Admin Center > Users > External access
Set-CsTenantFederationConfiguration -AllowFederatedUsers $teamsGuestSettings
<#
-----------------------------------------
OPTIONAL; If $teamsGuestSettings is set to $true, Create allow or block list for specific domains
-----------------------------------------
#>
# ALLOW LIST
# Allow only specific external domains
$list = New-Object Collections.Generic.List[String]
$list.add("contoso.com")
$list.add("fabrikam.com")
Set-CsTenantFederationConfiguration -AllowedDomainsAsAList @{Add=$list}
# Remove list of allowed external domains (Reverts back to block all external domains)
$list = New-Object Collections.Generic.List[String]
# Add more rows if you wish to add more domains
$list.add("contoso.com")
$list.add("fabrikam.com")
Set-CsTenantFederationConfiguration -AllowedDomainsAsAList @{Remove=$list}
# BLOCK LIST
# Block only specific external domains and subdomains
$list = New-Object Collections.Generic.List[String]
# Add more rows if you wish to add more domains
$list.add("contoso.com")
$list.add("fabrikam.com")
Set-CsTenantFederationConfiguration -BlockedDomains $list
Set-CsTenantFederationConfiguration -BlockAllSubdomains $teamsGuestSettings
# Remove list of blocked domains (Reverts back to block all external domains)
Set-CsTenantFederationConfiguration -BlockedDomains $Null
If you prefer working in the admin portal, you can find some of the Teams-related settings mentioned in the script under Teams admin center > Users > External access (EXCEPT for the new B2B setting and AllowFederatedUsers, which are Powershell only).

Breaking down the script pt.1: Disabling B2B invites and block external users
If you wish to disable B2B invites and also block all external domains in Teams you can set the variables $enableB2B and $teamsGuestSettings to $false and run the first part of the script:
<#
Author: Tobias Eriksson. www.tob-it.se
-----------------------------------------
Enable or disable all settings required for Teams B2B chat invites (Roadmap ID 513271).
-----------------------------------------
IMPORTANT: Make sure to also review your external collaboration settings in Entra > External identities > External collaboration settings
-----------------------------------------
Set $enableB2B to $true or $false to enable/disable the new B2B chat invite
Set $teamsGuestSettings to $true or $false to enable/disable guest settings in Teams
#>
$enableB2B = $false
$teamsGuestSettings = $false
# Connect to Teams
Connect-MicrosoftTeams
# Current state of each setting
Get-CsTeamsMessagingPolicy -Identity Global | Select-Object UseB2BInvitesToAddExternalUsers # New B2B settings
Get-CsTenantFederationConfiguration
# Teams Messaging Policy
# Admin portal: Teams Admin Center > Teams > Messaging policies > Global (Not confirmed, but will likely be here)
Set-CsTeamsMessagingPolicy -Identity Global -UseB2BInvitesToAddExternalUsers $enableB2B
# Teams External Access (Enable or disable)
# Admin portal: Teams Admin Center > Users > External access
Set-CsTenantFederationConfiguration -AllowFederatedUsers $teamsGuestSettings
Breaking down the script pt.2: Creating allow or block list for specific domains
The -AllowFederatedUsers parameter, set through the variable $teamsGuestSettings, is basically the big on/off switch for whether external users are allowed to use Teams in your tenant. It is not visible in the admin portal. If you want to use the new B2B feature, set it to $true and only allow certain domains.
In order to do so you have everything you need in the second part of the script:
<#
-----------------------------------------
OPTIONAL; If $teamsGuestSettings is set to $true, Create allow or block list for specific domains
-----------------------------------------
#>
# ALLOW LIST
# Allow only specific external domains
$list = New-Object Collections.Generic.List[String]
$list.add("contoso.com")
$list.add("fabrikam.com")
Set-CsTenantFederationConfiguration -AllowedDomainsAsAList @{Add=$list}
# Remove list of allowed external domains (Reverts back to block all external domains)
$list = New-Object Collections.Generic.List[String]
$list.add("contoso.com")
$list.add("fabrikam.com")
Set-CsTenantFederationConfiguration -AllowedDomainsAsAList @{Remove=$list}
# BLOCK LIST
# Block only specific external domains and subdomains
$list = New-Object Collections.Generic.List[String]
$list.add("contoso.com")
$list.add("fabrikam.com")
Set-CsTenantFederationConfiguration -BlockedDomains $list
Set-CsTenantFederationConfiguration -BlockAllSubdomains $teamsGuestSettings
# Remove list of blocked domains (Reverts back to block all external domains)
Set-CsTenantFederationConfiguration -BlockedDomains $Null
Fill out each $list.add("domain.com") with the domains you want to allow or block and run that specific block. For example, if I run the block to create an allow list, this is what it looks like in Teams admin afterwards:

IMPORTANT: If you wish to add a block list instead, you need to remove the allowed list first using this part of the script:
# Remove list of allowed external domains (Reverts back to block all external domains)
$list = New-Object Collections.Generic.List[String]
$list.add("contoso.com")
$list.add("fabrikam.com")
Set-CsTenantFederationConfiguration -AllowedDomainsAsAList @{Remove=$list}
As mentioned in the script, if a block or allow list is removed it reverts back to blocking all domains.
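A read-only check to run after applying the settings above, as an added example that is not part of the author's script: it flags every messaging policy where the B2B invite setting is still on, and a federation configuration that is open with no allow or block list. It assumes custom messaging policies carry the same UseB2BInvitesToAddExternalUsers property as Global and that AllowedDomains renders as "AllowAllKnownDomains" when no allow list is set; the function name and the sample objects are constructed for illustration.

```powershell
# Added example: read-only audit, it changes nothing in the tenant.
function Get-B2BInviteExposure {
    param(
        [Parameter(Mandatory)] [object[]] $Policies,   # output of Get-CsTeamsMessagingPolicy
        [Parameter(Mandatory)] [object]   $Federation  # output of Get-CsTenantFederationConfiguration
    )
    $findings = [System.Collections.Generic.List[object]]::new()

    # The script in the post only sets the Global policy. Custom policies are
    # checked as well (assumption: they expose the same property and default).
    foreach ($p in $Policies) {
        if ($p.UseB2BInvitesToAddExternalUsers) {
            $findings.Add([pscustomobject]@{
                Scope = "MessagingPolicy: $($p.Identity)"
                Issue = 'UseB2BInvitesToAddExternalUsers is still True'
            })
        }
    }

    # Assumption: with no allow list, AllowedDomains stringifies to "...AllowAllKnownDomains".
    $openAllow = "$($Federation.AllowedDomains)" -match 'AllowAllKnownDomains'
    $noBlock   = -not $Federation.BlockedDomains   # $null or empty collection
    if ($Federation.AllowFederatedUsers -and $openAllow -and $noBlock) {
        $findings.Add([pscustomobject]@{
            Scope = 'TenantFederationConfiguration'
            Issue = 'External access is on with no allow list and no block list'
        })
    }
    $findings
}

# Constructed sample objects (not real tenant output) so the function runs offline.
$samplePolicies = @(
    [pscustomobject]@{ Identity = 'Global';          UseB2BInvitesToAddExternalUsers = $false }
    [pscustomobject]@{ Identity = 'Tag:SalesCustom'; UseB2BInvitesToAddExternalUsers = $true }
)
$sampleFederation = [pscustomobject]@{
    AllowFederatedUsers = $true
    AllowedDomains      = 'AllowAllKnownDomains'
    BlockedDomains      = @()
}
Get-B2BInviteExposure -Policies $samplePolicies -Federation $sampleFederation |
    Format-Table -AutoSize

# Against a live tenant, after Connect-MicrosoftTeams:
# Get-B2BInviteExposure -Policies (Get-CsTeamsMessagingPolicy) -Federation (Get-CsTenantFederationConfiguration)
```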
Summary
As I mentioned before, I’m not against this new feature. I think it’s cool and potentially really useful, but it should be approached with caution. Remember to always teach your users to avoid sketchy links, limit this to a list of allowed domains, and you should be good to go. Until next time!
