Microsoft just introduced a major new capability in Teams: the ability to start a chat with anyone using only their email address.
No Teams account. No pre-approval. Just an email invite that turns into a live chat.
For users, it’s a step toward seamless collaboration across companies. For security teams, it’s one more reason to pay close attention to how SaaS platforms evolve and how quickly risk boundaries shift.
This feature is a clear example of how modern collaboration tools outpace governance and security controls, and why SaaS security and SaaS security posture management (SSPM) are more important than ever.
What’s changing
With this new release, Teams users can now invite anyone outside the organization into a chat simply by entering their email. When the external person accepts, they are automatically added to the organization’s tenant as a guest user.
While this update removes friction for legitimate collaboration, it also opens new identity and data pathways that most security programs are not yet monitoring.
The new SaaS security implications
1. Guest identity sprawl
Each chat with an external participant creates a new guest user. Without automated lifecycle management, those identities linger, accumulating risk and access long after they’re needed.
2. Unmonitored data sharing
Documents, URLs, and credentials can easily be shared in chat threads that sit outside the visibility of DLP, CASB, or even compliance tooling.
3. Phishing and impersonation risk
Attackers can exploit Teams chat invitations or newly created guest accounts to impersonate trusted users or deliver malicious links.
4. Compliance and audit challenges
Data exchanged in external chats may bypass retention and eDiscovery processes, making it harder to meet requirements under frameworks like GDPR, SOX, or financial regulations.
Why this extends beyond Microsoft Teams
This is not just a Teams issue; it's a pattern that spans the entire SaaS ecosystem.
Each time a platform adds new collaboration features, it expands the potential for shadow access, data exposure, and third-party connections that operate beyond the control of security teams.
Valence customers are seeing this across tools like Slack, Zoom, and Google Workspace, where features designed for agility often outpace security readiness.
The result: a growing web of SaaS integrations and identities that must be continuously monitored and governed.
How to stay ahead
Define your external collaboration policy now
Set clear rules around who can initiate chats, which domains are trusted, and what types of data can be shared externally.
Automate guest lifecycle management
Continuously monitor, audit, and remove inactive guest users across SaaS applications.
Integrate Teams into your broader SaaS security posture
Use SSPM solutions to detect misconfigurations, track guest activity, and remediate risks automatically.
Educate employees on external communication risks
Encourage users to verify chat invitations and treat unexpected external messages with the same caution as email.
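As an added illustration of the guest lifecycle step above (not code from the original post or from any vendor), the sketch below flags guest accounts for review from user records shaped like Microsoft Graph user objects. The 90-day and 14-day thresholds, the function names, and the sample users are assumptions constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like Microsoft Graph user objects selected with
# userType, externalUserState, createdDateTime and signInActivity.
SAMPLE_USERS = [
    {"userPrincipalName": "alice_partner.example#EXT#@contoso.example", "userType": "Guest",
     "externalUserState": "Accepted", "createdDateTime": "2025-01-10T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2025-10-28T14:30:00Z"}},
    {"userPrincipalName": "bob_vendor.example#EXT#@contoso.example", "userType": "Guest",
     "externalUserState": "Accepted", "createdDateTime": "2024-11-02T08:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2025-03-02T11:00:00Z"}},
    {"userPrincipalName": "carol_mail.example#EXT#@contoso.example", "userType": "Guest",
     "externalUserState": "PendingAcceptance", "createdDateTime": "2025-09-01T10:00:00Z",
     "signInActivity": None},
    {"userPrincipalName": "dave_agency.example#EXT#@contoso.example", "userType": "Guest",
     "externalUserState": "Accepted", "createdDateTime": "2025-06-01T10:00:00Z"},
    {"userPrincipalName": "erin@contoso.example", "userType": "Member",
     "createdDateTime": "2020-01-01T00:00:00Z", "signInActivity": None},
]

def _ts(value):
    """Parse a Graph ISO 8601 UTC timestamp; None stays None."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def stale_guests(users, now, max_idle_days=90, max_pending_days=14):
    """Return (upn, reason) for guests that should go to review or removal."""
    findings = []
    for u in users:
        created = _ts(u.get("createdDateTime"))
        if u.get("userType") != "Guest" or created is None:
            continue
        activity = u.get("signInActivity") or {}
        seen = [t for t in map(_ts, (activity.get("lastSignInDateTime"),
                                     activity.get("lastNonInteractiveSignInDateTime"))) if t]
        # Guests with no recorded sign-in are aged from their creation date.
        idle = now - (max(seen) if seen else created)
        if u.get("externalUserState") == "PendingAcceptance":
            if idle > timedelta(days=max_pending_days):
                findings.append((u["userPrincipalName"], "invite-never-accepted"))
        elif idle > timedelta(days=max_idle_days):
            findings.append((u["userPrincipalName"], "inactive" if seen else "never-signed-in"))
    return findings

if __name__ == "__main__":
    for upn, reason in stale_guests(SAMPLE_USERS, datetime(2025, 11, 15, tzinfo=timezone.utc)):
        print(f"{reason:22} {upn}")
```

Separating pending invitations from accepted-but-idle guests lets each class get its own action, for example revoking the invitation versus asking the internal sponsor to confirm the account is still needed.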
The bottom line
Microsoft’s “Chat with Anyone” update is designed for connection, but it also underscores how SaaS innovation and SaaS security must evolve together.
External collaboration is now part of every organization’s daily workflow. Without visibility and governance, it becomes an easy entry point for attackers and a growing compliance liability.


