Microsoft has rolled out a new administration policy for Teams that gives organizations granular control over external bots attempting to join meetings. The change comes as AI-powered meeting assistants have proliferated, creating risks when sensitive discussions are recorded or transcribed by unvetted third-party tools.
How the New Policy Works
Admins can now assign a "Manage external bots and their access to meetings" policy to individual users or groups through the Teams Admin Center. When the feature is enabled, Teams automatically detects potential bots, holds them in the meeting lobby with clear visual labeling, and prompts the organizer to explicitly confirm admission. Importantly, this bot-screening step applies even in meetings where the lobby has been disabled for regular participants.
To prevent accidental admission, Microsoft has removed the one-click "Admit" option for identified bots. Organizers receive a confirmation prompt when admitting a bot individually, and a warning is shown if they attempt to use "Admit all" while bots are present in the lobby.
Detection and Classification
Microsoft says it improved the underlying detection engine using behavioral and infrastructure signals to better distinguish bots from human participants. Lobby participants are now grouped into two categories:
- Waiting: Verified individuals and registered bots
- Suspected threats: Unregistered or unverified bots
Independent software vendors can register their bots with Microsoft and include a self-identification marker in join requests, allowing Teams to categorize them as known participants rather than suspected threats.
CAPTCHA Retired
With the new controls in place, Microsoft is retiring its existing CAPTCHA-based verification mechanism for meeting entry. Admins also retain the option to disable bot detection entirely, in which case Teams will take no action on detected bots.
The policy is designed to address a gap that has grown more pressing as organizations rely on Teams for sensitive discussions while AI meeting tools become standard in enterprise workflows. Security and privacy teams in particular should review the new admin settings to ensure bot admission aligns with their data governance requirements.
