A security issue has been identified where the guest access feature in Microsoft Teams can lead to the deactivation of Microsoft Defender for Endpoint (MDE) protection on a user’s device. The process is triggered when a user accepts an invitation to collaborate within an external organization’s Teams tenant, a common practice for inter-company projects.
The removal of endpoint protection occurs due to a conflict in security policies between the user’s home organization and the external tenant they are attempting to join. This leaves the device unmonitored and unprotected by the organization’s primary security tooling, increasing its exposure to threats.
How the Security Flaw is Triggered
The chain starts when a user accepts a guest invitation from an external organization. Accepting the invitation creates a guest account for the user in the external tenant’s Microsoft Entra ID (formerly Azure AD). The problem arises when that external tenant enforces a Conditional Access policy requiring connecting devices to be “Microsoft Entra joined” to its own tenant.
The user’s device is already joined to the home organization’s tenant, and a device can be Entra joined to only one tenant at a time, so it cannot satisfy the external organization’s requirement. This creates an authentication conflict: the Microsoft Defender for Endpoint agent on the device is consequently unable to authenticate using the user’s primary credentials from the home tenant.
The failed authentication leaves the MDE agent de-registered from the user’s home organization, which disconnects the device from its security management platform.
Impact and Mitigation Measures
When a device is de-registered from Microsoft Defender for Endpoint, it ceases to receive security policies from the home organization. Furthermore, it no longer reports security events or its health status to the company’s security operations center. This renders the device unprotected and invisible from a security monitoring perspective.
This mechanism can be leveraged by an adversary. An attacker could establish a malicious external tenant with the necessary Conditional Access policy and then send a guest invitation to a targeted user. By tricking the user into accepting the invitation, the attacker can cause the Defender for Endpoint protection on the user’s device to be disabled.
Microsoft has provided guidance for organizations to mitigate this risk. Administrators can configure outbound cross-tenant access settings in Microsoft Entra ID, which control whether the organization’s own users can accept invitations into other tenants. The recommended practice is to block outbound guest access to all external tenants by default and then explicitly permit access only to known and trusted partner organizations.
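The following is an added example of that mitigation, not code from the article or from Microsoft. It uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns module) to set the default outbound B2B collaboration setting to blocked and to allow-list named partner tenants. The partner tenant GUIDs are placeholders, and the cmdlet and parameter names are taken from the Graph crossTenantAccessPolicy API as I know it; confirm them against the module version you have installed before running.

```powershell
# Added example: harden outbound cross-tenant access so users can only accept
# guest invitations from allow-listed tenants. Placeholder GUIDs below are
# assumptions; replace them with your trusted partners' tenant IDs.

# Requires an admin who can consent to the Policy.ReadWrite.CrossTenantAccess scope.
Connect-MgGraph -Scopes "Policy.ReadWrite.CrossTenantAccess"

# Trusted partner tenants that users may still join as guests (placeholder GUIDs).
$trustedPartners = @(
    "00000000-0000-0000-0000-000000000001",
    "00000000-0000-0000-0000-000000000002"
)

# 1. Default outbound B2B collaboration: block every user from every external
#    application. This stops a guest invitation from an unknown tenant, including
#    a Teams invitation, from being accepted.
$blockAllOutbound = @{
    usersAndGroups = @{
        accessType = "blocked"
        targets    = @(@{ target = "AllUsers"; targetType = "user" })
    }
    applications = @{
        accessType = "blocked"
        targets    = @(@{ target = "AllApplications"; targetType = "application" })
    }
}
Update-MgPolicyCrossTenantAccessPolicyDefault -BodyParameter @{
    b2bCollaborationOutbound = $blockAllOutbound
}

# 2. Explicit allow for each trusted partner. A partner-specific setting
#    overrides the default for that tenant only.
$allowAllOutbound = @{
    usersAndGroups = @{
        accessType = "allowed"
        targets    = @(@{ target = "AllUsers"; targetType = "user" })
    }
    applications = @{
        accessType = "allowed"
        targets    = @(@{ target = "AllApplications"; targetType = "application" })
    }
}
foreach ($tenantId in $trustedPartners) {
    $existing = Get-MgPolicyCrossTenantAccessPolicyPartner -All |
        Where-Object { $_.TenantId -eq $tenantId }
    if ($existing) {
        # Partner entry already present: update its outbound setting in place.
        Update-MgPolicyCrossTenantAccessPolicyPartner `
            -CrossTenantAccessPolicyConfigurationPartnerTenantId $tenantId `
            -BodyParameter @{ b2bCollaborationOutbound = $allowAllOutbound }
    } else {
        # No entry yet: create one carrying only the outbound allow rule.
        New-MgPolicyCrossTenantAccessPolicyPartner -BodyParameter @{
            tenantId                 = $tenantId
            b2bCollaborationOutbound = $allowAllOutbound
        }
    }
}

# 3. Verify the result: default should read "blocked", partners "allowed".
$default = Get-MgPolicyCrossTenantAccessPolicyDefault
"Default outbound (users): $($default.B2BCollaborationOutbound.UsersAndGroups.AccessType)"
Get-MgPolicyCrossTenantAccessPolicyPartner -All | ForEach-Object {
    "Partner $($_.TenantId) outbound (users): $($_.B2BCollaborationOutbound.UsersAndGroups.AccessType)"
}
```

Blocking the default outbound setting also blocks any existing guest relationships with tenants that are not on the allow-list, so inventory those first (the Entra sign-in logs with cross-tenant access type filtered to outbound are one place to look) and add each legitimate partner before applying the block. Running the Update and New cmdlets with -WhatIf first shows what would change without writing the policy.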
Source: https://thehackernews.com/2025/11/ms-teams-guest-access-can-remove.html