(Updated) Microsoft Teams: Let customers book appointments directly from your website using the Customer Connect widget

🚨 The Signal: Microsoft Teams Customer Connect now allows external customers to book appointments directly from your website. This integrates external scheduling into staff calendars and Teams channels, which can expose internal scheduling details and increase the attack surface if not properly secured.

The Impact

New configuration options affect Teams administrators. External booking becomes a security risk if it exposes internal calendar details or creates unmanaged access points.

  • Teams administrators: Must configure new settings, risking misconfiguration that could expose internal scheduling.
  • Staff members: Calendar entries are automatically created, risking oversharing of availability or meeting details.
  • External customers: Interact with a new public-facing widget, risking data exposure if the widget is compromised.

The Action

  1. Review Customer Connect settings in Teams Admin Center for new appointment scheduling options.
  2. Implement strict access controls for the Customer Connect requests channel to limit information exposure.
  3. Educate staff on the implications of automated calendar entries and information sharing via Customer Connect.
  4. Conduct a security assessment of the embedded Customer Connect widget on public websites.

Domain: Teams · Impact: medium · Workload: Teams