Microsoft Teams adds bot detection to keep unwanted bots out of meetings

The decision to admit a bot should never be automatic.
Microsoft's approach treats bot admission as a deliberate choice, not a default action.

As digital meetings become a primary arena of organizational life, Microsoft is confronting a quiet but consequential question: when software arrives at the door of a human gathering, who decides whether it belongs? The company's new bot detection framework for Teams treats that threshold as a matter of deliberate choice rather than passive default, replacing automated CAPTCHA screening with behavioral analysis and a human approval step. In doing so, Microsoft is nudging organizations toward a more conscious relationship with the automated agents that increasingly seek entry into their most sensitive conversations.

  • Uninvited bots have been slipping into Teams meetings under a CAPTCHA system too blunt to distinguish legitimate tools from potential threats — that era is ending.
  • A new detection layer reads behavioral and infrastructure signals to identify bot-like activity before it ever reaches the meeting room, routing suspects to a lobby queue instead.
  • Organizers are now the gatekeepers: they receive explicit notifications when non-human participants are waiting, and the one-click 'Admit All' shortcut is deliberately disabled when bots are in the queue.
  • Legitimate bot developers can register their tools through a new identification program, earning a digital credential that smooths the approval process without bypassing human oversight.
  • Microsoft's roadmap promises allowlists, org-wide blocking policies, audit logs, and department-level controls — signaling that this is the foundation of a much larger security architecture, not a finished product.

Microsoft is rolling out a new admin policy for Teams that intercepts bots before they can join meetings, holding them in a digital lobby until a human organizer makes a deliberate decision to admit or deny them. The move retires the platform's older CAPTCHA-based screening in favor of something more sophisticated: behavioral analysis and infrastructure monitoring that can identify bot-like activity in real time.

Administrators can assign the new policy to individual users or entire groups through the Teams Admin Center. Once active, the system flags incoming bots, routes them to the lobby, and alerts the organizer. Microsoft recommends limiting lobby admission rights to organizers and co-organizers to reduce the risk of a well-meaning participant accidentally approving something harmful. Notably, even in meetings configured to let participants bypass the lobby, detected bots will still require explicit human approval.

To support legitimate automation, Microsoft has launched a registration program for independent software vendors who build meeting tools for Teams. Enrolled bots can embed a self-identification marker in their join requests, which Teams recognizes as a verified credential — accelerating approval without removing the human step. The lobby interface now visually sorts waiting participants into categories: verified humans, standard participants, registered bots, and flagged unknowns.

Friction-reducing safeguards are built into the design: the standard 'Admit' button disappears for identified bots, confirmation prompts appear during bulk admissions, and warnings fire if an organizer tries to admit everyone at once while bots are in the queue. Microsoft has signaled that allowlists, org-wide blocking policies, audit logs, and more granular departmental controls are all on the roadmap — the beginning of a tiered security system rather than a single universal rule.

Microsoft is tightening control over who—and what—can join Teams meetings. Starting now, the company is rolling out a new admin policy that catches bots before they slip into your video calls, holding them in a digital waiting room until the meeting organizer decides whether to let them in.

The shift marks a meaningful change in how Teams handles uninvited software. Previously, the platform relied on a CAPTCHA verification system to screen participants. That approach is being phased out. In its place, Teams will deploy what amounts to a more sophisticated bouncer: behavioral analysis and infrastructure monitoring that can spot bot-like activity, flag it, and demand human approval before admission.

Administrators now have granular tools to manage this. Through the Teams Admin Center, they can assign the new "Manage external bots and their access to meetings" policy to individual users or entire groups. When activated, the system identifies incoming bots, routes them to the lobby, and notifies the meeting organizer that something non-human is trying to join. The organizer then decides: approve or deny. Microsoft recommends that organizations restrict lobby admission rights to organizers and co-organizers only, reducing the chance that a regular participant might accidentally wave a malicious bot through the door.

Even in meetings where organizers have loosened restrictions and allowed participants to skip the lobby entirely, bots caught by this new detection system will still require explicit approval. As Meera Ajam, a senior product marketing manager at Microsoft, put it: the decision to admit a bot should never be automatic.

The company has also created a registration program for legitimate bot builders. Independent software vendors that develop meeting tools for Teams can now enroll their bots in the Teams Bot Identification Program, embedding a self-identification marker in their join requests. When Teams recognizes that marker, it classifies the bot as registered and approved—a digital credential that speeds up the approval process. Microsoft is currently testing this with a limited group of vendors before expanding access.

When a bot attempts entry, Teams now displays visual indicators in the lobby that sort participants into categories: verified humans, standard participants, registered bots waiting for approval, and unregistered or system-identified bots flagged as potential threats. This visual sorting helps organizers make faster, more informed decisions. The system also includes friction-reducing safeguards: the one-click "Admit" button disappears for identified bots, confirmation prompts appear when bots are included in bulk admissions, and warnings flash if an organizer tries to admit everyone at once and bots are in the queue.

Looking ahead, Microsoft has signaled more controls are coming. The roadmap includes allowlists for pre-approved bots, organization-wide policies to block external bots entirely, detailed audit logs and admin reports tracking bot detection activity, and more granular controls to let different departments or security postures coexist within the same organization. The company is essentially building a tiered system where security requirements can vary by team or function, rather than imposing a one-size-fits-all rule.

Even in meetings where organizers allow participants to bypass the lobby, bots identified through this policy will continue to require approval before joining.
— Meera Ajam, Senior Product Marketing Manager, Microsoft
A Conversa do Hearth Outra perspectiva sobre a história
Inventor

Why does Microsoft need a whole new system just to keep bots out of meetings? Weren't they already doing something?

Model

They were, but it wasn't working well enough. The old CAPTCHA system was blunt—it treated bots and humans the same way. Now they're saying: let's actually identify what's trying to join, and make a human decide whether it belongs.

Inventor

So the real problem is that bots were getting in without anyone noticing?

Model

Exactly. Or worse, they were getting in because someone in the meeting didn't realize what they were admitting. A bot could masquerade as a participant, and by the time anyone noticed, it was already in the call.

Inventor

What's the difference between a registered bot and an unregistered one?

Model

A registered bot is built by a vendor who's enrolled in Microsoft's program and has basically said, "This is my bot, I built it for legitimate purposes." An unregistered bot is either unknown or flagged as suspicious. The system treats them very differently.

Inventor

Does this slow things down? If every bot needs approval, won't meetings start late?

Model

It could, but Microsoft is trying to minimize friction. Registered bots get faster approval. And organizers can set policies ahead of time—allowlists of bots they always want to admit. The goal is to make the security decision once, not every meeting.

Inventor

Who actually benefits from this? Is it the organizer, the admin, or the company?

Model

All three, but in different ways. Organizers get clarity about who's in their meeting. Admins get visibility and control over what's happening across the organization. And the company gets to prevent the kind of disruption or data leakage that a malicious bot could cause.

Fale Conosco FAQ