Securing Your Microsoft Teams Meetings Against External AI Bots

Microsoft Teams is rolling out native detection for external AI meeting bots across commercial and GCC tenants in June 2026. If your business has not made a clear policy decision about what should happen when an external AI notetaker tries to join one of your meetings, now is the time to make one.

The default setting is sensible, but not sufficient on its own. Detected external bots are routed to the meeting lobby and require organiser approval before they can join. That is better than allowing them straight in, but it still relies on the organiser recognising the bot, understanding the risk and making the right decision at the start of a live meeting.

Picture the situation. Your head of business development is in a sensitive Teams negotiation with a prospective client. A participant appears in the lobby called “Fireflies Notetaker” or “Read AI”. Nobody from your organisation invited it. It may have been added by an external attendee or by forwarding the meeting invite to the bot service. If admitted, it could record, transcribe and process meeting content through a third-party platform outside your tenant.

That is the gap Microsoft’s June 2026 rollout is designed to reduce. But the control only helps if your Teams policy is configured intentionally and your staff know what to do.

What The Microsoft Teams Rollout Does

Microsoft announced the external bot detection feature through Message Center notification MC1251206 on 13 March 2026. Targeted release began in mid-May 2026, with general availability for worldwide and GCC tenants rolling out in early June and expected to complete by mid-June 2026.

The feature detects external meeting assistant bots when they attempt to join meetings hosted by your organisation. When a bot is detected, Teams labels it clearly in the lobby and applies the meeting policy set by your administrator.

The control applies to external third-party automated bots and meeting assistants. Microsoft’s own Copilot is not treated in the same way because it operates within the Microsoft 365 tenant and permissions model.

The setting sits in Teams meeting policy and is called ExternalBotAccessMode.

| Setting | What it does | When to use it |
| --- | --- | --- |
| AllowAllBots | Does not detect bots and allows them to join directly | Rarely appropriate unless there is a specific operational reason |
| RequireApprovalWhenDetected | Routes detected bots to the lobby for organiser approval | The Microsoft default and a reasonable minimum |
| BlockDetectedBots | Blocks detected external bots from joining | Suitable for sensitive meetings or organisations with stricter data controls |

The default is RequireApprovalWhenDetected. That means Teams will not automatically let detected external bots into meetings, but the organiser can still admit them.

For many businesses, especially those handling client data, employee matters, commercial negotiations or regulated information, BlockDetectedBots may be the better default. Exceptions can then be managed through an approved internal process.

Why This Matters Beyond Inconvenience

At first glance, an AI notetaker may seem harmless. Many are genuinely useful. The problem is not note-taking itself. The problem is uncontrolled recording and processing of meeting data.

The first issue is data leaving your control. Many third-party AI notetakers send audio, transcripts and summaries to their own cloud infrastructure. Vendor terms vary, and some tools treat meeting data differently depending on licence tier, retention settings and enterprise agreements. Once meeting content has left your Microsoft tenant, you need to be clear who controls it, where it is stored, how long it is retained and whether it can be used to improve the vendor’s services.

The second issue is UK GDPR. A meeting may contain personal data about staff, customers, suppliers or other third parties. If a bot records and processes that information without participants being told, you may have transparency and lawful basis problems. UK GDPR requires personal data processing to be fair, lawful and transparent. “Someone external added a bot and nobody noticed” is not a strong governance position.

The Data (Use and Access) Act 2025 also matters here. From 19 June 2026, organisations must have a clear process for handling data protection complaints, including acknowledging complaints within 30 days and responding without undue delay. If someone complains that an unauthorised AI bot recorded a meeting, you need a process and an audit trail.

The third issue is legal and commercial exposure. AI transcripts can preserve comments that would previously have been forgotten: offhand remarks, untested views, negotiating positions, internal uncertainty and informal comments in sensitive meetings. In a dispute, that transcript may become highly relevant. Board discussions, HR meetings, disciplinary matters, pre-contract negotiations and M&A conversations should not be transcribed by an unapproved third-party tool by accident.

How Bots Get Into Teams Meetings

There are three common routes.

The first is your own users enabling a third-party notetaker on their account. That bot then joins meetings they organise. This is usually controlled through Teams app permission policies, app consent settings and wider Microsoft 365 governance.

The second is an external attendee bringing their own notetaker into a meeting you host. This is the route the new ExternalBotAccessMode setting is designed to manage. Under the default setting, the bot is held in the lobby and the organiser must decide whether to admit it.

The third is the forwarded-invite route. An external participant forwards the meeting invitation to the bot service, so the bot appears as a separate attendee. Older controls, such as CAPTCHA for some anonymous or untrusted joiners, were not designed specifically for this behaviour. Microsoft’s new bot detection is intended to give organisers visibility at the meeting join stage, although Microsoft notes that some bots may still evade detection depending on their behaviour.

That limitation matters. The new feature is helpful, but it should sit alongside app controls, staff training and a written policy.

The Policy Decision Your Business Needs To Make

The technology setting is only part of the answer. Your business also needs a policy.

Start with the access mode. For many organisations, RequireApprovalWhenDetected is the minimum acceptable setting. For businesses that regularly discuss confidential client work, legal matters, HR issues, financial data, healthcare information or commercial strategy, BlockDetectedBots is often more defensible.

Next, decide which internal AI meeting tools are approved. If your organisation uses Microsoft 365 Copilot (with Microsoft 365 support services in London or elsewhere), Teams meeting recap and transcript features can be governed through your Microsoft tenant, retention policies, permissions and compliance controls. Our articles on the advantages of Microsoft 365 Copilot, the key features of Microsoft 365 Copilot for business and whether your business is using Microsoft 365 Copilot yet give useful context. The governance argument for AI tools like Microsoft Copilot is that they can be managed within your existing Microsoft 365 environment rather than through unmanaged external tools.

Finally, write a short staff policy. It should explain what tools are allowed, what tools are not allowed, and what a meeting organiser should do when an unfamiliar bot appears in the lobby. Without that, someone will eventually click “Admit” because they do not want to delay the call.

Where This Connects To Broader Governance

Meeting bot governance does not sit in isolation. It connects directly to Microsoft 365 governance, data protection, security monitoring and user awareness.

The same issues discussed in our Copilot in Teams governance article apply here. Meeting recordings and transcripts become searchable, shareable and retainable documents. They can contain more sensitive information than a standard email thread.

An Office 365 assessment should now include meeting policies, app permissions, external sharing, transcript settings, retention settings and bot controls. Our piece on useful Office 365 features is a helpful reminder of what you may already have available inside the Microsoft stack.

The security fundamentals also matter. Business email compromise and knowing how to spot a phishing email are relevant because attackers increasingly use meeting invites, calendar links and impersonation as part of social engineering. Anti-phishing controls and anti-phishing basics help reduce that risk. As an anti-phishing testing provider in London, we include meeting-based social engineering scenarios where relevant.

Credentials exposed through compromised accounts can be monitored; see our dark web monitoring explainer and our dark web monitoring service. Our IT compliance article explains why governance needs to be evidenced, and IT service management keeps controls maintained.

Device and identity hygiene sit underneath all of this. Password best practices, Microsoft Intune, practical endpoint hardening steps, endpoint security for remote teams and why EDR matters all reduce the chance that an attacker can use an account or device to access meetings, data or transcripts.

Cross-Border And Multi-Site Realities

If your business runs meetings across several countries, bot governance becomes more complex. A Teams meeting involving UK staff, an EU subsidiary and a US-based AI notetaker may raise data protection, contractual and regulatory questions.

The issue is not only where the meeting happens. It is where the transcript is processed, who controls it, who can access it and whether participants were told.

Our European IT services and multinational IT support services help businesses apply consistent policies across locations. Our platform migration services include governance review as part of tenant consolidation or Microsoft 365 change projects. The full range of services and our consulting team can help you decide what level of control is right for your organisation.

As a managed IT support partner in London, we are helping businesses update Teams policies as Microsoft’s June rollout completes. The broader benefits of structured support are covered in our article on outsourcing your IT to an MSP.

Frequently Asked Questions

What Is Microsoft’s New Default Setting For External Bots In Teams?

The default setting is RequireApprovalWhenDetected. When Teams detects an external automated bot or meeting assistant trying to join a meeting, it sends the bot to the lobby and requires the organiser to approve it.

Can I Stop External Guests From Bringing AI Notetakers Into My Meetings?

Yes. Admins can use BlockDetectedBots to block detected external bots from joining meetings hosted in your tenant. You should also use app permission policies and staff guidance to stop internal users from authorising unapproved tools.

Does Microsoft Copilot Get Blocked By These Controls?

No. ExternalBotAccessMode applies to external third-party automated bots and meeting assistants. Microsoft Copilot operates within your Microsoft 365 tenant and is governed separately through Microsoft 365 licensing, permissions and compliance settings.

Is It A UK GDPR Problem If An External Guest Brings A Notetaker Bot?

It can be. If the meeting includes personal data and participants are not told that a third-party tool is recording, transcribing or processing the meeting, you may have transparency and lawful basis issues. The safest approach is to require approval before any recording or transcription tool is used.

What Should I Do If I See An Unfamiliar Bot In The Lobby?

Do not admit it automatically. Check the display name, ask the attendee who brought it, and confirm whether the tool is approved. If it is not approved, reject it and continue the meeting without the bot.

Will These Controls Stop Every External Bot?

No control is perfect. Microsoft says some bots may not be detected in all scenarios. Use the Teams policy alongside app controls, staff training, meeting sensitivity labels, recording controls and clear governance.

The Sensible Next Step

Open Teams Admin Center, go to Meetings and then Meeting Policies, and check your ExternalBotAccessMode setting. Decide whether RequireApprovalWhenDetected is enough for your business or whether BlockDetectedBots is the safer default.
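The same check and change can be scripted with the MicrosoftTeams PowerShell module. This is an added example, not a script from the article or from Microsoft; it assumes ExternalBotAccessMode is exposed as a parameter of Get-CsTeamsMeetingPolicy and Set-CsTeamsMeetingPolicy under the name the article gives for the meeting policy setting, and the policy name and group id are placeholders.

```powershell
# Added example. Assumes the MicrosoftTeams module is installed and that
# ExternalBotAccessMode is a parameter of Get/Set-CsTeamsMeetingPolicy
# (the article names the setting; the parameter name is an assumption).
Connect-MicrosoftTeams

# 1. Audit: list every meeting policy and flag any that let bots join directly.
$policies = Get-CsTeamsMeetingPolicy
$policies |
    Select-Object Identity, ExternalBotAccessMode |
    Sort-Object Identity |
    Format-Table -AutoSize

$permissive = $policies | Where-Object { $_.ExternalBotAccessMode -eq 'AllowAllBots' }
foreach ($p in $permissive) {
    Write-Warning "Policy '$($p.Identity)' lets undetected external bots join directly."
}

# 2. Baseline: the tenant-wide Global policy should be at least the Microsoft
#    default, so detected bots stop in the lobby for organiser approval.
$global = Get-CsTeamsMeetingPolicy -Identity Global
if ($global.ExternalBotAccessMode -eq 'AllowAllBots') {
    Set-CsTeamsMeetingPolicy -Identity Global -ExternalBotAccessMode RequireApprovalWhenDetected
}

# 3. Stricter policy for people who run HR, legal, financial or client meetings.
#    'SensitiveMeetings' is a placeholder policy name for this example.
$sensitivePolicy = 'SensitiveMeetings'
if (-not (Get-CsTeamsMeetingPolicy -Identity $sensitivePolicy -ErrorAction SilentlyContinue)) {
    New-CsTeamsMeetingPolicy -Identity $sensitivePolicy | Out-Null
}
Set-CsTeamsMeetingPolicy -Identity $sensitivePolicy -ExternalBotAccessMode BlockDetectedBots

# Assign it by group; replace the placeholder with your Entra ID group's object id.
Grant-CsTeamsMeetingPolicy -Group '00000000-0000-0000-0000-000000000000' `
    -PolicyName $sensitivePolicy -Rank 1

# 4. Verify the end state so the change is evidenced for your audit trail.
Get-CsTeamsMeetingPolicy | Select-Object Identity, ExternalBotAccessMode
```

Keep the output of the final listing with your change record; it is the evidence a data protection assessment will ask for.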

Then write a short staff policy. Make it clear which AI meeting tools are approved, which are not, and what organisers should do when a bot appears in the lobby.

If you use Microsoft 365 Copilot, explain that it is the sanctioned alternative for meeting recap and notes where appropriate, subject to your internal data and compliance rules.

If you would like help configuring the right Teams policy, reviewing wider Microsoft 365 governance, or making sure your meeting controls would stand up under a data protection assessment, speak to Northern Star. We will help you make a deliberate choice rather than relying on a default setting.