Microsoft Teams security
No. Sharing passwords on Microsoft Teams is not safe. Teams is deeply integrated with Microsoft 365's compliance and archiving infrastructure, which means messages sent on Teams — including private chats — are retained, searchable, and potentially subject to eDiscovery in ways that most users do not expect. A password shared in a Teams message is not a private exchange. It is a record in Microsoft's cloud infrastructure with a retention life that extends well beyond the conversation itself.
Teams is built on Microsoft 365 infrastructure. Chat messages are not stored in a standalone Teams database — they are stored in Exchange Online mailboxes (for private chats and channel messages) and SharePoint Online (for files and some channel content). This has significant implications.
Exchange Online storage. Private chat messages in Teams are stored in the Exchange Online mailbox of each participant — specifically, in a hidden folder called Substrate. Channel messages are stored in a dedicated mailbox associated with the team. This means Teams messages are subject to the full retention and compliance capabilities of Exchange Online.
Indefinite retention by default. In most Microsoft 365 configurations, Teams messages are retained indefinitely unless a specific retention policy is configured to delete them. Most organisations never configure such a policy. A message sent in Teams today may still exist in Exchange Online in ten years.
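A check for the gap described above, as an added example that is not part of the original article: it lists any retention policies that already cover Teams messages, then creates one that deletes them after a fixed period. The account name, the policy name and the 90-day value are placeholders chosen for illustration.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and an account
# with a compliance role that can manage retention policies.
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'   # placeholder account

# 1. Audit: which retention policies cover Teams chats or channel messages?
$teamsPolicies = Get-RetentionCompliancePolicy -DistributionDetail |
    Where-Object { $_.TeamsChatLocation -or $_.TeamsChannelLocation }

if (-not $teamsPolicies) {
    Write-Warning 'No retention policy covers Teams messages.'
} else {
    foreach ($policy in $teamsPolicies) {
        # Show what each policy does: keep, delete, or keep then delete.
        Get-RetentionComplianceRule -Policy $policy.Name |
            Select-Object Name, RetentionDuration, RetentionComplianceAction
    }
}

# 2. Remediate: delete Teams chat and channel messages after 90 days.
#    Teams locations go in their own policy, separate from other workloads.
$policyName = 'Teams messages - delete after 90 days'   # constructed name
New-RetentionCompliancePolicy -Name $policyName `
    -TeamsChatLocation All -TeamsChannelLocation All

New-RetentionComplianceRule -Name "$policyName rule" -Policy $policyName `
    -RetentionDuration 90 -RetentionComplianceAction Delete
```

A delete policy of this kind does not override a hold: messages in a mailbox under litigation hold stay preserved regardless of the rule.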
This is where Teams diverges most significantly from consumer messaging apps. Microsoft 365 includes a powerful compliance and eDiscovery infrastructure — Microsoft Purview — that allows authorised administrators and compliance officers to search, preserve, and export Teams message content.
Content search. Microsoft 365 compliance administrators can run content searches across Teams chat, channel messages, and files. This search covers all Teams content across the organisation — including private chats between two people. A password shared in a private Teams chat is searchable by compliance administrators.
Litigation holds. If an organisation has a litigation hold applied to a user's mailbox, all Teams messages associated with that user are preserved — including messages the user may have deleted from the Teams UI. Deletion from the Teams interface does not remove a message that is subject to a hold.
eDiscovery cases. In legal proceedings, organisations may be required to produce Teams message content as evidence. A password in a Teams message could appear in a legal document production.
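The content search described above can also be used defensively, to find out whether credentials are already sitting in Teams history. The following is an added example, not part of the original article; the search name and keyword list are assumptions, and it must be run by an account that holds a compliance search role.

```powershell
# Added example. Run in a session opened with Connect-IPPSSession.
$searchName = 'Teams-credential-exposure-review'   # constructed name

# kind:microsoftteams limits results to Teams chat and channel items.
# The keyword list is an assumption; tune it to how your teams write.
$query = 'kind:microsoftteams AND (password OR passwd OR "api key" OR "connection string")'

# Teams chats live in user mailboxes, so search every Exchange location.
New-ComplianceSearch -Name $searchName -ExchangeLocation All `
    -ContentMatchQuery $query | Out-Null
Start-ComplianceSearch -Identity $searchName

# Poll until the search finishes, then report how many items matched.
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -ne 'Completed')

$search | Select-Object Name, Status, Items, Size
```

A non-zero item count means credential-like text is present in retained Teams content; treat any credential found this way as exposed and replace it.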
In a default Microsoft 365 configuration, Teams messages are not directly readable by standard tenant administrators through the admin interface. However, compliance administrators — a separate role with broader permissions — can access Teams content through the compliance portal.
The privacy of a Teams private chat depends on who has been granted compliance administrator roles in your organisation, whether eDiscovery or content search has been run against your messages, whether a litigation hold is active on your mailbox, and whether your organisation's IT policies permit admin access to message content. In many corporate environments — particularly large organisations, regulated industries, and companies that have been through legal proceedings — Teams messages are routinely accessed and reviewed.
Teams supports guest access and external federation, which allows people outside your organisation to participate in Teams chats and channels. This is common in client-facing organisations, consultancies, and projects involving multiple companies.
Guest users added to a Teams channel or private chat can see all messages in that channel or chat from the moment they are added. External access (federation) allows users from other organisations to chat via Teams. These chats are stored in both organisations' Exchange Online infrastructure — meaning the message is subject to both your organisation's retention policies and the external organisation's. A password shared in a Teams chat that includes a guest or external user is now in a system you do not control.
Microsoft has been deeply integrating Copilot across Microsoft 365, including Teams. Copilot features in Teams can summarise meetings, recap missed messages, and surface relevant content from chat history — processing message content including the content of private chats where Copilot is available. A password shared in a Teams chat could potentially be processed by Copilot features and appear in AI-generated summaries or recaps.
The right approach is to never put the credential in a Teams message. Share a one-time encrypted link instead.
For a broader look at work chat risks across Slack, Teams, and Discord, see sharing passwords on work chat platforms.
In the everyday sense — yes, only the intended participants see them in the UI. In the legal and compliance sense — no. Private chats are stored in Exchange Online mailboxes, subject to compliance search, potentially preserved by litigation holds, and accessible to compliance administrators.
You can delete a message from the Teams UI, which removes it from the visible chat history. However, if the message is subject to a retention hold, deletion from the UI does not remove it from compliance storage — it moves to a hidden preserved state. Deletion is better than leaving it visible, but it is not a reliable security control in environments with active retention policies.
Personal Microsoft accounts have a different storage model than Microsoft 365 work accounts. The compliance and eDiscovery risks described here apply specifically to Teams used through Microsoft 365 work or school accounts.
Neither. Both create persistent records with broad access potential. A one-time encrypted link is the right tool for any credential handoff, regardless of whether the link is shared via Teams, email, or any other channel.
Microsoft Teams messages are stored in Exchange Online — not just in Teams. They are subject to Microsoft 365's compliance infrastructure, searchable by compliance administrators, preserved by litigation holds, and potentially included in eDiscovery exports. This is especially significant in enterprise environments where compliance tooling is routinely used. A one-time encrypted link shared in Teams ensures the credential itself never enters this infrastructure at all.