As part of its March 2026 feature rollout, Microsoft updated Teams to automatically remove EXIF metadata from images shared in chats and channels. The change aims to prevent accidental leaks of GPS coordinates, device details, and timestamps, all of which can be exploited for targeted attacks or unwanted location disclosure. The move is part of a broader push to bake privacy and security into default collaboration tools.
The hidden risk in photos
EXIF (Exchangeable Image File Format) stores technical and contextual data inside photos: camera model, exact date and time, and often GPS coordinates. In enterprise settings that hidden data can transform an innocuous image—an office whiteboard, a home workspace, or a conference backdrop—into an OSINT source for social engineering or physical tracking. Removing EXIF before images leave a user’s device reduces that silent exposure.
What Microsoft is changing
Microsoft Teams will now strip EXIF metadata automatically for images uploaded to direct chats and team channels. This sanitization is enforced at the platform level and is described as unchangeable for standard sharing flows; users who need to include original metadata must instead share files via alternatives like OneDrive links. The intent is to remove user friction: employees no longer need to remember to manually scrub photos before sharing.
Related security tightening: modern browser requirement
Alongside EXIF removal, Microsoft is tightening Teams-on-the-web requirements. By May 15, 2026, web access will require ECMAScript 2022 (ES2022)-compliant browsers. This phase-out of older browsers aims to close legacy attack vectors and ensure Teams runs in a more resilient, modern runtime environment.
What this means for organisations
– Reduced accidental exposure: Lower risk that images shared inside the organisation will reveal sensitive location data or device details.
– Policy adjustments: Security teams should update acceptable-use policies to reflect that embedded metadata will be removed and clarify approved methods for sharing originals when necessary.
– Technical guidance: Encourage employees to use OneDrive or other sanctioned file-sharing methods when metadata preservation is required for auditing or forensic needs.
– Testing and compatibility: IT should verify that browser and client inventories meet the new ES2022 requirement and plan upgrades where needed.
Practical tips for users and admins
– Educate staff about why metadata matters and how automatic removal enhances safety.
– Map workflows that previously relied on embedded metadata and replace them with secure alternatives (e.g., shared files with explicit metadata fields).
– Audit third-party tools and integrations that accept uploaded images; ensure they don’t inadvertently reintroduce metadata downstream.
– Schedule browser updates and communicate timelines so web access remains uninterrupted after the ES2022 cutoff.
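For the audit of downstream tools mentioned above, one way to check whether a JPEG that has passed through an integration still carries EXIF is to walk its segment headers and list the sensitive tags in the first image directory (IFD0). This is an added example, not Microsoft's implementation; the function names are hypothetical, the sample image is constructed, and only JPEG files are covered.

```python
import struct

# IFD0 tags that leak device, time or location (only IFD0 is scanned here).
SENSITIVE = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime", 0x8825: "GPSInfo"}

def find_exif(jpeg: bytes):
    """Return the TIFF payload of the Exif APP1 segment, or None if absent."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt segment marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):  # start of scan / end of image: headers are over
            return None
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        body = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and body.startswith(b"Exif\x00\x00"):
            return body[6:]
        pos += 2 + length
    return None

def ifd0_tags(tiff: bytes):
    """Return the set of tag ids in IFD0 of an Exif TIFF payload."""
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if order is None or len(tiff) < 8:
        raise ValueError("bad TIFF header")
    magic, ifd0 = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    count = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2])[0]
    entries = (tiff[ifd0 + 2 + 12 * i:ifd0 + 14 + 12 * i] for i in range(count))
    return {struct.unpack(order + "H", e[:2])[0] for e in entries if len(e) == 12}

def audit(jpeg: bytes):
    """None if no Exif segment survives; otherwise the sensitive tag names found."""
    tiff = find_exif(jpeg)
    if tiff is None:
        return None
    return sorted(SENSITIVE[t] for t in ifd0_tags(tiff) if t in SENSITIVE)

def sample_jpeg(with_exif: bool) -> bytes:
    """Constructed input, not a real photo: SOI, optional Exif APP1, SOS, EOI."""
    tiff = b"II*\x00" + struct.pack("<IH", 8, 2)
    tiff += struct.pack("<HHII", 0x010F, 2, 4, 0x00585858)  # Make = "XXX\0"
    tiff += struct.pack("<HHII", 0x8825, 4, 1, 38)  # GPS IFD pointer (IFD itself omitted)
    body = b"Exif\x00\x00" + tiff + struct.pack("<I", 0)
    app1 = b"\xff\xe1" + struct.pack(">H", len(body) + 2) + body
    return b"\xff\xd8" + (app1 if with_exif else b"") + b"\xff\xda\x00\x02\xff\xd9"
```

A result of `None` means no Exif segment was found; an empty list means an Exif segment is present but none of the listed IFD0 tags are in it.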
Why this matters
The change is small in engineering effort but meaningful in impact: it eliminates a persistent, low-cost intelligence source for attackers and reduces the burden on individual users to sanitize content. As hybrid work and visual collaboration grow, platform-level privacy defaults like EXIF removal help organisations shift toward a secure-by-design posture without relying solely on user vigilance.