The primary purpose of this document is to keep Microsoft Teams secure against a data breach or a compromised account by following best practices.
Setting up an information protection architecture is critical not only for preventing data leakage but also for meeting compliance and litigation requirements. Your Teams data resides in an assigned geographic region of the Azure cloud infrastructure, determined by your organization's Microsoft 365 tenant. Because different regions can be subject to different data protection regimes, know where your tenant's data lives, and then work through the Microsoft security best practices below, each with the actual configuration steps.
Block External Access
Unless there is a clear business need, do not allow your users to communicate with Skype or Teams users outside your organization. There are legitimate, productivity-improving scenarios for open federation, but it is also a security exposure: any external user can reach your users over Skype for Business or Teams. An attacker can pose as someone your user knows and send malicious links or attachments, leading to a compromised account or leaked information.
- Go to Microsoft Teams Admin Center > Org-wide settings > External access.
- Turn the external access toggles off (Skype for Business and Teams users in external organizations, and Skype consumer users).
- You can then allow-list specific domains. Users can discover and collaborate with external users from those domains and no others, which gives you control over which organizations your users can talk to. Make sure there is a documented, communicated way for users to request collaboration with a new external organization.
- What a user sees when searching for an external contact depends on the domain: if it is not on the allow list, the search returns no usable result; if it is allowed but the two organizations cannot connect (for example, the other tenant has not allowed yours), an error message appears; only when the domain is allow-listed on both sides does the external user show up and become reachable.
Limit Guest Access
Check the current state of guest access rather than assuming a default: for a long time it was off in new tenants, and Microsoft has since changed the default to on. When it is off, team owners cannot add external users to any team. You can change this setting in the Teams admin center, after which owners can invite external users into their teams (and, through team membership, into channels). You should have a formal request process for adding guests in which the requester submits a business justification. Once guest access is enabled, you can control what guests are allowed to do inside a team. For security and compliance reasons, guest access should always be granted for a limited period and reviewed.
- In the Teams Admin Center, click Org-wide settings > Guest access.
- Turn guest access on only as long as needed to review the available settings (calling, meetings, messaging), and leave it off until your request process is in place.
- With guest access off, team owners cannot invite external participants; with it on, they can.
- In the Security and Compliance Center (its alert policies now live in the Microsoft 365 Defender and Microsoft Purview portals), you can set up an alert that notifies you when guest users are added. In the Microsoft 365 Admin Center, click Admin Centers > Security.
- Click on Alerts > Alert policies > New Alert Policy
- Add Name, Description, Severity and Category
- Type ‘Guest’ and select Accepted Sharing Invitation>click Next
- Specify the email address you would like this to go to
- Review and turn on the alert
- In the Azure Active Directory admin center (now the Microsoft Entra admin center), go to Azure Active Directory > Users > User settings > Manage external collaboration settings.
- Limit the domains for external collaboration and configure other settings
Turn off File Sharing and File Storage Options
By default, users can add third-party cloud storage providers such as Google Drive, Dropbox, Box, Citrix ShareFile and Egnyte to the Files tab of their teams. Only storage the company manages and trusts should be allowed; anything else takes data outside your data loss prevention controls.
- In the Teams Admin Center, click Org-wide Settings >Teams Settings
- Scroll down to the Files section and turn off each provider that is not managed by the company.
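The three admin center procedures above (external access, guest access, and third-party file storage) are tenant-wide Teams settings that can also be applied, and more importantly audited, from the MicrosoftTeams PowerShell module. The script below is an added example, not code from the original article. It assumes the MicrosoftTeams module 4.x or later (for the -AllowedDomainsAsAList parameter), a Teams administrator account, and uses partner.example as a placeholder allowed domain.

```powershell
# Added example, not code from the original article. Assumes the MicrosoftTeams
# PowerShell module (4.x or later) and a Teams administrator account.
# partner.example is a placeholder domain.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# --- Block External Access ---
# Consumer Skype and personal Teams accounts: off. Federation with other
# tenants: on, but only with the domains on the allow list below. An allow
# list is exclusive, so every domain not listed is blocked.
$allowedDomains = New-Object System.Collections.Generic.List[string]
$allowedDomains.Add('partner.example')

Set-CsTenantFederationConfiguration `
    -AllowPublicUsers $false `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false `
    -AllowFederatedUsers $true `
    -AllowedDomainsAsAList $allowedDomains

# --- Limit Guest Access ---
# Keep guests off until the request process described above exists;
# set this to $true once it does.
Set-CsTeamsClientConfiguration -Identity Global -AllowGuestUser $false

# --- Turn off third-party file storage providers ---
Set-CsTeamsClientConfiguration -Identity Global `
    -AllowDropBox $false -AllowBox $false -AllowGoogleDrive $false `
    -AllowShareFile $false -AllowEgnyte $false

# --- Verify what the tenant now enforces ---
# Re-run just this part periodically: a setting that drifts back to the
# default is exactly the kind of change you want to notice.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowPublicUsers, AllowTeamsConsumer, AllowedDomains
Get-CsTeamsClientConfiguration -Identity Global |
    Select-Object AllowGuestUser, AllowDropBox, AllowBox, AllowGoogleDrive, AllowShareFile, AllowEgnyte
```

The Get- calls at the end are the useful part for operations: the admin center shows one toggle at a time, while a script can compare the whole tenant configuration against your baseline on a schedule.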
Block Third-Party Applications
By default, all users have access to the Teams app store, which contains applications published by Microsoft and by third parties. Productivity matters, but so does preventing data loss and shadow IT: any of these apps can be added to a team, and users could start sharing corporate data back and forth with an application nobody manages. Allow-list the applications users may add and create a formal request process for any others.
- In the Teams Admin Center, go to Teams apps > Permission policies > Global.
- Allow only the specific apps you have approved and block all others. Allowing all Microsoft apps is a reasonable starting point; the allow list is what keeps unvetted third-party apps out.
Restrict Users who can Create Teams Channels
- Users in a tenant can create public or private teams by default. Behind the scenes, creating a team also creates a Microsoft 365 Group and a SharePoint site whose document library stores every file shared in the team's channels.
- Left unmanaged, the number of teams grows quickly and gets out of hand. That leads to data loss, insecure sharing of documents, and general confusion about where information lives.
- We recommend limiting team creation to a defined group of people in the organization and creating a formal request process for new teams.
- If you do not want to restrict creation to a group, at least set up expiration policies so that teams are renewed or removed based on activity.
Note: Plan and communicate any change here before rolling it out. The goal is not to inhibit productivity and push users to outside tools, which causes shadow IT, so make the request path for a new team as seamless as possible. Team creation is restricted by restricting Microsoft 365 Group creation, so the same setting also governs who can create groups from Outlook, Planner, SharePoint and the other group-backed services: it is all or nothing.
- In the Microsoft 365 Admin Center, go to Groups > Active groups > Add a group.
- Add a Microsoft 365 Group or a security group. It will hold the members who are allowed to create Microsoft 365 Groups and teams.
- Name the group, save, and add the appropriate members once the group has finished being created.
- Open the link and scroll down to the PowerShell section.
- Run PowerShell ISE as administrator (the 64-bit version). Copy and paste the script from the website and change the group name to the display name of the group you created.
- After you run the script, users who are not members of the group can no longer create teams or Microsoft 365 Groups. Members of certain administrator roles (global administrators among them) remain able to create groups regardless of membership.
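The article refers to a script on a linked page; the AzureAD module that script used has been deprecated, so the Microsoft Graph PowerShell (beta) equivalent below is provided as an added example, not the script from that page. It assumes the Microsoft.Graph.Beta modules are installed, a caller holding Directory.ReadWrite.All, and a group named 'Teams Creators' (a placeholder) created in the previous steps.

```powershell
# Added example, not the script the article links to. Assumes the
# Microsoft.Graph.Beta modules and Directory.ReadWrite.All.
# 'Teams Creators' is a placeholder for the group you created above.
Import-Module Microsoft.Graph.Beta.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Beta.Groups
Connect-MgGraph -Scopes 'Directory.ReadWrite.All', 'Group.Read.All'

$GroupName = 'Teams Creators'
$group = Get-MgBetaGroup -Filter "displayName eq '$GroupName'"
if (-not $group) { throw "Group '$GroupName' not found; create it first." }

# Group creation is governed by the tenant-wide "Group.Unified" directory
# setting. It does not exist until someone creates it from its template,
# so look up the template and create the setting on first use.
$template = Get-MgBetaDirectorySettingTemplate | Where-Object DisplayName -eq 'Group.Unified'
$setting  = Get-MgBetaDirectorySetting        | Where-Object DisplayName -eq 'Group.Unified'
if (-not $setting) {
    $setting = New-MgBetaDirectorySetting -BodyParameter @{
        templateId = $template.Id
        values     = @(@{ name = 'EnableGroupCreation'; value = 'false' })
    }
}

# EnableGroupCreation=false turns creation off for everyone except the
# group named in GroupCreationAllowedGroupId (and exempt admin roles).
Update-MgBetaDirectorySetting -DirectorySettingId $setting.Id -BodyParameter @{
    templateId = $template.Id
    values     = @(
        @{ name = 'EnableGroupCreation';         value = 'false' }
        @{ name = 'GroupCreationAllowedGroupId'; value = $group.Id }
    )
}

# Verify: both values should come back, with the second equal to $group.Id.
(Get-MgBetaDirectorySetting -DirectorySettingId $setting.Id).Values |
    Where-Object Name -in 'EnableGroupCreation', 'GroupCreationAllowedGroupId'
```

Two things to check after running it: the verification output must show the object ID of your creators group, not an empty value (an empty GroupCreationAllowedGroupId with EnableGroupCreation=false blocks everyone but exempt admins), and the change takes a few minutes to propagate before the Create team button disappears for non-members.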
Set Teams Expiration
- Organizations with many teams usually have teams that are never actually used, whether from product experimentation, short-term collaboration, or team owners leaving the organization. Over time these accumulate and burden the tenant.
- To curb the number of unused teams, an admin can use a group expiration policy to clean them up automatically. Because every team is backed by a Microsoft 365 Group, group expiration policies apply to teams as well.
- When an expiration policy applies to a team, its owner receives a renewal notification 30 days, 15 days and 1 day before the expiration date and can click Renew now in the team settings to renew it.
- To prevent accidental deletion, the expiration policy auto-renews active teams: any team with at least one channel visit from any member before its expiration date is renewed without the owner doing anything. Only genuinely idle teams expire, and an expired group is soft-deleted and can be restored for 30 days.
- In the Microsoft 365 Admin Center, go to Admin centers > Azure Active Directory > Groups > Expiration.
- Here you define the group lifetime, the email contact for groups that have no owner, and whether the policy applies to all groups or only to selected ones.
- If you choose All, you will not have to revisit the scope as new teams are created. The group lifetime can be a custom number of days. Choose custom policies to specify a
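The same policy can be created from Microsoft Graph PowerShell, which is also the easiest way to answer the question the admin center does not: which teams are about to expire. The script below is an added example, not code from the original article. It assumes the Microsoft.Graph.Groups module and a Groups administrator; the 180-day lifetime, the notification address and the 30-day reporting window are assumptions to adjust.

```powershell
# Added example, not code from the original article. Assumes the
# Microsoft.Graph.Groups module; lifetime, contact address and the
# reporting window are placeholders.
Import-Module Microsoft.Graph.Groups
Connect-MgGraph -Scopes 'Directory.ReadWrite.All', 'Group.Read.All'

$lifetimeDays   = 180
$noOwnerContact = 'teams-admins@contoso.example'   # gets the notices for ownerless groups

# A tenant has at most one group lifecycle policy: create it or update it.
$policy = Get-MgGroupLifecyclePolicy
if (-not $policy) {
    $policy = New-MgGroupLifecyclePolicy -GroupLifetimeInDays $lifetimeDays `
        -ManagedGroupTypes 'All' -AlternateNotificationEmails $noOwnerContact
} else {
    Update-MgGroupLifecyclePolicy -GroupLifecyclePolicyId $policy.Id `
        -GroupLifetimeInDays $lifetimeDays -ManagedGroupTypes 'All' `
        -AlternateNotificationEmails $noOwnerContact
}

# To scope the policy to particular teams instead of all of them, use
# -ManagedGroupTypes 'Selected' above and attach each team's group:
#   Add-MgGroupToLifecyclePolicy -GroupLifecyclePolicyId $policy.Id -GroupId <groupId>

# Report the teams (Microsoft 365 Groups) that expire within the next 30
# days, i.e. the ones whose owners have received or are about to receive
# the renewal notice. Groups with no expirationDateTime are not in scope.
$cutoff = (Get-Date).ToUniversalTime().AddDays(30)
Get-MgGroup -All -Filter "groupTypes/any(c:c eq 'Unified')" `
    -Property 'Id', 'DisplayName', 'ExpirationDateTime', 'RenewedDateTime' |
    Where-Object { $_.ExpirationDateTime -and $_.ExpirationDateTime -le $cutoff } |
    Sort-Object ExpirationDateTime |
    Select-Object DisplayName, ExpirationDateTime, RenewedDateTime
```

Run the report part on a schedule and you have an early warning list for teams whose owners have left: those are the ones that will expire with nobody to renew them, which is exactly when the alternate notification address matters.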
Set up Advanced Threat Protection Policies for Teams
With Microsoft 365 Advanced Threat Protection (now Microsoft Defender for Office 365), you can configure Safe Links and Safe Attachments policies for many Office workloads, including Teams. A Safe Links policy gives you time-of-click protection for links shared in Teams chats and channels: the URL is checked when the user clicks it and the destination is scanned (and, where enabled, detonated in a sandbox) for malicious content. If it is found to be malicious, the user is shown a warning page and blocked from continuing.
- Safe Attachments scans files shared in Teams and also the files in the SharePoint document library behind each team.
- In the Microsoft 365 Admin Center, click Admin Centers > Security
- Click on Threat Management > Policy > ATP Safe Attachments
- Click the global settings
- Turn on ATP for SharePoint, OneDrive, and Microsoft Teams
- Create a new policy
- Add a name and description. For the action, choose Dynamic Delivery, which delivers the message immediately with a placeholder while the attachment is scanned (see Microsoft's documentation on Safe Attachments actions for the other options).
- Add the recipient domain and choose the main domain in the tenant so the policy applies to all users.
- Click Next to review your settings and click Finish
- For Safe Links, go back to Threat management > Policy > ATP Safe Links
- Use the default policy or create a new one and turn on the Teams-related settings: at minimum, Safe Links for Microsoft Teams and real-time URL scanning, and do not let users click through to the original URL.
- You can choose to whitelist certain URLs
- Like the safe attachments policy, apply to all users in the tenant by the domain name.
- Click Next to review your settings and click Finish
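Both policies, the global Safe Attachments switch for SharePoint, OneDrive and Teams, and the domain-scoped rules can be set up in one pass from Exchange Online PowerShell, which is worth doing because the admin center wizard hides whether Teams is actually covered. The script is an added example, not code from the original article. It assumes the ExchangeOnlineManagement module, a Security administrator account, and uses contoso.example, the policy names and the intranet URL as placeholders; parameter names follow the current module and older versions used different names for some of them.

```powershell
# Added example, not code from the original article. Assumes the
# ExchangeOnlineManagement module and a Security administrator.
# contoso.example, the policy names and the intranet URL are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$tenantDomain = 'contoso.example'

# Global setting: scan files at rest in SharePoint, OneDrive and Teams.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# Safe Attachments: the policy holds the settings, the rule decides who it
# applies to. Scoping the rule to the tenant domain covers every mailbox.
New-SafeAttachmentPolicy -Name 'Tenant Safe Attachments' -Enable $true `
    -Action DynamicDelivery -Redirect $false
New-SafeAttachmentRule -Name 'Tenant Safe Attachments' `
    -SafeAttachmentPolicy 'Tenant Safe Attachments' -RecipientDomainIs $tenantDomain

# Safe Links: time-of-click protection in email, Teams and Office apps,
# no click-through to the original URL, internal senders included, with an
# allow list so internal links are not rewritten.
New-SafeLinksPolicy -Name 'Tenant Safe Links' `
    -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true `
    -ScanUrls $true -DeliverMessageAfterScan $true -EnableForInternalSenders $true `
    -TrackClicks $true -AllowClickThrough $false `
    -DoNotRewriteUrls 'https://intranet.contoso.example/*'
New-SafeLinksRule -Name 'Tenant Safe Links' `
    -SafeLinksPolicy 'Tenant Safe Links' -RecipientDomainIs $tenantDomain

# Verify the Teams-relevant settings.
Get-AtpPolicyForO365 | Select-Object EnableATPForSPOTeamsODB
Get-SafeLinksPolicy -Identity 'Tenant Safe Links' |
    Select-Object EnableSafeLinksForTeams, ScanUrls, AllowClickThrough, DoNotRewriteUrls
```

Keep the DoNotRewriteUrls list short and specific: every pattern on it is a URL that Safe Links will never check, so a broad wildcard there silently reopens the hole the policy is meant to close.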
Set up app Protection Policies
App Protection Policies are part of the mobile application management (MAM) solution with Microsoft Intune. App protection policies allow you to protect applications on Windows, iOS, and Android devices, no matter if they are enrolled in the Intune MDM solution or not. These policies allow you to prevent data loss to untrusted or unmanaged applications. They prevent save and cut/copy/paste abilities to unmanaged locations.
- In the Microsoft 365 Admin Center, click on Admin Centers > Endpoint Manager
- Click Apps > App protection policies
- Click Create Policy >Windows 10 (We will only be covering Windows 10 in this guide)
- Name the policy and choose whether it targets devices enrolled in Intune or devices that are not enrolled. For this example, we choose not enrolled.
- Click “+Add” and add appropriate applications. At the minimum, add the entire Office suite. You can import third-party applications using “+Import“
- When you are ready, click Next
- Here we can choose what actions will be taken. Block prevents users from sharing data outside the trusted applications. Silent will collect log data without actually enforcing anything.
- We will not configure anything on the Advanced Settings page
- Leave the default scope tag
- Last, we can scope the policy to certain users
- Review the policy and create
Set up Data Loss Prevention Policies
Data loss prevention (DLP) policies let you stop sensitive information from being shared in Teams chats and channel messages. The policies come with predefined templates that detect particular kinds of data, such as PII, credit card numbers and social security numbers. They are granular: you can block the message outright, or allow the user to override with a business justification, and you can run a policy in test mode to see what it would catch before enforcing anything.
Example: a user sends credit card details in a chat and the message is blocked by the policy.
- In the Microsoft 365 Admin Center, click on Admin Centers > Compliance
- Click Policies > Data Loss Prevention
- Click Create policy
- Choose a template, if applicable
- Change the name and description if necessary
- Choose the locations to protect (for Teams, chat and channel messages). Note: the default scope is all accounts, but you can narrow it to specific users or groups.
- Leave the default policy settings.
- Choose whether the rule applies only to content shared with people outside the organization or also internally.
- Customize the policy tip shown to the user and the email address that receives incident notifications.
- Editing a rule lets you set the actions that apply, such as blocking the message, allowing an override with justification, or only showing the policy tip.
- Decide whether to turn the policy on immediately or run it in test mode first to understand its impact, then review the settings and create the policy.
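The credit card example above, built as a policy and rule from Security & Compliance PowerShell rather than the wizard, is shown below as an added example, not code from the original article. It starts in test mode with policy tips, blocks with an override that requires a justification, and only switches to enforcement when you uncomment the last step. It assumes the ExchangeOnlineManagement module, a Compliance administrator account, and uses the policy name, tip text and incident report address as placeholders.

```powershell
# Added example, not code from the original article. Assumes the
# ExchangeOnlineManagement module and a Compliance administrator; policy
# name, tip text and the incident report address are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # Security & Compliance PowerShell, not Connect-ExchangeOnline

$policyName = 'Teams - payment card data'

# Start in test mode with policy tips: users see what would happen, nothing
# is blocked yet, and you can measure false positives before enforcing.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Credit card numbers in Teams chat and channel messages' `
    -TeamsLocation All -Mode TestWithNotifications

# Built-in sensitive information type; a single match triggers the rule.
# BlockAccess + NotifyAllowOverride WithJustification is the "allow
# overrides with business justification" option from the wizard.
New-DlpComplianceRule -Name "$policyName - block with override" -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText 'This message appears to contain a payment card number. Remove it, or provide a business justification to send it anyway.' `
    -NotifyAllowOverride WithJustification `
    -GenerateIncidentReport 'security-ops@contoso.example'

# After the test period, enforce. (Left commented on purpose.)
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable

# Verify the policy is scoped to Teams and that the rule blocks.
Get-DlpCompliancePolicy -Identity $policyName | Select-Object Name, Mode, TeamsLocation
Get-DlpComplianceRule -Policy $policyName | Select-Object Name, BlockAccess, NotifyAllowOverride
```

Every override lands in the incident report mailbox with the user's justification, so review those before moving the policy to Enable: a flood of "needed for my job" overrides usually means the rule needs a tighter scope, not that the data is fine to share.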
In addition to the built-in Microsoft Teams security features, Teams gives IT and system administrators a broad set of options for making a deployment as secure as it needs to be. Teams assigns two roles to the users of a team: owners and members (guests are a third, more restricted category). By default, whoever creates a team becomes its owner and gets a flexible range of controls over what members can do, from viewing content to adding connectors and apps.
This gives owners granular control and lets them build a well-structured environment for how users access and share data. It also means team owners are part of your security boundary: they can invite guests and add apps within whatever limits the tenant-level settings above impose, so those tenant settings are what keeps owner decisions safe.
Data security will always be a concern for IT teams and organizations. By getting the basics of Microsoft Teams security right and using the tools and controls above to look after your data, you substantially reduce the risk to sensitive information in the cloud, and your users keep powerful collaboration and productivity tools without exposing the organization to a costly incident. Together these controls let a Teams deployment follow security best practices and keep your organization's data safe.
I hope this article provided you with some targeted guidance on securing Microsoft Teams.
Now I’d like to hear from you:
Which finding from today’s report did you find most interesting? Or maybe you have a question about something that I covered.
Either way, I’d like to hear from you. So go ahead and leave a comment below.