5 Tips for Hardening Microsoft Teams Security

1. Establish Global Teams Management

By default, any user with a mailbox in Exchange Online can create a team and become a team owner. If you want to limit the number of users with this privilege, consider managing teams in the Microsoft Teams admin center by creating an Office 365 group whose users have exclusive permissions to create new groups and, by extension, new teams.

Also configure the global Teams settings for your organization — you can specify organization-wide preferences such as:

• Whether users can communicate with individuals outside the organization
• Whether to enable file sharing and cloud storage capabilities
• Authentication requirements for accessing meeting content

As part of employee training, educate your users about the capability to create private channels, which are restricted to a selected subset of team members. If some team members want to collaborate on confidential content, they should create a private channel instead of a standard channel that all members and guests can access.

2. Set up Secure Guest and External Access

To understand guest access, we should point out that guest access differs from external access in Microsoft Teams. Any user can become a team owner by creating a team and inviting other users to join it. It’s easy to see how quickly this permissions model can lead to a data-sharing environment that’s great for collaboration but a headache for IT to track and control.

• Every team member has full access to all the data on the team’s public channels, including chat messages, meeting content and shared files. They can share files and create new channels.
• Any guest from outside the organization can share files and even create new channels within the team.

Guest Access

Guest access is when you invite an external user to be a member of the team—it gives access permission to an individual rather than a domain. Once a team owner has granted someone guest access, they can access that team’s resources, share files, and join a group chat with other team members.

The guest access feature enables team owners to invite parties from outside the organization to participate in team activities. Guests have full access to team channels, chats, shared files and meetings. Beyond the requirement that guests have a business or consumer email account, there are no restrictions or vetting procedures to govern who can or cannot receive guest access privileges. This raises obvious concerns about how easily sensitive or proprietary data can be exposed to entities outside the organization.

You can use the Guest access settings in the Teams admin center to configure the level of access granted to guest users by following the Microsoft Teams guest access checklist. For maximum security, you can leave guest access disabled by default. Or you can turn on guest access but disable certain privileges like screen sharing or peer-to-peer calls.

External Access

External access gives access permission to an entire domain—allowing Teams users from other domains to find, contact, and set up meetings with you. External users can call you through Teams and send instant messages. But if you want them to be able to access teams and channels, guest access might be the better option.

Use external access when:

• You have users in different domains who need to collaborate. For example, Bob@Inversion6Tech.com and Alice@TruWestCo.com are working on a project together.
• You want the people in your organization to use Teams to contact people in specific businesses outside of your organization.

Plan for external access:

By default, external access is turned on in Teams, which means that your organization can communicate with all external domains. If you add blocked domains, all other domains will be allowed; and if you add allowed domains, all other domains will be blocked. There are three scenarios for setting up external access in the Teams admin center (Org-wide settings > External access):

• Open federation: This is the default setting in Teams, and it lets people in your organization find, call, chat, and set up meetings with people external to your organization in any domain. In this scenario, your users can communicate with all external domains that are running Teams or Skype for Business AND are using open federation OR have added your domain to their allow list.
• Allow specific domains: By adding domains to an Allow list, you limit external access to only the allowed domains. Once you set up a list of allowed domains, all other domains will be blocked. To allow specific domains, click Add a domain, add the domain name, click Action to take on this domain, and then select Allowed.
• Block specific domains: By adding domains to a Block list, you can communicate with all external domains except the ones you’ve blocked. To block specific domains, click Add a domain, add the domain name, click Action to take on this domain, and then select Blocked. Once you set up a list of blocked domains, all other domains will be allowed.

3. Build an information protection architecture

Setting up an information protection architecture is critical not only for preventing data leakage but also for meeting compliance and litigation requirements.

Your Teams data resides in an assigned geographic region of the Azure cloud infrastructure, depending on your organization’s Office 365 tenant. Since different regions may follow different data security standards, it’s a good idea to make sure that the location of your Teams data is appropriate for your business requirements.

• Data retention policies— You can create retention policies that specify when to keep Teams data to stay compliant with business, regulatory or litigation requirements. You can also use retention policies to direct the removal of data that no longer needs to be retained.
• Data loss prevention (DLP) — You can set up DLP policies that automatically block unauthorized users from sharing sensitive data in a Teams channel or private chat. Use DLP policies to enforce secure user behavior in Teams and prevent data breaches.
• Automated information labeling — To ensure that your DLP policy actions are applied correctly, you need to accurately classify and label the data shared in Teams, which requires an automated data discovery and classification solution that ensures high precision in classification.

We recommend also reviewing a 3^rd party data security solution like Varonis that offers robust data classification technology to ensure that sensitive information in Teams is accurately and systematically tagged.

4. Audit user activity

You can use Microsoft’s Communication Compliance policies to monitor chats and team channels. You can also monitor usage through various built-in reports and functionality:

• Go to Analytics & reports in the Microsoft Teams admin center.
• Go to Reports > Usage in the Microsoft 365 admin center.
• Use Microsoft 365 usage analytics in Power BI.

5. Set up app management

Apps in the Teams store fall under one of three categories:

• Built-in apps provided by Microsoft
• Apps built by third parties
• Custom-built internal apps

Consider restricting the use of certain apps based on their source and how they handle data:

• To control which apps to block or make available to your organization, use the settings on the Manage apps page in the Teams admin center.
• You can also use app permission policies to block or make certain apps available to specific sets of users.

FAQs for Microsoft Teams

What is Microsoft Teams?

Teams offers the following main features and services:

• Chat — Allows users to send private messages to each other and attach files to messaging threads. OneDrive for Business serves as the underlying mechanism for file sharing in chats.
• Teams — Lets users create teams or join existing teams to start group collaboration and conversations in team channels. When a user creates a team, they essentially create an Office 365 Group on the backend.
• Calendar — This service syncs with users’ Outlook calendars so they can schedule meetings and plan out projects.
• Calls — This lets users initiate and receive peer-to-peer voice and video communications. Calls is built on the Skype framework, and in fact, many companies are using Microsoft Teams as their enterprise communications platform.

Is Microsoft Teams secure?

Teams is a Tier D service, meaning that it is compliant with the EU Model Clauses (EUMC), HIPAA, ISO 27001, ISO 27018, and SSAE 16 SOC 1 and SOC 2 standards.

Is data in Microsoft Teams encrypted?

Microsoft Teams does not yet support end-to-end encryption. Data is encrypted in transit, at every stage of the data journey, and at rest. Intermediate services can decrypt content when needed, for example, to store data in retention records.

At-rest files are stored in SharePoint using SharePoint encryption. Notes are stored in OneNote using OneNote encryption. Chat content is encrypted in transit and at rest.

If you’re concerned about data security at mobile endpoints, the Microsoft Teams mobile client supports App Protection Policies from Microsoft Intune.

What protocols does Microsoft Teams use?

Microsoft Teams uses the following protocols:

• 264 for video
• ICE to establish media
• MNP24 for signaling
• OPUS for meetings
• SILK for peer-to-peer and voice calls
• VBSS for desktop sharing

Can activity in Microsoft Teams be monitored?

Yes. You can use the following out-of-the-box features to monitor activity and usage in Teams:

• Supervision policies
• Analytics & reports in the Microsoft Teams admin center
• Reports > Usage in the Microsoft 365 admin center
• Microsoft 365 usage analytics in Power BI

Get Expert Support for Your Security Goals

Inversion6 has been assisting companies with their information security challenges and goals since 1985. Our chief information security officers (CISOs) are experts in working with your organization at all levels to not only assess usage and best practices for platforms like Microsoft Teams, but also in managing risk, identifying vulnerabilities, creating cybersecurity strategy, and communicating it throughout the company. And with 24/7/365 managed security services, we can ensure your technology environment remains secure at all times.

Contact us today to learn more about our services.