With more than 145 million daily users (as of April 2021, that is), Microsoft Teams is one of the biggest success stories to come out of Redmond in the last couple of years. Many organizations have already started using Microsoft Teams as a communication and collaboration platform. The Covid-19 pandemic added to this with the necessity to work from home or other remote locations, and Microsoft Teams was the go-to platform for supporting this. From the technology side there’s little to stop you from using it: a license, a web browser or installable client, and some support are all it takes.
For some organizations, remote work was the primary reason to roll out Microsoft Teams ahead of schedule. Less attention was given to (cyber)security, staying in control, or the need to comply with certain rules and regulations. For a mature roll-out of Microsoft Teams, we need to take these aspects into account. That’s why in this article I will cover five relevant subjects:
- Stay in control of your Microsoft Teams platform;
- Protect access to your Microsoft Teams environments;
- Know how to manage mobile access;
- Understand guest and external access;
- Provide protection for the more sensitive information.
Please note: many of the options described in this article are part of the Microsoft 365 E3 license. Some, however, are not, and this is noted in the text. Also note that when I use the term “team” or “teams” (without the capital T), I mean one collaboration environment (for example: “Experts”).
Subject 1: Stay in control
One side effect we commonly notice once Microsoft Teams has been introduced within the organization is the speed with which it envelops the organization. For example: many new teams are created, or existing teams are not removed when no longer needed. Also, some of the initial configurations have been set too broadly. This might lead to certain (unwanted) apps being introduced within the organization. So: how do we stay in control?
First – a bit of governance.
Let’s say that we don’t allow our end-users to create their own teams. In this case, we need to delegate this to specific people within the organization. And this is relatively easy. Using PowerShell we can set a specific Azure Active Directory security group to be the “Microsoft 365 Groups creators”. This might be the admins within the organization. But beware: this option is related to Microsoft 365 Groups and not just Microsoft Teams. All other functions within Microsoft 365 that use these types of groups (Planner, for example) will also be affected.
Do you want to allow your end-users to create teams on their own? Then please look into the options for enforcing a naming convention and an expiration policy for teams. The first option allows you to add a prefix and suffix to the Microsoft 365 Group name, even using attributes from Azure Active Directory. It also allows you to block “unwanted” terms from being used in the name, for example HR or Management.
The expiration policy can be used to clean up teams. The owners of the team receive an email asking them if the team is still in use. If this is no longer the case, then the corresponding Microsoft 365 Group will be soft-deleted.
Some notes on this:
- These settings are related to Microsoft 365 Groups and not just Microsoft Teams. All other functions within Microsoft 365 that use these types of groups (Planner, for example) will also be affected;
- There are no “adaptive scopes” for the expiration policy. It’s more or less “all, selected or nothing”;
- If a team has a retention policy or hold applied, then the team will not be removed;
- Have a process in place for dealing with teams that are to be removed – know what to do with the information stored in these teams.
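The three governance settings described above (delegated creation, naming policy and expiration), as an added example that is not part of the original article. It assumes the AzureADPreview module; the security group name "M365-Group-Creators", the naming pattern, the blocked words and the notification address are assumptions, and "Experts" is the team named earlier in the article.

```powershell
# Added example (not from the article): delegate group creation, enforce a naming
# policy and add an expiration policy with the AzureADPreview module.
Connect-AzureAD

# 1. Restrict creation. Group.Unified is tenant-wide and affects every workload that
#    uses Microsoft 365 Groups (Planner, Outlook groups, ...), not just Teams.
$setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
if (-not $setting) {
    $template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq "Group.Unified" }
    New-AzureADDirectorySetting -DirectorySetting $template.CreateDirectorySetting() | Out-Null
    $setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
}
$creators = Get-AzureADGroup -Filter "DisplayName eq 'M365-Group-Creators'"   # assumed group name
$setting["EnableGroupCreation"]         = "False"             # block creation for everyone ...
$setting["GroupCreationAllowedGroupId"] = $creators.ObjectId  # ... except members of this security group

# 2. Naming policy: [GroupName] is what the creator types; the other [..] tokens are
#    Azure AD user attributes. Blocked words stop fake "HR" or "Management" teams.
$setting["PrefixSuffixNamingRequirement"] = "[Department]-[GroupName]"
$setting["CustomBlockedWordsList"]        = "HR,Management,CEO,Payroll"
Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting

# 3. Expiration: owners of the selected groups are mailed before the 180-day lifetime
#    ends; unrenewed groups are soft-deleted (groups under a retention policy or hold
#    are kept). A tenant holds one lifecycle policy; use Set-AzureADMSGroupLifecyclePolicy
#    to change an existing one. ManagedGroupTypes is "All", "Selected" or "None".
$lifecycle = New-AzureADMSGroupLifecyclePolicy -GroupLifetimeInDays 180 `
                -ManagedGroupTypes "Selected" -AlternateNotificationEmails "teams-admin@example.com"
$team = Get-AzureADGroup -Filter "DisplayName eq 'Experts'"
Add-AzureADMSLifecyclePolicyGroup -Id $lifecycle.Id -GroupId $team.ObjectId

# Verify what was stored.
(Get-AzureADDirectorySetting -Id $setting.Id).Values | Where-Object {
    $_.Name -in "EnableGroupCreation","GroupCreationAllowedGroupId","PrefixSuffixNamingRequirement","CustomBlockedWordsList"
}
```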
Now that we have team creation (and expiration) sorted, it’s time to look at some of the Microsoft Teams administrative settings. These settings are set on a platform (and user) level and impact the way Teams meetings are held, how the lobby is used and whether external apps can be added, to name but a few.
Please note that from the Microsoft Teams admin center you can modify “settings” and “policies”. Settings apply to all users and the entire environment. Policies can be applied to specific users within your organization. The so-called Global (Org-wide default) is (no surprise here) the default policy for a selected component. Any user can be part of only one such policy, and a policy can only contain users, not groups.
To make this a bit more complicated, the meeting policies are split into “per-organizer” and “per-user” sections. The first controls which settings apply to the meeting itself, for example “Automatically admit”. The second controls what an end-user can or cannot do, for example “Meet now”. The two sections can be combined into one policy, as is the case for the default.
It’s imperative to check these settings and to modify them for your organization.
Subject 2: Protect access to your Microsoft Teams environments
Any person using Microsoft Teams needs an identity to log in and gain access. For Office 365 in general and Microsoft Teams as a platform, we use Azure Active Directory. Using this identity, we can access applications, platforms like Microsoft Teams and (sensitive) information.
Our identity is very important, and therefore bad actors will use means like phishing and social engineering to get hold of these identities. To protect access to Microsoft Teams, follow some easy steps:
- Always use multifactor authentication for your internal and external identities;
- If possible, use the Microsoft Authenticator app (more on this later);
- Use Azure Active Directory Identity Protection if possible;
- Use Azure Active Directory Identity Governance for Privileged Identity Management and Access Reviews;
- Limit the number of (global) administrator accounts.
Please note that Azure AD Identity Protection and Governance will require additional licenses.
Subject 3: Know how to manage mobile access
Being a cloud-native platform, Microsoft Teams is accessible from any device, either by using a web browser, the Microsoft Teams client, or the mobile app. Using any of these options allows you to access conversations and chats and to work on documents.
And currently, our end-users probably want to use not only their managed device, such as a Windows 10 machine or iPad, but also their own mobile device.
The biggest problem with these bring-your-own devices (BYOD) or other unmanaged devices is the lack of control. We cannot be sure that information accessed using these devices will not end up in the hands of unauthorized people. And let’s be honest: a mobile phone does get lost sometimes, and people do leave the organization.
Using the combined solutions of Mobile Application Management (Microsoft Endpoint Manager) and Azure AD Conditional Access, we can still be in control, even if we don’t manage the devices themselves.
In a nutshell: Azure AD Conditional Access is used to check whether access to organizational information is allowed from the device. Mobile Application Management (MAM) creates a separate container on the iOS or Android device. Organizational information is stored (encrypted) in this container and only specific apps have access to it. Should the employee leave the organization, then this container is wiped, leaving any personal apps and information on the device intact.
Let’s assume that our employee has a company-managed iPhone, but also uses a personal Android device. Company policy states that access to Microsoft Teams and Microsoft Office is only allowed when using the original apps, that a PIN code is required, and that the information is encrypted when stored on the device. Additional restrictions apply: copying and pasting information is prohibited, as is taking screenshots.
Here’s where Azure AD Conditional Access and Mobile Application Management come together. A Conditional Access rule is set up to check whether the Android device uses an approved app to access company information. If so, access to the information is allowed.
The MAM policy has multiple components. First, the policy only applies to unmanaged devices. This rules out the company iPhone, as it is managed. The policy also includes settings like the PIN code and copy/paste restrictions. A list of approved apps (Microsoft Teams and Office) completes this policy.
Please note: for this solution to work, the employee will need to install and use the Microsoft Company App. This app serves as a broker and creates the container on the device. This app is not required for iOS, as the broker function is part of the Microsoft Authenticator app for iOS.
When accessing Microsoft Teams from the Android device, the employee will need to log in using the Company App. He/she will be prompted for the PIN code, and the Teams app will open. Documents can easily be opened in the Office apps, but the restrictions will apply.
Please note: for personal Windows 10 devices the MAM principle can also apply, but this is more complex. For accessing Microsoft Teams from unmanaged Windows 10 devices, you are better off using sensitivity labels and the unmanaged devices setting. This allows you to prevent downloading and printing of sensitive information.
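The two halves of the scenario above (the Conditional Access rule and the Android app protection policy), as an added example created through Microsoft Graph rather than the admin portals; it is not the article’s own configuration. It assumes the Microsoft.Graph PowerShell SDK and an admin holding the listed scopes; the policy names are placeholders. Scoping the MAM policy to unmanaged devices only and assigning it to a user group are left to the Endpoint Manager portal.

```powershell
# Added example (not from the article): report-only Conditional Access policy that
# requires an approved/protected client app for Office 365 on Android, plus the
# matching Android app protection (MAM) policy, both created via Microsoft Graph.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "DeviceManagementApps.ReadWrite.All"
$graph = "https://graph.microsoft.com/v1.0"

# --- Conditional Access: Android + Office 365 apps -> approved or compliant app required.
#     Start in report-only mode and review the sign-in log before enforcing.
$caPolicy = @{
    displayName = "MAM: require approved app for Office 365 on Android"
    state       = "enabledForReportingButNotEnforced"   # change to "enabled" after review
    conditions  = @{
        users          = @{ includeUsers = @("All") }
        applications   = @{ includeApplications = @("Office365") }   # Office 365 app group, includes Teams
        platforms      = @{ includePlatforms = @("android") }
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("approvedApplication", "compliantApplication")
    }
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/identity/conditionalAccess/policies" -Body $caPolicy -ContentType "application/json"

# --- MAM: PIN, encryption at rest, no screenshots, no copy/paste outside managed apps.
$mamPolicy = @{
    "@odata.type"                           = "#microsoft.graph.androidManagedAppProtection"
    displayName                             = "MAM: Android personal devices"
    pinRequired                             = $true
    encryptAppData                          = $true
    screenCaptureBlocked                    = $true
    saveAsBlocked                           = $true
    allowedOutboundClipboardSharingLevel    = "managedApps"
    allowedInboundDataTransferSources       = "managedApps"
    allowedOutboundDataTransferDestinations = "managedApps"
}
$created = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceAppManagement/androidManagedAppProtections" -Body $mamPolicy -ContentType "application/json"

# Approved apps that receive the container: Teams and Word (Android package ids).
$targetApps = @{
    apps = @(
        @{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.androidMobileAppIdentifier"; packageId = "com.microsoft.teams" } }
        @{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.androidMobileAppIdentifier"; packageId = "com.microsoft.office.word" } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceAppManagement/androidManagedAppProtections/$($created.id)/targetApps" -Body $targetApps -ContentType "application/json"
```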
Subject 4: Understand guest and external access
The ability to collaborate and share information inside and outside of the organization is one of the great advantages of Microsoft Teams. To work together with external parties, Office 365 and Microsoft Teams use the principle of Azure AD Business-to-Business (B2B), or, in other words: guest access. When added as a guest, an external party can open the teams to which he/she has been invited. There’s some complexity when working with guests, so let’s look at some of it.
Let’s start with the elephant in the room: anonymous access. The setting “Anonymous users can join a meeting” is enabled by default. Disabling this option will disallow participation in meetings without authentication, and many organizations will disable this setting for this reason. But beware!
When you disable this option, any participant in a meeting will have to log in to the Teams environment; otherwise, they are seen as an anonymous user. This has side effects: when you create a meeting request from Outlook, this request is sent to the participants of the meeting. If this is a Teams meeting, then the link to the meeting is part of the invitation. When someone from outside of the organization uses this link and is not logged in to your Teams environment, Microsoft Teams will see this as an anonymous request, and this person will not be able to participate in the meeting.
So, in my opinion, this anonymous option is better left on. But only when combined with the lobby functionality. And better still: wait for Microsoft – they are working on enhancing this experience.
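The combination recommended above (anonymous join left on, lobby enforced), together with the per-organizer/per-user split of meeting policies described in Subject 1, as an added example that is not the article’s own code. It assumes the MicrosoftTeams PowerShell module; the policy name and the user address are placeholders.

```powershell
# Added example (not from the article): keep anonymous meeting join enabled at the
# tenant level, but hold anonymous and external attendees in the lobby via a policy.
Connect-MicrosoftTeams

# Tenant-wide meeting *setting* (applies to everyone). Disabling anonymous join would
# also lock out invitees who open the Outlook invitation link without signing in.
Set-CsTeamsMeetingConfiguration -DisableAnonymousJoin $false

# A meeting *policy* combines per-organizer and per-user sections, like the Global default.
$policy = @{
    Identity                          = "Lobby-External"
    AutoAdmittedUsers                 = "EveryoneInCompany"  # per-organizer: guests and anonymous users wait in the lobby
    AllowAnonymousUsersToStartMeeting = $false               # per-organizer: no meeting runs with only anonymous attendees
    AllowPSTNUsersToBypassLobby       = $false               # per-organizer: dial-in callers wait as well
    AllowMeetNow                      = $true                # per-user: ad-hoc "Meet now" stays available
}
New-CsTeamsMeetingPolicy @policy

# Policies are assigned to individual users; anyone without an assignment keeps Global.
Grant-CsTeamsMeetingPolicy -Identity "organizer@example.com" -PolicyName "Lobby-External"

# Check the effective policy for that user.
Get-CsOnlineUser -Identity "organizer@example.com" | Select-Object UserPrincipalName, TeamsMeetingPolicy
```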
Guest and external
Second, take note of the difference between guest access and external access. The settings for external access are relevant for communication (chat) using Teams, Skype for Business and Skype. They allow or disallow this type of communication between people in your Teams environment and people outside of the organization. Guest access, on the other hand, allows for inviting people to teams and participating in the team’s functionality.
Now for guest access. As stated earlier, a guest is part of your Azure Active Directory. This functionality is available by default. If you don’t want to enable guest access, or want to restrict it to specific domains or specific people within your organization, then go to your Azure Active Directory External Collaboration Settings.
Any guest user will need to open your Teams environment to access teams. This is done when opening Teams for the first time. When the guest user is already working from another Teams environment, then he/she will need to switch to the other tenant.
There are some default restrictions for these guest users. They are not able to send any document in a chat (because of OneDrive for Business), they cannot add apps to a channel, new teams cannot be discovered or created, and the organizational chart is not accessible. These are default restrictions. As an admin or team owner, we can set other restrictions or lift them. For example: we can allow guest users to add additional channels to the team.
Beware SharePoint Online
As Microsoft Teams uses several Office 365 architectural components, it can be no surprise that you need to consider these when working with guests, especially when these components have guest access permission settings of their own. One of these is SharePoint Online.
Beware that the guest access settings for Microsoft Teams and SharePoint Online might differ. For example: you’ve set guest access for SharePoint Online to none. In this case, the guest user will be able to access the team, but when trying to open the documents tab or the connected SharePoint Online site, an error message will be displayed.
The best way to deal with this: work with sensitivity labels and configure the external access level for guest access using this label.
Stay in control
One last remark on guest users: please have a process in place to check whether your guest users still require access to your Teams environment. If you don’t have the ability to do so using Azure Active Directory Access Reviews (which require an additional license), then make this part of the team owner “rules and regulations”.
Subject 5: Provide protection for the more sensitive information
Information exchanged in Microsoft Teams can be (very) sensitive. And as with all sensitive information, we will need to provide adequate protection measures. Microsoft 365 offers many of those.
First, let’s look at data loss prevention. This functionality (part of an additional license) allows us to prevent sensitive information in conversations and documents from being leaked or accessed by unauthorized people. There are many configuration options for this. For example: when such information is shared and detected in a Teams conversation, the message is automatically blocked, and a notification is sent to the compliance officers.
Sensitivity labels allow us to classify an entire team. But these labels allow for more (information protection) settings as well:
- Privacy setting (is the team visible);
- Guest access for the team;
- External sharing settings for the corresponding SharePoint Online site(s);
- Access from unmanaged devices.
These labels work great when you allow people to create their own teams. The label policy allows you to provide a default label for your teams, that is, when new ones are created.
There is (still) a catch though: a team owner can still change the label if more than one label is available. So proper education of your team owners is crucial here.
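The DLP rule described above (block the message, notify compliance) and a sensitivity label carrying the four container settings from the list, as an added example that is not the article’s own configuration. It assumes the ExchangeOnlineManagement module (Connect-IPPSSession), an existing label named "Confidential", and placeholder policy names and the mailbox compliance@example.com.

```powershell
# Added example (not from the article): DLP policy for Teams conversations plus a
# sensitivity label with container (team/group/site) protection settings.
Connect-IPPSSession

# --- DLP: block credit card numbers in Teams chat and channel messages, notify the
#     sender and send an incident report to the compliance team. Start in test mode.
New-DlpCompliancePolicy -Name "Teams-PCI" -TeamsLocation All -Mode TestWithNotifications
$rule = @{
    Name                                = "Teams-PCI-Block"
    Policy                              = "Teams-PCI"
    ContentContainsSensitiveInformation = @{ Name = "Credit Card Number"; minCount = "1" }
    BlockAccess                         = $true
    NotifyUser                          = "LastModifier"
    GenerateIncidentReport              = "compliance@example.com"
    IncidentReportContent               = "Title", "Detections", "Severity"
    ReportSeverityLevel                 = "High"
}
New-DlpComplianceRule @rule
# After tuning on real traffic: Set-DlpCompliancePolicy -Identity "Teams-PCI" -Mode Enable

# --- Sensitivity label: privacy, guest access, SharePoint external sharing and
#     unmanaged-device access are enforced on every team that carries the label.
$label = @{
    Identity                                      = "Confidential"
    SiteAndGroupProtectionEnabled                 = $true
    SiteAndGroupProtectionPrivacy                 = "Private"   # team is not discoverable/joinable
    SiteAndGroupProtectionAllowAccessToGuestUsers = $false      # no guests in labelled teams
    SiteExternalSharingControlType                = "Disabled"  # connected SharePoint site: no external sharing
    SiteAndGroupProtectionAllowLimitedAccess      = $true       # unmanaged devices: web-only, no download/print
}
Set-Label @label
```

The default label for newly created teams is set on the label policy, not on the label itself, and a team owner with more than one published label can still pick another one.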
Additional options are available when you are using Microsoft Cloud App Security. This does require an additional license and is not part of this article.
Insider risk is another and more complex level of data loss within the organization. Some organizations prohibit information sharing and communications between specific departments or teams when insider trading might be a big risk. As Microsoft Teams aims to enhance communication and collaboration within the organization, this might be a problem.
But there is also a solution, albeit one that requires the appropriate licensing. Information barriers can be set up to prevent unwanted or unlawful communications between these parts of the organization. When the barrier is in place, it will not allow conversations or chats between these parts, nor can people be added to a team if this is not allowed. Even Voice over IP traffic will be stopped. It will not stop people from discussing items around the watercooler though 😊
Microsoft Teams is here to stay. It will continue to grow as a platform and its usage will skyrocket, in my opinion. Employees expect a secure working environment in which to have conversations, work with documents and use applications – all from Microsoft Teams.
This all requires the right measures for compliance, security, and risk. Some of these need to and can be applied right away: guest access, Teams policies and settings, and Microsoft 365 Groups settings. Others need more time to prepare: sensitivity labels, Conditional Access, and Mobile Application Management.
Without these, we run the risk of losing control over our Microsoft Teams environment and the information exchanged and stored inside it.
So, take a couple of days to look at these options and start creating the correct level of compliance, security & risk now.