Microsoft Teams Security Best Practices

Microsoft Corporation invests huge amounts of time and money into security of their systems, including Microsoft Teams. Their engineering team constantly improves and adds new security features, making it one of the safest tools for collaboration. At the same time, there are always data security risks, no matter what platform you use for operating your business. And it’s a responsibility of each organization to ensure the safest use of the tool and protection of data.

In this article we will outline the most common security risks in Microsoft Teams and best practices to help minimize them.

Microsoft Teams security risks

Guest access

One of the greatest capabilities of Microsoft Teams is communicating and collaborating with external users by granting them guest access to your teams, channels and meetings. This is why Teams is so widely used for conducting remote negotiations, making sales pitches, and discussing projects with partners.

However, by granting guest access you’re also allowing your guests to get a complete access to your team’s files and other data that is shared through channels. Therefore, you risk having your guests see sensitive content, which poses potential data security risks.

Information leaks

If External Sharing is turned on in Teams, then all the documents you store in SharePoint can potentially be shared with external users through chats. This can result in leaks of sensitive data and create serious security risks.

Screen sharing capability can also let you down if not used carefully. If you or your employees accidentally share the wrong page with outside users, it can cause irreversible damage.

Teams Privacy

Teams owners can change your team privacy at any time, which is why it’s important to oversee who owners of your teams are. Changing teams privacy can lead to security issues. So, you may want to choose them carefully and certainly not grant ownership to every member of the team.

User life cycle

If your team has only one owner and this person, for example, leaves the company, this can become a problem. A team cannot be without an owner, so potentially any user can become one. This may sabotage your team’s privacy since the owner can change settings of the team.

Private channels ownership

Private channels are a great way to discuss sensitive matters with a few members from the team (and even guest users) without having to create a whole new team. However, if the owner of the private channel is removed, any member can become a new owner. This can be risky as they could invite anyone to the private channel and, therefore, give access to confidential information to other users.

Sharing highly sensitive information

It’s against the law to share certain very sensitive data. That, for example, is true for social security numbers. Sharing this kind of data in Teams with external users is illegal. Enabling data loss prevention policies makes sure users do not accidentally slip sensitive information.  

Apps integration

When integrating a third-party app into Teams you may give it permission to access your team’s data. Some apps can transfer data among their services, which can cause data loss and GDPR compliance violations.

Phishing attacks

Microsoft Teams users receive email notifications about activities in their teams. Knowing that, cyber-attackers started targeting Teams users for getting their credentials and accessing companies’ intellectual property and strategies.

Microsoft Teams security best practices

There are ways to increase your teams’ security and minimize security risks. Below we list some of Microsoft Teams security best practices.

1. Define Microsoft Teams governance

One of the most reliable ways to enforce security in Teams is by setting up governance policies. Teams governance determines how the organization will function internally, how end-users can use the app, who can create teams, what information users can share, etc.

If you’d like to learn Teams governance best practices, we recommend checking out this article. There are many points to consider, and they revolve not only around security, but also the organizational structure.

When it comes to security, you may want to consider the following points:

Who can create teams

The first thing you need to do is to decide who can create teams. This will allow you to minimize teams sprawl and all the security issues it arises.

There are a few ways to do that:

  1. You can create a security group of people who will be allowed to create Office 365 groups. You can find the instructions here. However, this can limit other users as besides Microsoft Teams, they won’t be able to create groups in Planner, Outlook and other Office 365 apps.
  2. By establishing Audience Targeting with Microsoft Teams Collaboration templates you limit templates’ visibility to only certain groups of people. It allows you to set up targeting rules based on your users’ profile data such as geolocation, spoken language, business department, email address or any Active Directory Attributes to target the right users with the templates available.
Microsoft Teams Security Best Practices: who can create teams - audience targeting

Teams ownership and membership

Setting up the right ownership and membership policies will allow you to better monitor teams and private channels and control what information is being shared. Team owners can remove members, add guests, change settings, and perform some administrative tasks. So, you may want to make sure you have a few owners in each team so that in case one of them is removed from the team, the ownership will not go to a random member.

Here are a few ways to do it:

  1. Build guidelines for adding owners and members that you users will follow when creating a new team.
  2. Do it manually in each team.
  3. Set up Dynamic membership for teams. This means the membership of a team can be defined by one or more rules that correspond to certain user attributes in Azure AD. As a result, users are automatically added or removed to the right teams if their attributes change.
  4. Establish Permanent membership and ownership at the template level with Collaboration templates by SalesTim. When you build a template, you can assign permanent owners and members that will be automatically added to new teams created from this template.
Microsoft Teams Security Best Practices: permanet owners and members

Third-party apps

Open access to third-party apps for end-users puts at risks the security of your sensitive content. Managing third-party apps, therefore, is vital in ensuring effective collaboration while keeping confidential information safe.

You can oversee third-party apps by:

1. Managing app setup policies.

You can highlight and pin the most important apps in teams and install apps on behalf of users.

Microsoft Teams Security Best Practices: third-party apps management

2. Managing app permission policies.

You can control what apps are available for users in admin center:

  • Allow all apps
  • Allow specific apps and block all others
  • Block specific apps and allow all others
  • Block all apps

There’s also a possibility to filter apps by restricting them to only those certified by Microsoft.

2. Configure data security features

Office 365 provides additional features to secure your data.

Data loss prevention (DLP)

DLP feature identifies very sensitive data, such as Social Security and credit card numbers, and prevents from sharing it with external and guest users.

For example, if sensitive information is shared with an external user through a message, it will be automatically deleted.

Microsoft Teams Security Best Practices: data loss prevention

In case a document that contain such information is shared with an external users, the document won’t open for those users.

You can learn more about DLP and how to enable it here.

Sensitivity labels for information protection

To get the job done your staff collaborates both internally and externally, posing potential data security risks if a highly confidential document accidentally falls into wrong hands.

Sensitivity labels let you classify and protect your company’s data, while making sure that user productivity and their ability to collaborate isn’t impeded.

Sensitivity labels can encrypt emails and documents, mark the content when you use Office 365 apps, protect content in containers such as sites and groups, and Apply the label automatically to files and emails, or recommend a label.

Learn more about sensitivity labels here.

Microsoft Teams Security Best Practices: sensitivity labels

3. Configure guest access settings

With Microsoft Teams you can invite external guest to your teams, which might raise some data security concerns. Which is why it’s essential set up the right guest access rules.

Admin center

 You can configure guest access settings in the Teams admin center. You can disable it completely, although if you use Teams to communicate with clients and partners you might want to keep this capability. Instead, you can grant them with the least privileges, just enough to discuss matters of mutual interest.

If you’re concerned about accidental leaks of information during video meetings, you may choose to disable the screensharing capability.

Privacy labels for teams

You can create and configure sensitivity labels that, when applied during teams creation, enable users to choose privacy settings for a new team.

Screenshot of Confidential sensitivity label

Teams created with a highly confidential label won’t allow guest access and will only be available to your employees. People outside your organization can’t join the team.

Build your own app with Azure logics apps

There’s also a way to enable guest access only for select authorized teams by creating a new Azure AD App Registration that allows to utilize Microsoft Graph for creating teams and set its priorities. You can find a step-by-step guide here.

4. Use lobby for meetings with external users

To prevent external users from accessing your meetings in Microsoft Teams, you can leverage Lobby capability. You can enable/disable it in Microsoft Teams admin center.

Your external users will be redirected to a virtual lobby where they will need to wait for admission. This can be useful, for example, if you’re having a negotiation meeting with your team and a client and wish to have a talk with your team members before the official meeting starts.

5. Enable multi-factor authentication

Multi-factor authentication greatly increases the security of users logins. It’s definitely one of the Microsoft Teams security best practices if you want to protect your system from phishing attacks that steal you employees’ credentials.

Aside from entering username and password to log in, users must verify their credentials with a multi-authentication factor, by receiving a phone call, text message or a notification.

6. Enforce Teams Privacy

If you would like to enable privacy for certain teams, you can do that at the template level with SalesTim Collaboration templates.

You can decide if new teams created from the template will be Private or Public. Private teams will only allow team owners to add members, while in public teams anyone from the organization will be able to join without validation.

7. Create activity alerts

You can leverage Office 365 Audit Log to monitor potential security issues. After creating an activity alert you will receive email notification each time users perform specific activities in Office 365.

You may set activity alerts for external sharing, creating of sharing invitation, uploading/downloading files, site permissions modifications, and so on.

This way you’ll be able to oversee any potential security risks from user activity.

By following these Microsoft Teams security best practices you will ensure a high level of protection of your organization´s system and its data.


Read Related Blog Posts