- Microsoft Teams security risks<\/a>
- Guest access<\/a><\/li>
- Information leaks<\/a><\/li>
- Teams Privacy<\/a><\/li>
- User life cycle<\/a><\/li>
- Private channels ownership<\/a><\/li>
- Sharing highly sensitive information<\/a><\/li>
- Apps integration<\/a><\/li>
- Phishing attacks<\/a><\/li><\/ul><\/li>
- Microsoft Teams security best practices<\/a>
- 1. Define Microsoft Teams governance<\/a><\/li>
- 2. Configure data security features<\/a><\/li>
- 3. Configure guest access settings<\/a><\/li>
- 4. Use lobby for meetings with external users<\/a><\/li>
- 5. Enable multi-factor authentication<\/a><\/li>
- 6. Enforce Teams Privacy<\/a><\/li>
- 7. Create activity alerts<\/a><\/li><\/ul><\/li><\/ul>\n\t\t\t<\/div>\n\t\t<\/div><\/div>\n\n\n
Microsoft Teams security risks<\/h2>\n\n\n\n
<\/div>\n\n\n\nGuest access<\/h3>\n\n\n\n
One of the greatest capabilities of Microsoft Teams is communicating and collaborating with external users by granting them guest access to your teams, channels and meetings. This is why Teams is so widely used for conducting remote negotiations, making sales pitches, and discussing projects with partners.<\/p>\n\n\n\n
However, by granting guest access you\u2019re also allowing your guests to get a complete access to your team\u2019s files and other data that is shared through channels. Therefore, you risk having your guests see sensitive content, which poses potential data security risks.<\/p>\n\n\n\n
<\/div>\n\n\n\nInformation leaks<\/h3>\n\n\n\n
If External Sharing is turned on in Teams, then all the documents you store in SharePoint can potentially be shared with external users through chats. This can result in leaks of sensitive data and create serious security risks.<\/p>\n\n\n\n
Screen sharing capability can also let you down if not used carefully. If you or your employees accidentally share the wrong page with outside users, it can cause irreversible damage.<\/p>\n\n\n\n
<\/div>\n\n\n\nTeams Privacy<\/h3>\n\n\n\n
Teams owners can change your team privacy at any time, which is why it\u2019s important to oversee who owners of your teams are. Changing teams privacy can lead to security issues. So, you may want to choose them carefully and certainly not grant ownership to every member of the team.<\/p>\n\n\n\n
<\/div>\n\n\n\nUser life cycle<\/h3>\n\n\n\n
If your team has only one owner and this person, for example, leaves the company, this can become a problem. A team cannot be without an owner, so potentially any user can become one. This may sabotage your team\u2019s privacy since the owner can change settings of the team.<\/p>\n\n\n\n
<\/div>\n\n\n\nPrivate channels ownership<\/h3>\n\n\n\n
Private channels are a great way to discuss sensitive matters with a few members from the team (and even guest users) without having to create a whole new team. However, if the owner of the private channel is removed, any member can become a new owner. This can be risky as they could invite anyone to the private channel and, therefore, give access to confidential information to other users.<\/p>\n\n\n\n
<\/div>\n\n\n\nSharing highly sensitive information<\/h3>\n\n\n\n
It\u2019s against the law to share certain very sensitive data. That, for example, is true for social security numbers. Sharing this kind of data in Teams with external users is illegal. Enabling data loss prevention policies makes sure users do not accidentally slip sensitive information. <\/p>\n\n\n\n
<\/div>\n\n\n\nApps integration<\/h3>\n\n\n\n
When integrating a third-party app into Teams you may give it permission to access your team\u2019s data. Some apps can transfer data among their services, which can cause data loss and GDPR compliance violations.<\/p>\n\n\n\n
<\/div>\n\n\n\nPhishing attacks<\/h3>\n\n\n\n
Microsoft Teams users receive email notifications about activities in their teams. Knowing that, cyber-attackers started targeting Teams users for getting their credentials and accessing companies\u2019 intellectual property and strategies.<\/p>\n\n\n\n
<\/div>\n\n\n\nMicrosoft Teams security best practices<\/h2>\n\n\n\n
There are ways to increase your teams\u2019 security and minimize security risks. Below we list some of Microsoft Teams security best practices.<\/p>\n\n\n\n
<\/div>\n\n\n\n1. Define Microsoft Teams governance<\/h3>\n\n\n\n
One of the most reliable ways to enforce security in Teams is by setting up governance policies. Teams governance determines how the organization will function internally, how end-users can use the app, who can create teams, what information users can share, etc.<\/p>\n\n\n\n
If you\u2019d like to learn Teams governance best practices, we recommend checking out cet article<\/a>. There are many points to consider, and they revolve not only around security, but also the organizational structure.<\/p>\n\n\n\n
When it comes to security, you may want to consider the following points:<\/p>\n\n\n\n
<\/div>\n\n\n\nWho can create teams<\/em><\/h4>\n\n\n\n
The first thing you need to do is to decide who can create teams. This will allow you to minimize teams sprawl and all the security issues it arises.<\/p>\n\n\n\n
There are a few ways to do that:<\/p>\n\n\n\n
- You can create a security group of people who will be allowed to create Office 365 groups. You can find the instructions ici<\/a>. However, this can limit other users as besides Microsoft Teams, they won\u2019t be able to create groups in Planner, Outlook and other Office 365 apps.<\/li>
- By establishing Ciblage de l'audience<\/a> with Microsoft Teams Collaboration templates you limit templates\u2019 visibility to only certain groups of people. It allows you to set up targeting rules based on your users\u2019 profile data such as geolocation, spoken language, business department, email address or any Active Directory Attributes to target the right users with the templates available.<\/li><\/ol>\n\n\n\n
![\"Microsoft](\"https:\/\/img.salestim.com\/spai\/q_lossy+ret_img\/https:\/\/www.salestim.com\/wp-content\/uploads\/2020\/12\/66794842-7496-435B-9007-240D4EC6DE5A.jpeg\")
<\/figure>\n\n\n\n<\/div>\n\n\n\nTeams ownership and membership<\/em><\/h4>\n\n\n\n
Setting up the right ownership and membership policies will allow you to better monitor teams and private channels and control what information is being shared. Team owners can remove members, add guests, change settings, and perform some administrative tasks. So, you may want to make sure you have a few owners in each team so that in case one of them is removed from the team, the ownership will not go to a random member.<\/p>\n\n\n\n
Here are a few ways to do it:<\/p>\n\n\n\n
- Build guidelines for adding owners and members that you users will follow when creating a new team.<\/li>
- Do it manually in each team.<\/li>
- Mise en place Dynamic membership<\/a> for teams. This means the membership of a team can be defined by one or more rules that correspond to certain user attributes in Azure AD. As a result, users are automatically added or removed to the right teams if their attributes change.<\/li>
- Establish Permanent membership and ownership<\/a> at the template level with Collaboration templates by SalesTim. When you build a template, you can assign permanent owners and members that will be automatically added to new teams created from this template.<\/li><\/ol>\n\n\n\n
![\"Microsoft](\"https:\/\/img.salestim.com\/spai\/w_990+q_lossy+ret_img+to_webp\/https:\/\/cdn.shortpixel.ai\/spai\/w_546+q_lossless+ret_img+to_webp\/https:\/\/www.salestim.com\/wp-content\/uploads\/2020\/03\/A761461C-3C08-4ACA-8A86-2A6F400DEEA9.png\")
<\/figure>\n\n\n\n<\/div>\n\n\n\nThird-party apps<\/em><\/h4>\n\n\n\n
Open access to third-party apps for end-users puts at risks the security of your sensitive content. Managing third-party apps, therefore, is vital in ensuring effective collaboration while keeping confidential information safe.<\/p>\n\n\n\n
You can oversee third-party apps by:<\/p>\n\n\n\n
1. Managing app setup policies<\/a>.<\/p>\n\n\n\n
You can highlight and pin the most important apps in teams and install apps on behalf of users.<\/p>\n\n\n\n
![\"Microsoft](\"https:\/\/img.salestim.com\/spai\/w_990+q_lossy+ret_img+to_webp\/https:\/\/docs.microsoft.com\/en-us\/microsoftteams\/media\/app-setup-policies-add.png\")
<\/figure>\n\n\n\n2. Managing app permission policies<\/a>.<\/p>\n\n\n\n
You can control what apps are available for users in admin center:<\/p>\n\n\n\n
- Autoriser toutes les applications<\/li>
- Autoriser des applications sp\u00e9cifiques et bloquer toutes les autres<\/li>
- Bloquer certaines applications et autoriser toutes les autres<\/li>
- Bloquer toutes les applications<\/li><\/ul>\n\n\n\n
![\"\"\/](\"https:\/\/img.salestim.com\/spai\/q_lossy+ret_img\/https:\/\/www.salestim.com\/wp-content\/uploads\/2020\/10\/MicrosoftTeams-image.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/img.salestim.com\/spai\/q_lossy+ret_img\/https:\/\/www.salestim.com\/wp-content\/uploads\/2020\/12\/63F92371-4DA5-4ACF-9928-B18B50401467-1024x308.jpeg\")
<\/figure><\/div>\n\n\n\nThere’s also a possibility to filter apps by restricting them to only those certified by Microsoft. <\/p>\n\n\n\n
<\/div>\n\n\n\n2. Configure data security features<\/h3>\n\n\n\n
Office 365 provides additional features to secure your data.<\/p>\n\n\n\n
Data loss prevention (DLP)<\/em><\/h4>\n\n\n\n
DLP feature identifies very sensitive data, such as Social Security and credit card numbers, and prevents from sharing it with external and guest users.<\/p>\n\n\n\n
For example, if sensitive information is shared with an external user through a message, it will be automatically deleted.<\/p>\n\n\n\n
![\"Microsoft](\"https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/media\/dlp-teams-blockedmessage-notification.png?view=o365-worldwide\")
<\/figure>\n\n\n\nIn case a document that contain such information is shared with an external users, the document won\u2019t open for those users.<\/p>\n\n\n\n
![\"\"\/](\"https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/media\/dlp-teams-blockedmessage-possibleactions.png?view=o365-worldwide\")
<\/figure>\n\n\n\nYou can learn more about DLP and how to enable it ici<\/a>.<\/p>\n\n\n\n
<\/div>\n\n\n\nSensitivity labels for information protection<\/em><\/h4>\n\n\n\n
To get the job done your staff collaborates both internally and externally, posing potential data security risks if a highly confidential document accidentally falls into wrong hands.<\/p>\n\n\n\n
Sensitivity labels let you classify and protect your company\u2019s data, while making sure that user productivity and their ability to collaborate isn’t impeded.<\/p>\n\n\n\n
Sensitivity labels can encrypt emails and documents, mark the content when you use Office 365 apps, protect content in containers such as sites and groups, and Apply the label automatically to files and emails, or recommend a label.<\/p>\n\n\n\n
En savoir plus sur les \u00e9tiquettes de sensibilit\u00e9 ici<\/a>.<\/p>\n\n\n\n
![\"Microsoft](\"https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/media\/sensitivity-label-grouped-labels2.png?view=o365-worldwide\")
<\/figure>\n\n\n\n<\/div>\n\n\n\n3. Configure guest access settings<\/h3>\n\n\n\n
With Microsoft Teams you can invite external guest to your teams, which might raise some data security concerns. Which is why it\u2019s essential set up the right guest access rules.<\/p>\n\n\n\n
<\/div>\n\n\n\nAdmin center<\/em><\/h4>\n\n\n\n
You can configure guest access settings in the Teams admin center. You can disable it completely, although if you use Teams to communicate with clients and partners you might want to keep this capability. Instead, you can grant them with the least privileges, just enough to discuss matters of mutual interest.<\/p>\n\n\n\n
If you\u2019re concerned about accidental leaks of information during video meetings, you may choose to disable the screensharing capability.<\/p>\n\n\n\n
![\"\"\/](\"https:\/\/img.salestim.com\/spai\/q_lossy+ret_img\/https:\/\/www.salestim.com\/wp-content\/uploads\/2020\/10\/guest-access-1.jpg\")
<\/figure>\n\n\n\n![\"\"\/](\"https:\/\/img.salestim.com\/spai\/q_lossy+ret_img\/https:\/\/www.salestim.com\/wp-content\/uploads\/2020\/10\/guest-access-2.jpg\")
<\/figure>\n\n\n\n<\/div>\n\n\n\nPrivacy labels for teams<\/em><\/h4>\n\n\n\n
You can create and configure \u00e9tiquettes de sensibilit\u00e9<\/a> that, when applied during teams creation, enable users to choose privacy settings for a new team. <\/p>\n\n\n\n
![\"Screenshot](\"https:\/\/docs.microsoft.com\/en-us\/microsoftteams\/media\/sensitivity-labels-confidential-example.png\")
<\/figure>\n\n\n\nTeams created with a highly confidential label won\u2019t allow guest access and will only be available to your employees. People outside your organization can’t join the team.<\/p>\n\n\n\n
<\/div>\n\n\n\nBuild your own app with Azure logics apps<\/em><\/h4>\n\n\n\n
There\u2019s also a way to enable guest access only for select authorized teams by creating a new Azure AD App Registration that allows to utilize Microsoft Graph for creating teams and set its priorities. You can find a step-by-step guide ici<\/a>.<\/p>\n\n\n\n
![\"\"\/](\"https:\/\/miro.medium.com\/max\/1050\/1*6pbFZZMo6PfDnj8qf526FA.png\")
<\/a><\/figure>\n\n\n\n<\/div>\n\n\n\n4. Use lobby for meetings with external users<\/h3>\n\n\n\n
To prevent external users from accessing your meetings in Microsoft Teams, you can leverage Lobby capability. You can enable\/disable it in Microsoft Teams admin center.<\/p>\n\n\n\n
Your external users will be redirected to a virtual lobby where they will need to wait for admission. This can be useful, for example, if you\u2019re having a negotiation meeting with your team and a client and wish to have a talk with your team members before the official meeting starts.<\/p>\n\n\n\n
![\"\"\/](\"https:\/\/docs.microsoft.com\/en-us\/microsoftteams\/media\/meeting-policies-lobby.png\")
<\/figure>\n\n\n\n<\/div>\n\n\n\n5. Enable multi-factor authentication<\/h3>\n\n\n\n
Multi-factor authentication<\/a> greatly increases the security of users logins. It\u2019s definitely one of the Microsoft Teams security best practices if you want to protect your system from phishing attacks that steal you employees\u2019 credentials.<\/p>\n\n\n\n
Aside from entering username and password to log in, users must verify their credentials with a multi-authentication factor, by receiving a phone call, text message or a notification.<\/p>\n\n\n\n
![\"\"\/](\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/user-help\/media\/multi-factor-authentication-end-user-manage-settings\/mfa-security-verification-page.png\")
<\/figure>\n\n\n\n<\/div>\n\n\n\n6. Enforce Teams Privacy<\/h3>\n\n\n\n
If you would like to enable privacy for certain teams, you can do that at the template level with SalesTim Mod\u00e8les de collaboration<\/a>.<\/p>\n\n\n\n
You can decide if new teams created from the template will be Private<\/em> ou Public<\/em>. Private teams will only allow team owners to add members, while in public teams anyone from the organization will be able to join without validation.<\/p>\n\n\n\n
![\"\"\/](\"https:\/\/salestim.intercom-attachments-1.com\/i\/o\/165306841\/f961885dd925e94114232305\/securityPolicy.png\")
<\/figure>\n\n\n\n
- Establish Permanent membership and ownership<\/a> at the template level with Collaboration templates by SalesTim. When you build a template, you can assign permanent owners and members that will be automatically added to new teams created from this template.<\/li><\/ol>\n\n\n\n
- By establishing Ciblage de l'audience<\/a> with Microsoft Teams Collaboration templates you limit templates\u2019 visibility to only certain groups of people. It allows you to set up targeting rules based on your users\u2019 profile data such as geolocation, spoken language, business department, email address or any Active Directory Attributes to target the right users with the templates available.<\/li><\/ol>\n\n\n\n
- 2. Configure data security features<\/a><\/li>
- Information leaks<\/a><\/li>
- Guest access<\/a><\/li>
![\"\"\/](\"https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/media\/53888bd5-9fa2-4398-8ccc-1a9dc72517ac.png?view=o365-worldwide\")
<\/figure>\n\n\n\n