Security in Microsoft Teams
Many companies have already introduced Microsoft Teams or are in the process of doing so. However, due to unanswered questions about security in Microsoft Teams, there is often hesitation. More specifically, we are talking about these topics:
- close security gaps and
- avoid proliferation of new teams
Microsoft offers a variety of settings and configurations to customize Microsoft Teams to individual needs.
The challenge for many administrators, however, is to know which options exist at all and where to make which settings.
Index
Identity security in MS Teams
Each user must log in via their Microsoft account to use Microsoft Teams. So the type of authentication depends on the settings in your Entra ID.
Since this is usually the same login as for Windows or other Office apps, it can be forwarded to Microsoft Teams. This eliminates the need for the user to re-enter their username and password (single sign-on).
For mobile users, you can make additional configurations to set stricter authentication rules. For example, you can work with Intunes to further restrict authorized accounts and devices.
It is also possible to work with a certificate-based authentication, provided that your Exchange Online account is configured accordingly.
Compliance
Compliance, in other words, the ability to comply with rules, is provided in Microsoft Teams through features of Microsoft 365. These include:
- information barriers,
- communication compliance and
- retention policies.
Information barriers are used to prevent communication and thus the exchange of information between certain users or user groups. Such setting options can be useful, for example, if employees working on a project with a high security level are not allowed to disclose information about it to the outside world (accidentally or intentionally).
These policies are configured via the Microsoft 365 “Security & Compliance Center” via PowerShell cmdlets.
Communication compliance means scanning chats and team content for inappropriate content so that it can be acted upon. This can be offensive content as well as confidential and internal information. Microsoft always provides some predefined rules in Microsoft 365 as a basis. However, these can also be supplemented with your own rules.
Retention policies for data in Microsoft Teams are designed to ensure that
- important data is not lost
- redundant or even unlawful data, on the other hand, is automatically removed.
Accordingly, one can configure both retention and deletion policies. By default, information about chats and channels in Microsoft Teams is retained indefinitely until manually deleted. After a manual deletion, the data is permanently deleted unless you use third-party software to back it up.
Rules for data retention and deletion can be defined differently for channels and chats. In addition, it can be specified whether these apply to the entire organization or only individual user(s). The configuration can be done either via the Microsoft 365 “Compliance Center” or the “Security & Compliance Center” via PowerShell cmdlets.
Conditional access
Microsoft Teams uses Exchange Online, SharePoint Online and Skype for Business Online for basic features such as meetings, calendars, chats and file sharing. Therefore, the configurations for conditional access to these features are also based on the associated apps.
In addition, you can also define your own policies for conditional access to Microsoft Teams. These policies are “if-then” statements. It can be determined whether access is blocked, allowed, or permitted depending on other rules when the rules are met.
We recommend that you set the policies for Microsoft Teams for the above apps as well, otherwise unexpected behavior may occur. For example, access to resources in SharePoint Online may be granted to users because the policies for this app are less strict than for Microsoft Teams.
Read more about how Microsoft Teams is embedded in the M365 world in our article: “What happens when I create a new team in Microsoft Teams?”
Guest access
Guests on your teams represent a possible vulnerability in your security. Therefore, Microsoft offers a number of configuration options:
- allow or not allow guests altogether
- allow or not allow guests in teams
- who may invite guests
- whether guests are allowed to access documents or not
- and more
These settings are made directly in Entra ID, or in the case of data (files), directly in SharePoint. In addition, further settings can be made directly on individual teams by the team admin. For example, you can regulate the creation of channels by guests.
Data Loss Protection (DLP)
Policies can be set up in all Microsoft 365 services to identify, monitor and automatically protect sensitive data. Such sensitive data can include credit card numbers, medical records, or social security numbers.
Provided there is a suitable DLP policy, confidential information in chats is automatically deleted and documents cannot be opened by user (groups).
The configuration of such policies for Microsoft Teams is handled via the Microsoft 365 “Security & Compliance Center”. You can also view where your data is stored via the Microsoft 365 “Admin Center”. This information could be relevant for your company with regard to GDPR.
eDiscovery and monitoring protocols
Microsoft Teams stores most of the information by default. It allows you to search and analyze the information later. This helps you find and understand security vulnerabilities faster. For example, this data includes chat messages, channel messages in a team, gifs, emojis, chat links and edited messages. However, audio recordings, code snippets, reactions, and channel names are not covered.
Additionally, users or entire groups can be set to “legal retention“. This protects data related to these users from manipulation. You can make this setting in the Microsoft 365 “Security & Compliance Center”.
In the Microsoft 365 “Security & Compliance Center”, the recording of monitoring logs can also be activated. This logs how users use Teams and thus can find activities that indicate security problems. For example, users (groups) have more rights than intended.
Monitoring protocols exist, for example, for team creation and –deletion, add channel and modification of settings.
Good to know: Monitoring logs only record from the moment of activation.
Protection of meetings and calls
Meetings can be protected by meeting policies. You can set these in the “Teams Admin Center“. You can define which users have to wait in the lobby and who is allowed to join the meeting directly. You can also configure what rights a participant has vs. the leader of the meeting, e.g. in terms of presentation rights or the ability to mute other participants.
Independent of meetings, policies can be set for calls. These can determine, for example, whether private calls can be made via Microsoft Teams, call forwarding or voicemail settings. In the Teams Admin Center, you can configure voicemail encryption and voicemail transcription, which is activated by default.
Furthermore, calls can be blocked in Microsoft Teams. However, this then applies to the entire client and cannot be restricted to individual users. These policies are primarily intended to prevent phishing and spam.
Summary
Microsoft Teams offers many different security features that are enabled due to interaction with other Microsoft apps. This also means that they have to be configured in different portals.
| Settings | Location | Comment |
| Authentication | Azure Portal | These are the general authentication settings to Entra ID. |
| Information barriers | Microsoft 365 “Security & Compliance Center” via PowerShell cmdlets | |
| Communication compliance | Microsoft 365 “Compliance Center” | |
| Retention policies | Microsoft 365 “Compliance Center” or “Security & Compliance Center” via PowerShell cmdlets | |
| Data storage location | Microsoft 365 “Admin Center” | Can only be viewed. |
| Conditional access | Azure Portal | Must be configured for MS Teams, including apps used by MS Teams, to ensure security. Apps: Exchange Online, SharePoint Online und Skype for Business Online |
| Guest access | Azure Portal & Microsoft Teams App (for the relevant team) | In the Azure Portal, settings can be made at various points, such as Entra ID configuration, group configuration, SharePoint configuration |
| Data loss protection (DLP) | Microsoft 365 “Security & Compliance Center” and Microsoft 365 “Admin Center” | |
| eDiscovery and monitoring protocols | Microsoft 365 “Security & Compliance Center” | |
| Meeting and call policies | “Teams Admin Center” | |
| Voicemail protection | “Teams Admin Center” |
Conclusion
With its many settings, Microsoft Teams offers a versatile security system through which you can protect your company.
With the complex interaction of various Microsoft services within Microsoft Teams, it can be difficult for the administrator in charge to keep track of everything. It is important to set the security configurations correctly in all services, otherwise unwanted behavior may occur.
This article was compiled based on Microsoft’s documentation to provide a broad and quick overview of the topic of security in Teams. If you need more information, we recommend taking a look at this documentation from Microsoft.
For more information and support in implementing Microsoft Teams, please feel free to contact us.
