According to a study conducted by Mio, 91% of businesses use at least two messaging apps, and Slack and Microsoft Teams are present in 66% of the organizations surveyed. Teams adoption has been growing quickly because of its interoperability with the rest of the Office 365 suite, which makes collaborating easier than ever. While collaboration is great, security is a major concern for organizations that are still considering the move to Teams from Slack, Skype, etc. The double-edged sword with Microsoft Teams is that its ability to collaborate with others both internally and externally raises concerns for security and data loss prevention. In this guide, I will show you what external and guest access controls Teams provides, as well as some other security considerations you should be aware of.
Understanding Teams in Teams
When a Team is created, a site is created for the Team and every member of that Team is given access to it. When a file is shared in a Teams chat, a copy of that file is uploaded to that Team’s site so it is accessible in both locations. This is important to know when allowing External access or Guest access to your Teams tenant.
I’d like to clarify the difference between External access (federation) and Guest access, as they are different:
- Guest access gives an individual access permission, while External access gives access permission to an entire domain.
- Guest access allows a guest who has been invited by a team owner to access various Teams resources, such as:
  - Team discussions
  - Files (for a specific team)
  - The ability to chat with other Team members
- External access (federated chat) is more limited: external users have no access to the inviting organization’s teams or team resources. These external users can only participate in one-on-one conversations.
Tenant admins can choose between enabling External access, Guest access, or both, depending on which level of collaboration is desirable with the external party. However, due to the limitations on the collaborative tools allowed via External access, we recommend enabling Guest access for a fuller and more collaborative Teams experience.
Microsoft Teams Admin Controls
Navigate to the Microsoft Teams admin center from the O365 admin center and expand out the Org-wide settings node.
The External access tab reveals the External Access page, which has two options for allowing communication with external users. Choose which external communication you would like to enable based on the settings shown below:
- Skype for Business and Teams users
- Skype for Business users can communicate with Skype users
This page also allows you to add domains to an allowed or blocked list. By default, your organization can communicate with all external domains. If you add blocked domains, all other domains will be allowed; if you add allowed domains, all other domains will be blocked. This makes it simple to configure cross-organizational trust with Teams tenants outside of your org or otherwise in separate domains. If your organization rarely collaborates with outside domains or organizations, then setting up a small number of known, trusted domains here is a good idea. That way all other domains will be blocked until a formal request to add them is submitted and approved. In general, it’s better to be safe than sorry, so if you’re not sure, create an allowed list (which blocks every other external domain); additional domains can easily be added later.
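The same allow-list approach can be scripted with the Microsoft Teams PowerShell module. This is an added example, not code from the original post; it assumes the MicrosoftTeams module is installed, the account is a Teams administrator, and the partner domains are placeholders.

```powershell
# Added example: restrict Teams external access (federation) to an explicit allow list.
# Assumptions: MicrosoftTeams module installed, Teams admin rights,
# and "partner-one.example" / "partner-two.example" are placeholder domains.
Connect-MicrosoftTeams

# Inspect the current federation settings before changing anything. With no allow
# or block list configured, every external domain is reachable.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowPublicUsers, AllowedDomains, BlockedDomains

# Build an allow list from the domains the organization actually works with.
# As soon as an allow list exists, every domain not on it is blocked.
$trusted = @('partner-one.example', 'partner-two.example') |
    ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $trusted

Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList

# A later, formally approved partner is added by extending the list, not by
# reopening federation to every domain.
$trusted += New-CsEdgeDomainPattern -Domain 'partner-three.example'
Set-CsTenantFederationConfiguration -AllowedDomains (New-CsEdgeAllowList -AllowedDomain $trusted)

# The opposite model (deny only known-bad domains, allow everything else) would use
# the blocked list instead, which is the weaker default for a low-collaboration org:
#   $blocked = New-CsEdgeDomainPattern -Domain 'untrusted.example'
#   Set-CsTenantFederationConfiguration -BlockedDomains @{Add=$blocked}

# Verify the resulting allow list.
Get-CsTenantFederationConfiguration | Select-Object -ExpandProperty AllowedDomains
```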
The Guest access tab: a guest is someone who isn’t an employee, student, or member of your organization. They don’t have a school or work account with your organization, but they do have some sort of business account (an Azure AD account) or a consumer email account like Gmail. Disabling guests is easy, but at the end of the day, would you rather your users work in a place where you have visibility, or figure out alternative ways of communicating? My suggestion is the former: enable Guest access to let your users enjoy the collaborative experience of Microsoft Teams and, most importantly, keep your users’ communication in a place where you have visibility, while taking advantage of proper security controls and DLP policies to collaborate safely. For some additional info on external sharing best practices, check out my other blog post, which goes in-depth on the available settings and policies!
Additional Guest controls:
1. Allow private calling: On or Off
2. Meeting settings:
   - Allow IP video: turning this on will allow IP video during meetings, meaning guests will be allowed to play video in meetings. IP video, by definition, is short for Professional Video over IP.
   - Screen sharing mode: options for limiting screen sharing include:
     - Single application
     - Full screen
   - Allow Meet now: this setting allows guests to create meetings with other Team members.
The messaging settings are pretty straightforward and content-related, but they should not be overlooked, as these bells and whistles can eat up resources, especially in large organizations. For example, the IP video setting can be a resource hog if too many users are leveraging it, as it takes up a lot of bandwidth. The same logic is true for other functions in Teams, so in addition to controlling what your users are doing for security purposes, setting up custom meeting or user policies to limit available functionality can help with performance as well.
Building upon the section above, meeting policies can help with both the security and the performance of your Teams tenant. Here you can manage all of the functionality available during meetings to the users you apply the policy to.
Here’s a breakdown of the settings available to you if you were to add a new custom Meeting Policy:
1. General
   - Allow Meet now in channels
   - Allow the Outlook add-in
   - Allow channel meeting scheduling
   - Allow scheduling private meetings
2. Audio & Video
   - Allow transcription
   - Allow cloud recording
   - Allow IP video
   - Media bit rate (KBs): this setting is the most important in terms of controlling bandwidth in your organization; consider setting limits on all of your users and Teams.
     - This setting determines the media bit rate for audio, video, and video-based app sharing in meetings for people in your organization, giving you granular control over managing bandwidth. Depending on the meeting scenario, Microsoft recommends having enough bandwidth in place for a good-quality experience. The minimum value is 30 Kbps and the maximum value depends on the meeting scenario. For meetings that need the highest-quality video experience, such as CEO board meetings and Teams live events, we recommend you set the bandwidth to 10 Mbps.
3. Content Sharing
   - Screen sharing mode:
     - Single application
     - Entire screen
   - Allow a participant to give or request control
   - Allow an external participant to give or request control
   - Allow PowerPoint sharing
   - Allow whiteboard
   - Allow shared notes
4. Participants and Guests
   - Let anonymous people start a meeting: On or Off
   - Automatically admit people:
     - Everyone in your organization
     - Everyone in your organization and federated organizations
   - Allow dial-in users to bypass the lobby
   - Allow Meet now in private meetings
   - Enable live captions
   - Allow chat in meetings
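The org-wide guest controls listed earlier and the custom meeting policy above can both be applied from PowerShell, which also makes the chosen settings reviewable and repeatable. This is an added example, not code from the original post; it assumes the MicrosoftTeams module is installed, the account is a Teams administrator, and that the policy name and user principal name are placeholders. Settings not shown (live captions, meeting chat) are left at their defaults.

```powershell
# Added example: lock down guest meeting/calling settings tenant-wide and create a
# restrictive custom meeting policy for selected internal users.
# Assumptions: MicrosoftTeams module installed, Teams admin rights; the policy name
# "Restricted-External" and "contractor@contoso.example" are placeholders.
Connect-MicrosoftTeams

# 1. Org-wide guest controls (guests are governed by these, not by per-user policies).
Set-CsTeamsClientConfiguration -Identity Global -AllowGuestUser $true   # keep guests visible in Teams
Set-CsTeamsGuestCallingConfiguration -Identity Global -AllowPrivateCalling $false
Set-CsTeamsGuestMeetingConfiguration -Identity Global `
    -AllowIPVideo $false `
    -ScreenSharingMode SingleApplication `
    -AllowMeetNow $false

# 2. A custom meeting policy: flashy features off, bandwidth capped, lobby enforced.
New-CsTeamsMeetingPolicy -Identity 'Restricted-External' `
    -AllowMeetNow $false `
    -AllowPrivateMeetNow $false `
    -AllowOutlookAddIn $true `
    -AllowChannelMeetingScheduling $false `
    -AllowPrivateMeetingScheduling $true `
    -AllowTranscription $false `
    -AllowCloudRecording $false `
    -AllowIPVideo $false `
    -MediaBitRateKb 1500 `
    -ScreenSharingMode SingleApplication `
    -AllowParticipantGiveRequestControl $false `
    -AllowExternalParticipantGiveRequestControl $false `
    -AllowPowerPointSharing $true `
    -AllowWhiteboard $false `
    -AllowSharedNotes $false `
    -AllowAnonymousUsersToStartMeeting $false `
    -AutoAdmittedUsers EveryoneInCompany `
    -AllowPSTNUsersToBypassLobby $false

# 3. Assign the policy to a specific user; users without an explicit grant keep Global.
Grant-CsTeamsMeetingPolicy -Identity 'contractor@contoso.example' -PolicyName 'Restricted-External'

# 4. Verify the effective assignment and the guest configuration.
Get-CsOnlineUser -Identity 'contractor@contoso.example' | Select-Object DisplayName, TeamsMeetingPolicy
Get-CsTeamsGuestMeetingConfiguration
Get-CsTeamsGuestCallingConfiguration
```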
These are all of the meeting policy settings that can be configured and set on a template, which can then be applied to users or Teams. As you can see, the settings get really granular, so there is a lot of fine-tuning you can do depending on the performance and security requirements of your organization and of a given user or Team. My recommendation is to keep it simple for guests and external users and limit their functionality as much as possible, while reserving the flashy features like cloud recording for specific users who might benefit from them.
Additional Teams Security Considerations
You can also create DLP policies that will be enforced on Teams sites and Teams chats from within the Security & Compliance Center. These policies can be enabled for specific users and/or Teams to monitor chat messages and enforce DLP rules that protect sensitive or otherwise important data from being improperly shared. For more details on setting up a DLP policy, check out my other blog post, which goes in-depth on the steps for creating an effective DLP policy.
Below is a screenshot illustrating all the locations a DLP policy can be configured to protect.
Specifying a user or Team for a DLP policy is straightforward. If you click on the Choose Accounts option above for any of those locations, you will be prompted with the screen shown below. Here you can specify a user, group or team to which the DLP policy will be applied. In this example, I’m applying a HIPAA DLP policy to the SAFS team, which will check for files and messages that may contain HIPAA information and protect them accordingly.
DLP policies only work against active data. In other words, DLP policies will only look at files that are being acted on in some way, not data at rest. For insight into your data at rest, especially if you are preparing for a migration, I recommend that you use a tool like StealthAUDIT to audit your structured and unstructured data prior to migrating to O365, SharePoint Online, Teams, OneDrive for Business, etc. With StealthAUDIT we can tell you what data you have, where it is, and who has access, and determine whether it is stale and/or sensitive before migrating it into the cloud.
The added layer of DLP policy protection for Teams chats and sites gives your organization an important level of security anywhere your users may be collaborating in O365. The key words here are “in O365”, which is why disabling Guest access or External access is not recommended: your users will ultimately find an alternative route to collaborate if they need to. That being said, Teams can be a great tool for collaborating, and there are some great security features you can take advantage of to allow safe collaboration both internally and externally. Granular controls give admins the ability to manage what Teams users can use and see. Don’t be afraid to collaborate with guests or external users. Don’t be afraid to use Teams.
Chris studied Information Systems at Hofstra University before joining STEALTHbits, where he took on the role of Technical Product Manager for the SharePoint, Dropbox and Box solution sets. His focus is primarily on SharePoint security, but data security in general is a passion. Aside from technical interests, he enjoys the outdoors and hopes to one day start an animal rescue and rehabilitation center for injured, disabled and orphaned animals.