5 Tips for Hardening Microsoft Teams Security
Overview of Microsoft Teams
Microsoft Teams is an online collaboration platform that empowers team members to work together seamlessly and productively. A part of the Office 365 suite, Microsoft Teams runs on Windows, Mac, Linux, iOS and Android, enabling remote communication across virtually every desktop and mobile device.
Teams offers the following main features and services:
- Chat — This function allows users to send private messages to each other and attach files to messaging threads. OneDrive for Business serves as the underlying mechanism for file sharing in chats.
- Teams — This tab lets users create teams or join existing teams to start group collaboration and conversations in team channels. When a user creates a team, they essentially create an Office 365 Group on the backend.
- Calendar — This service syncs with users’ Outlook calendars so they can schedule meetings and plan out projects.
- Calls — This tab lets users initiate and receive peer-to-peer voice and video communications. Calls is built on the Skype framework, and in fact, many companies are replacing Skype for Business with Microsoft Teams as their enterprise communications platform.
Concerns About Microsoft Teams Security
Microsoft Teams is a powerful tool for supporting cross-functional and even cross-organizational collaboration, but its openness introduces concerns about unfettered file and data sharing between an unlimited number of users. In particular, the following features and concerns present security challenges for IT professionals.
- Guest access — The guest access feature enables team owners to invite parties from outside the organization to participate in team activities. Guests have full access to team channels, chats, shared files and meetings. Beyond the requirement that guests have a business or consumer email account, there are no restrictions or vetting procedures to govern who can or cannot receive guest access privileges. This raises obvious concerns about how easily sensitive or proprietary data can be exposed to entities outside the organization.
- Permissions model — To promote agile, self-organizing collaboration between individuals from different functional groups, Microsoft intentionally designed Teams with an open permissions model:
- Any user can become a team owner by creating a team and inviting other users to join it.
- Every team member has full access to all the data on the team’s public channels, including chat messages, meeting content and shared files. They can share files and create new channels.
- Any guest from outside the organization can share files and even create new channels within the team.
It’s easy to see how quickly this permissions model can lead to a data-sharing environment that’s great for collaboration but a headache for IT to track and control.
- App management — Users can extend the capabilities of team channels by adding apps, which can take the form of custom tabs, bots or connectors. An app lets users in a channel get content and updates directly from their favorite third-party services, such as Trello and GitHub. However, these apps often request (or even require) users to allow them to access their data, which opens the door to improper transfer of company information to external third parties. With so many partners eager to publish their productivity apps in the Teams store, IT now has an additional security concern to monitor and manage.
- Data lifecycle management — The Teams ethos of open communications and file sharing runs counter to the practices of secure data governance, which has strict protocols for the collection, usage, retention and removal of sensitive information. In addition, security and compliance standards like HIPAA and PCI DSS mandate data governance measures such as enterprise-wide labeling, oversight and tracking of content, as well as appropriate handling of data that has expired or changed classification. It’s challenging to impose this level of control on the dispersed ecosystem of chat messages and data files circulating through Teams.
- Data leakage — Without adequate security enforcement, a Teams user can deliberately or accidentally share confidential information with unauthorized recipients, which can put the company’s intellectual property, compliance status and reputation at risk. In addition, because Teams is a SaaS platform that sends and receives packets through the cloud, there is a risk that malware or bad actors will intercept files in transit and use them for malicious ends.
Security Basics of Microsoft Teams
Fortunately, Teams benefits from its integration with key elements of the Microsoft security framework:
- The file-sharing experience is powered by SharePoint.
- Team conversations are stored in a dedicated group mailbox in Exchange Online.
- Azure Active Directory (Azure AD) stores and manages team data and membership. It also manages user authentication for the Teams platform as a whole.
Before you make Teams generally available to your organization, be sure to review and configure the following:
- Authentication setup in Azure AD for user logins to Teams
- Global security settings in Office 365 — many settings carry over to Teams or to SharePoint, OneDrive and Exchange, which work in tandem with Teams
Security Tips for Microsoft Teams
In addition, you can bolster Microsoft Teams security by using a combination of built-in features and third-party tools. Here are five best practices that will help you roll out a secure deployment of Teams to your organization.
1. Set up app management.
Apps in the Teams store fall under one of three categories:
- Built-in apps provided by Microsoft
- Apps built by third parties
- Custom-built internal apps
Consider restricting the use of certain apps based on their source and how they handle data:
- To control which apps to block or make available to your organization, use the settings on the Manage apps page in the Teams admin center.
- You can also use app permission policies to block or make certain apps available to specific sets of users.
2. Establish global Teams management.
By default, any user with a mailbox in Exchange Online can create a team and become a team owner. If you want to limit the number of users with this privilege, consider creating an Office 365 group whose users have exclusive permissions to create new groups and, by extension, new teams.
Also configure the global Teams settings for your organization — you can specify organization-wide preferences such as:
- Whether users can communicate with individuals outside the organization
- Whether to enable file sharing and cloud storage capabilities
- Authentication requirements for accessing meeting content
As part of employee training, educate your users about the capability to create private channels, which are restricted to a selected subset of team members. If some team members want to collaborate on confidential content, they should create a private channel instead of a standard channel that all members and guests can access. However, keep in mind that at the time of this writing, Microsoft does not yet offer full security and compliance support for content in private channels.
3. Set up secure guest access.
You can use the Guest access settings in the Teams admin center to configure the level of access granted to guest users. For maximum security, you can leave guest access disabled by default. Or you can turn on guest access but disable certain privileges like screen sharing or peer-to-peer calls.
4. Build an information protection architecture.
Setting up an information protection architecture is critical not only for preventing data leakage but also for meeting compliance and litigation requirements.
Your Teams data resides in an assigned geographic region of the Azure cloud infrastructure, depending on your organization’s Office 365 tenant. Since different regions may follow different data security standards, it’s a good idea to make sure that the location of your Teams data is appropriate for your business requirements.
Use the following out-of-the-box and third-party tools to establish information management in Teams so that your data stays trackable, protected, and compliant.
- Electronic Discovery and legal hold — Electronic Discovery (eDiscovery) is an Office 365 tool that lets you create and manage eDiscovery cases to comply with legal You can assign members with specialized permissions to an eDiscovery case and define the parameters of a search query for content relevant to an investigation.
To preserve crucial evidence, you can place the contents of a user mailbox or team mailbox on a legal hold. The hold ensures that immutable copies of the content will remain available through eDiscovery search even if the original content is altered in Teams.
- Content search — Office 365 provides content search capabilities with rich filters to search through all your Teams data for target content. For example, you can use the search tool to find content associated with a compliance standard. Or you can perform a content search as part of an eDiscovery workflow to gather legal evidence.
- Data retention policies— You can create retention policies that specify when to keep Teams data to stay compliant with business, regulatory or litigation requirements. You can also use retention policies to direct the removal of data that no longer needs to be retained.
- Advanced Threat Protection (ATP) — This feature that detects and blocks user access to malicious content in Teams. ATP also wards off malicious files in SharePoint and OneDrive for Business, the platforms that power the file-storage and file-sharing services in Teams. Make sure that you turn on ATP for SharePoint, OneDrive and Teams.
- Data loss prevention (DLP) — You can set up DLP policies that automatically block unauthorized users from sharing sensitive data in a Teams channel or private chat. Use DLP policies to enforce secure user behavior in Teams and prevent data breaches.
- Backups — Configure automatic backups of all your Office 365 data to OneDrive or an on-premises storage drive.
- Automated information labeling — To ensure that your DLP policy actions are applied correctly, you need to accurately classify and label the data shared in Teams, which requires an automated data discovery and classification solution that ensures high precision in classification.
Netwrix Data Classification offers robust data classification technology to ensure that sensitive information in Teams is accurately and systematically tagged. Netwrix Data Classification let you control the use of tags so that sensitive files receive the correct classification. You can also apply workflows to remove tags from files whose sensitivity level has expired so that Teams users can access the files again without business disruption.
5. Audit user activity.
You can use Microsoft’s Supervision policies to monitor chats and team channels. You can also monitor usage through various built-in reports and functionality:
- Go to Analytics & reports in the Microsoft Teams admin center.
- Go to Reports > Usage in the Microsoft 365 admin center.
- Use Microsoft 365 usage analytics in Power BI.
To get even more insight into activity in Teams, use a solution like Netwrix Auditor. Netwrix Auditor provides comprehensive and detailed monitoring of events and activities, including:
- User logins to Teams
- Membership and changes to teams
- All data manipulations around the data exchanged in both regular and private conversations in Teams
- Permissions to data and changes to those permissions
- Installation of applications in Teams
FAQ for Microsoft Teams
Is Microsoft Teams secure?
Teams is a Tier D service, meaning that it is compliant with the EU Model Clauses (EUMC), HIPAA, ISO 27001, ISO 27018, and SSAE 16 SOC 1 and SOC 2 standards.
In addition, Teams is backed by Azure AD, which offers security controls such as single sign-on and two-factor authentication.
Is data in Microsoft Teams encrypted?
Microsoft Teams does not yet support end-to-end encryption. Data is encrypted in transit, at every stage of the data journey, and at rest. Intermediate services can decrypt content when needed, for example, to store data in retention records.
At-rest files are stored in SharePoint using SharePoint encryption. Notes are stored in OneNote using OneNote encryption. Chat content is encrypted in transit and at rest.
If you’re concerned about data security at mobile endpoints, the Microsoft Teams mobile client supports App Protection Policies from Microsoft Intune.
What protocols does Microsoft Teams use?
Microsoft Teams uses the following protocols:
- 264 for video
- ICE to establish media
- MNP24 for signaling
- OPUS for meetings
- SILK for peer-to-peer and voice calls
- VBSS for desktop sharing
Can activity in Microsoft Teams be monitored?
Yes. You can use the following out-of-the-box features to monitor activity and usage in Teams:
- Supervision policies
- Analytics & reports in the Microsoft Teams admin center
- Reports > Usage in the Microsoft 365 admin center
- Microsoft 365 usage analytics in Power BI
You can also use Netwrix Auditor to monitor logins, membership, permissions and data access in Teams.