Don’t make me think about security in Microsoft Teams

Microsoft Teams is a part of Office 365 and must be licensed along that way. Due to the current situation with the COVID-19 virus, Microsoft has made the Office 365 Feature Teams available free of charge for everyone until 01.2021. The details can be found in this article: https://news.microsoft.com/en-my/2020/03/17/our-commitment-to-customers-during-covid-19/

Many companies and schools around the world have now taken advantage of this offer. The topics Data Security, Data Protection and IT Security often fades into the background behind urgent business needs.

13 steeps to quickly secure you Microsoft Teams environment

Security and also Compliance aspects in Microsoft Teams are configured in the Teams Admin Center. Multiple policy packages can be created for different scenarios, users and groups. A policy package combines settings that relate to typical work processes of these users and groups.

Teams Settings

1. E-mail integration - Security impact: low

E-mail integration allows mail to be sent directly to a Team channel. The content of the e-mail is displayed in the chat in the channel and is visible to all members.

2. Files - Security impact: medium

Enable or disable file sharing and cloud file storage options for the Files tab in teams.

3. Devices - Security Impact: low

Settings for devices in the meeting room.

Meetings & Messaging Policies

Meeting policies are used to control what features are available to users when they attend Teams meetings.

4. Audio & Video - Security impact: medium

The audio and video settings can be used to turn on or off specific functions used in Teams.

5. Content Sharing - Security impact: high

Content Sharing" controls which functions are available in a Teams meeting in this context.

6. Participant & Guest - Security impact: high

The settings for participants and guests control access to Teams meetings.

7. Meeting Settings - Security Impact: high

Meeting settings are used to control whether anonymous users can attend Teams meetings.

8 Live Events Policies - Security Impact: high

Live event policies are used to configure, for example, whether participants can transcribe or whether live events can be recorded.

9. Messaging Policies - security impact: high

Messaging policies are used to control which chat and channel messaging features are available to users in Teams.

Teams Apps

10 Org-wide App Settings - Security Impact: high

This function controls which applications are available to users in Teams. Furthermore, it can be configured which 3rd party apps can be used.

11 App Permission Policies - Security Impact: high

The App Permission Policies control which apps users can use, depending on the settings in the previous step.

Org-Wide Settings

12 External Access - Security Impact: high

External access allows users to communicate with other users outside your organization. By default, users can communicate with all external domains.

13 Guest Users - Security Impact: high

Teams allows users to invite external users to join Teams. When external users are added to a team, they receive an invitation that they must accept before they can access it. Microsoft has provided a checklist for Guest Users in Teams: https://docs.microsoft.com/en-us/microsoftteams/guest-access-checklist  

What rights guest users have is set in the Team Admin Center.

Some permissions are configured directly in Teams.

Advanced Features (Office 365 E3 / E5) - Information Protection and Labeling for Teams

Microsoft has consolidated the topic of classification / labeling under the name Unified Labeling, which can be found in the Office 365 Security & Compliance Center. The menu Classification->Sensitivity Labels let you create labels that also affect Microsoft teams.

Encryption:

Who can access files and e-mail messages that are labeled, regardless of the user rights that person has in Teams.

Content labeling:

Add custom headers, footers, and watermarks to email messages or documents that are labeled.

Prevent data loss:

Currently, only endpoint DLP features offered by Windows Information Protection (WIP) are available. DLP settings for Office 365 applications will be available soon.

Site and Group Settings (also affecting Microsoft Teams):

Note that these settings are not applied to files, so they have no effect on downloaded copies of files.

Auto-labeling for Teams:

An auto label policy always includes the location of a file. For example, all files that are stored in a particular Team can automatically get a label. This function can be supplemented by rules that only assign the label if the defined parameters also exist, such as a specific phrase in a document.