Microsoft Teams was designed from the ground up to be an open, accessible collaborative environment—and that’s great. It’s very effective. But all that openness can also open up some security vulnerabilities that should make any IT professional at least a little uncomfortable. Here are 10 ways that you can tighten things up a bit—without ruining people’s Teams experience.
1. Limit Who Can Create a Team
By default, anyone with an Exchange account can create and manage a team. Teams is designed to be open like that, on purpose. Is that really what you want, though? It’s great in terms of promoting collaboration, but it’s a headache for security people.
Consider restricting team creation privileges to certain people or groups. You can create an Office 365 group with the ability to create new groups, and that will give the people in that group the right to create new teams. Then take the team-creation privileges away from anyone not in that group.
2. Control Guest Access
By default, team owners can invite outside participants who have full access to the team’s resources and files. Many teams use the guest access feature to allow clients and other non-employees to participate in certain activities, such as contributing to group chats or downloading files. Not all teams need this, though. You can turn guest access off in the Teams Admin Center. If you leave guest access enabled, lock it down by granting only minimal permissions to guests.
3. Control Application Usage
Team members can install applications in Microsoft Teams to extend its functionality, but that raises a security threat. Do you trust that app? Do you trust end users to decide which apps are trustworthy? Some apps come from Microsoft itself, and these are fine, but third-party apps can be risky. Some apps require access to user data, and that can compromise sensitive company information.
In the Teams Admin Center, you can specify which apps can be installed, and also which users are allowed to install them. Don’t hesitate to use this administrative power to head off problems.
4. Pay Attention to User Activity
Don’t run your Teams systems on auto-pilot—be an active, aware daily caretaker. Pay attention to changes in permissions and memberships, who is signing in (and when and where), and what files are being uploaded and downloaded. A third-party tool like CoreView can come in really handy for this monitoring because it shows all information in a single pane; you don’t have to jump around to various screens to collect it.
5. Clean Your Teams
Security breaches often come from accounts that should have been deprovisioned but weren’t for some reason. This is definitely the case with Teams. Team owners often create guest accounts for outside people who need to participate in a team for a limited time, and then they forget to remove that access when the project is over.
CoreView can help with that. It can let you know which teams and users are inactive, so you can clean them up. It can even send reports to the specific people responsible for this cleanup, and those reports can contain active links that enable the recipient to act on the data right there from within the report.
6. Set Up Multi-Factor Authentication
You’ve probably been reminded of this many times—but it bears repeating every time. You can dramatically decrease phishing and malware damage on your systems by making multi-factor authentication the default for all accounts. MFA makes it more difficult for bad actors to steal login credentials, trick users into downloading malware, and impersonate legitimate users.
7. Stick to the Principle of Least Privilege
Just like in the other systems that you might administer; Teams is the most secure when nobody has any permissions that they don’t need. That’s what the principle of least privilege is about: figuring out who needs to do what and locking everything else down. CoreView can help with this too, by showing you permissions assigned to various people at a glance and enabling you to make on-the-fly changes as appropriate.
8. Set Teams Policies
As a Teams admin, you have access to a variety of policies that you can apply to individual teams or across the board. These policies enable you to turn certain features on or off—which helps with enforcing the principle of least privilege. There are policy settings you can adjust for meetings, app permissions, messaging, team discovery and channel creation, live events, and voice services. You can create policy packages and apply them to groups of users, so you don’t have to tweak the settings individually for each team and channel.
9. Be Selective About Management Permissions
There are various administrator roles available for Teams, such as Teams administrator, Teams communications administrator, Teams devices administrator, and so on. The main problem with these is that they’re global. If someone is a Teams Administrator, then they have administrator permissions across the entire tenant. And because hacked admin accounts can do more damage, the more admins you have, the more vulnerable your systems are.
For better security, assign management permissions in a more granular way. You can’t do this with the default Teams admin capabilities, but you can do it with CoreView by using virtual tenants. Virtual tenants enable you to have functional access control, where you can assign permissions to do certain admin functions individually, and also limit the scope. You can divide up duties by almost any Active Directory attribute, like department, location, or job role.
10. Educate Users
As an admin, you can only do so much to save users from themselves, right? For each problem you identify, there are two more that you don’t catch until it’s too late. The ultimate long-term solution to that is to teach your users how to protect themselves. Make sure team owners understand the importance of keeping their team membership tidy and limiting guest permissions. Make sure end-users know what suspicious links and attachments look like, and what to do when they notice them. Make sure users with elevated privileges understand that the benefits of using MFA outweigh the inconveniences. Over time, users may even start educating each other! And then you’ll finally get to take that long coffee break you’ve been dreaming about.
How CoreView Can Help
Many of the things suggested in this article become much easier when you allow CoreView to help manage your M365 and Teams platforms. CoreView offers a free M365 tenant security audit that can help you baseline your current system and make a plan for improving it; click here to request an audit and get started.