July 9, 2020
Teams is Microsoft’s fastest growing technology platform with over 42 Million daily active users. With remote working becoming increasingly common, and right now the new and only normal, organisations are struggling to grapple with securing information within their cloud applications. Since Teams is the window into multiple applications in Office 365, naturally companies want to make sure that they can protect content uploaded and shared in Teams. This article takes you through the top 5 ways to secure your Microsoft Teams environment.
1. Multifactor Authentication (MFA)
Even in today’s world where users are securing their social media applications with 2-Factor authentication, many companies have yet to embrace MFA because a.) They do not understand how it works, and b.) They fear that the rollout of MFA will adversely impact how users work with the platform.
Microsoft has provided a plethora of guides on how to roll out MFA within Office 365. Naturally, this extends to Microsoft Teams. In the same way, users are prompted when initially logging into any Office 365 application, so too will users be prompted to provide additional security information when logging into Microsoft Teams. There are multiple ways of providing 2-step authentication for Office 365. This can be achieved using: (via a mobile phone)
- Verification Code – SMS/Call/Email/Microsoft Authenticator App
- App Password
With phishing scams continuing to grow, this is a sure fire way of making sure that, even if the users account has been compromised, the attacker/hacker is unable to log into the platform.
Additional consideration: Enable Self-Service Password Reset for all your users when you enable MFA. This will help with the onboarding process as most users forget what their passwords were to begin with.
2. Conditional Access
Conditional access for Office 365 is Microsoft’s silver bullet to locking down access control of Office 365 apps and services even more. Think of it as supercharging your access control. Conditional Access policies provide organisations with the ability to “police” user devices; if their device is in compliance or not, and also location; is where they are accessing the platform from safe or not.
Conditional Access uses either the corporate identity (Active Directory) or Intune (Additional license required) to risk profile the user, and based on that risk, certain restrictions are applied. My favourite is the “impossible travel” policy where if a user is found logging in from different locations at the same time, the user is flagged and can be blocked from accessing the platform.
Additional consideration: Devices can be remotely wiped at an app level. i.e. Since most users have personal devices like tablets and mobile phones accessing the platform, if the device is compromised, the applications pertaining to the organisation can be removed remotely, including all related data.
3. External Access
What is the point of being able to collaborate with just users that are internal to your organisation? In order to communicate with people outside of your organisation, IT Administrators will need to enable External access. This can be done in one of two ways: (External access is turned on by default)
- All external Skype for Business and Teams users
- Allowing users from a specific domain access (If you add a domain, all other domains will automatically be blocked so be careful)
Note: External Access alone does not allow for external users to interact with your organisations Teams and Channels. Enabling Guest Access is required for this.
Additional Consideration: Even though External and Guest Access is enabled, it does not mean that external users will have access to files in your Team (SharePoint) or files shared through chat (OneDrive). These settings are managed in either the SharePoint or OneDrive Admin centers.
4. Teams Policies
Microsoft Teams has its own set of policies that can be applied to the entire organisation or to individual Teams, based on the policy type. These policies are for enabling or disabling certain features inside of Teams. These policies apply to:
Meetings – These policies are used to manage what users can do in meetings.
App permissions – What apps are made available or unavailable to users and or Teams and Channels
Messaging – What can and cannot be used or done in messages
Teams – This policy only has two options: Discover private teams and Create private channels (Most important!!)
Live events – Settings for features in live events in Teams
Voice – Call park, Calling and Caller ID. These govern the ability to route, make and identify traditional telephone calls through Teams
Additional Consideration: When documenting your user types, by logically grouping users to features, you can create policy packages that will apply predefined policies to a group of users so that you do not have to repeatedly create policies for each Team, app or channel.
5. Content Protection
As with everything in Office 365, all content stored in your tenant, be it in SharePoint, OneDrive or Exchange can be protected. This is done through the M365 Security and Compliance Centers. (Yes, Microsoft has split out the Security and Compliance Center).
Emails, chats, messages, and content can be protected using:
- Sensitivity Labels – Labels are used to apply restrictions (no copying, forwarding, printing, sharing, editing) to not only content stored inside the Team but also to the connected Office 365 group-connected Team site. This allows the organisation to apply a default label to all content stored inside the Files Tab in team that meets a certain criterion.
- Retention – Retention in Office 365 is used to make sure that content is retained for a predetermined amount of time and then disposed of. Organisations can create Retention policies that apply to chats, channel messages, SharePoint sites and OneDrive accounts so that content that may be deleted, is in fact, retained, based on the retention and disposition of the policy.
- Safe Attachments – Teams content is protected by Office 365’s Advanced Threat Protection. This means that any content that is uploaded that is deemed malicious, will be blocked.
- Data Loss Prevention – With DLP policies, organisations can apply rules to content that contain specific words and or phrases. These rules can either passively notify a DLP administrators or actively encrypt and restrict access to content.
In closing Microsoft Teams is touted as being the new digital dashboard for users productivity suite, so it is of vital importance that organisations get to grips with what is available from Microsoft 365 in the form of content security, and how to use the tools available to secure content more effectively when using Microsoft Teams. By applying some of the tips listed here, organisations can breathe a sigh of relief when their users create, collaborate around, and share content internally and externally.
NOTE: Private channels operates differently so be weary when working through security for it. More information can be found here. https://docs.microsoft.com/en-us/microsoftteams/private-channels
Resources for more information:
Multifactor Authentication – https://www.microsoft.com/en-us/security/business/identity/mfa
Conditional Access – https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview
External Access – https://docs.microsoft.com/en-us/microsoftteams/manage-external-access
Teams Policies – https://docs.microsoft.com/en-us/microsoftteams/teams-policies
Content Protection – https://docs.microsoft.com/en-us/microsoftteams/security-compliance-overview
M365 Partner Accelerators | Secure Remote Work Workshop – https://www.microsoft.com/microsoft-365/partners/microsoft-365-accelerators#microsoft-365-partner-accelerators-secure-remote-work
Collaboration means two-way communication!
Did you like this article? Are you interested in this topic? Would you like to share your knowledge and experience with the authors and other readers? Our #communityrocks group on Facebook is bringing everyone involved together: authors, editors and readers. Join us in sharing knowledge, asking questions and making suggestions. We would like to hear from you!
Join us on Facebook
How to Create Microsoft 365 Groups: Find Your Favorite Flavor
With so many recipes for making a Group, it’s helpful to find an approach that suits your palate. Here’s what all chefs should know.
Using Synology NAS, Microsoft Azure and Microsoft Teams to back up and show photos
The impetus for this article is a little bit odd and worth recalling, after I mentioned on Facebook how I was dealing with sorting, managing, and archiving family photos, quite a discussion developed. This short article answers many of the questions that were asked there.
Microsoft Information Protection – now and in the weeks to come
Many organizations are presented with a major challenge regarding the protection of privacy sensitive and confidential information.