Security and compliance considerations for Microsoft Teams

Admins will need to make these decisions around security and governance when porting from Office 365 Pro Plus to Microsoft Teams.

Office 365 Pro Plus users were recently upgraded from Skype for Business to Microsoft Teams, joining some 13 million users of Microsoft’s new collaboration platform. Teams can provide a great deal of productivity and communication, but it can also introduce security and compliance issues. Take the time to plan and you can build in security and compliance from the initial roll-out.

If you are deploying Office 365 Pro Plus, you need to make some adjustments to your security and governance framework for Teams. Those currently using Skype for Business will need to plan governance and security decisions for Teams as they face a deadline to upgrade by July 31, 2021.

Tracking and logging options

Like many other Office 365 products, the options you have for tracking and logging depend on your license. Unless you have an Azure AD P1 or Azure AD P2 license, you won’t be able to set some guidelines on Microsoft Teams that may have impacts relevant to human resources. This includes actions such as setting rules for team and channel naming, setting naming policies that require prefixes or suffixes, and defining custom blocked words that let you block any potentially harmful or dangerous words inside your organization.

With the basic access to Microsoft Teams, you can allow or prevent guests from being added to teams and can limit team creation to administrators. By default, guests are not allowed to be added to a team. You must go into the admin portal to enable guest access. Anyone with an email address can be added to a team. If you want to perform any advanced functions in governance, including assigning classifications to teams or limiting team creation to security group members, you will need an Azure AD P1 license.

Setting message policies

Think of the limits you may wish to set for a team that will have HR impact. For example, you can set a policy on whether team members can edit or delete sent messages.

To set this policy, log in as the administrator and open the “Microsoft Teams admin center” dashboard. Click on “Teams”, then “Manage teams”, highlight the team in question, and click on “Edit”. Slide the bar if you do not want users to be able to delete messages.

Set policies for deleting messages in the teams admin portal

If you want to add Advanced Threat Protection (ATP) to Teams, you will need the proper license. To set ATP, which will protect you from inadvertently sharing malicious files, first make sure that Logging is enabled in your Office 365 environment. Next, go to https://protection.office.com, and sign in with your admin account. Then go to the “Security & Compliance Center”, and in the left navigation pane under “Threat management”, choose “Policy > Safe Attachments”. If you don’t see this setting, you aren’t licensed for it.


ATP safe attachments screen

Click on “ATP Safe attachments”, and then click to enable the ability to scan files and attachments.


Enable ATP safe attachments

If you want to use PowerShell to set this policy, ensure that you are set up to connect remotely by downloading the Exchange PowerShell module or by using a PowerShell script to set up the module. Then run this command:

Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $True

If you want to confirm that ATP is enabled using PowerShell, connect to Teams using Connect-EXOPSSession. Then run this PowerShell command:

Get-AtpPolicyForO365 | fl Name,EnableATPForSPOTeamsODB

Verify the value for EnableATPForSPOTeamsODB is set to “True”.

Next, ensure that external domains are not allowed to connect to your Teams setup. If external domains are allowed to connect, attackers may be able to pretend to be someone a user knows and then send malicious links or attachments to users, resulting in a breach or leakage of information.

To verify that access with external users is disabled, use the Microsoft 365 Admin Center:

  1. Select “Admin Centers” and go to the “Teams” section.
  2. Toward the bottom, select “Org Wide Settings” and “External Access”.
  3. Verify “External access” and “Users can communicate with external Skype for Business and Teams users” are set to “Off”.

Disable external access

Next, ensure that external file sharing is disabled. To verify external file sharing in Teams, use the Microsoft 365 Admin Center:

  1. Select “Admin Centers” and go to the “Teams” section.
  2. Toward the bottom, select “Org Wide Settings” and “Team Settings”.
  3. Verify “Files” is set to “On” only for authorized cloud storage options.

Choose which cloud file sharing options you want to allow
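
The three verification steps above (ATP, external access, cloud storage) can be evaluated in one pass; the following is an added example, not part of the original article. Get-CsTenantFederationConfiguration, Get-CsTeamsClientConfiguration, their Allow* properties and their mapping to the admin-center toggles are assumptions not taken from the article, and the function name and sample objects are constructed for illustration.

```powershell
# Added example. Live input would come from the tenant, for example:
#   $atp = Get-AtpPolicyForO365                  # cmdlet used in the article
#   $fed = Get-CsTenantFederationConfiguration   # assumed source for external access
#   $cfg = Get-CsTeamsClientConfiguration        # assumed source for cloud storage
function Test-TeamsBaseline {
    param(
        [Parameter(Mandatory)] $AtpPolicy,
        [Parameter(Mandatory)] $Federation,
        [Parameter(Mandatory)] $ClientConfig,
        [string[]] $ApprovedStorage = @()   # storage switches the organization has authorized
    )

    # Emit one finding object per setting that deviates from the expected value.
    function New-Finding($Check, $Setting, $Value, $Expected) {
        [pscustomobject]@{ Check = $Check; Setting = $Setting; Value = $Value; Expected = $Expected }
    }

    # ATP must be scanning files in SharePoint, OneDrive and Teams.
    if ($AtpPolicy.EnableATPForSPOTeamsODB -ne $true) {
        New-Finding 'ATP' 'EnableATPForSPOTeamsODB' $AtpPolicy.EnableATPForSPOTeamsODB $true
    }

    # External access: both switches should be off (property mapping is an assumption).
    # A missing property is reported too, so the check fails closed.
    foreach ($name in 'AllowFederatedUsers', 'AllowPublicUsers') {
        if ($Federation.$name -ne $false) {
            New-Finding 'External access' $name $Federation.$name $false
        }
    }

    # Third-party cloud storage: on only where explicitly approved.
    foreach ($name in 'AllowDropBox', 'AllowBox', 'AllowGoogleDrive', 'AllowShareFile') {
        if ($ClientConfig.$name -eq $true -and $name -notin $ApprovedStorage) {
            New-Finding 'File sharing' $name $true $false
        }
    }
}

# Constructed sample objects standing in for the cmdlet output, so this runs offline.
$atp = [pscustomobject]@{ Name = 'Default'; EnableATPForSPOTeamsODB = $false }
$fed = [pscustomobject]@{ AllowFederatedUsers = $true; AllowPublicUsers = $false }
$cfg = [pscustomobject]@{ AllowDropBox = $true; AllowBox = $true; AllowGoogleDrive = $false; AllowShareFile = $false }

Test-TeamsBaseline -AtpPolicy $atp -Federation $fed -ClientConfig $cfg -ApprovedStorage 'AllowBox' |
    Format-Table -AutoSize
```

An empty result means all three checks passed; each returned row names the setting to correct in the admin center.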


Copyright © 2019 IDG Communications, Inc.
