According to a study conducted by Mio, 91% of businesses use at least two messaging apps, of which slack and Microsoft Teams are present in 66% of the organizations surveyed. Teams adoption has been growing quickly due to its interoperability with the rest of the Office 365 suite which makes collaborating easier than ever. While collaboration is great, security is a major concern for organizations who are still considering the move to Teams from Slack, Skype, etc. The great double-edged sword with Microsoft Teams is that its ability to collaborate with others both internally and externally presents concerns for security and data loss prevention. In this guide, I will show you what external and guest access controls Teams provides as well as some other security considerations you should be aware of.
When a Team is created, a site is created for the Team and every member of that Team is given access to it. When a file is shared in a Teams chat, a copy of that file is uploaded to that Team’s site so it is accessible in both locations. This is important to know when allowing External access or Guest access to your Teams tenant.
I’d like to clarify the difference between External access (federation) and guest access as they are different:
Tenant admins can choose between enabling External access, Guest Access (or both) communication, depending on which level of collaboration is desirable with the external party. However, due to the limitations on collaborative tools allowed via External access, we recommend enabling guest access for a fuller and more collaborative Teams experience.
Navigate to the Microsoft Teams admin center from the O365 admin center and expand out the Org-wide settings node.
The external access tab reveals the External Access page which has two options for allowing communication with external users. Choose which external communication you would like to enable based on the settings shown below:
This page also allows you to add domains to an allowed or blocked list. By default, your organization can communicate with all external domains. If you add blocked domains, all other domains will be allowed but if you add allowed domains, all other domains will be blocked. This makes it simple to configure cross-organizational trust to other Teams outside of your org or otherwise in separate domains. If your organization rarely collaborates with outside domains/organizations then setting up some known/trusted domain trusts here is a good idea. This way all other domains will be blocked until a formal request to add them is submitted and approved. In general, it’s better to be safe than sorry so if you’re not sure set up an inclusion to block all external domains which can be easily included later.
The guest access tab– A guest is someone who isn’t an employee, student, or member of your organization. They don’t have a school or work account with your organization but they do have some sort of business account (Azure AD account) or consumer email account like a Gmail. Disabling Guests is easy, but at the end of the day would you rather your users work in a place you have visibility or figure out alternative ways of communicating? My suggestion is the former, enable guest access to allow your users to enjoy the collaborative experience of Microsoft Teams and most importantly keep your users’ communication in a place you have visibility while taking advantage of setting up proper security controls and DLP policies, to collaborate safely. For some additional info on external sharing best practices check out my other blog post which goes in-depth on the available settings and policies!
Additional Guest controls:
1. Allow private calling: On or Off
2. Meeting settings:
The messaging settings are pretty straight forward and content related but these settings should not be overlooked as these bells and whistles can eat up resources especially in large organizations. For example, the IP video setting can be a resource hog if too many users are leveraging it as it takes up a lot of bandwidth. The same logic is true for other functions in teams, so in addition to controlling what your users are doing for security purposes, setting up a custom meeting or user policies to limit available functionality can help with performance as well.
Building upon the section above, meeting policies can help with the security and performance of your Teams tenant. Here you can manage all of the functionality available to users during meetings if you apply this policy to them. Limitations here can help with both security and performance.
Here’s a breakdown of the settings available to you if you were to add a new custom Meeting Policy:
2. Audio & Video
3. Content Sharing
4. Participants and Guests
These are all of the meeting policy settings which can be configured and set on a template which can then be applied to users or Teams. As you can see the settings get really granular so there is a lot of fine-tuning you can do depending on the performance and security requirements of your organization and a given user or Team. My recommendation is to keep it simple for guests and external users and limit their functionality as much as possible while reserving the flashy features like Cloud Recording for specific users who might benefit from it.
You can also create DLP policies which will be enforced on Teams sites and Teams chats from within the Security & Compliance Center. These policies can be enabled on specific users and/or Teams to monitor chat messages and enforce DLP rules to protect sensitive or otherwise important data from being improperly shared. For more details on setting up a DLP policy check out my other blog which goes in-depth on the steps for creating an effective DLP policy.
Below is a screenshot illustrating all the locations a DLP policy can be configured to protect.
Specifying a User or Team for a DLP policy is straightforward. If you click on the Choose Accounts option above for any of those locations you will be prompted with the screenshot below. Here you can specify a user, group or team for which the DLP policy will be applied. In this example, I’m applying a HIPAA DLP policy to the SAFS team which will check for files and messages that may contain HIPAA information and protect it accordingly.
DLP policies only work against active data. In other words, DLP policies will only look at files that are being acted on in some way and not data at rest. For insight into your data at rest – especially if you are preparing for a migration – I recommend that you use a tool like StealthAUDIT to audit your structured and unstructured data prior to migrating to O365/SharePoint Online/Teams/OneDrive for business etc. With StealthAUDIT we can tell you what data you have, where it is, who has access and determine its stale and/or sensitive before migrating it into the cloud.
The added layer of DLP policy protection of Teams chats and sites gives your organization an important level of security anywhere your users may be collaborating in O365. The keywords here being in O365, which is why disabling guest access or external access is not recommended as your users will ultimately find an alternative route to collaborate when if they need to. That being said, Teams can be a great tool for collaborating and there are some great security features you can take advantage of to allow safe collaboration both internally and externally. Granular controls give admins the ability to manage what Teams users can use and see. Don’t be afraid to collaborate with guests or external users. Don’t be afraid to use Teams.
Chris studied Information Systems at Hofstra University before joining Stealthbits – now part of Netwrix where he took on the role as the Technical Product Manager of SharePoint, Dropbox, and Box solution sets. His focus is primarily on SharePoint security, but data security, in general, is a passion. Aside from technical interests, he enjoys the outdoors and hopes to one day start an animal rescue and rehabilitation center for injured, disabled, and orphaned animals.
Adopting a Data Access Governance strategy will help any organization achieve stronger security and control over their unstructured data. Use this free guide to help choose the best available solution available today!Read more
Start a Free Stealthbits Trial!
No risk. No obligation.