Microsoft Teams

This page lists security settings and configurations that are advisable to implement in your environment.
Each environment is different, but I believe the settings below are easy to set up and provide a way to reach a more mature security level.

  1. Disable external and guest access in Teams
  2. Disable external cloud service storages
  3. Enable modern authentication

Disable external and guest access in Microsoft Teams

Whether to apply this setting depends on your organization, but it is advisable to start by disabling external and guest users. A guest user can be granted access to a team and can then view the documents related to that team. An external user can't be added to a team, but internal users can chat and share their desktop with them. It is also possible to add a whitelist or blocklist for external users to limit the domains your users can chat with. Guest users are currently disabled by default and external users are allowed.

How will this impact my users?

Users are unable to chat with external users or share content using Teams.

 

Using the user interface

This setting needs to be changed at the Teams admin center. The direct link is https://admin.teams.microsoft.com/

For external users, go to Org-wide settings -> External access

For guest users, go to Org-wide settings -> Guest access

Using PowerShell

You can use PowerShell to automatically change the settings in Microsoft Teams. It still uses the old SkypeOnlineConnector module.

Import-Module SkypeOnlineConnector
$CSSession = New-CsOnlineSession
Import-PSSession -Session $CSSession

Set-CsTeamsClientConfiguration -AllowGuestUser $False -Identity Global

Note that this PowerShell command only covers guest access, as there is currently no PowerShell command for external access.

Disable external cloud service storages

This setting depends on your organization and the external cloud services you use or allow. SharePoint Online is the default storage service in Microsoft Teams, and you can add Dropbox, Box, GoogleDrive and ShareFile as external storage. These are enabled by default, and we advise disabling them if they are not allowed.

How will this impact my users?

Users are unable to add Dropbox, Box, GoogleDrive or ShareFile as a tab in Microsoft Teams.

Using the user interface

This setting needs to be changed at the Teams admin center. The direct link is https://admin.teams.microsoft.com/ and from there go to Org-wide settings -> Team settings.

Disable all services and make sure to save the changes.

Using PowerShell

You can use PowerShell to automatically change the settings in Microsoft Teams. It still uses the old SkypeOnlineConnector module.

Import-Module SkypeOnlineConnector
$CSSession = New-CsOnlineSession
Import-PSSession -Session $CSSession

Set-CsTeamsClientConfiguration -AllowDropbox $False -AllowBox $False -AllowGoogleDrive $False -AllowShareFile $False

Enable modern authentication

Modern authentication makes it possible to log on using multi-factor authentication, a smartcard or certificates. It is advisable to enforce modern authentication if possible, because multi-factor authentication can be circumvented if basic authentication is still allowed. Should the need arise to allow basic authentication, you can use conditional access to further protect the environment by allowing basic authentication only for some users from some locations.

How will this impact my users?

Users will no longer be able to use older or third-party applications that only work with basic authentication, like Office 2010.

Using PowerShell

You can only use PowerShell to change this setting in Microsoft Teams. It still uses the old SkypeOnlineConnector module.

Import-Module SkypeOnlineConnector
$CSSession = New-CsOnlineSession
Import-PSSession -Session $CSSession

Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
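
To verify that the settings from all three sections are in place, the following added example (not part of the original page) compares a configuration against the values recommended above. Test-TeamsBaseline is a hypothetical helper name, and the sample objects are constructed so the script runs without a tenant; against a live session it assumes the Get- counterparts of the Set- cmdlets used on this page.

```powershell
# Added example: audit Teams settings against the values this page recommends.
# Test-TeamsBaseline is a hypothetical helper, not a Microsoft cmdlet.
function Test-TeamsBaseline {
    param(
        [Parameter(Mandatory)] $ClientConfig,  # e.g. Get-CsTeamsClientConfiguration -Identity Global
        [Parameter(Mandatory)] $OAuthConfig    # e.g. Get-CsOAuthConfiguration
    )

    # Guest access and external cloud storage should all be switched off.
    $expected = [ordered]@{
        AllowGuestUser   = $false
        AllowDropBox     = $false
        AllowBox         = $false
        AllowGoogleDrive = $false
        AllowShareFile   = $false
    }

    $results = @(foreach ($name in $expected.Keys) {
        $actual = $ClientConfig.$name
        [pscustomobject]@{
            Setting   = $name
            Expected  = $expected[$name]
            Actual    = $actual
            # A missing property ($null) is reported as non-compliant.
            Compliant = ($null -ne $actual) -and ($actual -eq $expected[$name])
        }
    })

    # Modern authentication: the override should read 'Allowed'.
    $adal = "$($OAuthConfig.ClientAdalAuthOverride)"
    $results += [pscustomobject]@{
        Setting   = 'ClientAdalAuthOverride'
        Expected  = 'Allowed'
        Actual    = $adal
        Compliant = ($adal -eq 'Allowed')
    }
    $results
}

# Constructed sample input: guest access off, cloud storage on, no ADAL override.
$sampleClient = [pscustomobject]@{
    AllowGuestUser = $false; AllowDropBox = $true; AllowBox = $true
    AllowGoogleDrive = $true; AllowShareFile = $true
}
$sampleOAuth = [pscustomobject]@{ ClientAdalAuthOverride = 'NoOverride' }

Test-TeamsBaseline -ClientConfig $sampleClient -OAuthConfig $sampleOAuth |
    Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

With the remote session from the steps above imported, pass the output of Get-CsTeamsClientConfiguration -Identity Global and Get-CsOAuthConfiguration instead of the sample objects.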
