If you know that you should have a security strategy for your Microsoft Teams, but you’re not sure what should be included, we’ve got you covered.
With organizations around the world increasingly relying on virtual collaboration, Microsoft Teams security is more important than ever. But knowing that you need to properly secure your Teams environment isn’t the same as knowing exactly how to kickstart security.
Microsoft Teams security is complex, layered, and, at times, confusing. Creating a governance strategy focused on security can help make it clearer for yourself, your end users, and your organization as a whole.
What’s in this blog?
Why Microsoft Teams security governance is so essential
There are lots of reasons to use Microsoft Teams, but one of the main reasons is for end users to be able to work and collaborate productively. They’re who you’re setting Teams up for, they’re the ones who will be creating teams, sending messages, and sharing files with each other.
So, you have to make sure that there are guardrails in place that protect sensitive information without hindering productivity. And you have to make sure that your end-users know why those guardrails exist and how to use Teams in a way that doesn’t put your organization at risk.
That’s why establishing a governance plan for Microsoft Teams security is so critical.
Governance strategies are not one-size-fits-all. You’ll need to determine what works best for your organization. But if you think the easiest and safest route to take is to turn off self-service and prohibit guest access and external sharing, first consider how that might affect productivity.
Your users may not be able to complete their work efficiently. Or, they may turn to unapproved, unsecured shadow IT to collaborate and get their work done.
Thankfully, there are ways to customize security settings for different teams, so you can make sure that each team has the freedom they need to excel without posing a significant risk to your business.
1. Classify and label Microsoft teams
The first step in building a Microsoft Teams security governance strategy is identifying and organizing all of your teams and the content in them.
A classification scheme is the process of organizing data into categories that make it easier to understand, leverage, and protect it. In Microsoft Teams, each team should fall into a security classification. As an example, Microsoft’s classification scheme includes:
Microsoft’s data classification scheme.
Once you’ve classified all of your teams, you’ll be able to configure security settings around them. For example, you may want to stipulate that if a team is labeled as “Highly confidential”, members won’t be able to invite guests to that team.
Make sure there’s no ambiguity between the classifications. If a user creates a new team and doesn’t know the difference between “Highly confidential” and “Confidential,” they could accidentally mislabel their team, leading to confusion, security risks, or unnecessary restraints on productivity.
You need to educate end users about the classification scheme so that it’s used properly. This will make your job easier, especially when it comes to configuring security settings.
It’s also possible to label teams based on their classifications. The Microsoft Information Protection (MIP) framework allows you to attach sensitivity labels to content, Microsoft teams, and SharePoint sites.
You can implement privacy settings based on sensitivity labels throughout your Azure AD Tenant, Microsoft 365, and Microsoft Teams to ensure your end users follow the security settings that you’ve established for content and teams based on their classification and sensitivity labels.
Built-in sensitivity labels from the MIP framework are managed through a single portal—the Microsoft 365 compliance center—which unifies labeling and protection policy management across Azure Information Protection labels (AIP), Microsoft 365, and Windows.
For a more automated solution, ShareGate, our Microsoft 365 migration and management platform, can be a great help for automating Microsoft Teams governance. It has a “Group sensitivity” feature that enables you to automatically apply custom security settings to your teams and Microsoft 365 groups depending on each one’s level of sensitivity. Being able to do this in-app gives you more granular control and doesn’t require an Azure AD Premium license.
2. Configure Microsoft Teams guest access settings
Remote work is a reality everywhere, so virtual collaboration is more crucial to productivity than ever. However, not all organizations need the same kind of guest access settings.
To configure organization-wide guest access settings in Microsoft, you have to start at the top: your Azure tenant. From there, you can also configure settings in Microsoft Teams and SharePoint. At each of these different levels, you can configure guest access settings to determine policies such as who has the ability to invite new guests, which features guests have access to, and how guests can access content.
In the Azure portal, you can configure organization-wide guest access settings.
For more details on how to configure all of these settings, check out our article about configuring guest access settings for secure collaboration in Microsoft Teams.
Configuring organization-wide guest access settings is a critical step, but Microsoft also allows you to customize guest access settings at the individual team level. This is hugely helpful because not all teams are created equal. For example, a team dedicated to a project that requires contributions from consultants probably shouldn’t have the same kind of security settings that a team containing employee salary information has.
Being able to configure guest access settings based on each team’s purpose ensures your data is sufficiently secured without hindering productivity.
You can manually configure guest access settings for individual teams.
You can configure these customizations manually for each individual team, but that can be a hassle. It’s also an ongoing job as new teams are created regularly within your organization.
Instead, you can automate this process using the classification strategy and sensitivity labels that we just discussed!
With an Azure AD Premium P1 license, you can use Microsoft’s Information Protection unified labeling to apply security settings to teams based on the sensitivity labels given to them. The service automatically applies the same sensitivity label to the associated Microsoft 365 group and the connected SharePoint team site, as well.
Also, ShareGate has a feature that allows you to automatically apply custom-fit security settings to each team based on its level of sensitivity. It enables you to manage a Microsoft 365 group or team’s individual security settings directly in-app, giving you more granular control over each team’s security settings—and without the need for an Azure AD Premium license.
3. Conduct external access reviews
Depending on your settings, users can invite anyone with an email address to join existing teams and channels, where they can access team resources, conversations, and shared files as a guest. But the convenience of self-service has led to a need for better access management capabilities.
There are two ways to do manual external access reviews:
- Review guest membership in individual teams
- Review sharing links for each team’s SharePoint sites
Review guest membership in individual teams
As an IT admin, you need to proactively engage with team owners to make sure they review who has access to their resources. Within Microsoft Teams, it’s easy for you and team owners to see the guest members of each team. If the members of the team are still collaborating with those guests, great! If not, they should probably be removed to ensure they aren’t given unnecessary access to your organization’s content.
You can review the guests of individual Microsoft teams in the Microsoft Teams admin center or in the Microsoft Teams app.
You’ll probably need to follow up with various owners to make sure they’ve actually reviewed membership. Then, you still have to log any changes they make for audit and compliance purposes. After all of that is finally said and done, you’ll be just about ready to start on the next review; for ongoing security, you need to review guest access regularly.
Aside from requiring quite a bit of manual work, this option is problematic because you can only see external users that were added as members to that team (i.e. granted guest access). If a user shares a file directly with someone outside the organization, that external individual won’t be listed as a guest.
Review sharing links for each team’s SharePoint sites
To make sure you catch all external sharing links, including those shared with external users who aren’t team guests, it’s possible to generate a report on file and folder sharing in each team’s associated SharePoint site.
The resulting CSV file will tell you if any files or folders are being shared with guests. It includes sharing info for every unique file, user, permission, and link on that SharePoint site.
You can run a report to view all links that have been shared externally from a Microsoft team’s associated SharePoint site.
To get full visibility, you need to run a report for every single SharePoint site connected to one of your Microsoft teams—so right off the bat, this option requires quite a bit of heavy lifting for IT.
Then once you’ve run all those reports, you still need to send each team’s report to the team owners so they can validate or revoke external access to the links. You’ll have to be in communication with team owners to make sure they’re taking any necessary actions so that you can document all changes made for compliance and internal auditing reasons.
Similar to reviewing guest membership in teams, reviewing sharing links is ongoing because new links are being shared externally all the time.
If having to do both guest membership and sharing link reviews continually seems like a lot of work, it’s because it is. Thankfully, there’s a third way to conduct external access reviews.
Schedule automatic sharing reviews
The truth is, there’s simply no easy way to manually review external access for each of your teams using Microsoft’s out-of-the-box solutions. You’re much better off leaving all that work to ShareGate.
ShareGate allows you to schedule automatic sharing reviews, giving you full visibility into who’s shared what, when, and with whom. Simply connect your tenant to our software to see every single link to files shared externally by each of your teams. We do all the heavy lifting for you—no need to code, script, search audit logs, or manually pull reports anymore.
ShareGate automates the process of reviewing guest access in Microsoft Teams.
Once your external sharing policy is set, the team owners you’ve entrusted will receive an automatic email asking them to review all of their team’s external sharing links. They have 14 days to respond, with a follow-up email sent after the first week, so you don’t have to worry about chasing people down for answers.
In just a few clicks, entrusted owners can delete links to sensitive files through our easy-to-use interface—no need to go to each of their SharePoint team sites to revoke access.
4. Enforce multi-factor authentication
One of the fastest and easiest ways to protect your Microsoft Teams environment (and Microsoft tenant more generally) is to use enforce multi-factor authentication (MFA).
It’s a great out-of-the-box tool from Microsoft that forces people who want to sign in to your tenant to successfully present two or more pieces of evidence to authenticate that they are who they say they are. This is especially useful now as remote work is complicating security, with more people signing into Teams from work computers, home computers, tablets, and phones—sometimes all on the same day.
According to Microsoft, enabling MFA ensures your accounts are up to 99.9% less likely to be compromised. Passwords, regardless of how many characters and symbols they’re made up of, aren’t as effective at keeping your data secure as using a second form of authentication.
MFA is typically deployed with Conditional Access, which allows you to require additional attributes for administrators to sign in and also control where users connect and authenticate—for example, what location, IP address, etc.
If you haven’t already, you should enforce MFA organization-wide.
Microsoft Teams security is a complex topic. To try and list every security feature or tool that can help ensure your data is protected, we would have to write a book rather than a blog. But with these four steps, you’ll be well on your way to securing your Microsoft Teams data, users, and environment.