Background image

Microsoft Teams quick start guide to security

Msteamsguidetosecurity Featured Msteamsguidetosecurity Featured

In the last year, adoption of Microsoft Teams has skyrocketed. As organizations adjust to the realities of distributed work, security is a key concern. Learn how to enable collaboration without compromising the security of your environment.

In October 2020, Microsoft Teams reached 115 million daily active users. The platform has become a staple within our newly distributed workforce, enabling organizations to function remotely while allowing them to remain agile enough to hit their goals.

A key concern with remote work is security. In order to best safeguard your environment, you’ll want to work closely with users to develop a strategy and guidelines that everyone can get behind. While it may be tempting to lock down your environment and restrict access to features, this approach only functions in the short-term.

According to Dresner Advisory Services’ 2020 Self-Service Business Intelligence Market Study, 62% of businesses say self-service is essential to their operations.

By involving users and entrusting them to make their own decisions, security becomes a shared responsibility. We always encourage the enabling of self-service in Microsoft Teams as they promote end user productivity as well as adoption. In fact, according to Dresner Advisory Services’ 2020 Self-Service Business Intelligence Market Study, 62% of businesses say self-service is essential to their operations.

However, giving people the power to create teams and share data without educating them on the best practices of the platform can compromise the security of your environment.

We’ve created this guide to help you find the sweet spot, allowing users enough freedom for effective collaboration while minimizing the risk involved in a more hands-off approach to governance.

Our guide will help ensure that you are maximizing collaboration with Microsoft Teams while securing your environment:

  1. Keep self-service enabled to boost user adoption and drive productivity

    Enable self-service and empower users to use the tools you provide for them while reducing the threat of shadow IT.

  2. Identify your sensitive data so you can keep it secure

    Get to know your data. Take inventory, understand where it lives and who uses it, and label it according to level of sensitivity.

  3. Understand the structure of Microsoft Teams

    Learn about the tools that make up the Teams user experience and where you can configure settings to protect your organization without being restrictive.

  4. Educate end users to keep security top of mind in every action they take

    Set users up for success by providing them with the knowledge they need to avoid common cyber security attacks and to keep your sensitive data safe.


State of Microsoft 365
ShareGate logo

Stay up-to-date on the latest migration, modernization, and security trends!


1. Keep self-service enabled to boost user adoption and drive productivity

Self-service features are an integral part of the Microsoft Teams experience. By keeping self-service switched on, you’ll empower users to actually make use of the tools you are providing for them, which is kind of the whole point, right?

While it may seem daunting for IT admins to hand over some of their control, there are real benefits to keeping self-service enabled.

Encourage user adoption

Research indicates that learning by doing is the most effective method of retaining information. Over time, users will become better acquainted with the features and functionalities of the tool and will get more value from it. This will bring out the best in your users, allowing them to showcase their creative skills and collaborate in ways that work for them.

As users take on more responsibility, you’ll reclaim some of that time you previously spent managing their day-to-day tasks, freeing you up to tackle more big-picture administrative duties.

Reduce shadow IT security risks

It will also help you bypass another potential security pitfall, shadow IT. This is exactly what happens when users don’t have the necessary knowledge to use IT-approved systems (or the freedom to take the action they need) and instead find a backdoor approach. This can compromise the security of your environment and leave you vulnerable to data leaks and cyber-attacks.

Enabling self-service features will encourage your users to stay within Microsoft Teams where you can keep an eye on what’s being created and shared.

Use guardrails to guide decision making

Remember, it’s not all or nothing–enabling self-service doesn’t mean a free-for-all, and you can still put restrictions in place to make sure users are adhering to naming conventions and to prevent sprawl.

So, with this in mind, consider the fact that it might be time to allow your hatchlings to leave the nest, and watch them flourish as they create teams and share data to their hearts’ content.


2. Identify your sensitive data so you can keep it secure

When thinking about security, it’s important to understand that there is no one-size-fits all solution. If the security measures across your organization are too lax, you risk compromising sensitive information. Too many restrictions, and you risk hindering user adoption–which defeats the purpose of enabling self-service in the first place.

Think about a multi-tiered approach to data protection

Depending on your organization, and the different types of data you’re working with, you’ll likely want to come up with a multi-tiered approach to protecting your data. Different types of data necessitate different levels of protection.

This is why creating a clearly defined data classification scheme should be a key component of your Microsoft Teams security strategy.

In order to protect your data, start by creating a detailed inventory. Here are some things to consider:

  • What data is necessary to keep?
  • Where is the data located?
  • Who has access to it, both internally and externally?
  • How is the data used?
  • What level of protection does the data warrant?

Best practices for creating a data classification scheme

There’s a lot that goes into creating an effective data classification scheme. We’ve identified the best practices to get you started on the right foot.

  1. Consider what makes sense for your organization. If you’re not dealing with highly classified documents, you probably don’t need to have high levels of protection applied across all of your data. Understanding the specific needs of your organization will help you better determine how you can manage your data while still making it accessible to users who need it.
  2. Get your users involved. Users are the ones who deal with the content on a daily basis, and they likely have a pretty good idea of what exists and what level of protection it necessitates. Use that to your advantage, and invite users to be a part of the classification process.
  3. Keep it simple. Your data classification scheme should be easily comprehensible with several clearly defined levels of data sensitivity and corresponding protocols.

For a more in-depth exploration of data classification, check out our full blog post on defining an effective data classification scheme for Microsoft 365.


3. Understand the structure of Microsoft Teams

Microsoft Teams is essentially a user-facing interface that unites Microsoft 365 products on the back end. In order to understand how to secure Microsoft Teams, you first need to know where your Teams-related data lives.  

Certain security settings can be managed from the Microsoft Teams admin center, while others are managed within the tools that are related to your Microsoft Teams experience.

Teams is built on top of other Microsoft 365 services like Microsoft 365 Groups, SharePoint, OneDrive, and Exchange.

When a new team is created in Teams, a dedicated SharePoint site is automatically created. That’s where the files and folders visible in a team channel’s Files tab actually live. You can control what content can be shared and who has permission to access the contents of this SharePoint site by configuring settings within the SharePoint admin center.

Users’ personal OneNotes live in the OneDrive organizational document library. Files shared in private chat sessions, or a chat during a meeting or call, are uploaded and stored in the OneDrive account of the user who shared the files.

One-on-one chat conversation history, voicemails, and calendar meetings are stored in the Exchange mailboxes of individual users, while group and channel chat conversation history, team mail, and contacts can be found in the Exchange team mailbox.

When users engage in one-on-one chat conversations

Each team also has an affiliated Microsoft 365 group. You can manage the membership of your teams and assign permissions on a team-by-team basis by configuring the settings of the associated Microsoft 365 group within the Azure Active Directory.

You can assign specific roles to users (owner/guest/member) and configure the permissions associated with each role accordingly. These permissions will be applied consistently across all related tools, so if a user is designated as a member in a Microsoft 365 group, these same permissions will apply to them in Teams, as well.

Managing settings from the Microsoft Teams admin center

Within the Microsoft Teams admin center, you can configure organization-wide settings that apply specifically to the Teams app itself.

You can also set policies around team and channel creation, meetings, and messaging.

  • Manage channels: Make channels accessible to all team members, or set to private and limit to a specific group of users. You get to decide who has the power to create channels and who can add connectors, apps, and tabs.
  • Meetings: Allow meetings to be recorded, let users share content, take control of a PowerPoint presentation, or mute other participants.
  • Messaging: Allow users to delete or edit sent messages, remove other users from a chat, and turn read receipts on or off.

To learn more about getting the most out of Microsoft Teams, check out our Teams 101 Cheat Sheet.


4. Educate end users to keep security top of mind in every action they take

According to IBM Security’s Cost of a Data Breach Report, 24% of data breaches are caused by human error. The best way to counteract security threats to your organization is by taking proactive measures and arming users with the necessary knowledge to implement the best practices of security in every action they take.

According to IBM Security’s Cost of a Data Breach Report, 24% of data breaches are caused by human error.

Here are some security awareness training best practices for end users across your organization:

  • Anti-phishing: Phishing scams are some of the most commonly used attacks by hackers. Train users to be able to identify the telltale signs of a phishing scam and what to do when they receive a suspicious email.
  • Password management: Educate end users in the best practices for creating strong passwords and password management, like not sharing their passwords with others.
  • Data classification: We’ve mentioned this before, but it bears repeating—users should have a thorough understanding of how data is classified and the protections that are in place.
  • Microsoft Teams best practices: Microsoft’s End User Training for Microsoft Teams is a great resource to help guide users through the ins and outs of Microsoft Teams and avoid security pitfalls down the line.

End users really are your first line of defence against potential cybersecurity attacks, so take the time to invest in training them.

Educating end-users and building a security strategy for your organization requires an up-front investment, but this investment will pay off tenfold by providing you with peace of mind and allowing you to take a more collaborative approach to governance.

Recommended by our team

What did you think of this article?

Create a dream Teams! Watch our MVP-led masterclass on Microsoft Teams lifecycle management