In the last few years, adoption of Microsoft Teams has skyrocketed. As organizations adjust to the realities of distributed work, security is a key concern. Learn how to enable collaboration without compromising the security of your environment.
Microsoft Teams has become a staple within our distributed workforce, enabling organizations to function remotely while allowing them to remain agile enough to hit their goals.
A key concern with remote work is security. To best safeguard your environment, you’ll want to work closely with users to develop a strategy and guidelines that everyone can get behind. While it may be tempting to lock down your environment and restrict access to features, this approach only functions in the short term.
Security becomes a shared responsibility by involving users and entrusting them to make their own decisions. We always encourage enabling self-service in Teams because it promotes end-user productivity and adoption. In fact, according to Dresner Advisory Services’ 2020 Self-Service Business Intelligence Market Study, 62% of businesses say self-service is essential to their operations.
But giving people the power to create teams and share data without educating them on the platform’s best practices can compromise your environment’s security.
We’ve created this guide to help you find the sweet spot, allowing users enough freedom for effective collaboration while minimizing the risk involved in a more hands-off approach to governance.
Our guide will help ensure that you’re maximizing collaboration with Microsoft Teams while securing your environment:
- Keep self-service enabled to boost user adoption and drive productivity
Enable self-service and empower users to use the tools you provide while reducing the threat of shadow IT.
- Identify your sensitive data so you can keep it secure
Get to know your data. Take inventory, understand where it lives and who uses it, and label it according to level of sensitivity.
- Dos and don’ts of managing external users
Consider these pointers as a starting point to help keep your collaborative Teams content secure.
- Understand the structure of Microsoft Teams
Learn about the tools that make up the Teams user experience and where you can configure settings to protect your organization without being restrictive.
- Educate end users to keep security top of mind in every action they take
Set users up for success by providing them with the knowledge they need to avoid common cyber security attacks and to keep your sensitive data safe.
1. Keep self-service enabled to boost user adoption and drive productivity
Self-service features are an integral part of the Microsoft Teams experience. By keeping self-service switched on, you’ll empower users to actually use the tools you provide for them, which is kind of the whole point, right?
While it may seem daunting for IT admins to hand over some of their control, there are real benefits to keeping self-service enabled.
Encourage user adoption
Research indicates that learning by doing is the most effective method of retaining information. Over time, users will become better acquainted with the features and functionalities of the tool and will get more value from it. This will bring out the best in your users, allowing them to showcase their creative skills and collaborate in ways that work for them.
As users take on more responsibility, you’ll reclaim the time you previously spent managing their day-to-day tasks, freeing you up to tackle more big-picture administrative duties.
Reduce shadow IT security risks
It will also help you bypass another potential security pitfall, shadow IT. This is exactly what happens when users don’t have the necessary knowledge to use IT-approved systems (or the freedom to take the action they need) and instead find a backdoor approach. This can compromise the security of your environment and leave you vulnerable to data leaks and cyber-attacks.
Enabling self-service features will encourage your users to stay within Teams where you can keep an eye on what’s being created and shared.
Use guardrails to guide decision making
Remember, it’s not all or nothing. Enabling self-service doesn’t mean a free-for-all. You can still put restrictions in place to ensure users adhere to naming conventions and prevent sprawl.
So, with this in mind, consider that it might be time to allow your hatchlings to leave the nest, and watch them flourish as they create teams and share data to their hearts’ content.
2. Identify your sensitive data so you can keep it secure
When thinking about security, it’s important to understand that there is no one-size-fits-all solution. If the security measures across your organization are too lax, you risk compromising sensitive information. Too many restrictions and you risk hindering user adoption, defeating the purpose of enabling self-service in the first place.
Think about a multi-tiered approach to data protection
Depending on your organization, and the different types of data you’re working with, you’ll likely want to devise a multi-tiered approach to protecting your data. Different types of data necessitate different levels of protection.
This is why creating a clearly defined data classification scheme should be a key component of your Microsoft Teams security strategy.
To protect your data, start by creating a detailed inventory. Here are some things to consider:
- What data is necessary to keep?
- Where is the data located?
- Who has access to it, both internally and externally?
- How is the data used?
- What level of protection does the data warrant?
Best practices for creating a data classification scheme
There’s a lot that goes into creating an effective data classification scheme. We’ve identified the best practices to get you on the right foot.
- Consider what makes sense for your organization. If you’re not dealing with highly classified documents, you probably don’t need to have high levels of protection applied across all of your data. Understanding your organization’s specific needs will help you better determine how you can manage your data while still making it accessible to users who need it.
- Get your users involved. Users are the ones who deal with the content daily, and they likely have a pretty good idea of what exists and what level of protection it necessitates. Use that to your advantage, and invite users to be a part of the classification process.
- Keep it simple. Your data classification scheme should be easily comprehensible with several clearly defined levels of data sensitivity and corresponding protocols.
For a more in-depth exploration of data classification, check out our full blog post on defining an effective data classification scheme for Microsoft 365.
3. Dos and Don’ts of managing external users in Microsoft Teams
DO: Configure settings at each authorization level
Once you’ve authorized guest access in Teams, you can further configure settings at each authorization level to control the guest access experience according to the needs of your organization:
- Azure AD
- org-wide guest access settings: Determine how external collaborators can be invited into your tenant.
- Microsoft Teams
- Org-wide Teams settings: Configure external access and guest access settings, including guest access capabilities for calling, meeting, and messaging. These settings are applied across all of your teams in the Teams admin center.
- Guest permissions for individual teams: Control if guests can create, update, and delete channels on a team-by-team basis in the Teams app.
- Organization-level sharing settings: Decide whether to allow users to share content anonymously or limit sharing to authenticated external users. These settings are applied across every SharePoint site in your tenant. External sharing settings include more options such as limiting external sharing by domain and allowing only users in specific security groups to share externally.
- Site-level sharing settings: Apply more restrictive sharing settings on a site-by-site (and thus team-by-team) basis.
- Microsoft 365
- Global sharing settings: Manage access for people outside your organization and for groups and teams.
DON’T: Turn off external sharing completely
If external sharing is disabled in your organization, then guest access in Teams will also be shut down.
Because of the risks associated with external sharing, some Microsoft 365 admins think it’s better to disable it entirely. But this can lead to other problems, like employees turning to unapproved and external tools such as Box.com or Google Drive to send documents—the dreaded shadow IT.
We recommend keeping external sharing enabled and configuring the settings according to your business needs. If you simply turn it off, employees will find a way to accomplish their daily tasks by some other means.
DO: Review external users
Conduct regular access reviews to understand how sharing is used in your organization’s Teams. Reviewing external users by the owners of a team. As an IT admin, you need to proactively engage with team owners to make sure they review who has access to their resources. This can be done with Azure Access Reviews, or by automating the review process using ShareGate’s management solution for Microsoft 365.
DON’T: Let everyone outside—inside your organization—have access to your data
One of the downsides of inviting guests in Teams is the access they get to all standard channels. This could lead to sensitive content stored in standard channels falling into the wrong hands. Instead, you can directly invite a guest in Teams shared channels without allowing them access to the standard channels.
Authenticated or anonymous? If you decide to enable external sharing in Teams—and we recommend that you do!—only sharing with authenticated external users is the safest way to go. Decide whether allowing authenticated external users or allowing anonymous external users align with your organization’s needs. In most cases, it’s probably best to only allow authenticated external users, or to set an expiration date at the very least, which will automatically clean up your unused teams. This will allow you to maintain an efficient and organized environment over time and follow up with who has access to what.
DO: Use provisioning tools
By using provisioning tools, you can define templates that allow or block guests and the type of sharing link. This way, you can ensure the template has the right external access settings according to your organization’s requirements.
ShareGate’s Teams provisioning feature lets you easily build templates that help your business users create teams, with your organization’s policies in place for them to follow. Automating these processes will mitigate potential errors during team creation and prevent orphaned accounts, keeping your environment secure and organized.
3. Understand the structure of Microsoft Teams
Microsoft Teams is a user-facing interface that unites Microsoft 365 products on the back end. To understand how to secure Microsoft Teams, you first need to know where your Teams-related data lives.
Certain security settings can be managed from the Teams admin center, while others are managed within the tools related to your Teams experience.
Managing Microsoft Teams settings through its related tools
Teams is built on top of other Microsoft 365 services like Microsoft 365 Groups, SharePoint, OneDrive, and Exchange.
When a new team is created in Teams, a dedicated SharePoint site is automatically created. That’s where the files and folders visible in a team channel’s Files tab live. You can control what content can be shared and who has permission to access the contents of this SharePoint site by configuring settings within the SharePoint admin center.
Users’ personal OneNotes live in the OneDrive organizational document library. Files shared in private chat sessions, or a chat during a meeting or call, are uploaded and stored in the OneDrive account of the user who shared the files.
One-on-one chat conversation history, voicemails, and calendar meetings are stored in the Exchange mailboxes of individual users, while group and channel chat conversation history, team mail, and contacts can be found in the Exchange team mailbox.
Each team also has an affiliated Microsoft 365 group. You can manage the membership of your teams and assign permissions on a team-by-team basis by configuring the settings of the associated Microsoft 365 group within the Azure Active Directory.
You can assign specific roles to users (owner/guest/member) and configure the permissions associated with each role accordingly. These permissions will be applied consistently across all related tools, so if a user is designated as a member in a Microsoft 365 group, these same permissions will also apply to them in Teams.
Managing settings from the Microsoft Teams admin center
Within the Microsoft Teams admin center, you can configure organization-wide settings that apply specifically to the Teams app itself.
You can also set policies around team and channel creation, meetings, and messaging.
- Manage channels: Make channels accessible to all team members, or set to private and limit to a specific group of users. You get to decide who has the power to create channels and who can add connectors, apps, and tabs.
- Meetings: Allow meetings to be recorded, let users share content, take control of a PowerPoint presentation, or mute other participants.
- Messaging: Allow users to delete or edit sent messages, remove other users from a chat, and turn read receipts on or off.
To learn more about getting the most out of Microsoft Teams, check out our Teams 101 Cheat Sheet.
4. Educate end users to keep security top of mind in every action they take
According to IBM Security’s Cost of a Data Breach Report, 24% of data breaches are caused by human error. The best way to counteract security threats to your organization is by taking proactive measures and arming users with the necessary knowledge to implement the best practices of security in every action they take.
Here are some security awareness training best practices for end users across your organization:
- Anti-phishing: Phishing scams are some of hackers’ most commonly used attacks. Train users to be able to identify the telltale signs of a phishing scam and what to do when they receive a suspicious email.
- Password management: Educate end users on the best practices for creating strong passwords and password management, like not sharing their passwords with others.
- Data classification: We’ve mentioned this before, but it bears repeating—users should thoroughly understand how data is classified and the protections in place.
- Microsoft Teams best practices: Microsoft’s End User Training for Microsoft Teams is a great resource to help users navigate the ins and outs of Teams and avoid security pitfalls down the line.
End users are your first line of defense against potential cybersecurity attacks, so take the time to invest in training them.
Educating end-users and building a security strategy for your organization requires an up-front investment. This investment will pay off tenfold by providing peace of mind and allowing you to take a more collaborative approach to governance.