How to Secure Teams | Teams Governance & Security Explained


Spurred on by the onset of the global pandemic, since the beginning of 2020, organizations worldwide have been aggressively migrating to cloud Software-as-a-Service (SaaS) offerings. As a result, the business workforce is now more hybrid than ever before. The modern distributed workforce is often comprised of employees from all over the world. This article

Microsoft 365, together with Microsoft Teams, has become wildly popular among businesses. As organizations look for modern productivity, communication, and collaboration, Microsoft Teams has many great features that allow enterprises to empower remote workers with the tools needed.

What is Microsoft Teams?

Microsoft Teams is a communication and collaboration app that allows distributed team members to stay organized, have conversations, and share resources in a single location. It has become wildly popular with businesses, especially since the onset of the global pandemic. Microsoft has touted that the platform has surpassed 250 million monthly active users.

Microsoft Teams has over 250 million monthly active users

In Teams, users can see an easy listing of all the teams they are a part of, along with the various channels found in each team. Channels can be built based on topic, department, or other purpose needed by team members. In channels, team members can have conversations, hold meetings, and share files.

Microsoft Teams enables collaboration and productivity

You can think of Microsoft Teams as the central location for communication and collaboration for team members. It allows organizations to replace many smaller applications, each used for bits and pieces of functionality, with the functionality provided by Teams. These capabilities may include:

    • Chat
    • Voice calls
    • Video conferencing
    • File sharing
    • Shared calendars
    • Internal Wikis
    • Others

Even with the app consolidation and streamlined collaboration and communication platform provided by Microsoft Teams, organizations may begin to find it challenging to manage and control the use of Teams across their organization. As a result, businesses need to have a plan to enforce Teams governance and security.

What is Teams Governance and Why is it Important?

A tremendously important requirement for businesses today is governance. With today’s compliance and security requirements, organizations must have a standardized way of ensuring their processes and procedures align with the business’s overall objectives. This structured or formal framework is known as IT governance.

With IT governance in place, companies can meet business goals and legal obligations, and mitigate the risks associated with security concerns. Without governance measures in place, the opposite is true. As a result, businesses open themselves up to compliance issues, data leak risks, and other major security concerns.

Microsoft Teams is a robust collaboration and communication platform that allows businesses to move into the modern era of cloud-centric productivity applications. However, with Teams, governance issues can quickly arise. As businesses begin using Microsoft Teams, several questions need to be considered, including:

    • Who can create Teams?
    • Who is allowed to invite people to become part of a Microsoft Team?
    • Do you allow external users to connect with internal users?
    • How do you avoid Microsoft Teams sprawl?
    • How are “stale” Teams and channels controlled?
    • How is data retained?
    • How do you audit Teams content and provide reporting?
    • How do you provide security guardrails around end-user activities in Microsoft Teams?

As you can tell by the questions listed above, businesses must think about the management and technical details of Teams day-to-day operations and how Teams activities and data align with the established overall governance policies decided upon by the business.

When Microsoft Teams governance is not in place, several challenges and issues can develop quickly. What are some of these?

    • Informal processes emerge – With little or no governance in place, informal processes and procedures may emerge which may not be consistent or align with governance objectives decided upon by the business.
    • Slow adoption – With additional challenges as a result of poor implementation of Microsoft Teams due to little or no governance, end-users in the organization may be slow to adopt Teams, causing issues with collaboration, communication, and overall productivity.
    • Exaggerated IT tickets – Governance helps to make sure processes and procedures are carried out in a particular way. When these guardrails are not in place, there is often a dramatic uptick in IT tickets.
    • Shadow IT issues – A lack of governance usually leads to lax security policies and protections in place. It can lead to shadow IT developing in the organization where end-users are using and integrating unsanctioned solutions into the cloud SaaS environment.
    • Inconsistent processes between departments – Inconsistent policies, processes and workflows can develop between departments, exacerbating confusion and inconsistency and muddying overall direction.
    • Compliance issues – A lack of governance when using Microsoft Teams can lead to compliance issues which can lead to serious fines and other penalties.

Microsoft Teams Security Configurations

In terms of security, Microsoft has designed Teams with a focus on security. Many built-in mechanisms help to ensure Teams is trustworthy by design and by default. What security components has Microsoft built into Teams? It provides the following security protection by default:

    1. Strong PKI features – Microsoft has designed Teams with strong PKI features. It is built on top of the PKI infrastructure found in Windows Server and includes key data exchange over TLS connections.
    2. Denial-of-service protection – Attackers can carry out denial-of-service attacks on networks as a scheme for extortion. Teams helps to mitigate denial-of-service attacks using Azure DDoS network protection and client access throttling with AI-backed intelligence.
    3. Eavesdropping protection – With Teams mutual TLS server communication architecture and TLS from clients to the service, it is extremely difficult for attackers to carry out an eavesdropping attack.
    4. Identity spoofing protection – Microsoft Teams encrypts all traffic using TLS. This encryption helps to prevent an attacker from performing IP address spoofing on a specific connection. In addition, the certificate authentication used by Teams also makes it difficult to spoof the address of the domain name system (DNS) server.
    5. Protection against man-in-the-middle attacks – Teams uses SRTP to encrypt media streams in Microsoft Teams. After cryptographic keys are negotiated between two endpoints, then secure communication begins.
    6. Real-time Transport Protocol (RTP) replay attack protection – Teams’ SRTP-enabled secure signalling protects transmissions from replay attacks.
    7. Spim protection – Teams protects against instant messaging spam (spim) by providing the ability to block messages from senders as well as to disable federation from partner connections with Teams.
    8. Protection against viruses and worms – Teams works in harmony with standard client security best practices such as virus scanning and next-generation endpoint protection, leveraging AI-based threat intelligence.

Let’s take a look at Microsoft Teams security configurations that help to minimize cybersecurity threats to your business-critical data. The core of Microsoft Teams security revolves around key areas of the architecture:

    1. Azure Active Directory
    2. TLS and MTLS security protocols
    3. Encryption
    4. User and client authentication
    5. Customer ownership of security

1. Azure Active Directory

Microsoft Teams uses Azure Active Directory (Azure AD) as the identity source for user accounts and authorization. Azure AD stores the account information and policy assignments used by Microsoft 365 and Office 365. In addition, Azure Active Directory enables security filtering and other solutions to be identity-based.

2. TLS and MTLS security protocols

Microsoft Teams secure communication is built on top of both TLS (Transport Layer Security) and MTLS (Mutual Transport Layer Security) protocols. These protocols provide encrypted communications and endpoint authentication on the Internet. These two security protocols are used to establish secure, trusted communication between end-users and Microsoft Teams services.

TLS handles user authentication when a client connects to Teams servers. The client requests a valid certificate from the Teams server. After verifying that the certificate is valid, the client uses the public key in the certificate to encrypt the symmetric encryption keys to be used for the communication. The valid certificate owner (Teams) then uses the private key of the certificate (known only to Teams) to decrypt the communication.

Microsoft Teams server-to-server communication relies on MTLS. All communication between servers relies on the exchange of security certificates between the servers. The certificates prove the identity of each server in the communication. Both of these security protocols are essential in preventing eavesdropping and man-in-the-middle attacks.

3. Encryption

Encryption is a vital security layer to protect the contents of your data. Encryption ensures the information contained in business-critical data is unreadable to unauthorized users. Microsoft Teams uses multiple layers of encryption to secure your data. Microsoft Teams data is encrypted in transit and at rest in Microsoft data centers.

Microsoft also uses TLS and SRTP to encrypt all data in transit between users’ devices and Microsoft data centers and between data centers.

We mentioned the MTLS encryption in server-to-server communications. Media, such as call flows, are encrypted using Secure RTP (SRTP). It provides confidentiality, authentication, and replay attack protection for RTP traffic. To protect against man-in-the-middle attacks, Teams uses a 20-digit security code from SHA-256 thumbprints of the caller’s and callee’s endpoint call certificates.

4. User and client authentication

Going back to Azure AD, trusted users are users who have credentials validated using Azure Active Directory in Microsoft 365 or Office 365. Authentication provisions the user credentials to a trusted server or service. Microsoft uses a specific implementation of OAuth 2.0 for the client to server communications, called Modern Authentication (MA).

User and client authentication is carried out using Azure AD and OAuth. Clients’ requests to the server are authenticated and then authorized using Azure AD and OAuth 2.0 (MA). Only users with valid credentials are trusted and pass through the same process that scrutinizes native users.

5. Customer ownership of security

Microsoft cloud SaaS services, like those of other hyper-scale cloud service providers, operate on a shared responsibility model. It means that you, as the customer, are ultimately responsible for your data and the security of your data. Note the published shared responsibility model from Microsoft regarding the various levels of responsibility for cloud data:

Microsoft shared responsibility model

As shown in the infographic above, the customer always retains the responsibility for information and data, devices (mobile and PCs), and accounts and identities. This underscores the importance of enforcing strong cybersecurity hygiene for end-users, accounts, and devices used to access Microsoft Teams and other Microsoft cloud infrastructure.

Even with the built-in cybersecurity layers in Microsoft Teams, as mentioned above, there must be additional “people and processes” security protections in place. Organizations must do their due diligence to ensure users receive the appropriate security training and decide how to secure end-user devices that access Microsoft Teams.

This ownership of information and data also means organizations must take data backups of their Microsoft Teams data into their own hands and ensure they have a way to recover from data loss.

Microsoft Teams Security Issues

Going along with governance issues that are commonly encountered with Microsoft Teams, security is a critical area that must be given attention when deploying Microsoft Teams. Teams allows end-users to easily collaborate, share data, communicate, and even connect with users who may exist outside the organization. Today, data is arguably the most valuable possession of businesses and must be closely protected.

The consequences can be disastrous if an organization’s precious digital assets fall into the wrong hands. Malicious threat actors are continually looking for ways to compromise organisational data through ransomware, data leaks, and other malicious activities.

As a result, business leaders and other key stakeholders must ensure any solution, including Microsoft Teams, is properly secured and has the necessary policies to protect their data from any number of threats. What are the top security threats that are important to consider with Microsoft Teams?

    1. Guest users
    2. Access from unmanaged devices or untrusted locations
    3. Malware
    4. Data leak
    5. No backups

Take note of these other Microsoft 365 security questions answered: Your Office/Microsoft 365 Security Questions Answered (altaro.com)

1. Guest users

Following the standard capabilities of the cloud SaaS operating model, Microsoft Teams allows end-users to easily collaborate with others, even users who are external to the organization (guest users). For example, users may find it helpful to add external users such as vendors, customers, contractors, or others who may request access to documents, file resources, chat threads, or Teams channels to communicate directly with those needed in various conversations.

While adding external users to the environment may benefit effective communication, data security must take precedence. As part of the business’s governance policies, administrators can either enable or disable guest access, preventing guests outside the organization from accessing the environment.

2. Access from unmanaged devices or untrusted locations

One aspect of cloud SaaS applications that provides flexibility and ease of access is the ability to use any device to access the sanctioned business environment. Some organizations may even allow employees to use “bring your own” (BYO) devices to access Microsoft Teams.

Again, this is a decision that the business must make. However, allowing access from unmanaged devices or untrusted locations can lead to elevated security risks and increased threats resulting from potentially suspect devices with existing security vulnerabilities, malware, or other concerns.

3. Malware

The recent attacks on Colonial Pipeline and JBS, a meat processing supplier, help to illustrate just how damaging a ransomware attack can be to an organization. In addition, ransomware attacks that target critical services lead to real-world fallout with disrupted services and other consequences. In the case of the Colonial Pipeline attack, it led to weeks of fuel shortages on the Eastern seaboard of the United States.

Modern ransomware is becoming more “cloud-aware,” targeting cloud OAuth permissions with malicious applications integrated into cloud SaaS services, including Microsoft Teams. Ransomware today also uses the threat of data leak and data encryption to extort money from organizations.

Administrators must ensure proper security in their cloud SaaS environments, including Microsoft Teams, to help minimize the risk of a ransomware attack. Additionally, controlling third-party applications and other integrations is necessary.

4. Data leak

Data leaks can be extremely devastating to businesses. A data leak event can cost companies millions of dollars and lead to many intangible costs and damages such as lost customer confidence and damaged business reputation. In addition, a data leak can quickly happen if end-users can share data easily with those outside the organization, such as guest users.

As noted above, data leak threats are commonly used as threat tactics to force organizations to pay the ransom demanded when they fall victim to a ransomware attack. Disabling external sharing and introducing protections against ransomware and OAuth abuse can help to minimize this threat.

5. No backups

Data protection, consisting of backups, is considered one of the most basic forms of security. Unfortunately, many businesses assume their data is automatically backed up when located in the cloud. While cloud service providers do have basic mechanisms to provide limited rollbacks, these do not cover all forms of data loss.

Ransomware and accidental data deletion are two of the most common causes of data loss in the enterprise today. Therefore, using a third-party backup solution to back up your Microsoft Teams data is extremely important. A third-party solution allows the organization to meet the 3-2-1 backup rule, with multiple data copies, offsite storage, and other features.

What is Teams sprawl and why does it happen?

One of the advantages of using Microsoft Teams to empower users is that they have the freedom to collaborate and communicate with fellow teammates and others, which nurtures a natural workflow of creativity and productivity. However, when users are given the freedom to use Teams without any policies or other guardrails, they can create many different Teams on demand and without supervision.

It reminds us of the explosion of virtualized environments where new virtual machines could be provisioned with reckless abandon. For example, in the early stages of virtualized environments, organizations might have hundreds of VMs provisioned, with little or no purpose, management, or security protections in place.

The same basic challenge exists with Microsoft Teams without the proper protections in place. Teams sprawl can happen due to the following reasons:

    • Multiple teams are created in the POC and testing phase – All too often, deployments of solutions such as Microsoft Teams transition from POC and testing into production without any real organization or forethought. This leads to disjointed, confusing, and unnecessary Teams and channels.
    • Multiple teams can be created on the same subject, topic, or project – A common culprit behind Teams sprawl is multiple teams created on the same topics and themes. It causes many issues and blurs consistent, clear communication within Teams.
    • Lack of end-user training – When users are not properly trained on how to use Teams, sprawl can certainly begin to occur as users create many unnecessary Teams and channels.
    • Rushed deployment of Microsoft Teams – A rushed deployment of Teams leads to a lack of forethought, organization, governance, and training to help provide the boundaries needed to ensure Teams is deployed effectively and aligns with governance decisions agreed upon by the business.

How can Organizations Manage the Naming of Teams

Microsoft has introduced Microsoft 365 groups naming policies (requires AAD Premium P1/M365 E3) to help organizations control the naming conventions used in Microsoft Teams. It allows enforcing a consistent naming strategy for groups created by users in your organization for services like Microsoft Teams, SharePoint, Planner, Yammer, etc.

Microsoft 365 groups naming policy allows enforcing the following features:

    • Prefix-Suffix naming – You can define prefixes or suffixes based on fixed strings or on attributes of the user creating the group.
    • Custom Blocked Words – Define a set of words that are not allowed in group names. For example, blocking redundant words like “team” in a Microsoft Teams group name can be beneficial.

Read more about Microsoft 365 groups naming policies here: Microsoft 365 groups naming policy | Microsoft Docs
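As an added example (not the article’s or Microsoft’s code), the following Python simulates how a groups naming policy transforms and vets a requested group name: a prefix and suffix built from fixed strings and [Attribute] tokens resolved from the creating user, plus a blocked-word check. The policy values and user attributes are constructed, and the whole-word, case-insensitive matching is an assumption about the check rather than a statement about Microsoft’s implementation.

```python
import re

# Constructed sample policy (not a real tenant's): prefix and suffix templates may
# mix fixed strings with [Attribute] tokens resolved from the creating user.
POLICY = {
    "prefix": "GRP-[Department]-",
    "suffix": "-[Country]",
    "blocked_words": ["team", "CEO", "payroll"],
}

_ATTR_TOKEN = re.compile(r"\[(\w+)\]")
_WORD = re.compile(r"[A-Za-z0-9']+")


def expand_template(template, user):
    """Replace each [Attribute] token with the user's attribute value.

    Assumption: an attribute the user lacks contributes an empty string.
    """
    return _ATTR_TOKEN.sub(lambda m: str(user.get(m.group(1)) or ""), template)


def blocked_words_in(name, blocked):
    """Return the blocked words present as whole words (case-insensitive) in the
    user-entered name.

    Assumption: whole-word match, so 'team' does not hit 'Teamwork', and the
    prefix/suffix the policy adds is not itself checked.
    """
    words = {w.lower() for w in _WORD.findall(name)}
    return [w for w in blocked if w.lower() in words]


def apply_naming_policy(requested, user, policy=POLICY):
    """Evaluate a group-creation request against the naming policy.

    Returns a dict: allowed (bool), name (final display name or None), reason.
    """
    hits = blocked_words_in(requested, policy["blocked_words"])
    if hits:
        return {"allowed": False, "name": None,
                "reason": "blocked word(s): " + ", ".join(hits)}
    name = (expand_template(policy["prefix"], user)
            + requested
            + expand_template(policy["suffix"], user))
    return {"allowed": True, "name": name, "reason": "ok"}


if __name__ == "__main__":
    user = {"Department": "FIN", "Country": "US"}   # constructed user attributes
    for requested in ("Quarterly Close", "Finance Team", "CEO briefing"):
        print(requested, "->", apply_naming_policy(requested, user))
```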

Controlling File Storage Locations for Microsoft Teams

Microsoft Teams data resides in the region associated with your Microsoft 365 or Office 365 organization. Administrators can see which region stores Teams data in the Microsoft 365 admin center > Settings > Organization profile > Data location.

Viewing Microsoft Teams data locations

Organizations can also leverage retention policies (requires Office 365 E3+) and labels from Microsoft 365 to effectively manage how information is retained to meet the organization’s internal policies, regulations, or legal requirements. Teams supports retention policies for chat and channel messages. Administrators can proactively decide whether to retain data, delete it, or retain it for a specific period. Learn more about Microsoft Teams retention policies here: Manage retention policies for Microsoft Teams – Microsoft Teams | Microsoft Docs

Secure Internal Microsoft Teams Collaboration

One of the benefits of using Microsoft Teams is the ability to communicate and collaborate with team members. This includes sharing sensitive information with only those who should have access to it. When it comes to internal sharing with Microsoft Teams, organizations must define the right level of protection for each project.

Microsoft recommends three levels of protection for sharing:

    • Baseline – Includes public and private teams and restricts sharing to “Site Owners.”
    • Sensitive – This team is “private.” Only members can find the team, and only owners can add new members. Sensitivity labels are used to set policies around guest sharing and unmanaged device access.
    • Highly sensitive – This is recommended for organizations that need to comply with government regulations or protect trade secrets or highly sensitive data. It blocks access from unmanaged devices and uses sensitivity labels to encrypt files.

Learn how to limit sharing within Microsoft 365 Teams here: Limit sharing in Microsoft 365 | Microsoft Docs

Secure External Microsoft Teams Collaboration

The external Microsoft Teams collaboration capabilities allow collaborating with partners, vendors, customers, and others without an account in your directory. You can share entire teams, sites, or just individual files and folders. Sharing in Microsoft 365 is governed at its highest level by the B2B external collaboration settings in Azure Active Directory.

Guest sharing must be enabled in Azure AD before guests can be added to shared content existing in your organization.

Setting external collaboration settings in Azure AD

Teams also has a master on/off setting for guest access and other settings to control what guests can do in a team.

Controlling guest access in Microsoft Teams

Since Microsoft Teams is built on top of SharePoint Online, you can control and secure external collaboration using the SharePoint organization sharing settings. These settings determine what settings are available for individual sites. For instance, you can allow file and folder sharing with unauthenticated users. You can also specify if guests need to authenticate.

Controlling external sharing in SharePoint Online

Administrators can also limit or prevent sharing SharePoint or OneDrive files or folders with people outside the organization. This is accomplished by turning off guest sharing for the entire organization or an individual site.

Controlling external sharing in Microsoft Teams sites

You can learn more about how to collaborate with guests in a team here: Collaborate with guests in a team | Microsoft Docs.

How to Govern Communications in Microsoft Teams

Microsoft Teams contains several controls that help to govern communications. These include messaging and meetings settings. Note the following:

    • Messaging – Control which chat and channel messaging features are available to users using messaging policies. Different policies can be created and assigned to different users and groups. Administrators can also control who can start new posts and reply to posts in a Microsoft Teams channel. Read more about managing messaging policies in Teams here: Manage messaging policies in Teams – Microsoft Teams | Microsoft Docs
    • Communication compliance – Organizations can scrutinize communications for sensitive information, offensive language, and any information related to compliance concerns. Using communication compliance requires M365 E5, E3 plus the Compliance/Insider Risk add-ons, or Office 365 E5 licensing. Administrators can monitor chat, email, and Yammer messages and generate alerts. These can be used to respond quickly to messages with policy matches.

How to Manage Microsoft Teams Lifecycles

It is essential to understand that the teams, channels, and other related resources in Microsoft Teams are created to serve a purpose. Once a project or purpose has finished its lifecycle, the associated Microsoft Team will also reach the end of its lifecycle. The following lifecycle stages are associated with the teams created.

    • Beginning – The team is created, and the goals associated with the team are defined. In this phase, the channels that relate to the collaboration project are configured.
    • Middle – The channel hierarchy continues to evolve along with the team members.
    • End – In this phase, the team’s work has run its course, and the team, channels, and potentially various other resources are no longer needed. As part of the housekeeping of Microsoft Teams, it is good to initially archive and then delete Teams that are no longer needed.

How to Manage Private Channels in Microsoft Teams

Private channels are used to limit collaboration to only certain team members, or to provide a means of communication for a group of people assigned to a project without creating an entirely new team. By default, only a team owner or team member can create a private channel. Guests do not have this ability.

Like other aspects of Microsoft Teams, private channels need to be managed. As an admin, you can control whether members can create private channels in specific teams. You can also create a private channel on behalf of a team member.

Administrators may need to retrieve all messages and replies posted in a private channel for auditing purposes. In addition, it may be necessary to perform eDiscovery or place a legal hold on files in a private channel. You may also need to list and update the roles of owners and members in a private channel.

In these and other scenarios, the Graph API is a robust tool that allows administrators to query information about private channels and manage them.

Set whether team members can create private channels:

PATCH /teams/{team_id}

{
  "memberSettings": {
    "allowCreatePrivateChannels": false
  }
}

Get private channel messages and replies:

GET /teams/{team_id}/channels/{channel_id}/messages
GET /teams/{team_id}/channels/{channel_id}/messages/{message_id}/replies/{reply_id}

Get a list of private channel IDs:

GET https://graph.microsoft.com/beta/teams/{group_id}/channels?$filter=membershipType eq 'private'
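To show the calls above working together, here is an added Python example (not the article’s or Microsoft’s code) that wraps them in a small client with an injectable transport, follows @odata.nextLink paging, and runs offline against constructed responses. The bearer token, team and channel IDs, and the fake responses are placeholders or constructed sample data.

```python
import json
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com"


class TeamsGovernance:
    """Thin wrapper over the Graph calls listed in the article.

    `transport(method, url, headers, body)` performs the HTTP call and returns the
    parsed JSON body (an empty dict for bodiless responses). Assumption: the token
    is an app or delegated bearer token obtained separately.
    """

    def __init__(self, token, transport, base=GRAPH):
        self._headers = {"Authorization": "Bearer " + token,
                         "Content-Type": "application/json"}
        self._transport = transport
        self._base = base

    def disable_private_channel_creation(self, team_id):
        """PATCH /teams/{team_id}: block members from creating private channels."""
        body = {"memberSettings": {"allowCreatePrivateChannels": False}}
        url = f"{self._base}/v1.0/teams/{team_id}"
        return self._transport("PATCH", url, self._headers, json.dumps(body))

    def _paged(self, url):
        """Collect every item of a Graph collection, following @odata.nextLink."""
        items = []
        while url:
            page = self._transport("GET", url, self._headers, None)
            items.extend(page.get("value", []))
            url = page.get("@odata.nextLink")
        return items

    def private_channel_ids(self, team_id):
        """GET /beta/teams/{team_id}/channels?$filter=membershipType eq 'private'."""
        flt = quote("membershipType eq 'private'")
        url = f"{self._base}/beta/teams/{team_id}/channels?$filter={flt}"
        # Keep a client-side check as a guard in case the filter is ignored.
        return [c["id"] for c in self._paged(url)
                if c.get("membershipType") == "private"]

    def private_channel_messages(self, team_id, channel_id):
        """GET /v1.0/teams/{team_id}/channels/{channel_id}/messages (all pages)."""
        url = f"{self._base}/v1.0/teams/{team_id}/channels/{channel_id}/messages"
        return self._paged(url)


# Constructed stand-in for the Graph service so the example runs offline.
_FILTER = quote("membershipType eq 'private'")
_FAKE_RESPONSES = {
    f"{GRAPH}/beta/teams/T1/channels?$filter={_FILTER}": {
        "value": [{"id": "19:priv1", "membershipType": "private"}],
        "@odata.nextLink": f"{GRAPH}/beta/teams/T1/channels?$skiptoken=page2",
    },
    f"{GRAPH}/beta/teams/T1/channels?$skiptoken=page2": {
        "value": [{"id": "19:priv2", "membershipType": "private"},
                  {"id": "19:general", "membershipType": "standard"}],
    },
    f"{GRAPH}/v1.0/teams/T1/channels/19:priv1/messages": {
        "value": [{"id": "1", "body": {"content": "constructed message"}}],
    },
}


def fake_transport(method, url, headers, body):
    """Offline transport: echoes PATCH bodies, serves the constructed GET pages."""
    if not headers.get("Authorization", "").startswith("Bearer "):
        raise PermissionError("missing bearer token")
    if method == "PATCH":
        return {"status": 204, "sent": json.loads(body)}
    return _FAKE_RESPONSES[url]


if __name__ == "__main__":
    gov = TeamsGovernance("TOKEN-PLACEHOLDER", fake_transport)
    print(gov.disable_private_channel_creation("T1"))
    ids = gov.private_channel_ids("T1")
    print("private channels:", ids)
    print("messages in first:", gov.private_channel_messages("T1", ids[0]))
```

A real transport can wrap requests.request(method, url, headers=headers, data=body); since PATCH /teams returns 204 with no body, return an empty dict when the response has no content.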

Review of Microsoft Teams Governance and Security FAQs

    • How can I govern Teams sprawl in my organization? – By putting governance policies in place, training end-users, and using technical, policy-based controls in Microsoft Teams to control how teams are created.
    • How can I manage the naming of Teams? – Use Microsoft 365 groups naming policies to control prefix, suffix, and blocked words.
    • How can I control file storage locations for Teams? – Monitor and audit data region localities and leverage retention policies to control data for legal, regulatory, and other purposes.
    • How can I secure internal collaboration in Teams? – Use the three levels of protection in Microsoft Teams: Baseline, Sensitive, and Highly sensitive protection. This includes using sensitivity labels, file encryption, and controlling guest access.
    • How can I secure external collaboration in Teams? – Control guest access from Azure Active Directory, Teams, and SharePoint Online. Admins can also enable or prevent sharing of files and folders with guests outside the organization.
    • How can I govern communications in Teams? – Use messaging and meeting policies and monitor communications for specific types of flagged content.
    • How do I manage the lifecycle of Teams? – The lifecycle of teams follows the lifecycle of the project or collaboration. Once this is over, administrators can archive and then delete the associated team, channels, and other resources.
    • How do I manage private channels in Teams? – Administrators can manage private channels using the Graph API.

Final Thoughts

Microsoft Teams is a robust communication and collaboration platform allowing organizations to communicate and empower remote workers effectively. However, for the security and safety of their data, businesses must give due attention to governance and security considerations.

Governance is a vital aspect of operating Microsoft Teams as it helps to ensure the user activities, processes, and workflows align with what has been decided upon by the business. It can also help prevent Teams “sprawl” as users have guardrails that help ensure they are using Teams in a way that aligns with the business.

Cybersecurity concerns have never been more paramount than today. With large-scale ransomware attacks affecting businesses worldwide, companies must develop effective security strategies to protect their data. Microsoft Teams has been engineered with security built into the core of the product. However, customers must also take responsibility for their data as part of the shared responsibility model. It requires more than the default settings enabled in the Microsoft Teams environment.

Businesses must decide how data can be shared, both internally and externally. They must also decide how governance is applied and how they manage lifecycle operations, channels, and many other aspects of their Teams environment.

There are other critical security features in Office/Microsoft 365 that admins simply can’t ignore and that need attention as well. Learn more in an in-depth webinar covering this topic here.
