Microsoft Teams Security Part 3 – Security Configurations
In this blog post, we will discuss more security configurations for Microsoft Teams. We’ll take a look into MFA (Multi-Factor Authentication or Two-Factor Authentication), Conditional Access, Security Defaults, Advanced Threat Protection, Data Loss Prevention, the new Safe Links feature, and Cloud App Security. These configurations need not impact users’ experience with collaboration.
This is the last part of our three-part blog series about Microsoft Teams Security. Here we will dive into Microsoft Teams Security settings related to basic as well as high-level security aspects. In Part 1, we took a deeper look at the settings for collaboration options in Microsoft Teams, while part 2 covered the specific configuration of compliance settings in Microsoft Teams.
Before we get started: Microsoft provides an excellent, up-to-date guide on security in Microsoft Teams – their security framework, their SLD (security development lifecycle), etc. Depending on how deep you want to dive into Microsoft Teams security settings, make sure to familiarize yourself with the document.
But now let’s take a look at the most important topics ourselves!
1. MFA / 2FA: Multi-Factor Authentication for Microsoft Teams
MFA is automatically part of Microsoft’s Conditional Access as well as the Security Defaults settings. As Multi-Factor Authentication is a significant feature to ensure security in Microsoft Teams, make sure you activate either or both of those.
As per Microsoft’s official docs, it enabled MFA to ensure that users’ accounts have the least possible chance of being compromised.
With Conditional Access protocols, you can determine specific criteria that need to be met in order to access your environment. Criteria can include the locations, networks or IP addresses from where to log in, the device used, the browser or the operating system. Logins can be limited to or excluded from these conditions. You can even set different criteria for your administrators.
In order to enable multi-factor authentication for your organization, block legacy auth protocols and activate Conditional Access for Microsoft Teams in Azure Active Directory. Go to Microsoft Azure Active Directory at https://portal.azure.com and select “Security”.
Then select “Conditional Access” and click on “Create a policy”.
However, it has to be noted that Microsoft Teams uses data from SharePoint and Exchange. In order to secure access to these areas as well, a comprehensive Conditional Access policy is required.
If you don’t intend to get started with Conditional Access right away, you should instead enable Security Defaults in Microsoft Azure. In order to do so, open your Microsoft Azure, go to “Properties” and click on “Manage Security defaults” at the bottom of the page.
2. Microsoft Security Defaults
Security Defaults are basic identity security mechanisms recommended by Microsoft, protecting your users and administrators from identity-related attacks.
To understand the security defaults of Microsoft, you need to know that security management can be complicated with identity-related attacks such as password spray and phishing becoming ever more popular with time.
When we talk about Microsoft security policy, security defaults have made it pretty much convenient to protect your organization from getting this kind of attack with the help of preconfigured security settings.
- Block legacy authentication protocols.
- All users are required to register for Azure AD MFA.
- Administrators are required to use and enforce MFA.
- All users need to practice MFA when required.
2.1 Who can have access?
Microsoft has made security defaults available to every organization. The primary purpose is to ensure that every organization has a basic security level enabled with no extra cost. You can activate the security defaults in Azure.
For tenants created after October 22, 2019, there is a fair possibility that security defaults are already enabled. For protecting all Microsoft users, security defaults are rolled out to the new tenants created by, well, default.
2.2 Who can benefit from Security Default settings?
- Organizations looking to increase security posture in a quick and easy way without diving too deeply into Microsoft Teams security settings.
- Organizations with the free tier of Azure AD licensing still have access to Security Defaults.
2.3 In which case should you rather use Conditional Access instead of Security Defaults?
- Organizations already using Conditional Access policies to bring signals together, to enforce existing organizational policies or to make decisions should not go with security defaults.
- Organizations with complex security needs, we suggest you consider Conditional Access as the possibilities are much more varied.
- Organizations using Azure Active Directory Premium licenses probably have too complex security requirements as well and should rather use Conditional Access.
You can find more information on Security Defaults in Microsoft Docs.
2.4 Unified MFA Registration
With Security Defaults you can enfore that each user in your tenant needs to register for MFA (multi-factor authentication) in the form of Azure AD MFA.
Users get a timespan of fourteen days to register with Azure AD MFA by using the Microsoft Authenticator app. If the fourteen days have passed, the user won’t be able to log in until the registration is completed.
User’s countdown to the fourteen days starts after the first interactive login after activating security defaults.
Maintain control over your data by easily managing guest users with External User Manager.
3. ATP: Advanced Threat Protection for documents
Two additional protection layers can easily be added with Microsoft’s advanced threat protection. You can find these settings in the Microsoft 365 Security center, directly at https://security.microsoft.com/safeattachmentv2.
Here you need to open the “Global Settings”.
One part of ATP is to enable Defender for Office 365 for SharePoint, OneDrive and Microsoft Teams. The second part is turning on Safe Documents for Office clients.
Both Defender and Safe Documents protect your organization from malicious email attachments and files in MS Teams, OneDrive and SharePoint. Defender verifies contents before allowing users to ‘trust’ opened files, while Safe Documents prevents users from opening and downloading suspicious files in the first place.
4. DLP: Data Loss Prevention in Teams messages
Another way to enhance security in your organization is to use data loss prevention policies for Microsoft Teams chat and channel messages.
You can find these settings in the Microsoft Compliance Center at https://compliance.microsoft.com under “Data Loss Prevention”.
DLP policies prohibit users from sharing sensitive content with guest users (external users).
You can easily add predefined DLP policies for protecting e.g. personal information such as driving license numbers, social security numbers, passport numbers, or sensitive financial information such as credit card numbers. You can also create new customized policies for any other kind of data.
In order to add Microsoft Teams to existing Data Loss Prevention policies, select the policy you want to edit and click on “Edit” next to “Locations”. Then activate the slider for Teams chat and channel messages.
Creating a new Data Loss Prevention policy is easy as well. In the overview screen, click on “Create a policy”, then select the kind of information you want to block, add the locations. In addition to Microsoft Teams chat / channel messages, you can also select Exchange email, SharePoint sites and OneDrive accounts.
The DLP policy will then automatically delete the chat message or channel post with the sensitive information.
Data Loss Prevention can also be used to prevent guest users from accessing SharePoint documents with sensitive information.
For more details, check out this Microsoft doc on Data Loss Prevention in Microsoft Teams.
5. Safe Links and MS Teams
Safe Links is part of the Microsoft Defender package. It is a feature that scans URLs for potentially malicious links used in phishing attacks or similar, not just in emails but also in Microsoft Teams. Safe Links protection for links in Teams works in conversations, group chats and channels.
The controls for Safe Links can be found in the new Microsoft Security center at https://security.microsoft.com/. Go to “Policies and regulations” in the Email & Collaboration block. Select “Threat Policies” and then “Safe Links” in the Policies section.
Safe Links for Teams lets you decide what should happen with URLs that are unknown, suspicious or malicious.
Possibilities include:
- You can configure a list of specific URLs that should be blocked before opening the website.
- For malicious links, a warning page will be displayed and stop the user from opening the website.
- Downloadable files can be checked before the download.
Safe Link protection for Microsoft Teams in Safe Links policies can be enabled or disabled accordingly. By clicking on On to Select action for unknown or potentially malicious URLs with Microsoft Teams from the setting. The highly suggested value is On.
Safe Links policies which apply to links in emails can also be applied to links in Teams:
- Real-time URL scanning for suspicious links and linked files
- Tracking of user clicks is prevented
- Users are not allowed to open the original URL
This is how Safe Links works for links in Microsoft Teams:
- Users open Teams.
- The system checks if the organization uses Microsoft Defender for Office 365, and if the user in part of a Safe Links policy with activated protection for MS Teams.
- As soon as a URL is clicked in chats, channel posts or tabs, Safe Links checks the link.
Here you can find the full Microsoft doc on Safe Links settings for Microsoft Teams with lots of additional information.
6. Cloud App Security
Microsoft Cloud App Security – recently renamed Microsoft Defender for Cloud Apps – is a big step toward more security for your Microsoft Teams environment. Just like Safe Links, it is also part of the Microsoft Defender package. Cloud App Security can be used to configure special authentication protocols, policies, warnings and reports for lots of different scenarios.
At the moment the Cloud App Security portal can still be found at https://portal.cloudappsecurity.com.
Cloud App Security is a whole topic all by itself and to discuss it in detail would go beyond the scope of the Microsoft Teams security settings in this article.
We recommend starting with Microsoft docs providing an overview of Microsoft Cloud App Security and a rundown on the options for protecting apps with Conditional Access App Control.
This concludes our third and last article about Security in Microsoft Teams. Take a look at Part 1, where we went over the settings for collaboration options in Microsoft Teams, or Part 2 with specific configurations of compliance in Microsoft Teams with security in mind.
When we talk about Microsoft Teams Security settings, there are multiple options Microsoft offers to prevent different issues. Here we have tried to cover every topic that could be of help. While we did not go into much detail on some specifics, please do contact us for more information on how to secure your Teams environment.
Our mission is to build apps for Microsoft Teams to make your live easier and your security better:
- Teams Manager improves Teams governance with team templates, lifecycles, naming conventions and more.
- External User Manager helps you manage and control guest users.
- Intranet brings your SharePoint intranet to Microsoft Teams with a multilingual mega menu.
CEO and Governance Expert – Christian Groß is a Teams expert from the very beginning. In the last 4 years he developed 6 Teams Apps, built up his own service company and additionally founded the largest German-speaking Teams conference.
