How do we secure Microsoft Teams?

Cyclotron’s Security Practice has conducted many enterprise deployments of Microsoft Teams, helping clients ensure long-term security in their Microsoft 365 investment. Our company has developed a robust framework for Teams deployment spanning security, compliance and governance across Microsoft 365. In this blog, we demonstrate a high-level overview of our Teams security framework.

Nathan Berger

Director of Security

nathan.berger@cyclotron.com 

The risk of Microsoft Teams

The risks of using Microsoft Teams without a proper security framework are immense, and broad - they span the entire Microsoft 365 security framework.

Imagine the following scenarios:

• A guest account is compromised by an attacker to download company data from Teams and sell it to a competitor.

• A disgruntled user steals company data onto his personal laptop and takes it to a competitor.

• An external attacker sends phishing attempts over federated messaging to internal users appearing as the IT helpdesk.

• A compromised user shares a malicious file or link with co-workers.

• A contractor discovers he can access any public Team, including sensitive files and company names he wasn’t authorized to access or know about.

• A careless user deletes a critical set of folders on a Team site, interrupting business workflows.

• A compromised OAuth application used in Teams steals sensitive files without detection.
  

These scenarios combined with the commonplace usage of Teams means that risk grows exponentially with a larger user population – therefore, enterprises face the greatest level of risk.

What do clients get wrong when securing Teams?

Here's where existing client designs are most unsecured:

• Data protection on personal devices: Many clients spend lots of effort on DLP but miss that a user can log into their personal PC and download any data. Cyclotron uses a combination of access policy, device integrity and proxy controls to prevent this, all native to M365. Also, don’t forget that a user can sync a Team on any device that can use OneDrive sync, so sync settings should be reconfigured.

• Malware protection: Did you know that Teams does not include malware protection by default? Only E5 licenses add this capability, but clients often believe E3 includes malware protection when it does not.

• Licenses: Clients less familiar with the breadth of Microsoft 365 sublicenses often disable several thinking they’re not needed, accidentally disabling auditing, DLP and security controls.

• Guests: Though you can certainly block guests access entirely, the productivity impact is significant. Instead, we use a combination of governance policies and access policies to ensure guests adhere to the principle of least-privilege.

• Team sprawl: Clients using Teams heavily for more than a year tend to find lots of stale data, orphaned teams and an overall lack of understanding toward confidentiality of these repositories. This must be remediated and also addressed proactively with governance controls. TeamsHub especially excels in preventing team sprawl.

Lastly, securing Teams is not a one-time effort. Regular maintenance and revision of security controls are essential to ensuring your policies adapt to usage (and behavior of some clever users). For monitoring, Entra audit logs with report-only policies work wonderfully along with the usage reports in the Microsoft Admin Center – and TeamsHub reports for advanced analytics.

How we secure Microsoft Teams

Cyclotron helps enterprise clients secure Microsoft Teams using enterprise security, compliance and governance controls. As we refined our framework, it developed into a complex security template we call Security Foundations for Microsoft 365.

The effort of securing Teams overlaps with efforts to secure all of Microsoft 365, given the wide breadth of Teams in the Microsoft 365 ecosystem. Teams uses groups, files, emails, guests, federation, and deep hooks to SharePoint, OneDrive Planner, Stream, and more. Each of these apps and tenant controls must be rationalized. 

A strong foundation for Microsoft Teams (and therefore Microsoft 365) involves the following:

• Security: Threat protection controls including access policies, malware protection, link protection, and anomalous behavior detection.

• Compliance: Data protection and some minor governance controls, mainly consisting of data loss prevention, classification, data retention, insider risk detections and appropriate use policies (including chat and data scanning).

• Governance: Platform controls to prevent team sprawl, expire stale data, remove unwanted productivity features, and control which apps are available in the platform. Cyclotron prefers to automate this governance work using TeamsHub, our product that helps automatically govern Teams workflows to prevent sprawl and provides several unique interfaces to classify teams in bulk, change privacy settings, and leverage workflows for team expiration. 
  

Unlike other security deployments, these Security Foundations projects span several Microsoft 365 products: Entra groups, users, guests, federation, Conditional Access, licenses & applications; Intune device compliance & app protection; SharePoint Admin Center controls; Defender for Security; Purview for compliance; the Teams Admin Center itself; and admin centers of individual Microsoft 365 applications.

Free Assessment

If you want to work with Cyclotron to help secure your Microsoft Teams instance, reach out at nathan.berger@cyclotron.com for a free 60-minute Security Foundations assessment.