Is Your Microsoft Teams Site Secure? Revisit Your Teams Configuration to Find Out

In April 2020, Microsoft Teams saw a surge in usage as the number of daily active users jumped nearly 70 percent to 75 million. During a call with investors, the organization’s CEO, Satya Nadella noted that at least two-thirds of Teams users were also collaborating with files inside the app.[1]

Microsoft Teams is a unified communication and collaboration platform that enables users to chat with coworkers, launch video meetings, store files and integrate with other Office 365 apps like SharePoint. It’s a powerful tool that, when used to its full potential, can enable organizations to collaborate easier and more effectively.

Potential Security Risks

Microsoft Teams comes with built-in security features. However, many organizations who launched Teams quickly in response to a sudden surge in remote work may have done so without configuring the security settings to align with their organization’s third-party sharing or information governance policies. With out-of-the-box or “baseline” security settings in place, employees may be able to share internal files and information with external users through Teams, posing a potential security risk to organizations who wish to prevent sensitive information from being shared within different areas of the business or outside the company.

Microsoft Teams Security Tiers

To enable a balance between security and ease of use, Teams offers a tiered security setting that can be adjusted to meet the needs of your organizations.

These tiers include:

Baseline (Public) – This configuration grants access to everyone in your organization, with flexibility for site owners or members to create private channels, add new or existing guests, share files and folders, and access the app from desktop, mobile or web. The baseline tier does not enable sensitivity labels for documents (more on this below).  

Baseline (Private) – This tier is essentially the same as the above, but the team is private rather than public, meaning it is not visible from the Teams gallery and users can only join if the team owner adds them or approves a request to be added.

Sensitive – In this tier, only members of the team have access (others cannot request to join) and only owners can create private channels. When you configure Teams with this tier, you can choose to allow site-level guest access to the channel, or for tighter security set it so that only people in your organization have access. Devices that are not managed by your organization are allowed access but are limited to web sign in and cannot use the mobile or desktop apps. Sensitivity labels may be used to classify the team and control guest sharing and unmanaged device access.

Highly Sensitive – This tier is similar to the above. The main differences are that only site owners can share files, folders and the site, users can only login from devices managed by your organization, and sensitivity labels can be used to encrypt files.

See a full table of configuration settings here.

Sensitivity Labels

Sensitivity labels are used in Microsoft Teams, Office 365 groups and SharePoint sites to help control the security settings of different types of information. For example, a team or channel labeled with a “General” sensitivity label may be classified as low sensitivity. For highly sensitive information, you might use a label titled “Confidential.”

Once you’ve created labels, you can define the settings of each. For example, documents labelled as Confidential in SharePoint may have encryption applied and restrict sharing by anyone aside from the owner. In contrast, a “General” labelled document might be free to share externally by anyone in your organization.

Read more on sensitivity labels from Microsoft here.

Revisiting Your Teams Security Settings

If you’re just getting started with your Teams site, or if you’re using out-of-the-box security settings, it’s recommended that you start by revisiting your organization’s information governance policy. If your organization doesn’t have a formal policy for sharing information or you’re not sure where to start, work with an IT professional who can get familiar with your business and recommend best practices for configuring Teams and other Office 365 apps.

IX Solutions specializes in Office 365 deployment and we’re here to support you. Send us a message to get started today.


< Back to all posts