Microsoft Teams
This page lists security settings and configurations that are advisable to implement in your environment.
Each environment is different, but I believe the settings below are easy to set up and provide a way to reach a more mature security level.
Disable external and guest access in Microsoft Teams
This setting depends on your organization, but it is advisable to start by disabling external and guest users. A guest user can be granted access to a Team and is then able to view the documents related to that Team. An external user can't be added to a Team, but internal users can chat and share their desktop with them. It is also possible to add a whitelist or blocklist for external users to limit the domains your users can chat with. Guest users are currently disabled by default and external users are allowed.
How will this impact my users?
Users are unable to chat with external users or share content using Teams.
Using the user interface
This setting is changed in the Teams admin center. The direct link is https://admin.teams.microsoft.com/
For external users go to Org-wide settings -> External access
For guest users go to Org-wide settings -> Guest access
Using PowerShell
You can use PowerShell to change the settings in Microsoft Teams automatically. It still uses the old SkypeOnlineConnector module.
Import-Module SkypeOnlineConnector
$CSSession = New-CsOnlineSession
Import-PSSession -Session $CSSession
Set-CsTeamsClientConfiguration -AllowGuestUser $False -Identity Global
Note that this PowerShell command only covers guest access, as there is currently no PowerShell command for external access.
Disable external cloud service storages
This setting depends on your organization and the external cloud services you use or allow. SharePoint Online is the default storage service in Microsoft Teams, and you can add Dropbox, Box, GoogleDrive and ShareFile as external storage. These are enabled by default; we advise disabling them if they are not allowed.
How will this impact my users?
Users are unable to add Dropbox, Box, GoogleDrive or ShareFile as a tab in Microsoft Teams.
Using the user interface
This setting is changed in the Teams admin center. The direct link is https://admin.teams.microsoft.com/; from there go to Org-wide settings -> Team settings
Disable all services and make sure to save the changes.
Using PowerShell
You can use PowerShell to change the settings in Microsoft Teams automatically. It still uses the old SkypeOnlineConnector module.
Import-Module SkypeOnlineConnector
$CSSession = New-CsOnlineSession
Import-PSSession -Session $CSSession
Set-CsTeamsClientConfiguration -AllowDropbox $False -AllowBox $False -AllowGoogleDrive $False -AllowShareFile $False
Enable modern authentication
Modern authentication makes it possible to log on using multi-factor authentication, a smartcard or certificates. It is advisable to enforce modern authentication if possible, because multi-factor authentication can be circumvented if basic authentication is still allowed. Should the need arise to allow basic authentication, you can use conditional access to further protect the environment by only allowing some users from some locations to use basic authentication.
How will this impact my users?
Users will no longer be able to use older or third-party applications that only work with basic authentication, like Office 2010.
Using PowerShell
This setting can only be changed using PowerShell. It still uses the old SkypeOnlineConnector module.
Import-Module SkypeOnlineConnector
$CSSession = New-CsOnlineSession
Import-PSSession -Session $CSSession
Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
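To confirm that the settings on this page took effect, the current values can be compared with the recommended ones. The script below is an added example, not part of the original page: Test-TeamsBaseline is a hypothetical helper name, the sample objects are constructed, and the property names are assumed to match the parameters used in the Set- commands above.

```powershell
# Added example: compare Teams settings with the values recommended on this page.
# Test-TeamsBaseline is a hypothetical helper name, not a Microsoft cmdlet.
function Test-TeamsBaseline {
    param(
        # Output of Get-CsTeamsClientConfiguration -Identity Global
        [Parameter(Mandatory)] $ClientConfig,
        # Output of Get-CsOAuthConfiguration
        [Parameter(Mandatory)] $OAuthConfig
    )

    # Expected values, taken from the Set-* commands shown on this page.
    $expected = [ordered]@{
        AllowGuestUser   = $false
        AllowDropbox     = $false
        AllowBox         = $false
        AllowGoogleDrive = $false
        AllowShareFile   = $false
    }

    foreach ($name in $expected.Keys) {
        [pscustomobject]@{
            Setting   = $name
            Expected  = $expected[$name]
            Actual    = $ClientConfig.$name
            # A missing property yields $null, which is reported as non-compliant.
            Compliant = ($ClientConfig.$name -eq $expected[$name])
        }
    }

    # Modern authentication: the page sets ClientAdalAuthOverride to Allowed.
    $adal = [string]$OAuthConfig.ClientAdalAuthOverride
    [pscustomobject]@{
        Setting   = 'ClientAdalAuthOverride'
        Expected  = 'Allowed'
        Actual    = $adal
        Compliant = ($adal -eq 'Allowed')
    }
}

# Constructed sample objects so the function can be tried without a tenant session.
$sampleClient = [pscustomobject]@{
    AllowGuestUser = $false; AllowDropbox = $true; AllowBox = $false
    AllowGoogleDrive = $false; AllowShareFile = $false
}
$sampleOAuth = [pscustomobject]@{ ClientAdalAuthOverride = 'NoOverride' }

Test-TeamsBaseline -ClientConfig $sampleClient -OAuthConfig $sampleOAuth |
    Format-Table -AutoSize
```

Against a live tenant, pass the output of Get-CsTeamsClientConfiguration -Identity Global and Get-CsOAuthConfiguration instead of the sample objects, after importing the session as shown above.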