Securing Microsoft Teams correctly | Pentest7

Collaboration tools such as Microsoft Teams are increasingly popular in companies, and the boom in home office work in the wake of the pandemic has given these solutions a further boost. With the growing number of users, however, IT teams are increasingly faced with the question of how to secure these coworking environments. Particular attention is paid to Microsoft's collaboration solution, because it is used in the majority of organizations.

Unlike in the past, when companies could operate their application, file, Exchange and SharePoint servers and, under certain circumstances, their Skype for Business server within their own perimeter, protected by a firewall or inside the internal network, Teams is a cloud solution based on Microsoft 365. IT administrators must therefore focus on protecting the users, not the network. Above all, protecting login credentials should be given priority; strong passwords and the use of multi-factor authentication, however, constitute only the minimum level of security.

In addition, security officers should make full use of the security functions of Microsoft's cloud service to ensure that users access company resources via Teams only from certain (known) locations and only with approved end devices. But actually securing Microsoft Teams requires more extensive steps. In this first part of my post, I address fundamental questions about the security of Microsoft Teams and then go into the role of Microsoft 365 groups and external access. The second part is devoted to the role of policies, the backup of files and the different administrator roles and their rights.

Is Teams Safe?

Is Teams safe? Every IT manager who is about to introduce Microsoft's collaboration solution asks this question. A clear yes or no would be too short-sighted; the more accurate answer is "yes, but". How well employees and company data are protected when using Microsoft Teams depends largely on the administrators.

The main functions of Teams are chatting, planning and holding meetings, making calls and working on files together. The solution bundles various activities that were previously handled by individual tools. Teams ensures that communication and file sharing take place only among known, authorized users who have the appropriate access rights. But as with the doors and windows of a house, the security measures for administering Teams (the locks on the house, in this analogy) must be well thought out in order to strike the best balance between security and user-friendliness.

The most important security parameter for administrators is the identity of the user or, to stay with the analogy, the front door. An advantage of all Microsoft 365 applications, including Teams, is that the user identity lives in Azure Active Directory (Azure AD) and can be managed there by the IT team. The recent advances in Azure AD's identity security capabilities are a huge leap forward for any application that uses it.

Features such as configurable MFA options, account lockout settings and single sign-on across applications are fundamental and have become very effective pillars of identity security. Premium Azure AD features such as Identity Protection use account activity information in Azure AD to identify, detect and investigate risks across all Microsoft cloud applications. In addition, Azure AD Privileged Identity Management together with Conditional Access can use this information to better secure privileged identities, which provide access to the heart of the company's IT.

Protection based on Microsoft 365 groups and protection of the Teams application

Another important pillar of the Microsoft Teams security architecture is the Microsoft 365 group. Each team is connected to a Microsoft 365 group, and membership in this group defines "who" may access "what" in a team (see Figure 1). Access to a team's data and rights is regulated by its owners and members, which in turn is determined by their membership in the associated Microsoft 365 group.

Once those responsible for security have protected the users' identities, various areas of the Teams application and service should be checked and configured. An important aspect here is the life cycle of individual teams: their creation, use and dissolution. Here are some best practices that administrators should consider:

  • Enforce rules – IT teams must ensure that every team has more than one owner. Otherwise, if the sole owner leaves the company, no one is responsible for the data and security settings of the team in question.
  • Apply expiration policies – The longer a team is in use, the more data accumulates, and all sensitive information stored by the team is a potential security risk. This is all the more true once the team has served its purpose and the stored data is no longer in use, because all guest and external access is retained unless an administrator changes the team's status. Expiration policies let the team owner renew a group if it is still needed.
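Both best practices can be checked and enforced from PowerShell. The following is an added example, not code from the original post: it lists teams that have fewer than two owners and creates a Microsoft 365 group expiration policy. It assumes the MicrosoftTeams and Microsoft.Graph modules are installed, the signed-in account holds the required admin roles, and the notification address is a constructed placeholder.

```powershell
# Added example: owner audit and expiration policy for Microsoft 365 groups.
# Assumes the MicrosoftTeams and Microsoft.Graph PowerShell modules are installed.
Connect-MicrosoftTeams
Connect-MgGraph -Scopes "Directory.ReadWrite.All"

function Get-TeamsWithSingleOwner {
    # Returns every team whose owner count is below the minimum of two.
    foreach ($team in Get-Team) {
        $owners = @(Get-TeamUser -GroupId $team.GroupId -Role Owner)
        if ($owners.Count -lt 2) {
            [pscustomobject]@{
                DisplayName = $team.DisplayName
                GroupId     = $team.GroupId
                OwnerCount  = $owners.Count
                Owners      = ($owners.User -join ", ")
            }
        }
    }
}

# Report teams that would be left without a responsible owner if one person leaves.
Get-TeamsWithSingleOwner | Format-Table -AutoSize

# Expiration policy: groups (and therefore teams) that no owner renews within
# 180 days are deleted, which also removes their stale guest and external access.
# The notification address is a constructed placeholder.
New-MgGroupLifecyclePolicy -GroupLifetimeInDays 180 `
    -ManagedGroupTypes "All" `
    -AlternateNotificationEmails "teams-admins@contoso.example"
```

Owners receive renewal notifications before the lifetime elapses; groups without an owner are notified at the alternate address given in the policy.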

External access and guest access

The security architecture of Microsoft Teams allows the company's own employees to collaborate with users from other organizations, for example partners, in two ways: external access and guest access. External access, also known as "federation", lets employees whose identity is tied to their own company's domain work with users from other domains. External access is enabled by default in Teams so that employees can interact with users from other organizations. Administrators can, however, deactivate it completely or, if desired, regulate it. Regulation is possible on the basis of the following scenarios:

  • Open federation – The default setting allows your own employees to find users from any other domain, call them, chat with them and schedule meetings.
  • Allow specific domains – This setting restricts external access to the domains defined by the administrator and blocks users from all other domains. This is useful if you only want to work with trusted partners, suppliers and customers.
  • Block specific domains – This setting allows external access to and from all external domains except those blocked by the IT team. Administrators can choose this option to prevent communication with known competitors and other parties that could pose a risk to their own company.
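The three scenarios correspond to the tenant federation configuration in Teams PowerShell. This is an added example, not code from the original post; the domain names are constructed placeholders, and the MicrosoftTeams module is assumed to be installed.

```powershell
# Added example: the three external-access scenarios as tenant federation settings.
# Only one scenario applies at a time; run the one that matches your policy.
Connect-MicrosoftTeams

# Scenario 1: open federation (the default). AllowAllKnownDomains replaces any
# allow list that may have been set earlier.
$openList = New-CsEdgeAllowAllKnownDomains
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $openList

# Scenario 2: allow specific domains only; users from every other domain are blocked.
$allowedDomains = @("partner.example", "supplier.example") | ForEach-Object {
    New-CsEdgeDomainPattern -Domain $_
}
$allowList = New-CsEdgeAllowList -AllowedDomain $allowedDomains
Set-CsTenantFederationConfiguration -AllowedDomains $allowList

# Scenario 3: block specific domains while all other domains stay reachable.
$blocked = New-CsEdgeDomainPattern -Domain "competitor.example"
Set-CsTenantFederationConfiguration -BlockedDomains @{Add=$blocked}

# Verify the resulting configuration before closing the session.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains
```

Setting AllowFederatedUsers to $false deactivates external access completely, regardless of the lists.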

In addition to external access, guest access can be granted. The IT team implements this through an Azure AD invitation process, which creates a guest account in your own Azure AD tenant. Guest access can then be configured to define the associated rights. Two important settings at tenant level determine whether guests can access the teams in your Teams tenant at all. One of them is a Microsoft Teams tenant setting found in the Teams admin center.

The other is found in the Microsoft 365 portal and regulates guest access to the underlying Microsoft 365 groups used by individual teams. If both settings are activated, an administrator can still deactivate guest access to specific teams using PowerShell, by disabling guest access to the associated Microsoft 365 group.

If guest access is activated at the Teams tenant level, administrators can also regulate in the Teams admin center which rights guests have. Once guest access is activated in a team, granular control takes place at team level through settings that the team owner activates or deactivates, for example whether guests may edit or delete messages in channel posts. This setting is of great importance if communication is to be documented permanently.
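The tenant-level guest settings and the per-group PowerShell step described above, as an added example that is not code from the original post. It assumes the MicrosoftTeams and Microsoft.Graph modules are installed; the group id is a placeholder to be replaced with the id of the team's Microsoft 365 group.

```powershell
# Added example: tenant-level guest settings in Teams, plus blocking guests from
# one specific team's Microsoft 365 group. The group id is a placeholder.
Connect-MicrosoftTeams
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Directory.ReadWrite.All"

# Tenant level (Teams admin center equivalent): guests may sign in to Teams but
# may not edit or delete their own messages, so channel posts remain a reliable record.
Set-CsTeamsClientConfiguration -AllowGuestUser $true
Set-CsTeamsGuestMessagingConfiguration -AllowUserEditMessage $false -AllowUserDeleteMessage $false

function Disable-GroupGuestAccess {
    param([Parameter(Mandatory)][string]$GroupId)
    # Look up the Group.Unified.Guest template instead of hard-coding its id.
    $template = Get-MgGroupSettingTemplate |
        Where-Object { $_.DisplayName -eq "Group.Unified.Guest" }
    # A group-level setting overrides the directory-wide Group.Unified value for this
    # group only. Fails if the group already carries a setting; update that instead.
    New-MgGroupSetting -GroupId $GroupId -BodyParameter @{
        templateId = $template.Id
        values     = @(@{ name = "AllowToAddGuests"; value = "false" })
    }
}

$groupId = "00000000-0000-0000-0000-000000000000"   # placeholder
Disable-GroupGuestAccess -GroupId $groupId

# Confirm: the group now carries an AllowToAddGuests=false setting.
Get-MgGroupSetting -GroupId $groupId | Select-Object -ExpandProperty Values
```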

The second part explains in detail the importance of policies, the backup of files and the various administrator roles in protecting Microsoft Teams.
