Quick answer: Secure Teams by controlling external and guest access, implementing DLP for sensitive data, configuring retention policies, managing third-party apps, and ensuring meeting security. Default settings are too permissive for most organisations.
Why Teams Security Matters
Teams is where your work happens:
- Confidential conversations
- Sensitive file sharing
- Customer information
- Strategic discussions
- External collaboration
Key Security Controls
1. External access
What it is: Whether users can chat/call with people outside your organisation.
Default: Enabled (can communicate with anyone on Teams/Skype).
Options:
- Open: Anyone (risky)
- Allowed domains: Specific partner organisations only
- Blocked domains: Everyone except the specified domains
- Disabled: No external chat/calling
2. Guest access
What it is: Allowing external users to join your Teams as guests (access to channels, files, conversations).
Default: Enabled.
Controls to configure:
- Who can invite guests (everyone vs. specific roles)
- What guests can access
- Guest meeting capabilities
- Calling and messaging permissions
3. Meeting security
External attendees:
- Can anonymous users join meetings?
- Can they bypass the lobby?
- Can they present?
- Can they record?
Settings to configure:
- Lobby requirements
- Who can present
- Recording permissions
- Chat permissions
- Reactions and Q&A
Recommendation: Require lobby for external attendees. Restrict anonymous join for sensitive meetings.
4. App permissions
Third-party apps:
- Who can install apps?
- Which apps are allowed?
- What permissions can apps request?
Risks:
- Malicious apps extracting data
- Overly permissive apps
- Shadow IT through app installation
5. Data protection
DLP policies:
- Detect sensitive data in Teams chats and files
- Warn users or block sharing
- Apply across channels and direct messages
Sensitivity labels:
- Label Teams and channels
- Control external sharing based on label
- Require encryption for sensitive content
Retention policies:
- How long to keep Teams data
- When to delete
- Compliance requirements
6. Conditional Access
Control access to Teams based on:
- User risk level
- Device compliance
- Location
- Application sensitivity
Example policies:
- Block Teams from unmanaged devices
- Require compliant device for desktop app
- Allow web access from managed devices only
7. Information barriers
For regulated industries:
- Prevent communication between specific groups
- Chinese walls for financial services
- Insider trading prevention
Quick Wins
This week:
- Review external and guest access settings
- Check who can invite guests
- Review lobby policies for meetings
- Implement DLP for Teams
- Configure app permissions
- Enable Conditional Access for Teams
- Sensitivity labels for Teams
- Retention policies
- Regular access review process
Common Mistakes
Everyone can invite guests: No oversight of who's being invited.
Anonymous join enabled: Anyone with a link can join meetings.
No DLP in Teams: Sensitive data shared freely.
Apps uncontrolled: Any app can be installed.
No retention policy: Data kept forever or deleted randomly.
Teams Security Checklist
- [ ] External access restricted to necessary domains
- [ ] Guest access controlled (who can invite, what guests can do)
- [ ] Meeting lobby enabled for external attendees
- [ ] Anonymous meeting join disabled or controlled
- [ ] DLP policies applied to Teams
- [ ] App permissions managed centrally
- [ ] Conditional Access applied
- [ ] Retention policies configured
- [ ] Sensitivity labels implemented
- [ ] Regular access reviews scheduled
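As an added example (not from the original article), the following read-only PowerShell audit pulls the tenant settings behind the external access, guest access, meeting security and app permission items in the checklist above and reports where they deviate from the recommendations. It uses the MicrosoftTeams module and assumes it is installed and the signed-in account holds a Teams Administrator or Global Reader role; the string rendering of AllowedDomains is an assumption noted in the code.

```powershell
# Added example, not the article's own tooling. Read-only: it reports, it changes nothing.
# Assumes: Install-Module MicrosoftTeams has been run; account has Teams Admin or Global Reader.
Connect-MicrosoftTeams | Out-Null

$findings = New-Object System.Collections.Generic.List[string]

# 1. External access (federation with other organisations and consumer accounts)
$fed = Get-CsTenantFederationConfiguration
# Assumption: AllowedDomains renders as the string 'AllowAllKnownDomains' when no allow list is set.
if ($fed.AllowFederatedUsers -and ("$($fed.AllowedDomains)" -like 'AllowAllKnownDomains*')) {
    $findings.Add('External access is open to every domain; restrict it to named partner domains.')
}
if ($fed.AllowPublicUsers) {
    $findings.Add('Skype consumer accounts can contact your users (AllowPublicUsers).')
}
if ($fed.AllowTeamsConsumer) {
    $findings.Add('Personal Teams accounts can contact your users (AllowTeamsConsumer).')
}

# 2. Guest access (tenant-wide switch; who may invite guests is set in Entra ID)
$client = Get-CsTeamsClientConfiguration -Identity Global
if ($client.AllowGuestUser) {
    $findings.Add('Guest access is enabled; review who can invite guests and what guests can do.')
}

# 3. Meeting security (global meeting policy; per-user policies may override it)
$mtg = Get-CsTeamsMeetingPolicy -Identity Global
if ($mtg.AllowAnonymousUsersToJoinMeeting) {
    $findings.Add('Anonymous users can join meetings: anyone with the link can attend.')
}
if ($mtg.AutoAdmittedUsers -eq 'Everyone') {
    $findings.Add('Lobby bypass is set to Everyone; external attendees skip the lobby.')
}
if ($mtg.AllowAnonymousUsersToStartMeeting) {
    $findings.Add('Anonymous users can start a meeting before an organiser is present.')
}

# 4. App permissions (policy-based model: a BlockedAppList with no entries allows every app)
$apps = Get-CsTeamsAppPermissionPolicy -Identity Global
if ($apps.GlobalCatalogAppsType -eq 'BlockedAppList' -and $apps.GlobalCatalogApps.Count -eq 0) {
    $findings.Add('All third-party store apps are allowed; switch to an allow list of vetted apps.')
}

# Report
if ($findings.Count -eq 0) { 'No deviations from the checklist found.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it before and after a change window; the output lines are plain strings, so they can be piped to a file for the access review record the checklist asks for.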
What We Configure
For managed clients:
- Secure baseline for Teams configuration
- External and guest policies aligned with your requirements
- DLP integration with Teams
- Conditional Access for collaboration apps
- Ongoing review as Teams evolves
