Policy recommendations for securing Teams chats, groups, and files

This article describes how to implement the recommended identity and device-access policies to protect Teams chats, groups, and content such as files and calendars. This guidance builds on the Common identity and device access policies, with additional information that's Teams-specific. Because Teams integrates with our other products, also see Policy recommendations for securing SharePoint sites and files and Policy recommendations for securing email.

These recommendations are based on three different tiers of security and protection for Teams that can be applied based on the granularity of your needs: baseline, sensitive, and highly regulated. You can learn more about these security tiers and the recommended policies referenced by these recommendations in the Identity and device access configurations.

Additional recommendations specific to Teams deployment are included in this article to cover specific authentication circumstances, including for users outside your organization. You will need to follow this guidance for a complete security experience.

Getting started with Teams before other dependent services

You don't need to enable dependent services to get started with Microsoft Teams. These will all 'just work.' However, you do need to be prepared to manage the following:

  • Office 365 groups
  • SharePoint team sites
  • OneDrive for Business
  • Mailboxes
  • Stream videos and Planner plans (if these services are enabled)

Updating common policies to include Teams

The following diagram illustrates the set of recommended policies for protecting chat, groups and content in Teams. The pencil icon indicates which policies need to be revisited to be sure that Teams and dependent services are included in the assignment of cloud apps.

A diagram showing how to use Microsoft Teams on various devices.

These are the dependent services to include in the assignment of cloud apps for Teams:

  • Microsoft Teams
  • SharePoint Online and OneDrive for Business
  • Exchange Online
  • Skype for Business Online
  • Microsoft Stream (meeting recordings)
  • Microsoft Planner (Planner tasks and plan data)

This table lists the policies that need to be revisited and links to each policy in Common identity and device access policies, which has the wider rule-set for all Office applications.

| Protection level | Policies | Further information for Teams implementation |
|---|---|---|
| Baseline | Require MFA when sign-in risk is medium or high | Be sure Teams and dependent services are included in the list of apps. Teams has Guest Access and External Access rules to consider as well; you'll learn more about these later in this article. |
| | Block clients that don't support modern authentication | Include Teams and dependent services in the assignment of cloud apps. |
| | High risk users must change password | Forces Teams users to change their password when signing in if high-risk activity is detected for their account. Be sure Teams and dependent services are included in the list of apps. |
| | Apply APP data protection policies | Be sure Teams and dependent services are included in the list of apps. Update the policy for each platform (iOS, Android, Windows). |
| | Require approved apps and APP protection | Include Teams and dependent services in this policy. |
| | Define device compliance policies | Include Teams and dependent services in this policy. |
| | Require compliant PCs | Include Teams and dependent services in this policy. |
| Sensitive | Require MFA when sign-in risk is low, medium or high | Teams has Guest Access and External Access rules to consider as well; you'll learn more about these later in this article. Include Teams and dependent services in this policy. |
| | Require compliant PCs and mobile devices | Include Teams and dependent services in this policy. |
| Highly regulated | Always require MFA | Regardless of user identity, MFA will be used by your organization. Include Teams and dependent services in this policy. |
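The recurring instruction in the table is to include Teams and its dependent services in each policy's cloud-app assignment. The following audit script is an added example, not part of this article or of Microsoft's own tooling: it reads a Conditional Access policy export in the Microsoft Graph conditionalAccessPolicy shape and reports any policy that targets Teams but omits a dependent service. It assumes the well-known first-party application IDs for Teams, SharePoint Online, Exchange Online and Skype for Business Online listed in the code (confirm them in your own tenant), treats the "All" and "Office365" app-group values as covering everything, and uses a constructed sample export.

```python
"""Audit Conditional Access policy exports for Teams dependent-service coverage.

Input shape follows the Microsoft Graph conditionalAccessPolicy resource
(for example the JSON returned by GET /identity/conditionalAccess/policies).
"""
import json

# Well-known first-party application IDs (assumption: confirm against the
# Enterprise applications list in your own tenant before relying on them).
TEAMS_APP_ID = "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe"
DEPENDENT_APP_IDS = {
    "SharePoint Online / OneDrive for Business": "00000003-0000-0ff1-ce00-000000000000",
    "Exchange Online": "00000002-0000-0ff1-ce00-000000000000",
    "Skype for Business Online": "00000004-0000-0ff1-ce00-000000000000",
    # Add Microsoft Stream and Microsoft Planner after looking up their
    # application IDs in your tenant (not filled in here on purpose).
}
# Target values that already cover Teams and every dependent service.
COVER_ALL = {"All", "Office365"}


def missing_dependencies(policy: dict) -> list[str]:
    """Return the dependent services a Teams-targeting policy leaves out.

    A policy that does not target Teams at all, or that targets the "All" or
    "Office365" app group, has nothing missing.
    """
    conditions = policy.get("conditions", {})
    apps = set(conditions.get("applications", {}).get("includeApplications", []))
    if apps & COVER_ALL or TEAMS_APP_ID not in apps:
        return []
    return [name for name, app_id in DEPENDENT_APP_IDS.items() if app_id not in apps]


def audit(export_json: str) -> dict[str, list[str]]:
    """Map each policy display name to the dependent services it misses."""
    data = json.loads(export_json)
    policies = data.get("value", data) if isinstance(data, dict) else data
    return {p["displayName"]: gaps for p in policies if (gaps := missing_dependencies(p))}


# Constructed sample export: one policy assigned the way this article recommends,
# one that names only Teams and so leaves SharePoint, Exchange and Skype for
# Business reachable without the MFA requirement.
SAMPLE_EXPORT = json.dumps({"value": [
    {"displayName": "Baseline: MFA on medium/high sign-in risk", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["Office365"]},
                    "signInRiskLevels": ["medium", "high"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Teams only: MFA on medium/high sign-in risk", "state": "enabled",
     "conditions": {"applications": {"includeApplications": [TEAMS_APP_ID]},
                    "signInRiskLevels": ["medium", "high"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]})

if __name__ == "__main__":
    for name, gaps in audit(SAMPLE_EXPORT).items():
        print(f"{name}: missing {', '.join(gaps)}")
```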

Teams dependent services architecture

For reference, the following diagram illustrates the services Teams relies on. For more information and additional illustrations, see Microsoft Teams and related productivity services in Microsoft 365 for IT architects.

Diagram showing Teams dependencies on SharePoint Online, OneDrive for Business, and Exchange.

Enabling guest and external access for Teams

In Azure AD, guest and external users are the same. The user type for both of these is Guest. Guest users are B2B users. Microsoft Teams differentiates between guest users and external users in the app. While it's important to understand how each of these is treated in Teams, both types of users are B2B users in Azure AD and the recommended policies for B2B users apply to both. For recommended policies to allow guest access, see Policies for allowing guest and external B2B access.

Guest Access in Teams

In addition to the policies for users who are internal to your business or organization, administrators may enable guest access to allow, on a user-by-user basis, people who are external to your business or organization to access Teams resources and interact with internal people for things like group conversations, chat, and meetings. You can learn more about Guest Access at the following link: Teams guest access.

External Access in Teams

External access is sometimes confused with guest access, so it's important to be clear that these two non-internal access mechanisms are actually quite different. While guest access occurs on a per-user basis (you add one user at a time), when an administrator enables external access it allows you to add all the users of an external domain at the same time to Teams. However, those external users have less access and functionality than an individual who's been added via guest access would have. External access users can chat with your internal users via Teams.

For more reading about external access, and how to implement it if you need to, please review Manage external access in Microsoft Teams.

Teams Policies

Outside of the common policies listed above, there are Teams-specific policies that can and should be configured to manage various Teams functionalities.

Teams and Channels Policies

Teams and channels are two commonly used elements in Microsoft Teams, and there are policies you can put in place to control what users can and cannot do when using teams and channels. While you can create a global team if your organization has 5000 users or fewer, you are likely to find it helpful to have smaller teams and channels for specific purposes, in line with your organizational needs.

Changing the default policy or creating custom policies is recommended, and you can learn more about managing your policies at this link: Manage teams policies in Microsoft Teams.

Messaging Policies

Messaging, or chat, can also be managed through the default global policy, or through custom policies, and this can help your users communicate with one another in a way that's appropriate for your organization. This information can be reviewed at Managing messaging policies in Teams.

Meeting Policies

No discussion of Teams would be complete without planning and implementing policies around Teams meetings. Meetings are an essential component of Teams, allowing people to formally meet and present to many users at once, as well as share content relevant to the meeting. Setting the right policies for your organization around meetings is essential.

Please review Manage meeting policies in Teams for more information.

App Permission Policies

Teams also allows you to use apps in various places, such as channels or personal chats. Having policies around what apps can be added and used, and where, is essential to maintaining a content-rich environment that is also secure.

For more reading about App Permission Policies, check out Manage app permission policies in Microsoft Teams.

Next steps

Learn how to enable conditional access for Exchange Online