Policy recommendations for securing Teams chats, groups, and files

Article
10/24/2023

This article describes how to implement the recommended Zero Trust identity and device access policies to protect Microsoft Teams chats, groups, and content such as files and calendars. This guidance builds on the common identity and device access policies, with additional information that's Teams-specific. Because Teams integrates with our other products, also see Policy recommendations for securing SharePoint sites and files and Policy recommendations for securing email.

These recommendations are based on three different tiers of security and protection for Teams that can be applied based on the granularity of your needs: starting point, enterprise, and specialized security. You can learn more about these security tiers and the recommended policies referenced by these recommendations in the Identity and device access configurations.

More recommendations specific to Teams deployment are included in this article to cover specific authentication circumstances, including for users outside your organization. You'll need to follow this guidance for a complete security experience.

Getting started with Teams before other dependent services

You don't need to enable dependent services to get started with Microsoft Teams. These services will all "just work." However, you do need to be prepared to manage the following service-related elements:

Microsoft 365 groups
SharePoint team sites
OneDrive for Business
Exchange mailboxes
Stream videos and Planner plans (if these services are enabled)

Updating common policies to include Teams

To protect chat, groups and content in Teams, the following diagram illustrates which policies to update from the common identity and device access policies. For each policy to update, make sure that Teams and dependent services are included in the assignment of cloud apps.

These services are the dependent services to include in the assignment of cloud apps for Teams:

Microsoft Teams
SharePoint and OneDrive for Business
Exchange Online
Skype for Business Online
Microsoft Stream (meeting recordings)
Microsoft Planner (Planner tasks and plan data)

This table lists the policies that need to be revisited and links to each policy in the common identity and device access policies, which has the wider policy set for all Office applications.

Protection level	Policies	Further information for Teams implementation
Starting point	Require MFA when sign-in risk is medium or high	Be sure Teams and dependent services are included in the list of apps. Teams has Guest Access and External Access rules to consider as well, you'll learn more about these rules later in this article.
	Block clients that don't support modern authentication	Include Teams and dependent services in the assignment of cloud apps.
	High risk users must change password	Forces Teams users to change their password when signing in if high-risk activity is detected for their account. Be sure Teams and dependent services are included in the list of apps.
	Apply APP data protection policies	Be sure Teams and dependent services are included in the list of apps. Update the policy for each platform (iOS, Android, Windows).
Enterprise	Require MFA when sign-in risk is low, medium or high	Teams has Guest Access and External Access rules to consider as well, you'll learn more about these rules later in this article. Include Teams and dependent services in this policy.
	Define device compliance policies	Include Teams and dependent services in this policy.
	Require compliant PCs and mobile devices	Include Teams and dependent services in this policy.
Specialized security	Always require MFA	Regardless of user identity, MFA will be used by your organization. Include Teams and dependent services in this policy.

Teams dependent services architecture

For reference, the following diagram illustrates the services Teams relies on. For more information and illustrations, see Microsoft Teams and related productivity services in Microsoft 365 for IT architects.

Guest and external access for Teams

Microsoft Teams defines the following access types:

Guest access uses a Microsoft Entra B2B account for a guest or external user that can be added as a member of a team and have all permissioned access to the communication and resources of the team.
External access is for an external user that doesn't have a Microsoft Entra B2B account. External access can include invitations and participation in calls, chats, and meetings, but doesn't include team membership and access to the resources of the team.

Conditional Access policies only apply to guest access in Teams because there's a corresponding Microsoft Entra B2B account.

For recommended policies to allow access for guest and external users with a Microsoft Entra B2B account, see Policies for allowing guest and external B2B account access.

Guest access in Teams

In addition to the policies for users who are internal to your business or organization, administrators may enable guest access to allow, on a user-by-user basis, people who are external to your business or organization to access Teams resources and interact with internal people for things like group conversations, chat, and meetings.

For more information about guest access and how to implement it, see Teams guest access.

External access in Teams

External access is sometimes confused with guest access, so it's important to be clear that these two non-internal access mechanisms are different types of access.

External access is a way for Teams users from an entire external domain to find, call, chat, and set up meetings with your users in Teams. Teams administrators configure external access at the organization level. For more information, see Manage external access in Microsoft Teams.

External access users have less access and functionality than an individual who's been added via guest access. For example, external access users can chat with your internal users with Teams but can't access team channels, files, or other resources.

External access doesn't use Microsoft Entra B2B user accounts and therefore doesn't use Conditional Access policies.

Teams policies

Outside of the common policies listed above, there are Teams-specific policies that can and should be configured to manage various Teams functionalities.

Teams and channels policies

Teams and channels are two commonly used elements in Microsoft Teams, and there are policies you can put in place to control what users can and can't do when using teams and channels. While you can create a global team, if your organization has 5000 users or less, you're likely to find it helpful to have smaller teams and channels for specific purposes, in-line with your organizational needs.

Changing the default policy or creating custom policies would be recommended, and you can learn more about managing your policies at this link: Manage teams policies in Microsoft Teams.

Messaging policies

Messaging, or chat, can also be managed through the default global policy, or through custom policies, and this can help your users communicate with one another in a way that's appropriate for your organization. This information can be reviewed at Managing messaging policies in Teams.

Meeting policies

No discussion of Teams would be complete without planning and implementing policies around Teams meetings. Meetings are an essential component of Teams, allowing people to formally meet and present to many users at once, and to share content relevant to the meeting. Setting the right policies for your organization around meetings is essential.

For more information, review Manage meeting policies in Teams.

App permission policies

Teams also allows you to use apps in various places, such as channels or personal chats. Having policies around what apps can be added and used, and where, is essential to maintaining a content-rich environment that is also secure.

For more reading about App Permission Policies, check out Manage app permission policies in Microsoft Teams.

Next steps

Configure Conditional Access policies for: