Configure teams with baseline protection
In this article, we look at how to deploy teams with a baseline level of protection. This level allows users a wide range of options for collaboration while enhancing permissions management and providing basic protection against oversharing. Recommended protections for this level include identity and device access policies and protection against malware. Additionally, you can apply conditional access policies and data loss protections as needed.
As a first step, we recommend that you configure basic identity and device-access policies. See Policy recommendations for securing Teams chats, groups, and files for details.
We also recommend turning on basic Defender for Office 365 features to guard against malware in documents, attachments, and links. We recommend turning on each of the options in the following table.
|Safe Attachments for SPO, OneDrive and Teams||Safe Attachments|
|Safe Documents||Safe Documents in Microsoft Defender for Office 365|
|Safe Links for Teams||Office 365 Safe Links in Teams|
Teams guest sharing
In each of the tiers, we have the option of sharing with people outside your organization. For the sensitive and highly sensitive tiers, we will have the option to turn guest sharing off at the team level by using sensitivity labels. But the organization-level guest sharing setting must be turned on for guest sharing to work at all in Teams.
To set Teams guest access settings
- Log in to the Microsoft 365 admin center at https://admin.microsoft.com.
- In the left navigation, click Show all.
- Under Admin centers, click Teams.
- In the Teams admin center, in the left navigation, expand Org-wide settings and click Guest access.
- Ensure that Allow guest access in Teams is set to On.
- Make any desired changes to the additional guest settings, and then click Save.
It may take up to twenty-four hours for the Teams guest setting to become active after you turn it on.
Guest sharing is turned on by default for Office 365 groups and SharePoint, however if you have previously changed any of the guest sharing settings for your organization, we recommend that you review Collaborate with guests in a team to ensure that guest sharing will be available in Teams.
Site and file sharing
To reduce the risk of accidentally sharing files or folders with people outside your organization, we recommend changing the default sharing link for SharePoint to Only people in your organization. (If users need to share externally, and you have enabled guest sharing, they can still change the link type when they share.)
To change the default sharing link
- Open the SharePoint admin center.
- Under Policies, click Sharing.
- Under File and folder links, select Only people in your organization.
- Click Save.
For the best guest sharing experience, we also recommend that you enable SharePoint and OneDrive integration with Azure AD B2B.
Create a team
Additional configuration for the baseline level of protection is done in the SharePoint site associated with a team. Create a public or private team before proceeding to the next section.
Site sharing settings
By default, members of a SharePoint site can invite others to the site. When a site is part of a team, team members are included as site members. However, people added directly to the site don't have access to the rest of the team. For this reason, we recommend managing permissions exclusively through the team.
To help with permissions management, we recommend configuring the associated site to only allow owners to share the site by itself. This simplifies permissions management and helps prevent access by people without a team owner's knowledge. Do this for each team that requires baseline protection.
To update the site sharing settings
- In the tool bar for the team, click Files.
- Click Open in SharePoint.
- In the tool bar of the SharePoint site, click the settings icon, and then click Site permissions.
- In the Site permissions pane, under Site sharing, click Change how members can share.
- Under Sharing permissions, choose Site owners and members, and people with Edit permissions can share files and folders, but only site owners can share the site, and then click Save.
Microsoft 365 offers additional methods for securing your content. Consider if the following options would help improve security for your organization.
- Configure a session timeout policy for guests.
- Create sensitive information types and use data loss protection to set policies around accessing sensitive information.