Overview of Microsoft Teams
Microsoft Teams is an online collaboration platform that empowers team members to work together seamlessly and productively. A part of the Office 365 suite, Microsoft Teams runs on Windows, Mac, Linux, iOS and Android, enabling remote communication across virtually every desktop and mobile device.
Teams offers the following main features and services:
- Chat — This function allows users to send private messages to each other and attach files to messaging threads. OneDrive for Business serves as the underlying mechanism for file sharing in chats.
- Teams — This tab lets users create teams or join existing teams to start group collaboration and conversations in team channels. When a user creates a team, they essentially create an Office 365 Group on the backend.
- Calendar — This service syncs with users’ Outlook calendars so they can schedule meetings and plan out projects.
- Calls — This tab lets users initiate and receive peer-to-peer voice and video communications. Calls is built on the Skype framework, and in fact, many companies are replacing Skype for Business with Microsoft Teams as their enterprise communications platform.
Concerns About Microsoft Teams Security
Microsoft Teams is a powerful tool for supporting cross-functional and even cross-organizational collaboration, but its openness introduces concerns about unfettered file and data sharing between an unlimited number of users. In particular, the following features and concerns present security challenges for IT professionals.
- Guest access — The guest access feature enables team owners to invite parties from outside the organization to participate in team activities. Guests have full access to team channels, chats, shared files and meetings. Beyond the requirement that guests have a business or consumer email account, there are no restrictions or vetting procedures to govern who can or cannot receive guest access privileges. This raises obvious concerns about how easily sensitive or proprietary data can be exposed to entities outside the organization.
- Permissions model — To promote agile, self-organizing collaboration between individuals from different functional groups, Microsoft intentionally designed Teams with an open permissions model:
- Any user can become a team owner by creating a team and inviting other users to join it.
- Every team member has full access to all the data on the team’s public channels, including chat messages, meeting content and shared files. They can share files and create new channels.
- Any guest from outside the organization can share files and even create new channels within the team.
It’s easy to see how quickly this permissions model can lead to a data-sharing environment that’s great for collaboration but a headache for IT to track and control.
- App management — Users can extend the capabilities of team channels by adding apps, which can take the form of custom tabs, bots or connectors. An app lets users in a channel get content and updates directly from their favorite third-party services, such as Trello and GitHub. However, these apps often request (or even require) users to allow them to access their data, which opens the door to improper transfer of company information to external third parties. With so many partners eager to publish their productivity apps in the Teams store, IT now has an additional security concern to monitor and manage.
- Data lifecycle management — The Teams ethos of open communications and file sharing runs counter to the practices of secure data governance, which has strict protocols for the collection, usage, retention and removal of sensitive information. In addition, security and compliance standards like HIPAA and PCI DSS mandate data governance measures such as enterprise-wide labeling, oversight and tracking of content, as well as appropriate handling of data that has expired or changed classification. It’s challenging to impose this level of control on the dispersed ecosystem of chat messages and data files circulating through Teams.
- Data leakage — Without adequate security enforcement, a Teams user can deliberately or accidentally share confidential information with unauthorized recipients, which can put the company’s intellectual property, compliance status and reputation at risk. In addition, because Teams is a SaaS platform that sends and receives packets through the cloud, there is a risk that malware or bad actors will intercept files in transit and use them for malicious ends.
Security Basics of Microsoft Teams
Fortunately, Teams benefits from its integration with key elements of the Microsoft security framework:
- The file-sharing experience is powered by SharePoint.
- Team conversations are stored in a dedicated group mailbox in Exchange Online.
- Azure Active Directory (Azure AD) stores and manages team data and membership. It also manages user authentication for the Teams platform as a whole.
Before you make Teams generally available to your organization, be sure to review and configure the following:
- Authentication setup in Azure AD for user logins to Teams
- Global security settings in Office 365 — many settings carry over to Teams or to SharePoint, OneDrive and Exchange, which work in tandem with Teams
MS Teams Chat Privacy
While Microsoft Teams makes it much easier for people to work together over long distances, it doesn’t remove the need for oversight. That’s why it offers built-in monitoring capabilities.
MS Teams Communication Monitoring
Microsoft Teams chat monitoring allows administrators to set up keyword alerts to be notified whenever a particular word is used. In large organizations, this functionality can help administrators respond to problems more quickly. However, outside of keyword alerts, administrators have to manually monitor communications.
Each organization can design its own Microsoft Teams chat monitoring policy to fit its business and security needs. Administrators can choose to use a Microsoft-provided template, such as one designed for monitoring communications for sensitive information, or create a monitoring policy from scratch. They will need to decide which users and channels will be monitored, what data to collect, and who can check the monitored channels. The policy determines the level of MS Teams chat privacy for the organization.
Monitoring work chats is valuable for several reasons. In particular, it allows you to:
- Enforce corporate policies about work-appropriate conversations.
- Perform risk management by tracking secure, sensitive, and offensive keywords.
- Maintain regulatory compliance by upholding confidentiality and equity.
Microsoft Teams Administrator Roles
There are many administrator roles in MS Teams. Here are a few of the main ones related to communication compliance and the rights they confer:
- Communication compliance admins — Can configure communication compliance policies, including role group assignments, but can’t view message alerts
- Communication compliance investigators — Can read all messages and their metadata, and flag messages for review in investigations
- Communication compliance analysts — Can see message metadata but not the messages themselves
- Communication compliance viewer – Can manage all communication reports
MS Teams Activity Report
Administrators can also check on user activity in Teams through the Teams Activity Report. It allows reviewing activities both for the whole organization and for individual users. The report is available to global admins, product-specific admins (Exchange and SharePoint admins), and users with the “report reader” role.
This report collects information like:
- The number of planned and unplanned meetings a user has organized and attended
- Minutes of screen, audio, and video use while logged into Teams
- Chat communication statistics, such as the number of keys hit per minute
Using Private Channels in MS Teams
For users who want both collaboration and confidentiality, Teams offers private channels. These channels send all messages to the personal inboxes of the participants; guests and team members who are not included cannot read the messages.
Administrators can monitor private channels for keywords by specifically including them in eDiscovery. However, private channels do not yet have full compliance and security support.
Supervised Chats in MS Teams
Supervised chat is a feature that prevents most users from initiating private chats unless designated users are included. It’s designed to be used by educational institutions to prevent students from beginning private chats without a teacher present. However, it can be used in any environment.
Once supervised chat is fully enabled, new private chats can be initiated only when a designated supervising user is involved. The supervisor cannot be removed or leave the conversation. This ensures that all discussions are secure and monitored more heavily than with simple keyword alerts — while still permitting MS Teams chat privacy.
Security Tips for Microsoft Teams
In addition, you can bolster Microsoft Teams security by using a combination of built-in features and third-party tools. Here are five best practices that will help you roll out a secure deployment of Teams to your organization.
1. Set up app management.
Apps in the Teams store fall under one of three categories:
- Built-in apps provided by Microsoft
- Apps built by third parties
- Custom-built internal apps
Consider restricting the use of certain apps based on their source and how they handle data:
- To control which apps to block or make available to your organization, use the settings on the Manage apps page in the Teams admin center.
- You can also use app permission policies to block or make certain apps available to specific sets of users.
2. Establish global Teams management.
By default, any user with a mailbox in Exchange Online can create a team and become a team owner. If you want to limit the number of users with this privilege, consider creating an Office 365 group whose users have exclusive permissions to create new groups and, by extension, new teams.
Also configure the global Teams settings for your organization — you can specify organization-wide preferences such as:
- Whether users can communicate with individuals outside the organization
- Whether to enable file sharing and cloud storage capabilities
- Authentication requirements for accessing meeting content
As part of employee training, educate your users about the capability to create private channels, which are restricted to a selected subset of team members. If some team members want to collaborate on confidential content, they should create a private channel instead of a standard channel that all members and guests can access. However, keep in mind that at the time of this writing, Microsoft does not yet offer full security and compliance support for content in private channels.
3. Set up secure guest access.
You can use the Guest access settings in the Teams admin center to configure the level of access granted to guest users. For maximum security, you can leave guest access disabled by default. Or you can turn on guest access but disable certain privileges like screen sharing or peer-to-peer calls.
4. Build an information protection architecture.
Setting up an information protection architecture is critical not only for preventing data leakage but also for meeting compliance and litigation requirements.
Your Teams data resides in an assigned geographic region of the Azure cloud infrastructure, depending on your organization’s Office 365 tenant. Since different regions may follow different data security standards, it’s a good idea to make sure that the location of your Teams data is appropriate for your business requirements.
Use the following out-of-the-box and third-party tools to establish information management in Teams so that your data stays trackable, protected, and compliant.
- Electronic Discovery and legal hold — Electronic Discovery (eDiscovery) is an Office 365 tool that lets you create and manage eDiscovery cases to comply with legal You can assign members with specialized permissions to an eDiscovery case and define the parameters of a search query for content relevant to an investigation.
To preserve crucial evidence, you can place the contents of a user mailbox or team mailbox on a legal hold. The hold ensures that immutable copies of the content will remain available through eDiscovery search even if the original content is altered in Teams.
- Content search — Office 365 provides content search capabilities with rich filters to search through all your Teams data for target content. For example, you can use the search tool to find content associated with a compliance standard. Or you can perform a content search as part of an eDiscovery workflow to gather legal evidence.
- Data retention policies— You can create retention policies that specify when to keep Teams data to stay compliant with business, regulatory or litigation requirements. You can also use retention policies to direct the removal of data that no longer needs to be retained.
- Advanced Threat Protection (ATP) — This feature that detects and blocks user access to malicious content in Teams. ATP also wards off malicious files in SharePoint and OneDrive for Business, the platforms that power the file-storage and file-sharing services in Teams. Make sure that you turn on ATP for SharePoint, OneDrive and Teams.
- Data loss prevention (DLP) — You can set up DLP policies that automatically block unauthorized users from sharing sensitive data in a Teams channel or private chat. Use DLP policies to enforce secure user behavior in Teams and prevent data breaches.
- Backups — Configure automatic backups of all your Office 365 data to OneDrive or an on-premises storage drive.
- Automated information labeling — To ensure that your DLP policy actions are applied correctly, you need to accurately classify and label the data shared in Teams, which requires an automated data discovery and classification solution that ensures high precision in classification.
Netwrix Data Classification offers robust data classification technology to ensure that sensitive information in Teams is accurately and systematically tagged. Netwrix Data Classification let you control the use of tags so that sensitive files receive the correct classification. You can also apply workflows to remove tags from files whose sensitivity level has expired so that Teams users can access the files again without business disruption.
5. Audit user activity.
You can use Microsoft’s Supervision policies to monitor chats and team channels. You can also monitor usage through various built-in reports and functionality:
- Go to Analytics & reports in the Microsoft Teams admin center.
- Go to Reports > Usage in the Microsoft 365 admin center.
- Use Microsoft 365 usage analytics in Power BI.
To get even more insight into activity in Teams, use a solution like Netwrix Auditor. Netwrix Auditor provides comprehensive and detailed monitoring of events and activities, including:
- User logins to Teams
- Membership and changes to teams
- All data manipulations around the data exchanged in both regular and private conversations in Teams
- Permissions to data and changes to those permissions
- Installation of applications in Teams
FAQ
Is Microsoft Teams secure?
Teams is a Tier D service, meaning that it is compliant with the EU Model Clauses (EUMC), HIPAA, ISO 27001, ISO 27018, and SSAE 16 SOC 1 and SOC 2 standards.
In addition, Teams is backed by Azure AD, which offers security controls such as single sign-on and two-factor authentication.
Is data in Microsoft Teams encrypted?
Microsoft Teams does not yet support end-to-end encryption. Data is encrypted in transit, at every stage of the data journey, and at rest. Intermediate services can decrypt content when needed, for example, to store data in retention records.
At-rest files are stored in SharePoint using SharePoint encryption. Notes are stored in OneNote using OneNote encryption. Chat content is encrypted in transit and at rest.
If you’re concerned about data security at mobile endpoints, the Microsoft Teams mobile client supports App Protection Policies from Microsoft Intune.
What protocols does Microsoft Teams use?
Microsoft Teams uses the following protocols:
- 264 for video
- ICE to establish media
- MNP24 for signaling
- OPUS for meetings
- SILK for peer-to-peer and voice calls
- VBSS for desktop sharing
Can activity in Microsoft Teams be monitored?
Yes. You can use the following out-of-the-box features to monitor activity and usage in Teams:
- Supervision policies
- Analytics & reports in the Microsoft Teams admin center
- Reports > Usage in the Microsoft 365 admin center
- Microsoft 365 usage analytics in Power BI
You can also use Netwrix Auditor to monitor logins, membership, permissions and data access in Teams.