Social distancing and home office have shifted various activities of companies, administrations and private individuals to the Internet. As a result, users are quickly adopting new applications and platforms for online communication and collaboration. Because of the current situation, some of the more popular applications have reached millions of users in a very short time. Interactions that previously took place in the physical world are now carried out on digital platforms whose security is not always known, some of them even have known vulnerabilities. If the security aspects are not adequately considered, adverse effects can easily occur, especially since attacks on these platforms have become increasingly interesting for attackers due to their large number of users.

Microsoft Teams is a solution that combines video conferencing, online meetings, notes and file sharing. Teams is integrated in Microsoft 365 (M365, formerly known as Office 365) and is part of most M365 subscriptions. Teams is one of the most popular applications for virtual meetings, mainly due to the widespread use of M365.

The following sections provide an overview of the most important terms and the possibilities for users and administrators to securely use Teams.

Participant Roles and Types

The meaning of the terms used in connection with teams is unfortunately not always easy to understand intuitively and is sometimes not used consistently in the Microsoft documentation. A summary of the most important terms is therefore helpful.

Participant Roles

For users who organize or participate in Teams meetings, mainly the participant roles are interesting:

• Organizer: The user who creates a meeting is the meeting organizer. Only users with a M365 account (possessing a Teams license) can be organizers and can control all attendee permissions.
• Presenter: A user who is authorized to present information at a meeting. A meeting organizer is by definition also a presenter and determines who else can be a presenter. An organizer can make this determination when a meeting is scheduled or while the meeting is under way.
• Attendee: A user who has been invited to attend a meeting but who is not authorized to act as a presenter.

Participant Types

A distinction is made between the following participant types:

• Users that belong to the tenant: These users have a credential in Azure Active Directory of the tenant of the meeting organizer. This includes invited guest accounts.
• Users that do not belong to the tenant: These users do not have credentials in Azure AD of the organizer tenant and can be divided into the following categories:
  • Federated Users: Federated users have valid credentials with federated partners. Federated users can join meetings and be promoted to presenters after they have joined the meeting, but they can’t create meetings in enterprises with which they are federated.
  • Anonymous Users: Anonymous users do not have an Active Directory identity and are not federated with the tenant of the meeting organizer. Anonymous users may be made moderator once they joined a meeting.

Options for End Users

Many security relevant settings for teams are set centrally by the Teams administrator or the M365 administrator. As a user, you can still take a few precautions to make it difficult for unwanted people to attend the meeting.

Using the Lobby

The creator of a meeting (organizer) can control who can attend Teams meetings directly and who has to wait for admission in the lobby first. After a meeting has been created, the organizer can make settings for the lobby using the meeting options:

If a participant is in the lobby, another participant with the necessary rights must allow the participant to join the meeting. The table below summarizes what the available lobby settings do:

Settings for the Presenter

In addition, it can be defined who in the meeting is allowed to act as presenter. The possibilities of presenters and attendees are the following:

Settings Available to Teams Administrators

Because Teams is closely linked to SharePoint, OneNote, Exchange and other services, the general security of M365 is of particular importance. For example, it is recommended to activate two-factor authentication for all users and to limit the rights of the users to the minimum required. In addition, Teams offers various specific settings for administrators through the Teams Admin Center and in part also in the Teams app. An overview of the security features built into Teams can be found at Microsoft. The most important central settings for Teams administrators are described in the following sections.

Teams Settings

For each defined team, settings for the permissions and for the channels can be made, which should be restricted as much as possible.

Teams Policies

Using Teams policies, various aspects can be centrally defined for meeting users. As with all settings, it is advisable to deactivate features that are not required.

Meeting Settings

The meeting settings allow to define whether anonymous participants are allowed to Teams meetings. If possible, this should be deactivated.

App Permission Policies

Apps can be used within Teams. The app permission policies control which apps are available to Teams users in the organization. Here, too, it is advisable to allow as little as necessary.

Cloud Storage

An administrator can define in the Teams settings which third-party cloud storage services are available to Teams users. These options are made available to the user directly inside the Teams app. It is recommended to disable these options.

Conclusion

Securing teams may seem easy at first, but it can become complex at least for the team administrators, since various settings of M365 and teams overlap and the terms used by Microsoft are not always intuitively understandable. It is therefore essential for administrators to take a close look at the security aspects of M365 and as a consequence also at those of the Azure Active Directory. For users, once again this saying applies: Trust is good, control is better – especially with regard to unexpected meeting participants and the content they share.

About the Author

Tomaso Vasella has a Master in Organic Chemistry at ETH Zürich. He is working in the cybersecurity field since 1999 and worked as a consultant, engineer, auditor and business developer. (ORCID 0000-0002-0216-1268)

Links

• https://docs.microsoft.com/en-us/microsoftteams/enable-features-office-365
• https://docs.microsoft.com/en-us/microsoftteams/teams-policies
• https://docs.microsoft.com/en-us/microsoftteams/teams-security-guide
• https://docs.microsoft.com/office365/securitycompliance/tenant-wide-setup-for-increased-security
• https://teams.microsoft.com
• https://www.microsoft.com/en-us/microsoft-365