How to Setup Microsoft Teams Security: Everything You Need to Know

Microsoft Teams has been around since early 2017.  Since then, Microsoft has been busy adding services, features and functionality to the Office 365 suite, including Office 365 Groups, PowerApps, Flow and much more.  Microsoft Azure is also constantly adding new security features, including ways to manage GCC High and other highly regulated government entities.  When it comes to Microsoft Teams security, there can be a lot of questions about how exactly to manage it.  Let’s dive into how to set up Microsoft Teams security.

One Size Does Not Fit All

What works for one company may not work for another company.  Most articles on Teams security must be read carefully to make sure the advice given matches your scenario.  This article takes a more agnostic approach to give you the right questions to ask when setting up security the right way.

Microsoft Teams Data Transmission and Authentication

Microsoft Teams is built within Office 365.  As such, it benefits from the security protections and layers offered within the overall platform.  Microsoft Teams follows the standards of ISO 27001, ISO 27018, SSAE16 SOC 1 and SOC 2, HIPAA, and EU Model Clauses (EUMC).  It can also leverage single sign-on, two-factor authentication and data encryption, among many other goodies.  In short, Microsoft Teams is as safe as you need it to be.  If you need more specifics on Office 365 or need to configure even stronger security parameters, see here.

Microsoft Teams Security Checklist

Whether you are starting new with Microsoft Teams or looking to revisit security for your existing platform, here are the security questions that need to be asked.

Global Teams Management

The very first question to ask is who is going to manage Microsoft Teams for your organization.  This role is crucial in setting up all the features and functionality that come with Teams as well as managing the overall Teams environment.  To globally manage Microsoft Teams, you must be either a Teams Service Administrator or a Global Administrator.

Admin Roles to Manage Microsoft Teams

One of the most frustrating things about being a Microsoft Teams Service Administrator is that you cannot see or manage all the Teams from within Teams.  You must go to https://admin.teams.microsoft.com/ to manage everything, including security.  This frustration may partly be a bias from being able to see and manage sites within SharePoint as a SharePoint site collection administrator.  The situation there is similar, though: a SharePoint site collection admin can only see their own site collection, and only a Microsoft SharePoint Service Administrator can see everything from within the SharePoint admin console.

External Guest Access

Will your company be allowing external access in the short or long term?  External access means that people with email addresses outside your company's domain (meaning not mike@yourcompany.com) can access Microsoft Teams as a guest.

Guests have some limitations compared to Team members.  Primarily, guests cannot:

  • Use OneDrive for Business
  • Search for people not in Teams
  • Use a calendar to schedule meetings
  • View the organizational chart
  • Create or configure a Team
  • Search for Teams
  • Upload files directly in a Chat
  • Add Apps
  • Manage Security

By default, guest access is not enabled within Microsoft Teams.  If you do want to enable guest access, you must be either a Teams Service Administrator or a Global Administrator.

To enable Microsoft Teams Guest Access:

  1. Go here: https://admin.teams.microsoft.com/
  2. On the left-hand menu, click Org-wide settings, then Guest Access
  3. Once you enable guest access in Teams, the following features can be configured on or off for guests:
    1. Making private calls
    2. Using IP video
    3. The default screen sharing mode
    4. Ability to start an instant meeting using Meet Now
    5. Edit or delete sent messages
    6. Ability to use Chat
    7. Using GIFs in conversations as well as how safe/mature you want GIFs to be
    8. Using memes or stickers in conversations
    9. Allowing immersive reader
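
The same org-wide guest settings can be read from PowerShell and compared with a written baseline, which makes drift visible after someone changes a toggle in the admin center. This is an added example, not part of the original article; it assumes the MicrosoftTeams PowerShell module, and the baseline values are illustrative choices, not recommendations from the article.

```powershell
# Added example: read-only audit of the org-wide guest settings listed above.
# Assumes the MicrosoftTeams module is installed and the signed-in account is
# a Teams Service Administrator or Global Administrator.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams | Out-Null

# Baseline values are assumptions for illustration; replace with your own policy.
$baseline = @(
    @{ Source = 'Client';    Setting = 'AllowGuestUser';         Expected = $true }
    @{ Source = 'Calling';   Setting = 'AllowPrivateCalling';    Expected = $false }
    @{ Source = 'Meeting';   Setting = 'AllowIPVideo';           Expected = $true }
    @{ Source = 'Meeting';   Setting = 'ScreenSharingMode';      Expected = 'SingleApplication' }
    @{ Source = 'Meeting';   Setting = 'AllowMeetNow';           Expected = $false }
    @{ Source = 'Messaging'; Setting = 'AllowUserEditMessage';   Expected = $true }
    @{ Source = 'Messaging'; Setting = 'AllowUserDeleteMessage'; Expected = $false }
    @{ Source = 'Messaging'; Setting = 'AllowUserChat';          Expected = $true }
    @{ Source = 'Messaging'; Setting = 'AllowGiphy';             Expected = $true }
    @{ Source = 'Messaging'; Setting = 'GiphyRatingType';        Expected = 'Strict' }
    @{ Source = 'Messaging'; Setting = 'AllowMemes';             Expected = $false }
    @{ Source = 'Messaging'; Setting = 'AllowStickers';          Expected = $false }
    @{ Source = 'Messaging'; Setting = 'AllowImmersiveReader';   Expected = $true }
)

# Each cmdlet returns the tenant-wide (Global) configuration object.
$current = @{
    Client    = Get-CsTeamsClientConfiguration -Identity Global
    Calling   = Get-CsTeamsGuestCallingConfiguration -Identity Global
    Meeting   = Get-CsTeamsGuestMeetingConfiguration -Identity Global
    Messaging = Get-CsTeamsGuestMessagingConfiguration -Identity Global
}

# Compare as strings so booleans and enum values are handled the same way.
$report = foreach ($item in $baseline) {
    $actual = $current[$item.Source].($item.Setting)
    [pscustomobject]@{
        Source   = $item.Source
        Setting  = $item.Setting
        Expected = $item.Expected
        Actual   = $actual
        Drift    = ("$actual" -ne "$($item.Expected)")
    }
}

$report | Format-Table -AutoSize
# Settings that differ from the baseline:
$report | Where-Object Drift | Format-Table -AutoSize
```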

Full Microsoft Teams Guest Boundaries: Click Here

Microsoft Teams Guest Access Details: Click to Read More

External Access, Technically Speaking

While you might be thinking external access is people outside your company, this type of external access is called guest access in Microsoft Teams.  External Access within Microsoft Teams has a different technical meaning.

External Access allows an entire domain to use chat and calls with your Teams.  For instance, if you are mary@contoso.com and you want all users with an @acme.com email address to be able to chat and call within your Teams, then this is External Access.

By default, all external domains can chat within Microsoft Teams.  You can, however, allow and restrict specific domains on a case-by-case basis if you do not want to allow chatting with specific users.

External Access Users are currently much more restricted than Guest Users within Teams.  It is strictly for calls and chat.  Meetings, messages, file sharing and more cannot be done if you only have external access enabled.  External Access is for chat or calling only.

See Microsoft Teams Guest Users vs External Users: Click Here

If you do want to configure external access domains, you must be either a Teams Service Administrator or a Global Administrator.  To Allow or Block Domains within Microsoft Teams External Access:

  1. Go here: https://admin.teams.microsoft.com/
  2. On the left-hand menu, click Org-wide settings, then External Access
  3. Enable ‘Users can communicate with Skype for Business and Teams users’
  4. Click ‘Add a domain’ and add the external domain you wish to allow or block. For example, acme.com
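
The allow-or-block choice above can also be made from PowerShell, where the previous state is easy to record before it changes. This is an added example, not part of the original article; it assumes the MicrosoftTeams PowerShell module and uses acme.com, the article's example domain. Setting an allow list means every domain not on it can no longer chat or call with your users.

```powershell
# Added example: restrict external access (federation) to named partner domains.
# Assumes the MicrosoftTeams module is installed and the signed-in account is
# a Teams Service Administrator or Global Administrator.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams | Out-Null

# Record the current state first so the change can be reviewed or rolled back.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains |
    Format-List

# acme.com is the article's example; list your real partner domains here.
$partners = @('acme.com')

# Build one domain pattern per partner and wrap them in an allow list.
$patterns  = foreach ($domain in $partners) {
    New-CsEdgeDomainPattern -Domain $domain
}
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns

# Keep external access on, but only for the domains in the allow list.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
    -AllowedDomains $allowList

# Confirm the result.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains |
    Format-List
```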

Members or Admins

When adding internal users to Teams, you may want to make certain people Members or Admins, depending on their role within the Team.  The biggest differences are that admins can create, edit or delete Teams as well as manage security.  For some companies it is beneficial to allow free-flowing Team management and security management so as not to bottleneck those processes.  For other companies, particularly ones that are more regulated, it may be worthwhile to have a very limited number of Teams Owners.

Full Comparison Microsoft Teams Admin vs Member: Click Here

Private Channels in Microsoft Teams

Private Microsoft Teams Channels, or Teams with different permissions between channels, is the #1 most requested feature since Teams was introduced, with 20,000 votes and constantly growing.  So why hasn’t this been added yet?  This comes down to how security is managed within Office 365.  Read on to learn more about how security is currently managed.  That said, the feature is now in preview mode (testing) and hopefully will be available soon!

How Microsoft Teams Security Works

When you create a new Microsoft Team, it also creates an Office 365 Group.  If you go here: https://admin.microsoft.com/AdminPortal/Home#/groups and search for your Microsoft Team name, you will see the members within that Office 365 Group match the users within your Microsoft Team.  That Office 365 Group controls security across all features and functionality within the Microsoft Team.  This means in order to create private channels within Microsoft Teams, Microsoft must figure out how to redo the underlying security of Microsoft Teams without… well… breaking Microsoft Teams.  Yikes.