MS Teams security

Mar 01, 2023

Everything you need to know about Microsoft Teams security

by Vytenis

Microsoft Teams is a popular collaboration tool that enables teams to chat, share files, hold meetings, and collaborate on projects in real time. As with any communication tool, security is a top concern for organizations using Teams.

MS Teams security features

 

Two-Factor Authentication

 

Passwords are the most popular way to prove your identity when logging in to a computer or online service, but they are also the easiest to hack. Lots of people use simple passwords and use the same one for different computers and services.

Two-factor authentication is a security feature that requires users to provide two forms of identification to access their accounts. Microsoft Teams supports two-factor authentication, which can help prevent unauthorized access to user accounts. Two-factor authentication on MS Teams includes:

  • A text message is sent to a phone that requires the user to type a verification code.
  • A phone call.
  • The Microsoft Authenticator smartphone app.
  • Other methods available with hybrid identity and federated authentication.

End-to-End Encryption

 

In simple terms, MS Teams uses advanced technology like Transport Layer Security (TLS) and Secure Real-Time Transport Protocol (SRTP) to secure all communication by default. You can learn more about the security features by checking out the Security and Microsoft Teams information.

If your IT administrator has enabled E2EE for your team, you can make your one-on-one calls even more confidential. However, both individuals on the call must activate E2EE for it to work. During an E2EE call, Teams secures such features as audio, video, and screen sharing. You will also be able to chat in these calls, but Microsoft 365 secures your chat sessions. Advanced features, such as recording, live captions and transcription, call transfer, or adding a participant, will not be available during the E2EE call.

Data Encryption

 

Data encryption is a security feature that protects sensitive data by converting it into a code that can only be deciphered with a decryption key. Microsoft Teams uses encryption to protect data both in transit and at rest. This means that data shared through Teams is encrypted as it travels over the internet and remains encrypted when stored on Microsoft’s servers.

On one-on-one meetings in Microsoft Teams, you can use end-to-end encryption. End-to-end encryption means that the information is coded before it is sent and can only be decoded by the person who is supposed to receive it. This type of encryption only involves the two people who are communicating, and no one else can access the conversation, not even Microsoft. During an end-to-end encrypted call, Teams secures such features as audio, video, and screen sharing.

Team and Channel Permissions

 

Microsoft Teams allows administrators to set team and channel permissions to control who has access to specific channels and files. This feature enables organizations to limit access to sensitive information to only those who need it, reducing the risk of data breaches. These permissions are essential to control what actions a member can take, and who can access or edit certain content.

Team permissions are the highest level of access, and they determine who can create and manage channels, manage members and guests, and modify team settings. Team owners have full control over these permissions, while members can only create channels and edit their own messages.

On the other hand, channel permissions determine who can access the channel and what actions they can take, such as posting messages, adding tabs, and editing or deleting messages. By default, all members of a team can access all channels, but owners can set specific permissions for each channel to restrict access or control actions.

Team and Channel Permissions help teams to collaborate more effectively and securely by giving the right access to the right people, ensuring that confidential information is only available to authorized members, and preventing unauthorized modifications to important content.

Mobile Device Management

 

Many employees use mobile devices to access Microsoft Teams, which can increase the risk of security breaches. Microsoft Teams supports mobile device management (MDM) to help organizations protect their data by managing and securing mobile devices used to access Teams.

To keep track of the devices used with Microsoft Teams in your organization, you can use the Microsoft Teams admin center. From there, you can see all the devices being used and do things like update, restart, and check diagnostics for the devices. You can even make configuration profiles for individual devices or groups of them.

Advanced Threat Protection

 

Microsoft Teams includes advanced threat protection (ATP) to help protect users against malicious attacks. ATP uses machine learning and other advanced techniques to identify and block potential threats before they can do harm.

Microsoft has solutions such as Office 365 Advanced Threat Protection (ATP), Microsoft Defender Advanced Threat Protection, and Advanced Threat Analytics (ATA). These solutions are made to protect businesses’ data from different types of attacks such as malware. Read more about Microsoft risk management here.

Content Search

 

Content search provides a way to query Microsoft Teams information spanning Exchange, SharePoint Online, and OneDrive for Business. Let’s say you want to search your Manufacturing Specs mailbox and SharePoint site. You can use Content search to look through Teams channel conversations, files that were uploaded or changed in SharePoint Online, and even OneNote edits.

When you send messages in a private channel, everyone in that channel gets a copy of the message in their own mailbox, instead of a group mailbox. The message titles show which private channel they came from. Files in a private channel are managed separately from the rest of the team because each private channel has its own SharePoint site collection.

If you want to search for something in a private channel, you have to search the whole team because MS Teams doesn’t allow searching individual channels. To search a private channel, you need to search the team, the site collection that belongs to the private channel, and the mailboxes of everyone in the private channel.
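The three locations described above can be collected and searched in one pass with the Microsoft Teams, SharePoint Online and Security & Compliance PowerShell modules. This is an added example, not code from the original article; the group ID, URLs, mailbox address, search name and keyword are placeholders to replace with your own values.

```powershell
# Added example: placeholder values, replace before use.
$GroupId     = '00000000-0000-0000-0000-000000000000'                  # placeholder: group ID of the parent team
$AdminUrl    = 'https://contoso-admin.sharepoint.com'                  # placeholder: tenant admin URL
$TeamMailbox = 'manufacturingspecs@contoso.com'                        # placeholder: the team's group mailbox
$TeamSite    = 'https://contoso.sharepoint.com/sites/ManufacturingSpecs' # placeholder: the team's site
$SearchName  = 'PrivateChannelSearch-Example'                          # hypothetical search name
$Keyword     = 'Manufacturing Specs'                                   # sample keyword

Connect-MicrosoftTeams
Connect-SPOService -Url $AdminUrl
Connect-IPPSSession

# 1. Mailboxes of everyone in the team's private channels
#    (private channel messages are copied to each member's own mailbox).
$memberMailboxes = Get-TeamChannel -GroupId $GroupId -MembershipType Private |
    ForEach-Object { Get-TeamChannelUser -GroupId $GroupId -DisplayName $_.DisplayName } |
    Where-Object { $_.User } |
    Select-Object -ExpandProperty User -Unique

# 2. Site collections of private channels that belong to this team.
#    Both private channel site templates are checked.
$channelSites = foreach ($template in 'TEAMCHANNEL#0', 'TEAMCHANNEL#1') {
    Get-SPOSite -Template $template -Limit All | ForEach-Object {
        $detail = Get-SPOSite -Identity $_.Url -Detailed
        if ($detail.RelatedGroupId -eq $GroupId) { $detail.Url }
    }
}

# 3. One content search over the team, the private channel sites
#    and the member mailboxes.
New-ComplianceSearch -Name $SearchName `
    -ExchangeLocation (@($TeamMailbox) + @($memberMailboxes)) `
    -SharePointLocation (@($TeamSite) + @($channelSites)) `
    -ContentMatchQuery "`"$Keyword`""

Start-ComplianceSearch -Identity $SearchName

# The search runs asynchronously; re-run this line until Status is Completed.
Get-ComplianceSearch -Identity $SearchName | Format-List Name, Status, Items, Size
```

Guest members of a private channel have no mailbox in your tenant, so their addresses may need to be removed from the Exchange location list before the search is created.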

Retention Policies

 

Microsoft 365 has tools like retention policies and labels that help you keep track of all the information in your organization. You can use them to keep important data that you need for your organization’s rules, industry standards, or legal needs. You can also use them to get rid of data that is not useful, that you don’t need to keep, or that’s just not valuable.

MS Teams has retention policies for chats and channel messages. So if you’re an admin, you can choose whether to keep, delete, or save messages for a specific time. The clock starts ticking from the moment a message is created. You can use an MS Teams retention policy for everyone in your organization or just for specific people or teams. But MS Teams doesn’t support retention labels.

eDiscovery

 

eDiscovery (electronic discovery) is the process of identifying, collecting, preserving, reviewing, and producing electronically stored information (ESI) in response to a legal request or investigation.

Whenever you have a chat with someone on MS Teams, it gets saved in your own mailbox. If you’re chatting in a standard channel, the messages get saved in the team’s group mailbox. And if you upload files in a standard channel, they’re included in eDiscovery searches for SharePoint Online and OneDrive for Business. Meeting (and call) metadata includes meeting start and end time, duration, meeting join and leave events for each participant, VOIP joins/calls, anonymous joins, federated user joins, and guest user joins. For more information about eDiscovery, read here.

Who can access information?

 

MS Teams also includes shared channels. Simply put, shared channels in Microsoft Teams let you create spaces where you can work with people who aren’t on your team. Microsoft Purview Information Barriers are rules put in place to limit and stop certain people or groups from talking to each other both inside and outside your organization.

You can decide if people can create shared channels, share them with people outside of your company, and join in on shared channels with other companies by making a channel policy. When you create policies for information barriers, Teams checks if the current members of a shared channel and any new members added go against the policies.

MS Teams will not disclose personal information to third parties except if the customer directs (including as required to complete phone calls); as described in the Online Service Terms (such as the use of authorized subcontractors to provide certain components of services); as required by law. If the government gets in touch with Microsoft asking for personal data, Microsoft will try to tell them to ask the customer instead. But if they have to give the data to the government, they’ll let the customer know as soon as they can and show them the demand, unless they’re not allowed to by law.

What kind of issues might you have?

 

Microsoft Teams, like any online service, has some potential security issues that users and organizations should be aware of. Here are some of the security issues related to Microsoft Teams:

  • Unauthorized access. If someone gains unauthorized access to a user’s account, they can access sensitive information, view confidential messages, and even impersonate the user. To prevent that, MS Teams has inbuilt MFA and controls to enforce it on all users.
  • Phishing attacks. Hackers can use phishing emails, chat messages, or calls to trick users into providing login credentials or personal information, or into downloading malicious software. MS Teams has an inbuilt preview type for messages coming from unknown contacts. Also, Microsoft Azure Defenders covers most of the information.
  • Data leaks. If users share sensitive information on Teams, there is a risk that the information could be inadvertently shared or leaked to unauthorized parties. Group and user-level access policies help to prevent such actions.
  • Compliance issues. Organizations need to ensure that Teams usage complies with industry regulations, such as HIPAA or GDPR, and that data is encrypted and securely stored. MS Teams by default is Tier D-compliant. This includes the following standards: HIPAA, ISO 27001, ISO 27018, SSAE16 SOC 1 and SOC 2, and EU Model Clauses (EUMC). Details can be found in the Compliance Framework for Industry Standards and Regulations. Teams also supports Cloud Security Alliance compliance.

To mitigate these risks, organizations can implement security best practices, such as enforcing strong passwords and two-factor authentication, educating users on how to recognize phishing attempts and avoid sharing sensitive information, and implementing security policies and controls to protect data privacy and compliance. Microsoft also provides various security features, such as end-to-end encryption, data loss prevention, and compliance standards, to help organizations secure their Teams usage.

MS Teams apps security

 

The Microsoft 365 App Compliance Program has two steps to ensure app security and compliance. It involves Publisher Verification and Microsoft 365 Certification, which work together in a layered program to give users confidence when using apps in the Microsoft 365 ecosystem.

Publisher Verification helps both admins and users to know if an app developer is genuine and has integrated with the Microsoft identity platform. If an app is marked as publisher verified, it means that the publisher has verified their identity by using a Microsoft Partner Network account that has completed the verification process and associated it with their application registration.

The Microsoft 365 Certification has two phases: Attestation and Certification. Attestation is like filling out a survey about how an app handles security, data, and following rules that are important to customers. All the information is then put in one easy-to-read place, so it’s easier and faster to use apps that meet organizational standards.

Certification is a more detailed check of an app that looks at controls from leading industry frameworks. App developers need to provide proof that they’re meeting these controls before they can be awarded a certification. The goal is to make sure customers can trust apps that have been awarded a Microsoft 365 Certification because they follow strong security and compliance practices to protect their data security and privacy.

All of the Microsoft Teams apps are attested and some of them are certified. You can check if the app is certified on the MS Teams app certification page.

isLucid security on Microsoft Teams

 

isLucid is certified Microsoft Teams software. Before starting to use isLucid on Teams, it is a must to gain approval from Teams admins. This is because there are security requirements from Microsoft to have a confirmation that the person has read all the info that the admin has given the right to run the transcription. The Teams admin’s approval needs to be checked so that the recording policy runs correctly and the app integrations run safely. All of the information from the meeting is available only to those who use isLucid in their company and have attended the meeting.

After the isLucid bot’s registration, the audio stream is sent to the transcription service. The transcription service is enabled only when a user enables the service within the call (clicks Start transcription). After data processing, we do not store any information associated with our clients and/or identified as private. Data processing consists only of doing the transcription, assigning the transcription to a specific user, sending it back to the isLucid Teams application for display, and storing the transcript within the container dedicated to the client.

You own your data. Audio data, once transcribed, is destroyed. We do not store any recordings. This limitation is not negotiable, even if you insist that we do so. It is due to privacy and Microsoft regulations. The transcription result (text information) is again transmitted over the secure (TLS) bridge and is stored in your tenant environment. We do not store transcription results on our side, leaving you with the only copy of the full transcript. MS Teams by default stores attachments for apps (as isLucid is treated) based on the storage and access policy of your organization. These policies generally should be created by your organizational admins. Policies define whether stored call/chat information is accessible only to the participants or to other people within your organization. Like the data, these options are owned by you. Read more about data security on isLucid here.

isLucid for a better meeting management

 

isLucid bridges verbal information with task management software, allowing team members to focus on the discussion and have organized written information. This helps to improve the decision-making process and keep teams aligned. Information from conversations is organized in seconds and stored in any chosen task management platform, CRM or ATS. All the meetings become searchable, sharable, and actionable. By using integrated OpenAI models, notes and tasks are paraphrased and ready to go.

Communication between team members can become clear because of actionable items such as tasks, bookmarks, or meeting minutes. You can also save important meeting information with isLucid and share it with anyone you like – a new employee or someone who did not attend the meeting. This helps to save time on keeping up with all decisions made during the meeting. With isLucid, organize and access all of your meetings at any time – they are stored for an unlimited amount of time. You can go back to a meeting that happened a long time ago and organize it the way you like or share it with your colleagues.

If you are interested in isLucid digital meeting assistant, get it for MS Teams.

You can also book a demo and get a walkthrough: Book a Demo.
