Microsoft Teams
Description
Secure Cloud Business Applications Minimum Viable Secure Configuration Baselines
CISA M365 Security Configuration Baseline for Teams
Microsoft 365 (M365) Teams is a cloud-based text and live chat workspace that supports video calls, chat messaging, screen sharing, and file sharing. This secure configuration baseline (SCB) provides specific policies to strengthen Microsoft Teams' security.
The Secure Cloud Business Applications (SCuBA) project run by the Cybersecurity and Infrastructure Security Agency (CISA) provides guidance and capabilities to secure federal civilian executive branch (FCEB) agencies' cloud business application environments and protect federal information that is created, accessed, shared, and stored in those environments.
The CISA SCuBA SCBs for M365 help secure federal information assets stored within M365 cloud business application environments through consistent, effective, and manageable security configurations. CISA created baselines tailored to the federal government’s threats and risk tolerance with the knowledge that every organization has different threat models and risk tolerance. While use of these baselines will be mandatory for civilian Federal Government agencies, organizations outside of the Federal Government may also find these baselines to be useful references to help reduce risks.
For non-Federal users, the information in this document is being provided “as is” for INFORMATIONAL PURPOSES ONLY. CISA does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial entities or commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoritism by CISA. Without limiting the generality of the foregoing, some controls and settings are not available in all products; CISA has no control over vendor changes to products offerings or features. Accordingly, these SCuBA SCBs for M365 may not be applicable to the products available to you. This document does not address, ensure compliance with, or supersede any law, regulation, or other authority. Entities are responsible for complying with any recordkeeping, privacy, and other laws that may apply to the use of technology. This document is not intended to, and does not, create any right or benefit for anyone against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person
License Compliance and Copyright
Portions of this document are adapted from documents in Microsoft's M365 and Azure GitHub repositories. The respective documents are subject to copyright and are adapted under the terms of the Creative Commons Attribution 4.0 International license. Source documents are linked throughout this document. The United States government has adapted selections of these documents to develop innovative and scalable configuration standards to strengthen the security of widely used cloud-based software services.
Assumptions
The License Requirements sections of this document assume the organization is using an M365 E3 or G3 license level at a minimum. Therefore, only licenses not included in E3/G3 are listed.
Key Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.
Access to Teams can be controlled by the user type. In this baseline, the types of users are defined as follows:
- Internal users: Members of the agency's M365 tenant.
- External users: Members of a different M365 tenant.
- Business to Business (B2B) guest users: External users who are formally invited to collaborate with the team and added to the agency's Microsoft Entra ID as guest users. These users authenticate with their home organization/tenant and are granted access to the team by virtue of being listed as guest users on the tenant's Microsoft Entra ID.
- Unmanaged users: Users who are not members of any M365 tenant or organization (e.g., personal Microsoft accounts).
- Anonymous users: Teams users joining calls who are not authenticated through the agency's tenant; these users include unmanaged users, external users (except for B2B guests), and true anonymous users (i.e., users who are not logged in to any Microsoft or organization account, such as dial-in users1).
This section helps reduce security risks posed by the external participants during meetings. In this instance, the term "external participants" includes external users, B2B guest users, unmanaged users, and anonymous users.
This section helps reduce security risks related to the user permissions for recording Teams meetings and events. These policies and user permissions apply to meetings hosted by a user, as well as during one-on-one calls and group calls started by a user. Agencies should comply with any other applicable policies or legislation in addition to this guidance.
Policies
- MS.TEAMS.1.1v1
-
External meeting participants SHOULD NOT be enabled to request control of shared desktops or windows.
- Rationale: An external participant with control of a shared screen could potentially perform unauthorized actions on the shared screen. This policy reduces that risk by removing an external participant’s ability to request control. However, if an agency has a legitimate use case to grant this control, it may be done on a case-by-case basis.
- Last modified: August 2024
- Note: This policy applies to the Global (Org-wide default) meeting policy, as well as custom meeting policies.
- MITRE ATT&CK TTP Mapping:
- None
- MS.TEAMS.1.2v1
-
Anonymous users SHALL NOT be enabled to start meetings.
- Rationale: For agencies that implemented custom policies providing more flexibility to some users to automatically admit “everyone” to a meeting, this policy provides protection from anonymous users starting meeting to scrape internal contacts.
- Last modified: August 2024
- Note: This policy applies to the Global (Org-wide default) meeting policy, and custom meeting policies if they exist.
- MITRE ATT&CK TTP Mapping:
- MS.TEAMS.1.3v1
-
Anonymous users and dial-in callers SHOULD NOT be admitted automatically.
- Rationale: Automatically allowing admittance to anonymous and dial-in users diminishes control of meeting participation and invites potential data breach. This policy reduces that risk by requiring all anonymous and dial-in users to wait in a lobby until admitted by an authorized meeting participant. If the agency has a use case to admit members of specific trusted organizations and/or B2B guests automatically, custom policies may be created and assigned to authorized meeting organizers.
- Last modified: August 2024
- Note: This policy applies to the Global (Org-wide default) meeting policy. Custom meeting policies MAY be created to allow specific users more flexibility. For example, B2B guest users and trusted partner members may be admitted automatically into meetings organized by authorized users.
- MITRE ATT&CK TTP Mapping:
- None
- MS.TEAMS.1.4v1
-
Internal users SHOULD be admitted automatically.
- Rationale: Requiring internal users to wait in the lobby for explicit admission can lead to admit fatigue. This policy enables internal users to be automatically admitted to the meeting through global policy.
- Last modified: August 2024
- Note: This policy applies to the Global (Org-wide default) meeting policy. Custom meeting policies MAY be created to allow specific users more flexibility.
- MITRE ATT&CK TTP Mapping:
- None
- MS.TEAMS.1.5v1
-
Dial-in users SHOULD NOT be enabled to bypass the lobby.
- Rationale: Automatically admitting dial-in users reduces control over who can participate in a meeting and increases potential for data breaches. This policy reduces the risk by requiring all dial-in users to wait in a lobby until they are admitted by an authorized meeting participant.
- Last modified: August 2024
- Note: This policy applies to the Global (Org-wide default) meeting policy, as well as custom meeting policies.
- MITRE ATT&CK TTP Mapping:
- None
- MS.TEAMS.1.6v1
-
Meeting recording SHOULD be disabled.
- Rationale: Allowing any user to record a Teams meeting or group call may lead to unauthorized disclosure of shared information, including audio, video, and shared screens. By disabling the meeting recording setting in the Global (Org-wide default) meeting policy, an agency limits information exposure.
- Last modified: August 2024
- Note: This policy applies to the Global (Org-wide default) meeting policy, as well as custom meeting policies. Custom policies MAY be created to allow more flexibility for specific users.
- MITRE ATT&CK TTP Mapping:
- None
- MS.TEAMS.1.7v1
-
Record an event SHOULD be set to Organizer can record.
- Rationale: The security risk of the default settings for Live Events is Live Events can be recorded by all participants by default. Limiting recording permissions to only the organizer minimizes the security risk to the organizer’s discretion for these Live Events.
- Last modified: August 2024
- Note: This policy applies to the Global (Org-wide default) meeting policy, as well as custom meeting policies. Custom policies MAY be created to allow more flexibility for specific users.
- MITRE ATT&CK TTP Mapping:
- None
Resources
- Manage who can present and request control in Microsoft Teams | Microsoft Learn
- Meeting policy settings | Microsoft Learn
- Teams cloud meeting recording | Microsoft Learn
- Assign policies in Teams – getting started | Microsoft Learn
- Live Event Recording Policies | Microsoft Learn
License Requirements
- None
Implementation
- MS.TEAMS.1.1v1 Instructions
-
To help ensure external participants do not have the ability to request control of the shared desktop or window in the meeting:
- Sign in to the Microsoft Teams admin center.
- Select Meetings > Meeting policies.
- Select the Global (Org-wide default) policy.
- Under the Content sharing section, set External participants can give or request control to Off.
- If custom policies were created, repeat these steps for each policy, selecting the appropriate policy in step 3.
- MS.TEAMS.1.2v1 Instructions
-
To configure settings for anonymous users:
- Sign in to the Microsoft Teams admin center.
- Select Meetings > Meeting policies.
- Select the Global (Org-wide default) policy.
- Under the Meeting join & lobby section, set Anonymous users and dial-in callers can start a meeting to Off.
- If custom policies were created, repeat these steps for each policy, selecting the appropriate policy in step 3.
- MS.TEAMS.1.3v1 Instructions
-
- Sign in to the Microsoft Teams admin center.
- Select Meetings > Meeting policies.
- Select the Global (Org-wide default) policy.
- Under the Meeting join & lobby section, ensure Who can bypass the lobby is not set to Everyone. Bypassing the lobby should be set to People in my org, though other options may be used if needed.
- In the same section, set People dialing in can bypass the lobby to Off.
- MS.TEAMS.1.4v1 Instructions
-
- Sign in to the Microsoft Teams admin center.
- Select Meetings > Meeting policies.
- Select the Global (Org-wide default) policy.
- Under the Meeting join & lobby section, ensure Who can bypass the lobby is set to People in my org.
- In the same section, set People dialing in can bypass the lobby to Off.
- MS.TEAMS.1.5v1 Instructions
-
- Sign in to the Microsoft Teams admin center.
- Select Meetings > Meeting policies.
- Select the Global (Org-wide default) policy.
- Under the Meeting join & lobby section, set People dialing in can bypass the lobby to Off.
- MS.TEAMS.1.6v1 Instructions
-
- Sign in to the Microsoft Teams admin center.
- Select Meetings > Meeting policies.
- Select the Global (Org-wide default) policy.
- Under the Recording & transcription section, set Meeting recording to Off.
- Select Save.
- MS.TEAMS.1.7v1 Instructions
-
- Sign in to the Microsoft Teams admin center.
- Select Meetings > Live events policies.
- Select Global (Org-wide default) policy.
- Set Record an event to Organizer can record.
- Click Save.
- If custom policies were created, repeat these steps for each policy, selecting the appropriate policy in step 3.
This section helps reduce security risks related to external and unmanaged user access. In this instance, external users refer to members of a different M365 tenant, and unmanaged users refer to users who are not members of any M365 tenant or organization.
External access allows external users to look up internal users by their email address to initiate chats and calls entirely within Teams. Blocking external access prevents external users from using Teams as an avenue for reconnaissance or phishing. Even with external access disabled, external users will still be able to join Teams calls, assuming anonymous join is enabled. Depending on agency need, if both external access and anonymous join are blocked—neither required nor recommended by this baseline—external collaborators would only be able to attend meetings if added as B2B guest users.
External access may be granted on a per-domain basis. This may be desirable in some cases (e.g., for agency-to-agency collaboration). See the Chief Information Officer Council's Interagency Collaboration Program Office of Management and Budget MA site for a list of .gov domains for sharing.
Similar to external users, blocking contact with unmanaged Teams users prevents these users from looking up internal users by their email address and initiating chats and calls within Teams. These users would still be able to join calls, assuming anonymous join is enabled. Additionally, unmanaged users may be added to Teams chats if the internal user initiates the contact.
Policies
- MS.TEAMS.2.1v1
-
External access for users SHALL only be enabled on a per-domain basis.
- Rationale: The default configuration allows members to communicate with all external users with similar access permissions. This unrestricted access can lead to data breaches and other security threats. This policy provides protection against threats posed by unrestricted access by allowing communication with only trusted domains.
- Last modified: August 2024
- MITRE ATT&CK TTP Mapping:
- MS.TEAMS.2.2v1
-
Unmanaged users SHALL NOT be enabled to initiate contact with internal users.
- Rationale: Allowing contact from unmanaged users can expose users to email and contact address harvesting. This policy provides protection against this type of harvesting.
- Last modified: August 2024
- Note: This policy is not applicable to Government Community Cloud (GCC), GCC High, and Department of Defense (DoD) tenants.
- MITRE ATT&CK TTP Mapping:
- MS.TEAMS.2.3v1
-
Internal users SHOULD NOT be enabled to initiate contact with unmanaged users.
- Rationale: Contact with unmanaged users can pose the risk of data leakage and other security threats. This policy provides protection by disabling internal user access to unmanaged users.
- Last modified: August 2024
- Note: This policy is not applicable to Government Community Cloud (GCC), GCC High, and Department of Defense (DoD) tenants.
- MITRE ATT&CK TTP Mapping:
Resources
- IT Admins - Manage external meetings and chat with people and organizations using Microsoft identities | Microsoft Learn
- Teams settings and policies reference | Microsoft Learn
- Use guest access and external access to collaborate with people outside your organization | Microsoft Learn
- Manage chat with external Teams users not managed by an organization | Microsoft Learn
License Requirements
- None
Implementation
Steps for the unmanaged users are outlined in Manage chat with external Teams users not managed by an organization.
- MS.TEAMS.2.1v1 Instructions
-
To enable external access for only specific domains:
- Sign in to the Microsoft Teams admin center.
- Select Users > External access.
- Under Choose which external domains your users have access to, select Allow only specific external domains.
- Click Allow domains to add allowed external domains. All domains not added in this step will be blocked.
- Click Save.
- MS.TEAMS.2.2v1 Instructions
-
- Sign in to the Microsoft Teams admin center.
- Select Users > External access.
- Under Teams accounts not managed by an organization, toggle People in my organization can communicate with Teams users whose accounts aren't managed by an organization to one of the following:
- To completely block contact with unmanaged users, toggle the setting to Off.
- To allow contact with unmanaged users only if the internal user initiates the contact:
- Toggle the setting to On.
- Clear the check next to External users with Teams accounts not managed by an organization can contact users in my organization.
- MS.TEAMS.2.3v1 Instructions
-
- Sign in to the Microsoft Teams admin center.
- Select Users > External access.
- To completely block contact with unmanaged users, under Teams accounts not managed by an organization, set People in my organization can communicate with Teams users whose accounts aren't managed by an organization to Off.
This section helps reduce security risks related to contact with Skype users. Microsoft is officially retiring Skype for Business Online and wants to give customers information and resources to plan and execute a successful upgrade to Teams. Below are the decommissioning dates by product:
- Skype for Business Online: July 31, 2021
- Skype for Business 2015: April 11, 2023
- Skype for Business 2016: Oct. 14, 2025
- Skype for Business 2019: Oct. 14, 2025
- Skype for Business Server 2015: Oct. 14, 2025
- Skype for Business Server 2019: Oct. 14, 2025
- Skype for Business LTSC 2021: Oct. 13, 2026
Policies
- MS.TEAMS.3.1v1
-
Contact with Skype users SHALL be blocked.
- Rationale: Microsoft is officially retiring all forms of Skype as listed above. Allowing contact with Skype users puts agency users at additional security risk. By blocking contact with Skype users, an agency limits access to security threats utilizing the vulnerabilities of the Skype product.
- Last modified: August 2024
- Note: This policy is not applicable to Government Community Cloud (GCC), GCC High, and Department of Defense (DoD) tenants.
- MITRE ATT&CK TTP Mapping:
Resources
- Configure external meetings and chat with Skype for Business Server | Microsoft Learn
- Skype for Business Online to Be Retired in 2021 | Microsoft Teams Blog
License Requirements
- None
Implementation
- MS.TEAMS.3.1v1 Instructions
-
- Sign in to the Microsoft Teams admin center.
- Select Users > External access.
- Under Skype users, set Allow users in my organization to communicate with Skype users to Off.
- Click Save.
This section helps reduce security risks related to Teams email integration. Teams provides an optional feature allowing channels to have an email address and receive email.
Policies
- MS.TEAMS.4.1v1
-
Teams email integration SHALL be disabled.
- Rationale: Microsoft Teams email integration associates a Microsoft, not tenant domain, email address with a Teams channel. Channel emails are addressed using the Microsoft-owned domain teams.ms. By disabling Teams email integration, an agency prevents potentially sensitive Teams messages from being sent through external email gateways.
- Last modified: August 2024
- Note: Teams email integration is not available in GCC, GCC High, or DoD regions.
- MITRE ATT&CK TTP Mapping:
Resources
License Requirements
- None
Implementation
- MS.TEAMS.4.1v1 Instructions
-
- Sign in to the Microsoft Teams admin center.
- Select Teams > Teams Settings.
- Under the Email integration section, set Users can send emails to a channel email address to Off.
5. App Management
This section helps reduce security risks related to app integration with Microsoft Teams. Teams can integrate with the following classes of apps:
- Microsoft apps: apps published by Microsoft.
- Third-party apps: apps not authored by Microsoft, published to the Teams store.
- Custom apps: apps not published to the Teams store, such as apps under development, that users sideload into Teams.
Policies
- MS.TEAMS.5.1v1
-
Agencies SHOULD only allow installation of Microsoft apps approved by the agency.
- Rationale: Allowing Teams integration with all Microsoft apps can expose the agency to potential vulnerabilities present in those apps. By only allowing specific apps and blocking all others, the agency will better manage its app integration and potential exposure points.
- Last modified: August 2024
- Note: This policy applies to the Global (Org-wide default) policy, all custom policies, and the org-wide app settings. Custom policies MAY be created to allow more flexibility for specific users.
- MITRE ATT&CK TTP Mapping:
- MS.TEAMS.5.2v1
-
Agencies SHOULD only allow installation of third-party apps approved by the agency.
- Rationale: Allowing Teams integration with third-party apps can expose the agency to potential vulnerabilities present in an app not managed by the agency. By allowing only specific apps approved by the agency and blocking all others, the agency can limit its exposure to third-party app vulnerabilities.
- Last modified: August 2024
- Note: This policy applies to the Global (Org-wide default) policy, all custom policies if they exist, and the org-wide settings. Custom policies MAY be created to allow more flexibility for specific users. Third-party apps are not available in GCC, GCC High, or DoD regions.
- MITRE ATT&CK TTP Mapping:
- MS.TEAMS.5.3v1
-
Agencies SHOULD only allow installation of custom apps approved by the agency.
- Rationale: Allowing custom apps integration can expose the agency to potential vulnerabilities present in an app not managed by the agency. By allowing only specific apps approved by the agency and blocking all others, the agency can limit its exposure to custom app vulnerabilities.
- Last modified: August 2024
- Note: This policy applies to the Global (Org-wide default) policy, all custom policies if they exist, and the org-wide settings. Custom policies MAY be created to allow more flexibility for specific users. Custom apps are not available in GCC, GCC High, or DoD regions.
- MITRE ATT&CK TTP Mapping:
Resources
- Use app permission policies to control user access to apps | Microsoft Learn
- Upload your app in Microsoft Teams | Microsoft Learn
License Requirements
- None
Implementation
- MS.TEAMS.5.1v1 Instructions
-
- Sign in to the Microsoft Teams admin center.
- Select Teams apps > Permission policies.
- Select Global (Org-wide default).
- Under Microsoft apps, select Allow specific apps and block all others or Block all apps.
- Click Allow apps.
- Search and Click Add to all appropriate Microsoft Apps.
- Click Allow.
- Click Save.
- If custom policies have been created, repeat these steps for each policy, selecting the appropriate policy in step 3.
- MS.TEAMS.5.2v1 Instructions
-
- Sign in to the Microsoft Teams admin center.
- Select Teams apps > Manage apps.
- Select Org-wide app settings button to access pop-up options.
- Under Third-party apps turn off Third-party apps.
- Click Save.
- Select Teams apps > Permission policies.
- Select Global (Org-wide default).
- Set Third-party apps to Block all apps, unless specific apps have been approved by the agency, in which case select Allow specific apps and block all others.
- Click Save.
- If custom policies have been created, repeat steps 4 to 7 for each policy, selecting the appropriate policy in step 5.
- MS.TEAMS.5.3v1 Instructions
-
- Sign in to the Microsoft Teams admin center.
- Select Teams apps > Manage apps.
- Select Org-wide app settings button to access pop-up options.
- Under Custom apps turn off Interaction with custom apps.
- Click Save.
- Select Teams apps > Permission policies.
- Select Global (Org-wide default).
- Set Custom apps to Block all apps, unless specific apps have been approved by the agency, in which case select Allow specific apps and block all others.
- Click Save.
- If custom policies have been created, repeat steps 4 to 7 for each policy, selecting the appropriate policy in step 5.
6. Data Loss Prevention
Data loss prevention (DLP) helps prevent both accidental leakage of sensitive information as well as intentional exfiltration of data. DLP forms an integral part of securing Microsoft Teams. There are several commercial DLP solutions available documenting support for M365. Microsoft itself offers DLP services, controlled within the Microsoft Purview compliance portal. Agencies may select any service that fits their needs and meets the requirements outlined in this baseline setting. The DLP solution selected by an agency should offer services comparable to those offered by Microsoft.
Though using Microsoft's DLP solution is not strictly required, guidance for configuring Microsoft's DLP solution can be found in following section of the CISA M365 Security Configuration Baseline for Defender for Office 365.
Policies
- MS.TEAMS.6.1v1
-
A DLP solution SHALL be enabled. The selected DLP solution SHOULD offer services comparable to the native DLP solution offered by Microsoft.
- Rationale: Teams users may inadvertently disclose sensitive information to unauthorized individuals. Data loss prevention policies provide a way for agencies to detect and prevent unauthorized disclosures.
- Last modified: August 2024
- MITRE ATT&CK TTP Mapping:
- MS.TEAMS.6.2v1
-
The DLP solution SHALL protect personally identifiable information (PII) and sensitive information, as defined by the agency. At a minimum, sharing of credit card numbers, Taxpayer Identification Numbers (TINs), and Social Security numbers (SSNs) via email SHALL be restricted.
- Rationale: Teams users may inadvertently share sensitive information with others who should not have access to it. Data loss prevention policies provide a way for agencies to detect and prevent unauthorized sharing of sensitive information.
- Last modified: August 2024
- MITRE ATT&CK TTP Mapping:
Resources
- Plan for data loss prevention (DLP) | Microsoft Learn
- Personally identifiable information (PII) | NIST
- Sensitive information | NIST
License Requirements
- DLP for Teams requires an E5 or G5 license. See Microsoft Purview Data Loss Prevention: Data Loss Prevention for Teams | Microsoft Learn for more information. However, this requirement can also be met through a third-party solution. If a third-party solution is used, then a E5 or G5 license is not required for the respective policies.
- DLP for Endpoint requires an E5 or G5 license. See Get started with Endpoint data loss prevention - Microsoft Purview (compliance) | Microsoft Learn for more information. However, this requirement can also be met through a third-party solution. If a third-party solution is used, then a E5 or G5 license is not required for the respective policies.
Implementation
- MS.TEAMS.6.1v1 Instructions
-
Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for DLP for additional guidance.
- MS.TEAMS.6.2v1 Instructions
-
Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for DLP for additional guidance.
7. Malware Scanning
Malware scanning protects M365 Teams assets from malicious software. Several commercial anti-malware solutions detect and prevent computer viruses, malware, and other malicious software from being introduced into M365 Teams. Agencies may select any product that meets the requirements outlined in this baseline policy group. If the agency is using Microsoft Defender to implement malware scanning, see the following policies of the CISA M365 Security Configuration Baseline for Defender for Office 365 for additional guidance.
- MS.DEFENDER.3.1v1 | CISA M365 Security Configuration Baseline for Defender for Office 365
- Safe attachments SHOULD be enabled for SharePoint, OneDrive, and Microsoft Teams.
Policies
- MS.TEAMS.7.1v1
-
Attachments included with Teams messages SHOULD be scanned for malware.
- Rationale: Teams can be used as a mechanism for delivering malware. In many cases, malware can be detected through scanning, reducing the risk for end users.
- Last modified: August 2024
- MITRE ATT&CK TTP Mapping:
- MS.TEAMS.7.2v1
-
Users SHOULD be prevented from opening or downloading files detected as malware.
- Rationale: Teams can be used as a mechanism for delivering malware. In many cases, malware can be detected through scanning, reducing the risk for end users.
- Last modified: August 2024
- MITRE ATT&CK TTP Mapping:
Resources
- Safe Attachments in Microsoft Defender for Office 365 | Microsoft Learn
- Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams | Microsoft Learn
License Requirements
- If using Microsoft Defender, require Defender for Office 365 Plan 1 or 2. These are included with E5 and G5 and are available as add-ons for E3 and G3.
Implementation
- MS.TEAMS.7.1v1 Instructions
-
Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for Safe Attachments for additional guidance.
- MS.TEAMS.7.2v1 Instructions
-
Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for Safe Attachments for additional guidance.
8. Link Protection
Several technologies exist for protecting users from malicious links included in emails. For example, Microsoft Defender accomplishes this by prepending
https://*.safelinks.protection.outlook.com/?url=
to any URLs included in emails. By prepending the safe links URL, Microsoft can proxy the initial URL through their scanning service. Their proxy can perform the following actions:
- Compare the URL with a block list.
- Compare the URL with a list of know malicious sites.
- If the URL points to a downloadable file, apply real-time file scanning.
If all checks pass, the user is redirected to the original URL.
Microsoft Defender includes link-scanning capabilities. Using Microsoft Defender is not strictly required for this purpose; any product fulfilling the requirements outlined in this baseline policy group may be used. If the agency uses Microsoft Defender to meet this baseline policy group, see the following policy of the CISA M365 Security Configuration Baseline for Defender for Office 365 for additional guidance.
- MS.DEFENDER.1.3v1 | CISA M365 Security Configuration Baseline for Defender for Office 365.
- All users SHALL be added to Defender for Office 365 Protection in either the standard or strict preset security policy.
Policies
- MS.TEAMS.8.1.v1
-
URL comparison with a blocklist SHOULD be enabled.
- Rationale: Users may be directed to malicious websites via links in Teams. Blocking access to known malicious URLs can help prevent users from accessing known malicious websites.
- Last modified: August 2024
- MITRE ATT&CK TTP Mapping:
- MS.TEAMS.8.2v1
-
User click tracking SHOULD be enabled.
- Rationale: Users may click on malicious links in Teams, leading to compromise or authorized data disclosure. Enabling user click tracking lets agencies know after the fact if a malicious link may have been visited and helps them tailor a response to a potential incident.
- Last modified: August 2024
- MITRE ATT&CK TTP Mapping:
Resources
- Recommended settings for EOP and Microsoft Defender for Office 365 security | Microsoft Learn
- Set up Safe Links policies in Microsoft Defender for Office 365 | Microsoft Learn
License Requirements
- None
Implementation
- MS.TEAMS.8.1v1 Instructions
-
Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for standard or strict preset security policy for additional guidance.
- MS.TEAMS.8.2v1 Instructions
-
Any product meeting the requirements outlined in this baseline policy may be used. If the agency uses Microsoft Defender, see the following implementation steps for standard or strict preset security policy for additional guidance.
Appendix A - Custom Meeting Policies
If there is a legitimate business need, custom meeting policies can be defined with specific users assigned to them. For example, custom meeting policies can be configured with specific users having permission to record meetings. To allow specific users the ability to record meetings:
- Sign in to the Microsoft Teams admin center.
- Select Meetings > Meeting policies.
- Create a new policy by selecting Add. Give this new policy a name and appropriate description.
- Under the Recording & transcription section, set Cloud recording to On.
- Select Save.
- After selecting Save, a table displays the set of policies. Select the row containing the new policy, then select Manage users.
- Assign the users who need the ability to record to this policy.
- Select Apply.
TLP:CLEAR
Footnotes
- Note that B2B guest users and all anonymous users except for external users appear in Teams calls as John Doe (Guest). To avoid potential confusion, true guest users are always referred to as B2B guest users in this document. ↩
Subscribe to SCuBA Email Updates
Stay up-to-date with the latest SCuBA updates.