How to use Microsoft Teams securely
This article was originally published in German at Computerwoche.
Microsoft Teams continues to gain ground as a business collaboration tool, in part because Microsoft has tied the meeting and messaging app ever more tightly to the rest of its Microsoft 365 (formerly Office) productivity suite over the years. Teams makes it easy for users to share documents and access information, but this increases the risk of data leaks.
This risk can be managed with tools built into Teams and Microsoft 365 — coupled with knowledge and personal responsibility on the part of Teams owners and users — without losing the benefits of the platform for efficient collaboration in distributed teams. This article explains the most important settings and procedures.
Secure Teams, secure collaboration
The Teams app centers around the concept of “teams,” or groups of employees. In Teams, a team can encompass a small group of employees working on a specific project, members of a department, or even the entire company.
The first step toward secure collaboration in Teams is to identify the “real” teams in your organization. Who works together on which topic? Who is the leader of the team? And who provides organizational support? These questions are easy to answer, but they need to be asked. The answers reveal which working groups a company has, which it needs, and who has which role in them.
Teams can be created for departments and groups within these departments, for example. You can create them for projects, but also for individual customers or for topics in which employees work together across departments. Within a department, different teams can also be formed for different topics, which makes particular sense if the composition of the members varies.
From an IT security perspective, smaller, homogeneous teams are always the better option, because small teams ensure that only the people who should have access to the information shared there actually do have that access. Experience from using Microsoft Teams for quite a long time now also shows that small teams are more manageable, and it’s possible to be a member of many teams without sacrificing efficiency. With Microsoft Teams, more is usually more.
Microsoft automatically moves teams that are rarely used to the “Hidden teams” area. However, you can show these teams again at any time and display them permanently in the “Your teams” area as required, a technique that also works well for managing many small teams. And if you set the channel notifications for the channels in your teams accordingly, you can always see in the Activity area which team has made important changes.
The head of a team must make the members aware of collaboration best practices, in particular the careful handling of data. There should always be at least two “owners” — no more than three — who manage the team. Personal responsibility is essential for safe and efficient use of Teams: the owners of a team must ensure that the security settings are set appropriately and that the information in team rooms is handled sensibly.
Microsoft Teams: essential security settings
The first important task for team owners is managing members. There are three roles here:
Owners have administrative authorizations for this team. They can manage the settings for the Teams room and add members.
Members can use the Teams room and also add channels and make other settings within the defined authorizations. Members come from the same organization as the owners.
Guests are members of Teams rooms who come from other companies.
Owners and members should generally be able to see and use all information in a Teams room. This can be different for guests, as in many cases they should only be able to see certain data, but not all internal discussions. A tried and tested solution here is to use two Teams rooms — for example, “Customer A – internal” and “Customer A – external.” Only internal employees have access to the first room, while customers can access the second room as guests.
Two document libraries can then be used in the internal room. One is used only for internal documents, the other for documents that guests should also see. The second document library is the standard Files area from the external Teams room, which is linked to the internal Teams room. This makes it easy to create a clean separation.
The next step is to configure the settings for the individual Teams rooms. The context menu can be opened by clicking on the three dots next to a Teams room. Among other things, the “Manage team” command can be found there. As the owner, you will then see several tabs. There you can manage members, process pending requests for team membership, manage channels, set preferences, analyze the use of the team, and restrict the apps that can be used in the team.
One useful feature here is the “Channels” area, which lists the channels in a Teams room and lets you control whether a channel is always shown to members (Fig. 1). It is important to understand that you cannot block channels. However, in the channel settings, which can be found via the three dots next to a channel, the owner can control which channels are always displayed for employees.
Fig. 1: Team owners can control whether all members are allowed to see each channel.
Much more important, however, is the “Settings” tab (Fig. 2). This is where the permissions of members and guests in Microsoft Teams can be set. By default, members are allowed a lot. They can create and customize channels, create private channels, add apps, and so on.
The extent to which you want to restrict this depends primarily on the team’s area of responsibility and structure. For teams that work together for longer, it makes sense to restrict administration to the owners in order to create and maintain structured team spaces. Only the two options — “Give members the ability to delete their messages” and “Give members the ability to edit their messages” — can be left activated with a clear conscience. The settings for guests should always remain as restrictive as they are defined by default.
Fig. 2: The permissions of members in Teams rooms should be restricted by the owners.
Photo: Martin Kuppinger / Microsoft
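The recommendations above (two to three owners, administration restricted to the owners, guests kept out of internal rooms) can be checked automatically across many teams. The following is an added example, not part of the original article and not a Microsoft tool. It assumes that team settings and member lists have been exported as JSON in the shape of the Microsoft Graph team resource; the function name audit_team and the sample data are constructed for illustration.

```python
# Baseline from the article: only owners administer the team, guests stay at
# restrictive settings. Message edit/delete may stay on, so it is not checked.
# Field names follow the Microsoft Graph `team` resource (assumed input shape).
MEMBER_FLAGS_OFF = (
    "allowCreateUpdateChannels", "allowCreatePrivateChannels",
    "allowDeleteChannels", "allowAddRemoveApps",
    "allowCreateUpdateRemoveTabs", "allowCreateUpdateRemoveConnectors",
)
# Assumption: the restrictive guest default means both of these are off.
GUEST_FLAGS_OFF = ("allowCreateUpdateChannels", "allowDeleteChannels")


def audit_team(team, members):
    """Return a sorted list of findings for one team (empty list = compliant)."""
    findings = []
    member_settings = team.get("memberSettings", {})
    guest_settings = team.get("guestSettings", {})
    # A missing flag is reported too: unknown state is not a passing state.
    for flag in MEMBER_FLAGS_OFF:
        if member_settings.get(flag) is not False:
            findings.append(f"memberSettings.{flag} is not disabled")
    for flag in GUEST_FLAGS_OFF:
        if guest_settings.get(flag) is not False:
            findings.append(f"guestSettings.{flag} is not disabled")
    owners = [m for m in members if "owner" in m.get("roles", [])]
    guests = [m for m in members if "guest" in m.get("roles", [])]
    if not 2 <= len(owners) <= 3:
        findings.append(f"{len(owners)} owner(s); the article recommends 2 to 3")
    # Naming convention from the article's example: "<name> – internal" rooms
    # are for employees only, so any guest there is a finding.
    if team.get("displayName", "").lower().endswith("internal") and guests:
        names = ", ".join(sorted(g["displayName"] for g in guests))
        findings.append(f"guest(s) in internal team: {names}")
    return sorted(findings)


# Constructed sample data (not real tenant output).
SAMPLE_TEAM = {
    "displayName": "Customer A – internal",
    "memberSettings": {**{f: False for f in MEMBER_FLAGS_OFF}, "allowAddRemoveApps": True},
    "guestSettings": {"allowCreateUpdateChannels": False, "allowDeleteChannels": False},
}
SAMPLE_MEMBERS = [
    {"displayName": "Owner One", "roles": ["owner"]},
    {"displayName": "Member Two", "roles": []},
    {"displayName": "Guest Three", "roles": ["guest"]},
]

if __name__ == "__main__":
    for finding in audit_team(SAMPLE_TEAM, SAMPLE_MEMBERS):
        print(finding)
```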
Microsoft 365: built-in tools for more security
What is striking about these settings is that there are no options for restricting access to individual channels or “apps,” such as SharePoint libraries. Microsoft Teams assumes equal collaboration within Teams.
In addition to the options already mentioned, such as the separation of internal and external teams and the creation of small teams, there is another very useful Microsoft 365 function that is easy to use in Teams: Microsoft Information Protection. The basic functions of Information Protection are available as standard with Microsoft 365; only advanced functions require additional licensing. But even with the basic functions, a higher level of IT security can be achieved.
To do this, go to the “File” menu in an Office document and then to “Information” (Fig. 3). Here you will find the “Protect document” option. Documents can be assigned a password and encrypted here. Even more elegant, however, is the selection “Restrict access/restricted access.”
Fig. 3: Microsoft 365 offers comprehensive options for protecting sensitive documents.
Photo: Martin Kuppinger / Microsoft
Access can then be restricted in the following dialog box (Fig. 4). To do this, select the relevant option and then select the users or user groups from the organization’s address book who are to be granted access. The document is also automatically encrypted.
Fig. 4: Read and write access can be controlled per user or user group for each document in Microsoft 365.
Photo: Martin Kuppinger / Microsoft
The price to be paid for using Microsoft Information Protection is restrictions on the sharing of documents and the deactivation of automatic saving. But for really sensitive information, you can easily increase the level of protection.
With good structuring of team rooms, the use of a few authorization settings in Teams, and the use of Microsoft Information Protection where really necessary, efficient team collaboration can be implemented quickly, easily, and with a sufficient level of data security for most use cases. This is all the more true if everyone in the team ensures that information remains within the team and is handled with care.