Don't let your Teams settings be the weak link in your Microsoft 365 (M365) environment.

Starting from February 8th, 2021, Microsoft are turning on Guest access in Microsoft Teams by default for any customers who have not configured this setting. This will bring the Teams Guest capability into alignment with the rest of the suite, where the setting is already on by default. Up to this date the setting was off by default, so if you were not aware of Guest access, it did not really matter as it was off anyway.

Now this may be another attempt at a ‘helpful’ change by Microsoft, but this feature can also bring with it potential security risks; and at the very least, you (your organisation) should be aware of it, and decide on the business needs before it is automatically updated behind the scenes without your knowledge.

What does this mean or how will this affect your business?

If you have not already configured Guest access in Microsoft Teams, then this capability will be automatically enabled for you in your tenant come February time. With guest access enabled, your staff can provide access to your corporate data, Teams channels, chats, etc. to external Teams users who originate outside your organisation.

Now Microsoft add the words ‘while maintaining control over your corporate data’, but this only applies if you know this change is occurring and have locked down the other relevant settings, which by default would not have been changed (or locked down).

This may not seem like a big deal. However, if, like me, you look at everything in the context of the worst-case scenario and what could go wrong (a cynical skill I have picked up over the last 15 years dealing with digital forensics and security breach investigations), you will see that this is potentially another route for ‘user error’ leading to corporate data exfiltration and/or a potential route for a phishing attack leading to the same result.

Do you really want to allow all your users to be able to invite any other external user to (as Microsoft call it) ‘collaborate’ and access your corporate M365 environment without your knowledge? Or potentially circumvent your hardware device security controls by inviting their personal Teams account into your corporate system to exfiltrate data out that way? (I did mention my worst-case scenario mindset earlier, right?)

What about a compromise of your system? If one does occur, hackers often want to ensure they maintain some form of access. This could be a backup admin account or, in this case, potentially guest access to a pot of corporate data.

You do not necessarily need to panic and think the worst all the time, but at least have it as a risk to consider and act upon it if you deem it high enough, and re-assess the ongoing risks periodically.

In the many incident response engagements I have dealt with over the years, the response I usually hear to those sorts of points is ‘I didn’t even think about that being a risk’, or ‘I didn’t even know I could have been hacked that way!’.

How far to go in locking those sorts of features down is a business decision. It is a balance between usability and security, but the main point is to know enough to assess the risk in the first place!

So, what can you do to prevent the automatic changes?

Log in to the Microsoft 365 admin portal (the Microsoft 365 admin center).

Select Teams under Admin centers on the left pane (or go directly to the Microsoft Teams admin center).

Select Org-wide settings then Guest access on the left pane in the Teams admin center.

Ensure that Allow guest access in Teams is set to Off.

(The service default, from February, will be On.)
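The same check can be scripted. The following is an added example, not part of the original article: it assumes the MicrosoftTeams PowerShell module is installed and that you sign in with a Teams administrator account. It sets the org-wide guest switch to Off explicitly and then lists any guests already present in your teams, which is the worst-case review described earlier.

```powershell
# Added example. Assumptions: the MicrosoftTeams module is installed
# (Install-Module MicrosoftTeams) and the account has a Teams admin role.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams | Out-Null

# 1. Report the current org-wide value of "Allow guest access in Teams".
$before = (Get-CsTeamsClientConfiguration -Identity Global).AllowGuestUser
Write-Host "AllowGuestUser before change: $before"

# 2. Set it to Off explicitly, even if it already reads False. The change
#    described above applies to tenants that have not configured the setting,
#    so the aim is a configured value rather than a default.
Set-CsTeamsClientConfiguration -Identity Global -AllowGuestUser $false

# 3. Read it back and fail loudly if the change did not apply.
$after = (Get-CsTeamsClientConfiguration -Identity Global).AllowGuestUser
if ($after -ne $false) {
    throw "AllowGuestUser is still '$after'; check admin role and retry."
}
Write-Host "AllowGuestUser after change: $after"

# 4. Turning the switch off does not tell you who was invited before.
#    List guest members in every team visible to the signed-in admin.
$guests = foreach ($team in Get-Team) {
    Get-TeamUser -GroupId $team.GroupId -Role Guest |
        Select-Object @{ Name = 'Team'; Expression = { $team.DisplayName } },
                      User, Name
}

if ($guests) {
    $guests | Sort-Object Team, User | Format-Table -AutoSize
    Write-Host "$(@($guests).Count) guest membership(s) found. Review each one."
} else {
    Write-Host 'No guest members found in any team.'
}
```

Any guest in the listing that nobody in the business can account for is worth following up as a possible leftover access route.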

However, you may have a business requirement to use Guest access. Of course that is fine, but I recommend you consider and review the additional security options to lock the access down as appropriate to your business needs. An example of the additional options is below.

About the author.

Benn has spent many years in digital forensics, investigating breaches of sensitive data. As Office/Microsoft 365 gained popularity, it started to become another common focus for attacks and data loss, and Benn has focussed on investigating and proactively securing/locking down the Microsoft 365 environment. If you need any additional help or advice on M365, reach out on IR@3BDataSecurity.com.

There are many other M365 configurations on similar topics that can be locked down and secured, and Benn will cover these in future 3B Data Security Insight blogs.