Behind the scenes, Microsoft are working hard to uphold security.
Every day, 78 trillion security signals are collected to inform insights into security threats. It’s a sprawling ecosystem filled with numerous apps, devices and organisations. A technological marvel, but the fact is that such an ecosystem introduces greater threats to cyber security.
Right at the heart of this is Microsoft Teams. With over 320 million active users, it has become a mainstay in many an organisation. But there’s more to Teams and cyber security than you realise…
We bucked the usual Gammabox trend by having Jack Carr (Team Leader – Solutions Consultants) and Hisham El Sherbini (Microsoft Security Specialist) tackle such a topic. In their conversation, Jack and Hisham discuss:
- Why Teams acts like a distributed attack surface.
- The hidden risk around policy misalignment across Microsoft 365.
- The importance of enforcing zero trust and identity controls.
- Why compliance, audit and insider risk require proactive governance.
It’s a fascinating subject to explore and is a must-watch for any organisation conscious of what needs to be done to secure that Microsoft suite.

“Tentacles all over the Microsoft 365 suite”
Teams is not a standalone application. Rather, when a new “team” is created, Microsoft automatically spins up a new SharePoint site, assigns a mailbox, and links it all up to OneDrive. It “gets involved with the whole picture”, especially when you introduce the phone system component.
It’s very convenient, but as Hisham rightly notes, it makes the attack surface a bit wider. Each component introduces a unique entry point for cyber criminals, and one breach puts the whole environment at risk.
Of course, Entra ID is running in the cloud as the “starting point of interacting with Teams.” Various methods of verification, including multi-factor authentication (MFA) and single sign-on, help secure that critical data. That underlying service, for Hisham, is an important starting point, but also “an important source of risk as well.”
He’s right – as Jack points out, “when was the last time you signed into Teams?” If you don’t get it right, then problems will follow.
Pondering policies
There are two types of policies – those within Teams, and those within Microsoft 365 that affect Teams. Internal Teams policies include ones around meetings, messaging, and app permissions when integrating new services. Those wider policies are found within Microsoft Defender for Office 365 (MDO), which covers cloud apps, identity, and the content being shared by users.
Jack mentions how, during formal procurement exercises, data compliance and regulations are frequently mentioned. Right now, it’s “never really been more important… that you are on top of your [data] compliance and regulations.”
Microsoft have invested a lot lately in their Purview platform, which oversees data compliance and security. Retention policies can be applied to Teams, covering conversations, files, and other content that appears on the platform.
Considering Teams is almost like a “windowpane into the wider Microsoft estate”, there doesn’t need to be a radical change in approach. Teams handles data one way, and the rest of the suite handles it another.
The real risk, however, lies in misalignment.
Allowing third-party apps into Teams without proper vetting, or blocking them inconsistently across departments, can introduce malware. If Safe Links isn’t uniformly applied, users in some departments may be protected from phishing while others aren’t. Conditional access that is applied in Entra ID, but not widely reflected in Teams usage, can lead to unauthorised access.
Misalignment creates gaps and inconsistencies that are difficult to spot. Those blind spots can be easily exploited by attackers or lead to unintentional compliance breaches. Either way, it’s integral for organisations to align their regulations so that they cover all components of their Microsoft estate.
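To make those blind spots visible, the sketch below (an added example, not something shown by Jack, Hisham or Microsoft) builds a per-department coverage report from policy scopes. The users, groups and control names are constructed sample data, and the include/exclude group model is an assumed simplification of how such policies are scoped.

```python
from collections import defaultdict

# Constructed sample data (not a tenant export): user -> department and groups.
USERS = {
    "amy":  {"dept": "Finance", "groups": {"all-staff", "finance"}},
    "bo":   {"dept": "Finance", "groups": {"all-staff", "finance", "execs"}},
    "cara": {"dept": "Sales",   "groups": {"sales"}},
    "dev":  {"dept": "Sales",   "groups": {"all-staff", "sales"}},
    "eli":  {"dept": "IT",      "groups": {"all-staff", "it"}},
}

# Constructed policy scopes: control -> groups it includes and excludes.
POLICIES = {
    "safe_links":         {"include": {"finance", "it"}, "exclude": set()},
    "conditional_access": {"include": {"all-staff"}, "exclude": {"execs"}},
    "teams_app_vetting":  {"include": {"all-staff", "sales"}, "exclude": set()},
}

def is_covered(user, policy):
    """A user is covered if in an included group and in no excluded group."""
    groups = user["groups"]
    return bool(groups & policy["include"]) and not (groups & policy["exclude"])

def coverage_gaps(users, policies):
    """Return {control: {department: [uncovered users]}} for each gap found."""
    gaps = {}
    for control, policy in policies.items():
        by_dept = defaultdict(list)
        for name, user in users.items():
            if not is_covered(user, policy):
                by_dept[user["dept"]].append(name)
        if by_dept:
            gaps[control] = {d: sorted(n) for d, n in by_dept.items()}
    return gaps

def missing_controls(users, policies):
    """Return {user: [controls that do not apply to them]} for affected users."""
    report = {}
    for name, user in users.items():
        missing = sorted(c for c, p in policies.items() if not is_covered(user, p))
        if missing:
            report[name] = missing
    return report

if __name__ == "__main__":
    for control, depts in coverage_gaps(USERS, POLICIES).items():
        for dept, names in depts.items():
            print(f"{control}: {dept} not covered -> {', '.join(names)}")
```

Exclusions deserve as much attention as inclusions: in the sample data, one Finance user drops out of conditional access purely through an excluded group.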
Zero trust and identity controls
Microsoft Teams authentication depends on Entra ID. Every sign-in goes through this identity layer, and that secure sign-on is the first line of defence for Teams. The principle that Hisham advocates for in that Teams environment is zero trust.
That “assume breach” mindset is crucial, as “we don’t have alarm bells all over the place.” Bad actors could have already infiltrated the Microsoft environment, gathering information and silently biding their time. In practice, that zero trust model would:
- Verify explicitly through MFA and conditional access, so that only the right people access Teams.
- Implement least privilege access, meaning users can only do what their role requires.
- Maintain that assume breach mindset and always act as if attackers may have already struck.
Microsoft’s own Defender for Identity helps to shore up that always-on security. What organisations need to remember is that identity and access management isn’t optional. It’s the backbone of Teams security, especially when managing a hybrid or guest-heavy environment.
Proactive governance is a must
In the last year alone, 612,000 UK organisations have been victims of a cyber-attack. Organisations need to be proactive, rather than reactive, when a cyber security incident arises. Being proactive lessens the damage caused to reputation, minimises potential losses to productivity, and keeps the cost of repairing the situation down.
See it like this. You’d rather swerve to avoid a pothole than drive straight through it, right? Why risk damaging your car when you can just avoid that damage in the first place?
As Hisham previously mentioned, Purview has received a lot of attention from Microsoft. Organisations can use such a tool to manage compliance, data loss prevention and policies around retention and sensitivity labelling. Those capabilities also extend to auditing.
What’s key to remember is that, due to regional privacy laws, the auditing function isn’t enabled by default. Once that’s switched on, as Hisham notes, organisations can start “capturing a weird number of activities” users are performing. Those audit logs, once compiled, feed into the other parts of Purview.
Besides data loss prevention, there’s Insider Risk Management. For Hisham, those insider risks are something that customers “are not looking at… much yet”. Right now, organisations must take greater care around these insider risks and be more vigilant around the activities of both employees and any guests in that environment.
Proactivity goes a long way to maintaining a good cyber security posture. Being aware of potential risks before they escalate limits any damaging consequences. Governance should never be reactive, or else organisations will be left chasing shadows.
Securing your environment
The security capabilities behind Microsoft Teams and the wider 365 suite “meet [the] requirements for what we actually need a security platform to do.” What’s key to remember, as Hisham says, is to “involve your users” and help them understand what’s being done behind the scenes. When users have that understanding, organisations start to implement that always-on security mindset.
For Jack, forcing a change on somebody without explaining why means “it’s always going to be more difficult” to gain that support.
Hisham and Jack did an amazing job outlining what kind of cyber security policies Microsoft Teams deploys. That final point on getting user buy-in is crucial, as it fits into Gamma Secure’s own purpose of strengthening that human firewall. Whether it’s MDR, Managed SOC, or even just cyber security awareness, Gamma has a range of cyber security services built to keep organisations safe.
There’s a lot that needs to be done when securing Teams, or just an organisation in general. But trust us when we say it’s worth it.