Policies for securing Teams chats, groups, and files

Securing Microsoft Teams

Getting started with Teams before other dependent services

You don’t need to enable dependent services to get started with Microsoft Teams. These services will all “just work.” However, you do need to be prepared to manage the following service-related elements:

Updating common policies to include Teams

The following diagram illustrates which of the common identity and device access policies to update to protect chat, groups, and content in Teams. For each policy you update, make sure that Teams and dependent services are included in the assignment of cloud apps.

These services are the dependent services to include in the assignment of cloud apps for Teams:

This table lists the policies that need to be revisited and links to each one in the common identity and device access policies, which contain the wider policy set for all Office applications.

| Protection level | Policies | Further information for Teams implementation |
|---|---|---|
| Starting point | Require MFA when sign-in risk is medium or high | Be sure Teams and dependent services are included in the list of apps. Teams has Guest Access and External Access rules to consider as well; you'll learn more about these rules later in this article. |
| | Block clients that don't support modern authentication | Include Teams and dependent services in the assignment of cloud apps. |
| | High risk users must change password | Forces Teams users to change their password when signing in if high-risk activity is detected for their account. Be sure Teams and dependent services are included in the list of apps. |
| | Apply APP data protection policies | Be sure Teams and dependent services are included in the list of apps. Update the policy for each platform (iOS, Android, Windows). |
| Enterprise | Require MFA when sign-in risk is low, medium or high | Teams has Guest Access and External Access rules to consider as well; you'll learn more about these rules later in this article. Include Teams and dependent services in this policy. |
| | Define device compliance policies | Include Teams and dependent services in this policy. |
| | Require compliant PCs and mobile devices | Include Teams and dependent services in this policy. |
| Specialized security | Always require MFA | Regardless of user identity, MFA will be used by your organization. Include Teams and dependent services in this policy. |
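
One way to verify the cloud-app assignments the table calls for, as an added example that is not part of the original article: a Python check over Conditional Access policies exported in the Microsoft Graph conditionalAccessPolicy shape. The app IDs in REQUIRED_APPS and the sample policies are assumptions; replace them with your tenant's dependent services and your own export.

```python
import json

# Assumption: well-known first-party app IDs. The article's own list of
# dependent services is not reproduced here, so extend this map for your tenant.
REQUIRED_APPS = {
    "cc15fd57-2c6c-4117-a88c-83b1d56b4bbc": "Microsoft Teams",
    "00000002-0000-0ff1-ce00-000000000000": "Exchange Online",
    "00000003-0000-0ff1-ce00-000000000000": "SharePoint Online",
}
# Targets that cover Teams without listing it ("Office365" is the app group).
COVER_ALL = {"All", "Office365"}

def audit_policy(policy):
    """Return a list of findings for one conditionalAccessPolicy object."""
    findings = []
    apps = policy.get("conditions", {}).get("applications", {})
    included = set(apps.get("includeApplications") or [])
    excluded = set(apps.get("excludeApplications") or [])
    if policy.get("state") != "enabled":  # report-only or disabled
        findings.append(f"state is {policy.get('state')!r}, not enforced")
    for app_id, name in REQUIRED_APPS.items():
        if app_id in excluded or "Office365" in excluded:
            findings.append(f"{name} is excluded")
        elif not (included & COVER_ALL or app_id in included):
            findings.append(f"{name} is not in the cloud apps assignment")
    return findings

def audit(policies):
    """Map policy displayName -> findings, keeping only policies with gaps."""
    report = {p["displayName"]: audit_policy(p) for p in policies}
    return {name: f for name, f in report.items() if f}

# Constructed sample export (not real tenant data).
SAMPLE = json.loads("""[
 {"displayName": "Require MFA when sign-in risk is medium or high", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["Office365"], "excludeApplications": []}}},
 {"displayName": "Block clients that don't support modern authentication", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["00000002-0000-0ff1-ce00-000000000000"],
                                  "excludeApplications": []}}},
 {"displayName": "Require compliant PCs and mobile devices", "state": "enabledForReportingButNotEnforced",
  "conditions": {"applications": {"includeApplications": ["All"],
                                  "excludeApplications": ["cc15fd57-2c6c-4117-a88c-83b1d56b4bbc"]}}}
]""")

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "->", "; ".join(findings))
```

The check covers only Conditional Access policies; the APP data protection and device compliance rows are configured outside Conditional Access and need their own review.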