This blog is part of a series on Teams. For more articles, check back often

Written: 22/08/2021 | Updated: N/A

Last week I was in a bit of a funk. I just couldn’t think of something to write about Teams. I mean, sure, at this point I’ve pretty much been writing about Teams weekly for over two years so it’s probably not a surprise that the well runs dry occasionally. But there are also times where subject matter for blogs simply springs out of thin air. This was one. I was doing something like making my son’s sandwich in the kitchen for lunch last Monday and there it was. You see, the thing about me is I don’t plan blogs. I don’t have a list or an Excel on my machine indexing what I am going to write about over the course of the next few months. I’m much more clandestine and transactional. Basically I sit down and make something up on the spot, or, if my memory is working as it should be, take something I have thought about during the week and go with that. Sometimes it’s easy. Sometimes I absolutely stitch myself up if the subject matter ends up being long. Overall? It kind of works out.

So this week the thought was on Teams items in Secure Score. Secure Score is concerned with the measurement of an organization’s security posture; a higher number indicating more improvement actions taken. In other words, the higher the score you get, the more secure you should be through actions you have taken in your Microsoft 365 tenant such as enabling MFA or disabling legacy auth. Some people love it and see it as a great assessment tool which provides quantifiable measurements which can be used for continuous improvement and managed services. The more skeptical amongst us have viewed it as a way to work up the SKUs, especially in the early days when you couldn’t reach high scores without purchasing things like E5 or Azure AD P2 licences. Throughout 2021 (I had to look this up to confirm the dates), Teams was added as a new category in Secure Score and 6 items fell into this category. 1 in January, and 5 recently in July. All are to do with securing meetings.

Let’s go take a look at these six and how to implement each of them. Let’s go get you 100% on Teams items in Secure Score. The completionist in me is looking forward to this one.

This blog will cover

  • Accessing Secure Score
  • Teams Secure Score Items
  • Item 1 | Restrict anonymous users from joining meetings
  • Item 2 | Restrict dial-in users from bypassing a meeting lobby
  • Item 3 | Limit external participants from having control in a Teams meeting
  • Item 4 | Restrict anonymous users from starting Teams meetings
  • Item 5 | Only invited users should be automatically admitted to Teams meetings
  • Item 6 | Configure which users are allowed to be present in Teams meetings
  • Secure Score Result
  • FAQ

Note this blog will have abridged steps which will assume some experience with Teams, Azure AD and navigating the Microsoft 365 environment. Note that actions may take up to 24 hours to show on Secure Score and that some Secure Score items may already be marked as complete due to previous actions in the Teams Admin Centre or by the setting being set correctly by default.

Pre-requisites

  • Teams Administrator permissions (TAC) and Security Administrator permissions (Security Admin Centre), or Global Administrator permissions covering both
  • Recommended Teams Licence (within an Office 365/Microsoft 365 Licence) to test

ACCESSING SECURE SCORE

Let’s first get to secure score

1.) Log in with admin credentials to https://login.microsoftonline.com

2.) Select Admin from the app launcher on the left

3.) From the left navigation select Security

4.) If you get redirected to the older Security and Compliance Centre select the hyperlinked Microsoft 365 Security Centre which will take you to https://security.microsoft.com/homepage

5.) In the left navigation select Secure Score

6.) You are now on Secure Score

TEAMS SECURE SCORE ITEMS

Now we have found Secure Score, let’s find the Teams items

1.) In Secure Score select Improvement Actions

2.) In the Improvement Actions, Filter and select Microsoft Teams

3.) The 6 Microsoft Teams items are filtered. You can click on each item and see how it is scored, implemented, or mark it as manually implemented. However, it should automatically update as we apply them in our environment.

The 6 Teams items currently are

  • Restrict anonymous users from joining meetings
  • Restrict dial-in users from bypassing a meeting lobby
  • Limit external participants from having control in a Teams meeting
  • Restrict anonymous users from starting Teams meetings
  • Only invited users should be automatically admitted to Teams meetings
  • Configure which users are allowed to be present in Teams meetings

Together, they account for around 5.84% of the score in my environment. Whilst that doesn’t sound like much, it’s really important to implement these where we can for an improvement in our security posture.

ITEM 1 | RESTRICT ANONYMOUS USERS FROM JOINING MEETINGS

Let’s start with the first item that was brought in back in January 2021. This accounts for 0.73% of the Secure Score. By restricting anonymous users from joining Microsoft Teams meetings, you have full control over meeting access. Anonymous users may not be from your organization and could have joined for malicious purposes, such as gaining information about your organization through conversations

1.) Go back to the Microsoft 365 Admin Centre and from the left navigation select Teams

2.) In the Teams Admin Centre select Meetings and then Meeting Settings

3.) Toggle off Anonymous users can join a meeting as well as Anonymous users can interact with apps in meetings and then select Save

4.) This control has now been implemented and should be fed back into Secure Score as completed.

One down, 5 to go.

ITEM 2 | RESTRICT DIAL IN USERS FROM BYPASSING THE MEETING LOBBY

Ok, number 2: restricting dial-in users (PSTN users) from bypassing the meeting lobby. This accounts for 0.73% of the Secure Score. Dial-in users aren’t authenticated through the Teams app. Increase the security of your meetings by preventing these unknown users from bypassing the lobby and immediately joining the meeting.

1.) In the Teams Admin Centre select Meetings and then Meeting Policies

2.) Select a policy, for example the Global Org Wide Default Policy

3.) Under the section Participants and Guests toggle off Allow dial-in Users to Bypass the Lobby and select Save

4.) Ensure that it has applied as marked by a green notification at the top of the page

5.) Rinse and repeat for all meeting policies

Two down, 4 to go

ITEM 3 | LIMIT EXTERNAL PARTICIPANTS FROM HAVING CONTROL IN A TEAMS MEETING

Ok number 3 and pretty straightforward using meeting policies. This accounts for 0.73% of the Secure Score. External participants are users that are outside your organization. Limiting their permission to share content, add new users, and more protects your organization’s information from data leaks, inappropriate content being shared, or malicious actors joining the meeting. Think no Zoombombing.

1.) In the Teams Admin Centre select Meetings and then Meeting Policies

2.) Select a policy, for example the Global Org Wide Default Policy

3.) Under the section Content Sharing toggle off Allow an External Participant to Give or Request Control and select Save

4.) Ensure that it has applied as marked by a green notification at the top of the page

5.) Rinse and repeat for all meeting policies

Three down, 3 to go

ITEM 4 | RESTRICT ANONYMOUS USERS FROM STARTING TEAMS MEETINGS

Number 4 and back onto anonymous users. We stopped them joining Teams meetings but now we need to stop them starting Teams meetings. This accounts for 0.73% of the Secure Score. If anonymous users are allowed to start meetings, they can admit any users from the lobbies, authenticated or otherwise. Anonymous users haven’t been authenticated, which can increase the risk of data leakage.

1.) In the Teams Admin Centre select Meetings and then Meeting Policies

2.) Select a policy, for example the Global Org Wide Default Policy

3.) Under the section Participants and Guests toggle off Let Anonymous people start a meeting and select Save

4.) Ensure that it has applied as marked by a green notification at the top of the page

5.) Rinse and repeat for all meeting policies

Four down, 2 to go

ITEM 5 | ONLY INVITED USERS SHOULD BE AUTOMATICALLY ADMITTED TO TEAMS MEETINGS

Almost there with Number 5. This is a more important one and accounts for 1.46% of the Secure Score. Users who aren’t invited to a meeting shouldn’t be let in automatically, because it increases the risk of data leaks, inappropriate content being shared, or malicious actors joining. If only invited users are automatically admitted, then users who weren’t invited will be sent to a meeting lobby. The host can then decide whether or not to let them in. This item was originally released as Require lobbies to be set up for Teams meetings – but has moved to a harder posture in the last month

1.) In the Teams Admin Centre select Meetings and then Meeting Policies

2.) Select a policy, for example the Global Org Wide Default Policy

3.) Under the section Participants and Guests set Automatically Admit People to Invited Users Only and select Save

4.) Ensure that it has applied as marked by a green notification at the top of the page

5.) Rinse and repeat for all meeting policies

Five down, 1 more to go

ITEM 6 | CONFIGURE WHICH USERS ARE ALLOWED TO BE PRESENT IN TEAMS MEETINGS

Last one. This is a more important one and accounts for 1.46% of the Secure Score. Only allow users with presenter rights to share content during meetings. Restricting who can present limits meeting disruptions and reduces the risk of unwanted or inappropriate content being shared

1.) In the Teams Admin Centre select Meetings and then Meeting Policies

2.) Select a policy, for example the Global Org Wide Default Policy

3.) Under the section Participants and Guests set Roles that have presenter rights in meetings to Organisers, but users can override and select Save

4.) Ensure that it has applied as marked by a green notification at the top of the page

5.) Rinse and repeat for all meeting policies

All done!

RESULT

Our job here is done. We have implemented all 6 items, which will all reflect as complete within 24 hours within Secure Score. Consequently, Secure Score will rise by 5.86% in this environment with 100% completion of Teams items and the Teams category reflecting a harder security posture than before. In terms of how long it took to complete: all 6 were done within Teams meeting settings and policies within about 10 minutes, but then again I have very few meeting policies within the environment.

Q&A

Q.) Can I implement this in PowerShell?

A.) Yes, you would use Set-CsTeamsMeetingConfiguration and Set-CsTeamsMeetingPolicy to set the meeting settings and respective policies
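The six items as a single audit-and-fix script, added here as an example and not taken from the original post. It assumes the MicrosoftTeams module with an active Connect-MicrosoftTeams session; the `-Remediate` switch is a hypothetical name, and the mapping of each portal toggle to a cmdlet parameter is this example's own.

```powershell
# Added example (not from the original post). Assumes the MicrosoftTeams module
# is installed and Connect-MicrosoftTeams has already been run as a Teams admin.
param([switch]$Remediate)   # hypothetical switch: without it the script only reports

# Items 2-6: target value for each per-policy setting
$desired = [ordered]@{
    AllowPSTNUsersToBypassLobby                = $false                       # Item 2
    AllowExternalParticipantGiveRequestControl = $false                       # Item 3
    AllowAnonymousUsersToStartMeeting          = $false                       # Item 4
    AutoAdmittedUsers                          = 'InvitedUsers'               # Item 5
    DesignatedPresenterRoleMode                = 'OrganizerOnlyUserOverride'  # Item 6
}

# Item 1: tenant-wide meeting settings
$config = Get-CsTeamsMeetingConfiguration
if (-not $config.DisableAnonymousJoin -or -not $config.DisableAppInteractionForAnonymousUsers) {
    Write-Warning 'Item 1: anonymous join or anonymous app interaction is still allowed'
    if ($Remediate) {
        Set-CsTeamsMeetingConfiguration -DisableAnonymousJoin $true `
            -DisableAppInteractionForAnonymousUsers $true
    }
}

# Items 2-6: check every meeting policy, not just Global
$report = foreach ($policy in Get-CsTeamsMeetingPolicy) {
    $id  = $policy.Identity -replace '^Tag:'     # 'Tag:Sales' -> 'Sales'
    $fix = @{}
    foreach ($name in $desired.Keys) {
        if ("$($policy.$name)" -ne "$($desired[$name])") { $fix[$name] = $desired[$name] }
    }
    $status = if ($fix.Count -eq 0) { 'Compliant' } else { 'Drift' }
    if ($fix.Count -gt 0 -and $Remediate) {
        try {
            Set-CsTeamsMeetingPolicy -Identity $id @fix -ErrorAction Stop
            $status = 'Fixed'
        } catch {
            # Policies the service refuses to change are reported, not fatal
            $status = "Failed: $($_.Exception.Message)"
        }
    }
    [pscustomobject]@{
        Policy = $id
        Status = $status
        Drift  = ($fix.Keys | Sort-Object) -join ', '
    }
}
$report | Format-Table -AutoSize
```

Run it once without `-Remediate` to see which policies drift from the six settings before changing anything.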

Q.) Does it propagate any sooner than 24 hours?

A.) It may do. The documentation says within 24 hours. If it hasn’t updated within 24 hours you can decide to wait longer or open a ticket. Secure Score items do have a column called last synced which may give you an indication of when the Secure Score items update. Going by the items, this test tenant looks like it updates at 1am GMT.

Q.) Will there be more items for Teams in the future?

A.) There is nothing currently on the What’s Planned page for Secure Score or the Microsoft 365 roadmap. There have been 2 adds so far in 2021. Given the focus of Teams within Microsoft it is likely more items will be added in the future since there are obvious adds in the category such as control of apps, the use of sensitivity labels and end-to-end encryption (E2EE). However, without written confirmation it’s up in the air whether anything more will be added.
