Microsoft Teams Security Best Practices for UK Businesses

Microsoft Teams is used by an estimated 1.9 million UK businesses — and its default settings are too permissive. Guest access, external sharing, and meeting controls all require deliberate configuration. Attackers increasingly use Teams as a phishing channel. This guide covers how to secure Teams correctly.

Overview

Microsoft Teams default settings are too permissive for most UK businesses — guest access, external sharing, and team creation all require deliberate governance. Teams is increasingly used as a phishing vector. Defender for Office 365 Safe Links and Safe Attachments should be extended to Teams. Quarterly guest access reviews prevent sensitive data being accessible to former external users.

Why Teams Security Needs Deliberate Configuration

Microsoft Teams has become the primary communication and collaboration tool for millions of UK businesses. But its default settings — designed for ease of adoption and broad usability — create several security risks that need to be actively managed. External sharing is permissive by default. Guest access can be configured in ways that expose internal conversations and files. Users can create teams and invite external participants without IT oversight. Meeting recordings may be stored in locations that are not adequately access-controlled.

As Teams usage increases, so does its attractiveness as an attack vector. Attackers increasingly use Teams-based phishing — sending messages that appear to come from trusted colleagues or impersonating external partners — to deliver malicious links or files. The familiar, trusted interface of Teams can make these attacks more effective than email phishing.

Guest Access and External Sharing

Teams guest access allows users from outside your organisation — clients, partners, contractors — to join Teams channels and participate in conversations. Guest access is a legitimate and useful feature, but it requires careful configuration to prevent sensitive information being accessible to guests who should not see it.

Key guest access controls to configure include: restricting which channels guests can access (guests should not see all channels by default); preventing guests from discovering channels they have not been explicitly invited to; controlling whether guests can search the directory for other users; and setting a policy for how long guest access persists before requiring renewal. AMVIA recommends a guest access review process where all active guest accounts are reviewed quarterly and removed when no longer needed.
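
One way to produce the list for a quarterly guest review, as an added example that is not AMVIA's own tooling: a read-only Microsoft Graph PowerShell report of guest accounts that have not signed in recently. The 90-day window, the reason labels and the output file name are assumptions.

```powershell
# Added example: read-only report of stale guest accounts for a quarterly review.
# Requires the Microsoft.Graph.Users module; SignInActivity needs Entra ID P1 or higher.
Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All'

$StaleAfterDays = 90   # assumption: one quarter with no sign-in counts as stale
$cutoff = (Get-Date).AddDays(-$StaleAfterDays)

$props = 'Id', 'DisplayName', 'Mail', 'UserPrincipalName', 'CreatedDateTime',
         'ExternalUserState', 'AccountEnabled', 'SignInActivity'
$guests = Get-MgUser -All -Filter "userType eq 'Guest'" -Property $props

$report = foreach ($g in $guests) {
    # LastSignInDateTime covers interactive sign-ins only.
    $last = $g.SignInActivity.LastSignInDateTime
    $old  = $g.CreatedDateTime -and ($g.CreatedDateTime -lt $cutoff)

    # Classify why the account needs a decision; $null means recently active.
    $reason = $null
    if ($g.ExternalUserState -eq 'PendingAcceptance' -and $old) {
        $reason = 'Invitation never redeemed'
    } elseif (-not $last -and $old) {
        $reason = 'No sign-in on record'
    } elseif ($last -and ($last -lt $cutoff)) {
        $reason = 'No sign-in within review window'
    }

    if ($reason) {
        [pscustomobject]@{
            DisplayName = $g.DisplayName
            Mail        = $g.Mail
            UPN         = $g.UserPrincipalName
            Created     = $g.CreatedDateTime
            LastSignIn  = $last
            Enabled     = $g.AccountEnabled
            Reason      = $reason
            ObjectId    = $g.Id
        }
    }
}

# Hand the list to team owners for a keep/remove decision; nothing is deleted here.
$report | Sort-Object LastSignIn |
    Export-Csv -Path .\stale-guests.csv -NoTypeInformation
"{0} of {1} guest accounts flagged for review" -f @($report).Count, @($guests).Count
```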

External access (federation) — which allows Teams users from other organisations to find and message your users directly — is separate from guest access. Federation should be configured to allow communication with known partner organisations while blocking unknown external contacts from initiating conversations.
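
The federation allow-list described above, as an added example using the MicrosoftTeams PowerShell module (not configuration taken from AMVIA). The two partner domains are constructed placeholders, and treating unmanaged personal Teams accounts as "unknown external contacts" is an assumption.

```powershell
# Added example: restrict Teams external access to named partner domains.
# Requires the MicrosoftTeams module and a Teams administrator role.
Connect-MicrosoftTeams

# Record the current state before changing anything.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains,
                  AllowTeamsConsumer, AllowTeamsConsumerInbound |
    Format-List

# Constructed placeholder domains: replace with your approved partner list.
$partners = New-Object 'System.Collections.Generic.List[string]'
'partner-one.example', 'partner-two.example' | ForEach-Object { $partners.Add($_) }

# Once an allow-list is set, only the listed domains can find and message your
# users. Personal (unmanaged) Teams accounts can no longer start a conversation.
Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $true `
    -AllowedDomainsAsAList $partners `
    -AllowTeamsConsumerInbound $false

# Confirm the result.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumerInbound |
    Format-List
```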

Channel Permissions and Team Governance

By default, any Microsoft 365 user can create a new Team and invite members, including external guests. This creates governance sprawl — proliferating teams, channels, and guest accounts that are not tracked or managed. Left uncontrolled, this creates data security risks: sensitive information spread across hundreds of unmanaged channels, former employees retaining access via guest accounts in teams they created, and no visibility of what has been shared with external parties.

Teams governance policies should control: who can create Teams (typically restricted to IT or approved requestors); whether guests can be added by team owners without IT approval; naming conventions for teams; expiration policies for inactive teams; and the lifecycle management of teams when projects end. Microsoft 365 Business Premium includes Azure AD group expiration and lifecycle policies that support this governance.

Meeting Security

Teams meetings introduce security considerations that are not present in traditional conference calls. Meeting recordings capture everything said and shown — sensitive business discussions, financial data, personal information — and must be stored and retained appropriately. By default, Teams meeting recordings are stored in OneDrive or SharePoint, which is appropriate, but access controls for these recordings should be reviewed.

Meeting lobby settings control who is admitted automatically versus who waits in the lobby for the organiser to admit. For external meetings, lobby settings should be configured to require the organiser to explicitly admit external participants rather than allowing them to join automatically. Watermarking and who-can-record policies can be applied through Teams meeting policies for sensitive meetings.
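
The lobby, recording and watermark settings above expressed as Teams meeting policies, as an added example that is not from the original page. The policy name `Sensitive-Meetings` and the user address are hypothetical; watermarking needs a Teams Premium licence for the organiser.

```powershell
# Added example: lobby and recording controls through Teams meeting policies.
# Requires the MicrosoftTeams module and a Teams administrator role.
Connect-MicrosoftTeams

# Review what each existing policy currently allows.
Get-CsTeamsMeetingPolicy |
    Select-Object Identity, AutoAdmittedUsers, AllowPSTNUsersToBypassLobby,
                  AllowAnonymousUsersToJoinMeeting, AllowCloudRecording |
    Format-Table -AutoSize

# Org-wide default: internal users join directly; guests, federated users,
# anonymous and dial-in participants wait for the organiser to admit them.
Set-CsTeamsMeetingPolicy -Identity Global `
    -AutoAdmittedUsers 'EveryoneInCompanyExcludingGuests' `
    -AllowPSTNUsersToBypassLobby $false

# Stricter policy for sensitive meetings (hypothetical name): everyone except
# the organiser waits in the lobby, recording is off, watermarks are on.
New-CsTeamsMeetingPolicy -Identity 'Sensitive-Meetings' `
    -AutoAdmittedUsers 'OrganizerOnly' `
    -AllowPSTNUsersToBypassLobby $false `
    -AllowCloudRecording $false `
    -AllowWatermarkForScreenSharing $true `
    -AllowWatermarkForCameraVideo $true

# Assign it to the people who organise those meetings (placeholder address).
Grant-CsTeamsMeetingPolicy -Identity 'finance.lead@contoso.example' `
    -PolicyName 'Sensitive-Meetings'
```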

Teams-Based Phishing

As email security controls improve, attackers are increasingly using Teams as an alternative phishing channel. Common Teams phishing approaches include: compromised accounts sending malicious links or files through Teams to existing contacts; external users (through guest access or federation) impersonating trusted contacts; and social engineering attacks that use Teams to build trust before requesting credential sharing or payment authorisation.

Microsoft Defender for Office 365 (included in Business Premium) extends Safe Links and Safe Attachments protection to Teams — scanning URLs and files shared in Teams channels and messages. This should be enabled and is a significant protection against Teams-based malware delivery. Staff awareness training should include Teams-specific phishing awareness.
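
A check that both protections actually cover Teams, as an added example using Exchange Online PowerShell (not from the original page). It assumes a Defender for Office 365 licence is present and that at least one Safe Links policy already exists.

```powershell
# Added example: verify and enable Safe Attachments and Safe Links for Teams.
# Requires the ExchangeOnlineManagement module and a security administrator role.
Connect-ExchangeOnline

# Safe Attachments for SharePoint, OneDrive and Teams is one tenant-wide switch.
$atp = Get-AtpPolicyForO365
if (-not $atp.EnableATPForSPOTeamsODB) {
    Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true
}

# Safe Links for Teams is set per policy: list policies that leave Teams out.
$gaps = Get-SafeLinksPolicy | Where-Object { -not $_.EnableSafeLinksForTeams }
$gaps | Select-Object Name, EnableSafeLinksForTeams, EnableSafeLinksForEmail |
    Format-Table -AutoSize

foreach ($policy in $gaps) {
    # Preset security policies are managed by Microsoft and may reject edits;
    # report the failure and carry on rather than stopping the run.
    try {
        Set-SafeLinksPolicy -Identity $policy.Identity `
            -EnableSafeLinksForTeams $true -ErrorAction Stop
    } catch {
        Write-Warning "Could not update '$($policy.Name)': $($_.Exception.Message)"
    }
}

# A policy protects only the recipients its rule names, so confirm the scope.
Get-SafeLinksRule |
    Select-Object Name, State, SafeLinksPolicy, RecipientDomainIs, SentToMemberOf |
    Format-Table -AutoSize
```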

Microsoft Purview for Teams Compliance

For businesses with regulatory or legal compliance requirements, Microsoft Purview provides retention policies for Teams conversations, eDiscovery search capabilities covering Teams content, DLP policies that detect sensitive data shared in Teams messages and files, and communication compliance policies for monitoring regulated communications. These features require appropriate Microsoft Purview licensing and should be configured in line with the organisation's compliance requirements.

How AMVIA Hardens Teams Security

AMVIA configures Teams security policies as part of its Microsoft 365 security service — guest access controls, external access federation settings, meeting policies, Safe Links and Safe Attachments for Teams, and team governance policies. For businesses with compliance requirements, AMVIA advises on Purview configuration for Teams retention and DLP. Contact AMVIA on 0333 733 8050 to discuss Teams security for your organisation.

Key Points

What UK businesses need to know about Microsoft Teams security.

Teams Is a Phishing Vector

Attackers use compromised accounts and guest access to send malicious links and files through Teams. Defender for Office 365 Safe Links and Safe Attachments should be extended to cover Teams.

Guest Access Needs Governance

Guest users can access channels, files, and conversations if misconfigured. Quarterly guest access reviews and clear governance policies prevent sensitive data being accessible to former guests.

Meeting Recordings Require Policy

Teams meetings capture sensitive business discussions. Recording storage, access controls, and who-can-record policies should be explicitly configured, not left at defaults.

Team Creation Needs Controls

Unrestricted team creation leads to governance sprawl — data spread across hundreds of unmanaged channels, with no visibility of external sharing or guest access granted by individual team owners.

Teams Security Checklist

Guest access configured — restricted channels, MFA required, no directory browsing

Quarterly guest access review process in place — removing unused accounts

External access (federation) configured — known partners allowed, unknown contacts blocked

Team creation policy — restricted to IT or approved requestors, not all users

Safe Links and Safe Attachments extended to Teams — scanning links and files in messages

Meeting lobby settings configured — external participants require explicit admission

Recording policies configured — storage location and access controls reviewed
