Microsoft Teams Security Best Practices for UK Businesses

Overview

Microsoft Teams default settings are too permissive for most UK businesses — guest access, external sharing, and team creation all require deliberate governance. Teams is increasingly used as a phishing vector. Defender for Office 365 Safe Links and Safe Attachments should be extended to Teams. Quarterly guest access reviews prevent sensitive data being accessible to former external users.

Microsoft Teams is the primary communication and collaboration platform for most UK businesses using Microsoft 365. It handles sensitive conversations, file sharing, meeting recordings, and increasingly, integration with business-critical applications. Securing Teams correctly prevents data leakage, unauthorised access, and the increasingly common phishing attacks delivered via Teams channels and direct messages.

Why Microsoft Teams Security Matters

Teams has become one of the most data-rich systems in any organisation. Conversations include commercially sensitive negotiations, HR matters, financial information, and strategic plans. Files shared in Teams channels live in SharePoint document libraries. Meeting recordings are stored in OneDrive or SharePoint. And Teams is increasingly used to connect with external clients, suppliers, and partners — expanding the potential attack surface.

The NCSC has identified Teams as a high-value target for social engineering attacks. Business Email Compromise (BEC) fraud has evolved — attackers who compromise a Microsoft 365 account can now conduct fraud via Teams chat, impersonating colleagues to approve financial transactions or request credential changes.

Additionally, Teams' guest access and external sharing features, if left at default settings, can expose your data to unintended recipients. A misconfigured team can allow external guests to access files, view member lists, and participate in conversations they should never see.

Teams Guest Access: What It Is and How to Control It

Guest access allows people outside your organisation (clients, suppliers, contractors) to be added to your teams and channels using any email address, including personal consumer addresses. Each guest becomes a user object in your Entra ID tenant. It is a useful collaboration feature, but it requires careful management.

What Guests Can Do by Default

By default, guests in Microsoft Teams can: view and send messages in channels they have been added to, participate in meetings, access files in channels where they are a member, and use video and audio calling. They cannot create teams, add other guests, or access the Teams admin centre.

The Risks of Misconfigured Guest Access

The main guest access risks for UK businesses are:

Overly broad guest permissions: Guests are added to a team, not to an individual channel, so a guest invited to collaborate on one topic can see every standard channel in that team and the files in them. Only private or shared channels limit what they see, and those have to be created deliberately.

Forgotten guest accounts: Guest accounts accumulate over time. A consultant who worked with the business two years ago may still have an active guest account with access to Teams and the files shared during that engagement.

No expiration policies: Without expiration policies on guest access, accounts remain active indefinitely unless manually removed.

Guest discovery of team members: Guests can see the member list of any team they have been added to, potentially revealing internal organisational structure.
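To find the forgotten accounts described above, an added example (not part of the original article) using the Microsoft Graph PowerShell SDK: it lists every guest, uses Entra sign-in activity to flag those idle for 90 days, and shows which teams and groups each stale guest still belongs to before anything is removed. The 90-day threshold, the CSV path and the scope list are assumptions for this example; reading signInActivity requires an Entra ID P1 licence.

```powershell
# Added example: stale-guest review report with Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; Entra ID P1 (needed for signInActivity);
# 90 days is the review threshold used by this example. Remove-MgUser (run for real)
# additionally needs the User.ReadWrite.All scope.
Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All", "GroupMember.Read.All" -NoWelcome

$staleAfterDays = 90
$cutoff = (Get-Date).AddDays(-$staleAfterDays)

$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property "id,displayName,mail,createdDateTime,externalUserState,signInActivity"

$report = foreach ($g in $guests) {
    $lastSignIn = $g.SignInActivity.LastSignInDateTime
    # A guest who never signed in counts as idle from the day the invitation was created
    $lastActivity = if ($lastSignIn) { $lastSignIn } else { $g.CreatedDateTime }

    # Which teams/groups still expose data to this guest (a team's roster is a Microsoft 365 group)
    $groups = Get-MgUserMemberOf -UserId $g.Id -All |
        ForEach-Object { $_.AdditionalProperties['displayName'] }

    [pscustomobject]@{
        DisplayName = $g.DisplayName
        Mail        = $g.Mail
        InviteState = $g.ExternalUserState   # 'PendingAcceptance' = invitation never redeemed
        Created     = $g.CreatedDateTime
        LastSignIn  = $lastSignIn
        DaysIdle    = [int]((Get-Date) - $lastActivity).TotalDays
        Stale       = ($lastActivity -lt $cutoff)
        MemberOf    = ($groups -join '; ')
        Id          = $g.Id
    }
}

# Full report for the review record, then the stale subset for the team owners to confirm
$report | Export-Csv -Path ".\guest-review-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
$stale = $report | Where-Object Stale
$stale | Sort-Object DaysIdle -Descending |
    Format-Table DisplayName, Mail, InviteState, DaysIdle, MemberOf -AutoSize

# Removal is a separate, deliberate step. -WhatIf only reports what would be deleted;
# drop it once the list has been signed off.
foreach ($g in $stale) {
    Remove-MgUser -UserId $g.Id -WhatIf
}
```

Never-redeemed invitations (InviteState of PendingAcceptance) are worth removing regardless of age: the invitation link still works for whoever holds that mailbox.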

Recommended Guest Access Configuration

  • Restrict who can invite guests in Entra ID's guest invite settings to administrators and users holding the Guest Inviter role, not all users
  • Enable access reviews for guests in Microsoft Entra ID (requires Entra ID P2 or Entra ID Governance), so team owners periodically confirm each guest is still needed
  • Require guest accounts to use MFA via Conditional Access — guests using personal email accounts without MFA are a significant risk
  • Use private channels for sensitive topics when external guests are present in a team
  • Set external access (federation) to specific allowed domains only, rather than allowing all external organisations
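The recommendations above, applied at tenant level, as an added example that is not from the original article. It uses the MicrosoftTeams and Microsoft.Graph PowerShell modules to restrict federation to named partner domains, block Teams consumer accounts, limit who can invite guests, give guests the most restrictive directory role, and create a Conditional Access policy requiring MFA from every guest and external user. The partner domains and the policy name are placeholders; the restricted guest role GUID is Microsoft's documented value.

```powershell
# Added example: tenant-level guest and external access hardening.
# Assumptions: MicrosoftTeams and Microsoft.Graph modules; the allowed domains and the
# Conditional Access policy name are placeholders for this example.
Connect-MicrosoftTeams
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "Policy.ReadWrite.ConditionalAccess" -NoWelcome

# 1. External access (federation): named partner tenants only, and no Teams consumer
#    accounts, which is where look-alike "colleague" accounts usually come from.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
    -AllowedDomainsAsAList @("client.example", "supplier.example") `
    -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false -AllowPublicUsers $false

# 2. Guest access stays on for Teams, but only admins and Guest Inviter role holders may
#    issue invitations, and guests get the most restrictive directory role so they cannot
#    browse the user list.
Set-CsTeamsClientConfiguration -Identity Global -AllowGuestUser $true
Update-MgPolicyAuthorizationPolicy -AllowInvitesFrom "adminsAndGuestInviters" `
    -GuestUserRoleId "2af84b1e-32c8-42b7-82bc-daa82404023b"

# 3. Conditional Access: every guest/external user type must satisfy MFA for every app.
#    Created in report-only mode so sign-in logs can be checked before enforcement.
$policy = @{
    displayName = "Guests - require MFA"
    state       = "enabledForReportingButNotEnforced"   # change to "enabled" after review
    conditions  = @{
        applications = @{ includeApplications = @("All") }
        users = @{
            includeGuestsOrExternalUsers = @{
                guestOrExternalUserTypes = "internalGuest,b2bCollaborationGuest,b2bCollaborationMember,b2bDirectConnectUser,otherExternalUser,serviceProvider"
                externalTenants = @{
                    "@odata.type"  = "#microsoft.graph.conditionalAccessAllExternalTenants"
                    membershipKind = "all"
                }
            }
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Verify what is actually in force
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowedDomains
Get-MgPolicyAuthorizationPolicy | Select-Object AllowInvitesFrom, GuestUserRoleId
```

Keep the Conditional Access policy in report-only mode for a week or two and review the sign-in logs: guests from partner tenants that already enforce MFA will satisfy the control through cross-tenant trust settings, while personal-account guests will be prompted to register.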

Meeting Security: Protecting External Meetings

Teams meetings have become the default for external client and supplier calls. Without appropriate controls, sensitive meetings can be attended by unintended participants.

Enable Meeting Lobby Controls

The meeting lobby holds external participants until a meeting organiser admits them. This prevents uninvited individuals from joining a call simply by clicking a meeting link. AMVIA recommends enabling the lobby for all meetings with external participants.

Recommended lobby settings:

  • Who can bypass the lobby: People in your organisation only (or people in your organisation and invited guests). The Teams default also admits people from trusted (federated) organisations directly, which is rarely appropriate for a sensitive call
  • Automatically admit: Do not automatically admit people dialling in by phone

Disable Anonymous Join Where Possible

By default, Teams allows people without a Microsoft account to join meetings via a browser. Whilst convenient, this means anyone with the meeting link can potentially join. For internal meetings and for external meetings involving sensitive content, disable anonymous join at the tenant or meeting policy level.

Manage Meeting Recording Permissions

Meeting recordings are stored in the OneDrive of the person who started the recording; for channel meetings they go to the team's SharePoint site. Without restrictions:

  • Recordings are shared automatically with the internal people invited to the meeting. External attendees and guests do not receive access automatically, but anyone with edit rights on the file can share it on to them, or to anyone else
  • Recordings can be downloaded and re-shared externally like any other SharePoint or OneDrive file
  • Transcripts (if enabled) may contain sensitive information

Configure meeting policies to restrict who can record (cloud recording is a per-policy setting, so assign a policy that disallows it to everyone who does not need it), whether transcription is allowed, and an expiry period for new recordings so they do not persist indefinitely. Who can open a recording afterwards is governed by the SharePoint and OneDrive sharing settings described below.
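The lobby, anonymous-join and recording settings from this section, applied to the Global Teams meeting policy with the MicrosoftTeams PowerShell module, as an added example that is not from the original article. The Global policy applies to everyone without a more specific policy; 60 days is this example's retention period, and the backup file path is a placeholder.

```powershell
# Added example: meeting policy for lobby, anonymous join and recording retention.
# Assumption: MicrosoftTeams module. Changes are made to the Global policy, which applies
# to every user without a more specific policy assigned.
Connect-MicrosoftTeams

$settings = @{
    Identity                                   = "Global"
    AutoAdmittedUsers                          = "EveryoneInCompany"  # trusted orgs, guests and anyone else wait in the lobby
    AllowPSTNUsersToBypassLobby                = $false               # dial-in callers wait too
    AllowAnonymousUsersToJoinMeeting           = $false               # no join without a signed-in account
    AllowAnonymousUsersToStartMeeting          = $false
    AllowExternalParticipantGiveRequestControl = $false               # externals cannot take screen control
    AllowCloudRecording                        = $true                # assign a second policy with $false to those who should not record
    AllowTranscription                         = $true
    NewMeetingRecordingExpirationDays          = 60                   # new recordings auto-expire; -1 would mean never
}

# Record the values in force before changing them, so the change can be reversed
$names  = $settings.Keys | Where-Object { $_ -ne 'Identity' }
$before = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object $names
$before | Export-Clixml -Path ".\meeting-policy-global-before.xml"

Set-CsTeamsMeetingPolicy @settings

# Before/after for the change record
$after = Get-CsTeamsMeetingPolicy -Identity Global
foreach ($name in $names) {
    [pscustomobject]@{ Setting = $name; Before = $before.$name; After = $after.$name }
}
```

To restrict who can record, create a second policy with New-CsTeamsMeetingPolicy and AllowCloudRecording set to $false, then assign it with Grant-CsTeamsMeetingPolicy to the users or group who should not be able to start a recording.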

Data Sharing and Information Protection in Teams

Teams integrates directly with SharePoint (for channel files) and OneDrive (for chat file sharing). Sensitive files shared in Teams are subject to the same access control risks as SharePoint and OneDrive.

Prevent Oversharing with Sensitivity Labels

Microsoft Purview sensitivity labels, included in Microsoft 365 Business Premium, can be applied to teams as container labels once labelling for groups and sites has been enabled in the tenant. The label then sets the team's privacy, whether guests can be added, the external sharing level of the team's SharePoint site, and the level of access allowed from unmanaged devices. A team labelled "Confidential", for example, can be made private, block guest additions and external sharing, and, through an authentication context, be bound to a Conditional Access policy that requires MFA.

Control External Sharing from Teams Files

Files shared in Teams channels are stored in SharePoint. External sharing settings in SharePoint govern whether those files can be shared externally. Review and restrict SharePoint external sharing settings to align with your data protection obligations under UK GDPR.

Recommended setting: Allow sharing with authenticated external users only (not anonymous link sharing).

Disable Unmanaged Device Access

Microsoft Intune compliance policies, evaluated by Conditional Access, can block Teams on personal devices that are unmanaged or do not meet compliance requirements. For devices that cannot be fully managed, Conditional Access can instead apply app-enforced restrictions together with SharePoint's "limited, web-only access" setting: Teams and its files remain reachable in the browser, but download, print and sync are disabled and access from the desktop and mobile apps is blocked.
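The SharePoint sharing and unmanaged-device controls from the two sections above, as an added example that is not from the original article. It uses the SharePoint Online and Microsoft.Graph PowerShell modules to set authenticated-only sharing for SharePoint and OneDrive, find sites that were previously set to anonymous sharing, lock one site to internal-only, and pair SharePoint's limited-access setting with the Conditional Access policy it depends on. The tenant name, partner domains, site URL and policy name are placeholders.

```powershell
# Added example: sharing limits behind Teams files, plus limited web-only access for
# unmanaged devices. Assumptions: Microsoft.Online.SharePoint.PowerShell and Microsoft.Graph
# modules; the tenant name, partner domains, site URL and policy name are placeholders.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess" -NoWelcome

# Authenticated external users only: no "Anyone" links, links default to specific people,
# guests cannot re-share, and sharing is limited to the same partner domains as Teams federation.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
    -OneDriveSharingCapability ExternalUserSharingOnly `
    -DefaultSharingLinkType Direct `
    -PreventExternalUsersFromResharing $true `
    -SharingDomainRestrictionMode AllowList `
    -SharingAllowedDomainList "client.example supplier.example"

# A site can be stricter than the tenant but never looser. Sites previously set to anonymous
# sharing keep that value (now capped by the tenant); list them so owners can be told.
Get-SPOSite -Limit All -IncludePersonalSite $false |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    Select-Object Url, Title, SharingCapability

# Internal-only for a team whose files should never leave the organisation
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/board-papers" -SharingCapability Disabled

# Unmanaged devices: SharePoint honours "limited, web-only access" only when a Conditional
# Access policy applies app-enforced restrictions, so the two halves are configured together.
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess

$limitedAccess = @{
    displayName = "Unmanaged devices - web-only, no download"
    state       = "enabledForReportingButNotEnforced"   # switch to "enabled" after review
    conditions  = @{
        users          = @{ includeUsers = @("All") }
        applications   = @{ includeApplications = @("00000003-0000-0ff1-ce00-000000000000") }  # Office 365 SharePoint Online
        clientAppTypes = @("browser")
        devices = @{
            deviceFilter = @{
                mode = "exclude"   # compliant or hybrid-joined devices are exempt; everything else is "unmanaged"
                rule = 'device.isCompliant -eq True -or device.trustType -eq "ServerAD"'
            }
        }
    }
    sessionControls = @{ applicationEnforcedRestrictions = @{ isEnabled = $true } }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $limitedAccess
```

Devices that are not registered in Entra ID have no device object, so the exclude filter does not match them and they receive the restricted session, which is the intended outcome. Blocking the desktop and mobile clients on those same devices is a separate Conditional Access policy with a block grant, not shown here.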

Third-Party App Permissions in Teams

Teams supports thousands of third-party apps — from Salesforce and Jira integrations to productivity tools. Each app that is added to Teams requests permissions to access data: reading messages, accessing files, or acting on behalf of users.

Risks of unmanaged app permissions include:

  • Apps with excessive permissions accessing sensitive conversations or files
  • Apps from unknown developers that may exfiltrate data
  • OAuth consent phishing: the attacker registers a multi-tenant app that requests Microsoft Graph permissions such as reading mail or OneDrive files, then lures a user into granting consent. The resulting access is token-based, so it survives a password reset and MFA, and persists until the consent is revoked

Recommended app governance approach:

  • Configure the Teams admin centre to allow only apps published by Microsoft, or apps you have specifically approved
  • Review the global app permission policies — by default, any user can add third-party apps
  • Use app governance in Microsoft Defender for Cloud Apps (a higher-tier licence) to monitor OAuth app permissions and flag apps with unusual access patterns, and restrict user consent in Entra ID so that only low-impact permissions from verified publishers can be granted without an administrator
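The consent-phishing risk and the last recommendation above, worked through with the Microsoft.Graph PowerShell module as an added example that is not from the original article. It enumerates every OAuth2 permission grant in the tenant, maps each to its app and verified publisher, reports grants that carry mail, files or Teams chat scopes, and then restricts user consent to Microsoft's built-in "low impact, verified publisher" policy. The list of scopes treated as sensitive is this example's choice.

```powershell
# Added example: audit OAuth consent grants for sensitive Graph scopes, then tighten user consent.
# Assumptions: Microsoft.Graph module; the "sensitive" scope list is this example's choice.
Connect-MgGraph -Scopes "Directory.Read.All", "Policy.ReadWrite.Authorization" -NoWelcome

$sensitiveScopes = @(
    'Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'MailboxSettings.ReadWrite',
    'Files.Read.All', 'Files.ReadWrite.All', 'Sites.Read.All', 'Sites.ReadWrite.All',
    'Chat.Read', 'Chat.ReadWrite', 'ChannelMessage.Read.All'
)

# Service principals keyed by object id, so each grant can be mapped to an app and publisher
$spById = @{}
Get-MgServicePrincipal -All -Property "id,displayName,appId,verifiedPublisher,appOwnerOrganizationId" |
    ForEach-Object { $spById[$_.Id] = $_ }

$findings = foreach ($grant in Get-MgOauth2PermissionGrant -All) {
    $scopes = ($grant.Scope -split ' ') | Where-Object { $_ }
    $hits   = $scopes | Where-Object { $sensitiveScopes -contains $_ }
    if (-not $hits) { continue }

    $sp = $spById[$grant.ClientId]
    [pscustomobject]@{
        App         = $sp.DisplayName
        AppId       = $sp.AppId
        Publisher   = $sp.VerifiedPublisher.DisplayName   # $null means unverified publisher
        ConsentType = $grant.ConsentType                   # Principal = one user consented; AllPrincipals = admin consent
        ConsentedBy = $grant.PrincipalId                   # user object id for Principal grants
        RiskyScopes = ($hits -join ' ')
    }
}

# Unverified publisher + user consent + mail/files scopes is the consent-phishing pattern
$findings |
    Sort-Object -Property @{ Expression = { [string]::IsNullOrEmpty($_.Publisher) }; Descending = $true }, App |
    Format-Table App, Publisher, ConsentType, RiskyScopes -AutoSize

# Stop ordinary users consenting to anything beyond low-impact permissions from verified
# publishers; everything else goes through the admin consent workflow.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    permissionGrantPoliciesAssigned = @("ManagePermissionGrantsForSelf.microsoft-user-default-low")
}
```

Revoking a suspicious grant is Remove-MgOauth2PermissionGrant on the grant's id; disabling the service principal as well (Update-MgServicePrincipal with AccountEnabled $false) stops any refresh tokens the app already holds from being used.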

Teams Phishing and Social Engineering

Teams has become a vector for phishing attacks, particularly in organisations that have improved email security and made email phishing harder. Attacker tactics include:

Impersonation via external accounts: Attackers create Microsoft accounts using names similar to known contacts and send Teams messages requesting urgent action (approve a payment, share credentials).

Compromised supplier accounts: If a supplier's Microsoft 365 tenant is breached, their Teams accounts can be used to send malicious messages directly to your staff via established external access relationships.

Malicious links in Teams messages: Safe Links coverage of Teams is a per-policy setting in Microsoft Defender for Office 365, and custom policies can have it switched off. Check every Safe Links policy, not just the built-in one, to confirm protection extends to Teams URLs.

Staff awareness training should explicitly cover Teams-based social engineering. The same scepticism applied to email — verifying unexpected requests via a known phone number, not clicking unfamiliar links — applies equally to Teams messages. See our phishing protection guide for broader phishing awareness guidance.
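Checking and extending Defender for Office 365 coverage to Teams, as an added example that is not from the original article. It uses the Exchange Online and SharePoint Online PowerShell modules to list which Safe Links policies already cover Teams, enable Teams coverage with time-of-click scanning in every custom policy, turn on Safe Attachments for SharePoint, OneDrive and Teams files, block download of flagged files, and enable zero-hour auto purge for Teams messages. The admin URL is a placeholder; a Defender for Office 365 licence is assumed.

```powershell
# Added example: extend Defender for Office 365 protection to Teams messages and files.
# Assumptions: ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules;
# a Defender for Office 365 licence; the admin URL is a placeholder.
Connect-ExchangeOnline
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# 1. Which Safe Links policies already scan Teams URLs? The setting is per policy.
Get-SafeLinksPolicy |
    Select-Object Name, IsEnabled, EnableSafeLinksForEmail, EnableSafeLinksForTeams,
                  EnableSafeLinksForOffice, ScanUrls, TrackClicks, AllowClickThrough

# 2. Turn Teams coverage on in every custom policy, with real-time URL scanning and no
#    click-through. The built-in protection policy is read-only and already covers Teams.
$safeLinks = @{
    EnableSafeLinksForTeams = $true
    ScanUrls                = $true
    DeliverMessageAfterScan = $true
    TrackClicks             = $true
    AllowClickThrough       = $false
}
Get-SafeLinksPolicy | Where-Object { $_.Name -ne 'Built-In Protection Policy' } |
    ForEach-Object { Set-SafeLinksPolicy -Identity $_.Identity @safeLinks }

# 3. Safe Attachments for SharePoint, OneDrive and Teams files, and block download of a
#    file once it has been flagged as malicious.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true
Set-SPOTenant -DisallowInfectedFileDownload $true

# 4. Zero-hour auto purge for Teams: messages found malicious after delivery are blocked in place.
Set-TeamsProtectionPolicy -ZapEnabled $true

# Verify
Get-AtpPolicyForO365 | Select-Object EnableATPForSPOTeamsODB
Get-TeamsProtectionPolicy | Select-Object ZapEnabled
```

A Safe Links policy only protects the users its Safe Links rule targets; confirm with Get-SafeLinksRule that the rules attached to these policies cover every licensed user, otherwise the built-in protection policy is all that applies to the rest.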

Teams Security and the PSTN Switch-Off

Many UK businesses are migrating to Microsoft Teams Direct Routing or Teams Calling Plans as part of the UK PSTN switch-off (originally scheduled for the end of 2025). Voice calls routed through Teams introduce additional security considerations:

  • Call recordings stored in Teams/SharePoint must be protected under the same information governance policies as other sensitive data
  • SIP trunk security for Direct Routing implementations must be configured correctly to prevent toll fraud
  • Emergency calling configuration must be verified — Teams voice requires specific emergency call routing that is distinct from traditional PSTN

See our VoIP security guide for detailed guidance on securing Teams-based telephony.

How AMVIA Secures Microsoft Teams

Configuring Teams security across guest access, meeting policies, app permissions, and data governance requires a systematic approach and regular review as Microsoft releases new features and policy options.

AMVIA's managed Microsoft 365 service includes Teams security configuration as a standard component, with:

  • Audit of current Teams admin settings against NCSC guidance
  • Guest access policy review and cleanup of stale guest accounts
  • Meeting policy configuration for external meeting security
  • App permission policy governance
  • Integration of Teams security with Defender for Office 365 Safe Links
  • Sensitivity label configuration for Teams information protection
  • Quarterly review of guest accounts and app permissions

Key Points

What UK businesses need to know about Microsoft Teams security.

Teams Is a Phishing Vector

Attackers use compromised accounts and guest access to send malicious links and files through Teams. Defender for Office 365 Safe Links and Safe Attachments should be extended to cover Teams.

Guest Access Needs Governance

Guest users can access channels, files, and conversations if misconfigured. Quarterly guest access reviews and clear governance policies prevent sensitive data being accessible to former guests.

Meeting Recordings Require Policy

Teams meetings capture sensitive business discussions. Recording storage, access controls, and who-can-record policies should be explicitly configured, not left at defaults.

Team Creation Needs Controls

Unrestricted team creation leads to governance sprawl — data spread across hundreds of unmanaged channels, with no visibility of external sharing or guest access granted by individual team owners.
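Every team is backed by a Microsoft 365 group, so limiting team creation means limiting group creation in Entra ID. The following added example (not from the original article) uses the Microsoft.Graph PowerShell module to restrict creation to members of one security group; it assumes a group named "Team Creators" already exists and holds the approved requestors.

```powershell
# Added example: limit who can create teams via the Entra ID Group.Unified setting.
# Assumptions: Microsoft.Graph module; a security group named "Team Creators" already exists.
Connect-MgGraph -Scopes "Directory.ReadWrite.All", "Group.Read.All" -NoWelcome

$allowed = Get-MgGroup -Filter "displayName eq 'Team Creators'"
if (-not $allowed) { throw "Create the 'Team Creators' security group first" }

$values = @(
    @{ name = 'EnableGroupCreation';         value = 'false' }       # everyone else: no
    @{ name = 'GroupCreationAllowedGroupId'; value = $allowed.Id }   # members of this group: yes
)

# The tenant-wide setting is created from the Group.Unified template the first time, and
# updated in place thereafter
$template = Get-MgGroupSettingTemplate | Where-Object DisplayName -eq 'Group.Unified'
$setting  = Get-MgGroupSetting | Where-Object TemplateId -eq $template.Id

if ($setting) {
    Update-MgGroupSetting -GroupSettingId $setting.Id -Values $values
} else {
    New-MgGroupSetting -TemplateId $template.Id -Values $values
}

# Verify. Global Administrators and similar roles can still create groups regardless of this setting.
(Get-MgGroupSetting | Where-Object TemplateId -eq $template.Id).Values |
    Where-Object Name -in 'EnableGroupCreation', 'GroupCreationAllowedGroupId'
```

Pair this with a request process: once creation is restricted, staff need a documented route to ask for a new team, or they will route around the control with shared chats and personal OneDrive links.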

Teams Security Checklist

Guest access configured — restricted channels, MFA required, no directory browsing

Quarterly guest access review process in place — removing unused accounts

External access (federation) configured — known partners allowed, unknown contacts blocked

Team creation policy — restricted to IT or approved requestors, not all users

Safe Links and Safe Attachments extended to Teams — scanning links and files in messages

Meeting lobby settings configured — external participants require explicit admission

Recording policies configured — storage location and access controls reviewed

Secure Your Microsoft Teams Environment

AMVIA configures Teams guest access, external sharing, meeting policies, and Safe Links/Safe Attachments protection as part of its managed Microsoft 365 security service.