Skip to main content

Eight Teams Settings That Decide Whether Your Collaboration Data Stays Private

Nick Ross4 min read

TL;DR

  • Private channels and shared channels let Teams follow least privilege, while public channels expose content to anyone in the organization.
  • Blocking or domain-scoping external access stops outside users from using Teams chat as a reconnaissance or phishing channel.
  • Restricting Teams to approved apps limits data exfiltration paths, since sideloaded and third-party apps can carry vulnerabilities into the tenant.
  • DLP policies scoped to Teams prevent sharing of credit cards, SSNs, and bank details, and require the right Microsoft 365 licensing to enforce.
  • Anonymous and dial-in participants should wait in the meeting lobby rather than being admitted automatically.

Teams is where the whole company talks: chat, meetings, and file sharing in one place. That convenience means a single app potentially holds most, if not all, of an organization's sensitive information, which makes its configuration worth real scrutiny. The eight settings below are each mapped to the CIS Controls (opens in new tab), the widely used set of cybersecurity best practices that helps teams decide what to prioritize first.

A more extensive set of recommendations exists beyond these eight, including configuration steps, end-user impact, and enablement content for each one. A sample is available here: Security Baselines, CIS Controls sample (PDF) (opens in new tab).

Security baselines guide mapped to the CIS Controls

Who can get in: membership and external access

1. Use private teams and shared channels, not public ones

Creating a private channel in Microsoft Teams

Access controls are fundamental to every compliance regulation, and channels where users collaborate on sensitive topics or share critical documents should follow least privilege. Private channels handle this inside the organization: users request access from the owners, and everyone else is blocked from seeing the content.

Shared channels go a step further by letting you explicitly grant channel access to users both inside and outside your organization, which makes them the safer pattern for external collaboration.

Both differ from a public channel, where anyone in the org can gain access. Put a formal process in place for the creation of new teams and channels.

CIS Controls mapping for this recommendation
Channel privacy options when creating a Teams channel

2. Restrict external user access

External access settings in the Teams admin center

External access lets outside users look up internal users by email address and start chats and calls entirely within Teams. Blocking it removes Teams as an avenue for reconnaissance and phishing. Note that even with external access disabled, external users can still join Teams calls as long as anonymous join is enabled. If an organization needs both external access and anonymous join blocked, which this baseline neither requires nor recommends, external collaborators could only attend meetings as B2B guest users. External access can also be granted per domain, which fits cases like agency-to-agency collaboration.

CIS Controls mapping for this recommendation
Configuring per-domain external access in Teams

3. Restrict who can create new teams

Any user in a tenant can create a public or private team by default. Behind the scenes, each new team also creates a Microsoft 365 or Office 365 Group plus a SharePoint site with a document library storing every document shared in its channels. Left unmanaged, the tenant fills with teams nobody remembers creating, and that sprawl leads to data loss, insecure document sharing, and organization-wide confusion. We recommend limiting team creation to designated members and putting a formal request process behind new channels. The configuration itself restricts who can create a group, since groups are the backend of a team.

CIS Controls mapping for this recommendation
Restricting Microsoft 365 group creation to a security group

4. Keep anonymous users in the meeting lobby

Teams meeting lobby settings

This setting controls which participants wait in the lobby before being admitted. Anonymous users, including dial-in users, should not be admitted automatically.

CIS Controls mapping for this recommendation
Configuring who can bypass the lobby in Teams meeting policies

What can run: apps and storage providers

5. Allow only approved apps

Teams app permission policies

Teams integrates with three classes of apps:

  • Microsoft apps, published by Microsoft
  • Third-party apps, not authored by Microsoft, published to the Teams store
  • Custom apps, not published to the Teams store, such as apps under development that users sideload into Teams

Only authorized and approved applications should be available to end users, both to manage exfiltration of corporate data and because unmanaged applications may carry vulnerabilities that exploit users, devices, or data.

CIS Controls mapping for this recommendation
Configuring allowed and blocked apps in the Teams admin center

6. Block third-party file storage

Third-party file storage options in Teams

By default, users can wire external storage providers like Google Drive and Dropbox into their Teams channels. For data loss prevention, only managed, trusted providers should be allowed.

CIS Controls mapping for this recommendation
Disabling third-party cloud storage providers in Teams settings

What the content itself gets: DLP and threat protection

7. Create DLP policies scoped to Teams

Creating a DLP policy for Teams in Microsoft Purview

Data loss prevention catches both the accidental leak and the intentional exfiltration, and it is integral to securing Teams. DLP policies scoped to Teams block the sharing of sensitive information and PII such as credit cards, Social Security numbers, and bank account details before it leaves the conversation.

CIS Controls mapping for this recommendation
DLP policy conditions for sensitive info types in Teams messages
Defender for Office 365 Safe Attachments policy settings

Safe Attachments policies from Defender for Office 365 should be enabled and configured for Teams, so attachments get detonated in a sandbox and scanned for malware on open or download.

For links, Defender protects users from malicious URLs in Teams messages by prepending https://*.safelinks.protection.outlook.com/?url= to URLs in the message. That prefix routes the original URL through Microsoft's scanning proxy, which:

  • Compares the URL with a block list
  • Compares the URL with a list of known malicious sites
  • Applies real-time file scanning if the URL points to a downloadable file

Only when every check passes is the user redirected to the original URL.

CIS Controls mapping for this recommendation
Safe Links policy configuration for Teams
Safe Links protection settings detail

Treat this list as a starting line

These eight settings close the most common Teams gaps, but securing collaboration is a continuous process rather than a one-time configuration pass. Threats change, Microsoft ships new defaults, and settings drift between reviews. Schedule a recurring check of these controls the same way you would patch cycles, and Teams stays a tool you can trust with the company's most sensitive conversations.

Frequently asked questions

Why restrict who can create new teams?

Every new team silently creates a Microsoft 365 Group and a SharePoint site with a document library. Unmanaged, that sprawl leads to data loss, insecure sharing, and confusion, so creation should be limited to designated members with a formal request process.

Do external users still get into meetings if external access is blocked?

Yes, as long as anonymous join is enabled they can still join Teams calls. If both external access and anonymous join are blocked, which this baseline neither requires nor recommends, external collaborators can only attend by being added as B2B guest users.

What do Safe Links actually check in Teams messages?

Defender prepends a safelinks.protection.outlook.com proxy to URLs, then compares each URL against a block list and a list of known malicious sites, and applies real-time file scanning when the URL points to a download. Only after all checks pass is the user redirected to the original URL.

Verify these Teams controls on every tenant you manage

Settings drift, and the Teams policy that passed last quarter can quietly fail this one. CloudCapsule checks 250+ controls, including collaboration settings like these, across all your tenants in about 60 seconds each.

Run a free scan
Nick Ross

Written by

Nick Ross

CEO · Microsoft MVP · Founder, T-Minus 365

Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.

Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.

Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.

Keep reading