Teams Channels Are Not Secure By Default: The Admin Lie
Episode Synopsis
Teams is not secure by default—especially in hybrid environments full of guests, private channels, and synced libraries. In this episode, we walk through two real-world style incidents where “set and forget” Teams defaults quietly exposed data, then build a five-layer hardening plan: Conditional Access that actually bites, Purview DLP on chat and channels, Entra ID guest governance, audit & forensics you can prove in court, and retention that survives scrutiny. You’ll leave with exact policy patterns you can copy, test, and measure in your own tenant.

Opening – The Hook & Value Promise

The night’s loud with static. Teams channels hum like open vents. Guests linger. Files sync to places no one watches. One careless paste away from a bleed you can’t stop.

This episode gives you a concrete Teams security blueprint:
- Enforce MFA for everyone, including guests
- Kill legacy authentication
- Require compliant or protected devices for Teams / SharePoint / Exchange
- Wire Purview DLP into chat and channels
- Govern guests with expirations, reviews, and access packages
- Prove it all in logs, holds, and audits

You’ll see two incidents that show how defaults burn tenants—and then we’ll build the five layers that would have stopped them.

Segment 1 – Incident Proof: How Defaults Burned Two Tenants

We open with two Teams failure stories.

Incident 1 – The Guest That Never Left

A project ends. Champagne’s gone. One guest remains in the team.
- Private channel = separate SharePoint site; the guest’s sync client still points to that library.
- Weeks later, the guest opens their laptop → the private channel library syncs fresh sensitive files down automatically.

What failed:
- No guest expiration
- No Entra ID access reviews for the team
- External sharing too loose for private-channel SharePoint sites
- Owners assumed “project over” = “access over.” It wasn’t.

Blast radius:
- Sensitive docs in the private channel site
- Meeting recordings, Loop components, and thread-linked files
- All delivered via SharePoint sync—no need to open Teams at all

Incident 2 – PII Paste and the Data Fork

A tired internal user pastes SSNs and bank details into a Teams channel. Someone copies it to email for a vendor. Another exports the thread. PII now lives in Teams, Exchange, local drives, and third-party systems. Cleanup becomes a scavenger hunt.

What failed:
- No Purview DLP for Teams chat & channels
- No policy tips, no block-with-override, no compliance alert
- Teams treated like a front-end; core controls (Purview, Entra, SharePoint) were never tuned

Key takeaway: Teams isn’t the vault. It’s the lobby. The vault lives in Conditional Access, Purview DLP, Entra ID Governance, and SharePoint sharing policies. From here, we build the five layers that would have shut both incidents down.

Layer 1 – Conditional Access Baseline That Actually Bites

Goal: Identity is the lock. Make it hurt to be misconfigured.
You’ll hear a complete Conditional Access baseline:

MFA for Everyone (Including Guests)
- Entra policy: All users (including Guests and external) → All cloud apps.
- Grant: Require MFA.
- Exclude only two break-glass accounts with long random passwords, monitored and stored offline.

Kill Legacy Authentication
- New policy targeting Exchange ActiveSync and Other clients.
- Grant: Block access.
- Starves phish and breaks old clients that can’t do MFA.

Require Device Compliance for Crown Apps
- Scope: internal users (and guests where feasible).
- Apps: Teams, SharePoint Online, Exchange Online.
- Grant: Require compliant device (Intune).
- For BYOD/mobile: a cloned policy using “approved client app” + app protection instead.

Session Controls & Risk-Based Policies
- Short sign-in frequency (e.g., 8 hours) and weekly reauth for sensitive apps.
- Enable Continuous Access Evaluation (CAE) so password changes and account disables kill live sessions.
- Extra policies for high-risk sign-ins/users → block or force password change and investigation.

Guest & Service Account Edge Cases
- Ensure guests hit MFA at first sign-in.
- Disable interactive sign-in for service accounts; move to workload or managed identities.
- Regularly test break-glass accounts and CAE behavior.

The point: MFA enforced, legacy auth dead, only trusted devices, short sessions, and real risk-based gates.

Layer 2 – Purview DLP for Teams Chat & Channels

Goal: Sensitive data should trip a wire the second it hits chat.

Configuration you’ll walk through:

Purview DLP Policy targeted specifically to:
- Teams chat and Teams channel messages

Sensitive Info Types:
- SSNs, credit cards, bank accounts, health data, and custom IDs (employee/customer IDs, etc.).

Rules:
- High-confidence block with override
  - Match = 1 for crown jewels (SSN, PAN with Luhn, etc.).
  - Block message; allow override with typed justification.
  - Real-time policy tip to user + high-severity alert to compliance.
- Medium-confidence educate & alert
  - Allow message but warn user and notify compliance for tuning and behavior change.

Extras:
- Mirror policies to SharePoint/OneDrive so files + links are both covered.
- Tune confidence and match counts to kill noise.
- Use policy tips that explain in plain language, not legalese.
- Pilot, tune, then roll out by department → finally org-wide.
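The three core policies of the Layer 1 baseline (MFA for all including guests, block legacy authentication, compliant device for Teams, SharePoint and Exchange), written up as an added example for Microsoft Graph PowerShell; this is not code from the episode or from Microsoft. The policy names, the break-glass object IDs and the guest-exclusion scoping on the device policy are assumptions; the three application IDs are Microsoft's well-known first-party app IDs.

```powershell
# Added example (not from the episode): the three core Layer 1 policies for
# Microsoft Graph PowerShell (Microsoft.Graph.Identity.SignIns module).
# Assumed: Conditional Access Administrator role; break-glass object IDs are placeholders.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Exclude only the two break-glass accounts, by object ID.
$breakGlass = @('<BREAK-GLASS-1-OBJECT-ID>', '<BREAK-GLASS-2-OBJECT-ID>')
$users      = @{ includeUsers = @('All'); excludeUsers = $breakGlass }   # 'All' already covers guests

# Start every policy in report-only mode, review the sign-in log, then set state = 'enabled'.
$state = 'enabledForReportingButNotEnforced'
$policies = @(
    @{  # MFA for everyone, including guests and external users
        displayName   = 'CA001 - Require MFA for all users incl. guests'
        state         = $state
        conditions    = @{ users = $users; applications = @{ includeApplications = @('All') }; clientAppTypes = @('all') }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    },
    @{  # Kill legacy authentication: these client types cannot complete MFA
        displayName   = 'CA002 - Block legacy authentication'
        state         = $state
        conditions    = @{ users = $users; applications = @{ includeApplications = @('All') }; clientAppTypes = @('exchangeActiveSync', 'other') }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    },
    @{  # Intune-compliant device for the crown apps; guests are excluded here and get the BYOD clone instead
        displayName   = 'CA003 - Require compliant device for Teams, SharePoint, Exchange'
        state         = $state
        conditions    = @{
            users = @{
                includeUsers = @('All'); excludeUsers = $breakGlass
                excludeGuestsOrExternalUsers = @{   # assumption: scope this policy to internal users only
                    guestOrExternalUserTypes = 'b2bCollaborationGuest,b2bCollaborationMember,otherExternalUser'
                    externalTenants = @{ '@odata.type' = '#microsoft.graph.conditionalAccessAllExternalTenants'; membershipKind = 'all' }
                }
            }
            applications = @{ includeApplications = @(
                'cc15fd57-2c6c-4117-a88c-83b1d56b4bbe',   # Microsoft Teams
                '00000003-0000-0ff1-ce00-000000000000',   # Office 365 SharePoint Online
                '00000002-0000-0ff1-ce00-000000000000'    # Office 365 Exchange Online
            ) }
            clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
    }
)

foreach ($p in $policies) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p | Select-Object DisplayName, State
}
```

Report-only mode lets you read the Conditional Access sign-in log for what each policy would have blocked before any user is affected; the break-glass accounts stay excluded so a misconfiguration cannot lock the tenant out.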
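The two-rule pattern of Layer 2 (high-confidence block with override, medium-confidence educate and alert) scoped to Teams and mirrored to SharePoint and OneDrive, as an added example for Security & Compliance PowerShell; this is not code from the episode. The policy and rule names, confidence thresholds and policy-tip wording are assumptions; the sensitive info type names are Microsoft's built-in ones.

```powershell
# Added example (not from the episode): Layer 2 Purview DLP for Teams, using the
# Security & Compliance PowerShell cmdlets in the ExchangeOnlineManagement module.
# Assumed: Compliance Administrator role; policy/rule names and tip text are placeholders.
Connect-IPPSSession

$policy = 'DLP - Teams crown jewels'

# Scope to Teams chat/channel messages and mirror to SharePoint and OneDrive so files and
# links are covered too. Simulation with tips first; switch to -Mode Enable after tuning.
New-DlpCompliancePolicy -Name $policy -Comment 'SSN, PAN, bank account in Teams (pilot)' `
    -TeamsLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications

# Built-in sensitive info types; 'Credit Card Number' already applies the Luhn checksum.
$crownJewels = @('U.S. Social Security Number (SSN)', 'Credit Card Number', 'U.S. Bank Account Number')

# Rule 1: high confidence, a single match (minCount 1) blocks the message, allows override
# with a typed justification, shows a plain-language tip and raises a high-severity alert.
New-DlpComplianceRule -Name 'Crown jewels - block with override' -Policy $policy `
    -ContentContainsSensitiveInformation @($crownJewels | ForEach-Object {
        @{ Name = $_; minCount = '1'; minConfidence = '85'; maxConfidence = '100' } }) `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText 'This message appears to contain an SSN, card or bank account number. Remove it, or override and explain why it must be sent.' `
    -NotifyAllowOverride WithJustification `
    -GenerateAlert SiteAdmin -ReportSeverityLevel High

# Rule 2: medium confidence is allowed through but warns the user and alerts compliance,
# which is the tuning signal for match counts and confidence thresholds.
New-DlpComplianceRule -Name 'Crown jewels - educate and alert' -Policy $policy `
    -ContentContainsSensitiveInformation @($crownJewels | ForEach-Object {
        @{ Name = $_; minCount = '1'; minConfidence = '75'; maxConfidence = '84' } }) `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText 'This message may contain personal or financial data. Double-check before sending.' `
    -GenerateAlert SiteAdmin -ReportSeverityLevel Medium

# Verify what was created before widening the pilot scope.
Get-DlpComplianceRule -Policy $policy | Select-Object Name, BlockAccess, NotifyAllowOverride, ReportSeverityLevel
```

While the policy is in TestWithNotifications mode users see the tips but nothing is blocked, so the alert volume from rule 2 tells you how much noise to tune out before enforcing rule 1 on a department.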