Office 365 & Microsoft Teams - Convenience of Collaboration and Impact on Security



In this article we show how working with Microsoft Teams looks from the point of view of users, IT administrators, and information security staff.

First of all, let's clarify how Teams differs from most other Microsoft products in the Office 365 offering (hereinafter, for brevity, O365).

Teams is only a client: it has no cloud application of its own, and it places the data it manages in various O365 applications.

We will show what happens “under the hood” when users work in Teams, SharePoint Online (hereinafter SPO) and OneDrive.

If you would like to move straight to the practical part, providing security using Microsoft tools (about 1 hour of the total course time), we highly recommend our Office 365 Sharing Audit course, available here. Among other things, it covers the O365 sharing settings that can only be edited through PowerShell.

Meet Acme Co.'s Internal Project Team




This is how the Team looks in Teams after its creation, once its owner, Amelia, has granted the appropriate access to its members:



The Team starts work


Linda assumes that only James and William, with whom she discussed it, will open the file with the bonus payment plan that she placed in her Channel.



James, in turn, sends a link to this file to Emma, an employee of the human resources department who is not a member of the Team.



William sends a contract containing a third party's personal data to another Team member via an MS Teams chat:



Looking under the hood


Zoey, thanks to Amelia, can now add anyone to the Team, or remove anyone from it, at any time:



Linda, when posting a document with critical data intended for only two of her colleagues, chose the wrong Channel type while creating it, and the file became accessible to all Team members:



Fortunately, there is a Microsoft application for O365 in which you can (even though it is intended for other purposes) quickly see what critical data all users have access to, using for the test a user who is a member only of the broadest security group.

Even if the files are located inside Private Channels, this is not a guarantee that only a limited circle of people will have access to them.

In the example with James, he sent a link to the file to Emma, who is not even a member of the Team, let alone of the Private Channel (if it had been one).

The worst thing in this situation is that we will not see any sign of it in the security groups in Azure AD, since the access right was granted to her directly.

The file with personal data that William sent will be available to Margaret at any time, not just while the chat is open.

Digging deeper


Let's go further. First, let's see what exactly happens when a user creates a new Team in MS Teams:



  • A new Office 365 security group is created in Azure AD, containing the Team owners and members
  • A site for the new Team is created in SharePoint Online (SPO)
  • Three new site-local groups (active only in this service) are created in SPO: Owners, Members, Visitors
  • Corresponding changes are made in Exchange Online

MS Teams data and where it lives


Teams is not a data store or a platform of its own. It is integrated with all of the Office 365 services.



  • O365 offers many applications and products, but the data is always stored in the following places: SharePoint Online (SPO), OneDrive (hereinafter OD), Exchange Online, Azure AD
  • The data that you share or receive through MS Teams is stored on these platforms, not inside Teams itself
  • This is where the risk of the growing collaboration trend lies: anyone who has access to data on the SPO and OD platforms can make it available to anyone else, both inside and outside the organization
  • Each Team has its own (group) site in SPO
  • The Team's documents are stored in the "Documents" library of that SPO site:
    • one folder per Channel, holding the files posted in that Channel
    • e-mails sent to a Channel are kept in the "Email Messages" subfolder of the Channel's folder
  • Files of a Private Channel are stored not in the Team site but in a separate SPO site created for that Channel
  • Files sent in chats are stored in the sender's OneDrive (in the "Microsoft Teams Chat Files" folder), with access granted to the chat participants
  • Chat messages and Channel conversations are stored in hidden folders of the user and Team mailboxes, respectively. Currently there is no way to get additional access to them.

Water in the carburetor, flow in the hold


The main points to remember from the information security standpoint:

  • Access control, and the understanding of who may be granted rights to important data, is transferred to the end-user level. There is no full centralized control or monitoring.
  • When someone shares company data, your "blind spots" are visible to others, but not to you.



In the list of Team members (the security group in Azure AD) we do not see Emma, but she has access to a specific file, the link to which James sent her.



Likewise, we will not learn about her access to the file from the Teams interface:



Can we somehow find out which objects Emma has access to? Yes, we can, but only by examining the access rights to everything in SPO, or to a specific object that we already have suspicions about.

Having examined those rights, we see that Emma and Chris have rights to the object at the SPO level.



Chris? We do not know any Chris. Where did he come from?

He "came" to us from the site-local SPO security group, which in turn also includes the Azure AD security group containing the members of the Compensations Team.



Perhaps Microsoft Cloud App Security (MCAS) can shed light on the questions that interest us, by providing the right level of visibility?

Alas, no. Although we can see Chris and Emma, we cannot see the specific users who were granted access.

O365 access levels and techniques: a challenge for IT


The process of granting access to data on file shares within an organization's perimeter is simple, and it gives practically no opportunity to bypass the granted access rights.



O365 has many opportunities for collaboration and data access.

  • , , , , , ,
  • ,

Microsoft has probably provided too many ways to modify access control lists in O365. Such settings exist at the level of the tenant, sites, folders, files, the objects themselves, and links to them. Configuring sharing settings is important and should not be neglected.

We offer a free video course of about an hour and a half on configuring these parameters; the link is given at the beginning of this article.

Without thinking twice, you could block all external file sharing, but then:

  • Some features of the O365 platform will go unused, especially by users who are used to them from home or from a previous job
  • "Advanced users" will "help" other employees get around your rules by other means

Configuring sharing includes:

  • Separate configuration for each application: OD, SPO, AAD and MS Teams (part of it can be done only by the administrator, part only by the users themselves)
  • Configuration at the tenant level and at the level of each individual site

What this means for information security


As we saw above, a full and reliable picture of access rights to data cannot be seen in a single interface:



Thus, in order to understand who has access to EVERY specific file or folder, you will need to build an access matrix yourself, collecting the data for it and taking the following into account:

  • Team members are visible in Azure AD and Teams, but not in SPO
  • Team owners can designate co-owners, who can expand the Team membership on their own
  • Teams may also include EXTERNAL users ("Guests")
  • Links provided for sharing or downloading are not visible in Teams or in Azure AD, only in SPO, and only after tedious clicking through a mass of links
  • Access granted only to the SPO site is not visible in Teams
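The access matrix described above, and the Chris and Emma cases from the earlier section, as an added worked example that is not part of the original article: it merges three sources that O365 shows in separate interfaces (the Team's Azure AD group, the site-local SPO groups, and item-level SPO permissions) into one per-file view, and flags users who can reach a file without being Team members. All names, group names, paths and membership data are constructed for the example, not taken from a real tenant.

```python
# Constructed sample data modelled on the scenario above (not a real tenant).
# Team membership as Azure AD shows it (the Office 365 group behind the Team).
AAD_GROUPS = {
    "Compensations Team": {"Amelia", "Zoey", "Linda", "James", "William", "Margaret"},
}
# SPO site-local groups: members are users or nested Azure AD groups ("aad:...").
# Chris sits in the SPO Members group directly, so Teams and Azure AD never show him.
SPO_GROUPS = {
    "Compensations Owners": {"Amelia"},
    "Compensations Members": {"aad:Compensations Team", "Chris"},
    "Compensations Visitors": set(),
}
# Item-level permissions in SPO: SPO groups ("spo:...") or directly granted users.
# Emma's entry is what a sharing link produces: a direct grant on the item itself.
ITEM_ACLS = {
    "Documents/General/bonus-plan.xlsx": {"spo:Compensations Owners", "spo:Compensations Members", "Emma"},
    "Documents/General/agenda.docx": {"spo:Compensations Owners", "spo:Compensations Members"},
}

def expand_principal(principal, chain=()):
    """Resolve a principal to {user: chain of groups}, so every right is explainable."""
    if principal.startswith("aad:"):
        return {u: chain + (principal,) for u in AAD_GROUPS[principal[4:]]}
    if principal.startswith("spo:"):
        users = {}
        for member in sorted(SPO_GROUPS[principal[4:]]):
            users.update(expand_principal(member, chain + (principal,)))
        return users
    # A plain user: either reached through the groups above or granted directly.
    return {principal: chain or ("direct grant",)}

def build_access_matrix(acls):
    """item -> {user: chain}: the single view of effective access that O365 does not offer."""
    matrix = {}
    for item, principals in acls.items():
        users = {}
        for p in sorted(principals):  # deterministic: the first chain found is kept
            for user, chain in expand_principal(p).items():
                users.setdefault(user, chain)
        matrix[item] = users
    return matrix

def blind_spots(matrix, team_group):
    """Users who can reach an item but are not Team members in Azure AD."""
    team = AAD_GROUPS[team_group]
    return {item: {u: c for u, c in users.items() if u not in team}
            for item, users in matrix.items()}
```

Calling `blind_spots(build_access_matrix(ITEM_ACLS), "Compensations Team")` reports Emma (direct grant) and Chris (via the SPO Members group) on the bonus plan, and Chris alone on the agenda, which is exactly what neither Teams nor Azure AD shows.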

The lack of centralized control means that you cannot:

  • See who has access to which resources
  • See where critical data is
  • Meet regulatory requirements that demand services be planned with confidentiality of access at their core
  • Detect anomalous behaviour around critical data
  • Limit the attack surface
  • Choose an effective way to reduce the level of risk, based on its assessment

Summary


As a conclusion, we can say that

  • , O365, , , , - O365
  • , , , - O365 , O365
