Teams: Understanding & controlling security
Microsoft Teams can provide a very secure means to share files and collaborate within a team or group of people, but care should be taken to fully understand how the security works before sharing sensitive information. This article will provide an overview of Microsoft Teams security along with explanations of how to alter it as needed to meet special needs.
Types of Teams
When a team site is created within Microsoft Teams, the creator has the option to make the team "private" or "public". A private team is one where people need permission to join, while a public team is one that anyone can join. This choice is the first opportunity to make decisions on the security of a team's content. Sensitive data should never be placed in a public team. For the purposes of this article, we will assume you are working with a private team site.
Team membership and roles
After a team site is created, one of the first tasks to perform is to add members to the team. These will be the people who will have access to the team and the associated communications and content within the site. Choosing who belongs to the team provides the next opportunity for securing the team. For a private team, especially one where sensitive information will exist, you should be selective regarding who has membership to the team.
Every member of a team has a role, and each one has different permissions. A role must be selected as a person is added to a team but can be changed at a later time as needed. The three roles are:
- Owners: Team owners manage certain settings for the team. They add and remove members, add guests, change team settings, and handle administrative tasks. There can be multiple owners in a team, though it is highly recommended in most situations to assign no more than 2 owners.
- Members: Members are the people in the team. They talk with other team members in conversations. They can view and usually upload and change files. They also do the usual sorts of collaboration that the team owners have permitted.
- Guests: Guests are people from outside of Oklahoma City University whom a team owner invites to join the team, such as partners or consultants. Guests have fewer capabilities than team members or team owners, but there's still a lot they can do.
The following table shows default capabilities for each role.

| Capability | Owner | Member | Guest |
| --- | --- | --- | --- |
| Create a channel | X | X | X |
| Participate in a private channel | X | X | X |
| Participate in a channel conversation | X | X | X |
| Share a channel file | X | X | X |
| Share a chat file | X | X | |
| Delete or edit posted messages | X | X | X |
| Add or remove members and guests | X | | |
| Edit or delete a team | X | | |
| Perform other team configurations and permissions | X | | |

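The team-level choices covered so far (public versus private, the number of owners, and the presence of guests) can be reviewed in bulk. The following PowerShell is an added example, not part of the original article: it assumes the MicrosoftTeams module is installed and that Connect-MicrosoftTeams has already been run; the function name Get-TeamSecurityFinding and its MaxOwners parameter are hypothetical.

```powershell
# Added example: audits the team-level controls discussed in this article.
# Assumes the MicrosoftTeams module is installed and Connect-MicrosoftTeams
# has already been run by an account allowed to read the teams in question.
function Get-TeamSecurityFinding {
    [CmdletBinding()]
    param(
        # Owner threshold; 2 follows the article's recommendation.
        [int]$MaxOwners = 2
    )

    foreach ($team in Get-Team) {
        # One call per team; each entry carries a Role of owner, member or guest.
        $users  = @(Get-TeamUser -GroupId $team.GroupId)
        $owners = @($users | Where-Object { $_.Role -eq 'owner' })
        $guests = @($users | Where-Object { $_.Role -eq 'guest' })

        $findings = @()
        if ($team.Visibility -eq 'Public') {
            $findings += 'Public team: anyone can join'
        }
        if ($owners.Count -gt $MaxOwners) {
            $findings += "$($owners.Count) owners (more than $MaxOwners)"
        }
        if ($guests.Count -gt 0) {
            $findings += "$($guests.Count) guest(s): " + ($guests.User -join ', ')
        }

        # Emit a row only for teams that have something to review.
        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Team       = $team.DisplayName
                Visibility = $team.Visibility
                Owners     = $owners.Count
                Guests     = $guests.Count
                Findings   = $findings -join '; '
            }
        }
    }
}

# List every team that needs a second look.
Get-TeamSecurityFinding | Format-Table -AutoSize -Wrap
```

A row in the output is a prompt for the team owner to review the team, since a team with guests or extra owners may be configured exactly as intended.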
Types of channels
Content is organized within a team site by the use of channels. By default, this content includes Posts and Files, though many other types of content can be added to channels. There are three types of channels which help determine permissions within the channel:
-
Standard
A standard channel is open for all team members and anything posted is searchable by others. By default, all members of a team can create standard channels. Every team has one default standard channel titled General.
-
Private
A private channel is for discussions and content that shouldn't be open to all team members. Only those invited to a private channel can access its content. By default, any team owner or team member can create a private channel and add members.
-
Shared
A shared channel is for collaborating with people inside and outside of the team. Only team owners can create shared channels, and only shared channel owners can add members or share the channel with a team. Only people who are owners or members of a shared channel can access it, so you must be invited to join one.
By default, anyone with access to a channel can post a message to that channel. If desired, a channel owner can configure their channel to be moderated so that only assigned moderators can start a new post. Moderated channels can be configured to allow members to reply to posts if needed, but the default behavior for a moderated channel is to only allow moderators to post. Note that channel moderation only applies to posts within the Posts tab of the channel. Controlling access to content within the Files tab is described later in this article.
To manage a channel's settings (and membership for private channels), right-click on the channel and select Manage channel. Alternatively, hover the mouse over the channel and click the ellipses button to reveal the same menu.
File security
As mentioned above, each channel is provided a Files tab where files and folders can be shared with those who have access to the channel. By default, anyone with access to the channel can add, delete, or update files within that channel. These capabilities make sense for most collaborative situations. However, there are times when it is important to control the level of access to certain files or folders. For example, you might want team owners to be able to edit files while everyone else within that channel can only view the files. Managing access to files or folders is a simple process but can only be done by a team owner.
- Navigate to the file or folder you want to restrict access to.
- Right-click the item and choose Manage access from the menu. Alternatively, hover the mouse over the item and click the ellipses button to reveal the same menu.
- Under the Groups tab, click the group whose access you want to restrict.
- You will be presented with a summary of the current access and can alter the access to either Can edit (make any changes to the file), Can view (cannot make changes but can view the file), or Remove direct access (removes any type of access to the file).
- Click the Apply button once finished.
Note that if you set access restrictions on a folder, these restrictions will be placed on all items (files and folders) contained within the folder.
If you wish to change permissions for all files and folders within a channel, there is a trick to get to the root folder for a channel.
- Open the General channel and click the Files tab.
- Click Documents in the folder breadcrumbs list.
- Under the In site library section, right-click the folder associated with the channel for which you want to set permissions and choose Manage access. Alternatively, hover over the folder and click the ellipses button to reveal the same menu.
- Under the Groups tab, click the group whose access you want to restrict.
- You will be presented with a summary of the current access and can alter the access to either Can edit (make any changes), Can view (cannot make changes but can view), or Remove direct access (removes any type of access).
- Click the Apply button once finished.
Conclusion
These are just a few of the ways security can be established and controlled within Microsoft Teams. More complex security can be applied if required. Consult with Campus Technology Services when this is needed.
Additional resources
Securing Office 365 files and emails using Sensitivity Labels
Safeguarding Sensitive Personally Identifiable Information