Following last month's Ignite sessions on Microsoft Teams, there are security enhancements that can be enabled to add extra protection in any organization.
Inviting external guest users to a Teams channel has been a welcome option for all of us: it increases communication with them and boosts productivity. However, there are a few security guidelines that need to be followed to ensure our data stays secure even when it is shared outside the organization's boundary. For instance, a compromised guest account that is a member of a finance team would be a major security incident in any organization.
This article outlines the steps that can be carried out to enhance the security of Microsoft Teams guest accounts by enforcing multi-factor authentication (MFA).
Below are the steps to enforce MFA on guest accounts:
First, create a dynamic group that targets the guest accounts.
Log in to the Azure AD tenant with admin privileges, go to Groups, create a new group, set the group type to Security, and set the membership type to Dynamic.
Now add a dynamic membership query where the property is userType and the value is Guest.
Once done, review the populated rule syntax and save it.
After a short while, the guest users already present in our Azure AD tenant become members of this group. Since it is a dynamic query, all newly invited guest accounts will be added automatically.
Create conditional access policy for guest accounts:
Now create a conditional access policy for the Microsoft Teams guest accounts.
Navigate to Enterprise applications and click Conditional Access.
Target the dynamic group created above in this conditional access policy.
In cloud apps, select Microsoft Teams; it is also better to select SharePoint Online, which will enforce MFA for SharePoint guest users as well.
In conditions we select only locations. This can be adjusted further based on business requirements.
In access controls we select only Require MFA and the IT policy.
MFA is now enforced on guest accounts, and next we will see the effect of this configuration from the invited user's side.
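The same two steps (dynamic guest group, then a conditional access policy requiring MFA and the IT policy for Teams and SharePoint Online) can be scripted with the Microsoft Graph PowerShell SDK. This is an added example, not part of the original article; it assumes the SDK is installed, the signed-in admin has the listed scopes, the service principal display names resolve as shown, and the terms-of-use id is a placeholder you replace with the id of your published IT policy.

```powershell
# Added example (not from the article). Assumes Microsoft.Graph SDK is installed.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Step 1: dynamic security group that automatically contains every guest account.
$guestGroup = New-MgGroup -DisplayName "All Guest Users" `
    -MailEnabled:$false -MailNickname "allguestusers" -SecurityEnabled `
    -GroupTypes "DynamicMembership" `
    -MembershipRule '(user.userType -eq "Guest")' `
    -MembershipRuleProcessingState "On"

# Resolve the first-party app ids for Teams and SharePoint Online instead of hard-coding them
# (assumption: the service principals carry these display names in your tenant).
$teamsAppId = (Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Teams'").AppId
$spoAppId   = (Get-MgServicePrincipal -Filter "displayName eq 'Office 365 SharePoint Online'").AppId

# Step 2: conditional access policy targeting the group, Teams + SharePoint, all locations,
# requiring MFA and acceptance of the IT (terms-of-use) policy.
$policy = @{
    displayName = "Guests: require MFA for Teams and SharePoint"
    # Start in report-only mode and review the sign-in logs before switching to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($guestGroup.Id) }
        applications   = @{ includeApplications = @($teamsAppId, $spoAppId) }
        locations      = @{ includeLocations = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "AND"
        builtInControls = @("mfa")
        termsOfUse      = @("<TERMS-OF-USE-ID>")   # placeholder: id of the published IT policy
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Check: dynamic membership is evaluated asynchronously, so the count grows over the next minutes.
(Get-MgGroupMember -GroupId $guestGroup.Id -All | Measure-Object).Count
```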
Experience of guest users enforced with MFA:
To simulate this behavior, we simply add one guest user to a Teams channel.
After that, the invited user receives a welcome email; this is the usual behavior for any invited Azure AD guest user account.
When clicking to log in, the user is prompted to register and enroll in MFA.
The user is prompted to enter a mobile number in the invited tenant for MFA and must complete the initial authentication process.
If we have enabled the IT policy, the user is prompted to read and accept it.
Finally the user is logged in with the guest account and is able to participate in the invited team through a secured method of authentication.
With very few steps in conditional access, this creates overall better security for Microsoft Teams.