Configure teams with baseline protection

In this article, we look at how to deploy teams with a baseline level of protection. This level allows users a wide range of options for collaboration while enhancing permissions management and providing basic protection against oversharing. Recommended protections for this level include identity and device access policies and protection against malware. Additionally, you can apply conditional access policies and data loss protections as needed.

Initial protections

As a first step, we recommend that you configure basic identity and device-access policies. See Policy recommendations for securing Teams chats, groups, and files for details.

We also recommend turning on basic Defender for Office 365 features to guard against malware in documents, attachments, and links. Turn on each of the options in the following table.

| Option | Information |
|---|---|
| Safe Attachments for SharePoint, OneDrive and Teams | Safe Attachments in Microsoft Defender for Office 365; Defender for Office 365 - SharePoint, OneDrive, and Microsoft Teams |
| Safe Documents | Safe Documents in Microsoft 365 A5 or E5 Security |
| Safe Links for Teams | Safe Links settings for Microsoft Teams |

Teams guest sharing

In each of the tiers, we have the option of sharing with people outside your organization. For the sensitive and highly sensitive tiers, we have the option to turn guest sharing off at the team level by using sensitivity labels. But the organization-level guest sharing setting must be turned on for guest sharing to work at all in Teams.

Guest sharing is turned on by default for commercial organizations. However, if you have previously changed any of the guest sharing settings for your organization, we recommend that you review Collaborate with guests in a team to ensure that guest sharing is available in Teams.

Site and file sharing

To reduce the risk of accidentally sharing files or folders with people outside your organization, we recommend changing the default sharing link for SharePoint to Only people in your organization. (If users need to share externally, and you have enabled guest sharing, they can still change the link type when they share.)

To change the default sharing link

  1. Open the SharePoint admin center, and under Policies, select Sharing.
  2. Under File and folder links, select Only people in your organization.
  3. Select Save.

For the best guest sharing experience, we also recommend that you enable SharePoint and OneDrive integration with Microsoft Entra B2B.
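
The tenant-level settings recommended so far can also be checked from PowerShell. The following script is an added example, not part of the original article: it reads the default sharing link type, the Entra B2B integration flag, and the Safe Attachments and Safe Documents switches, and reports which ones differ from the baseline. It assumes the Microsoft.Online.SharePoint.PowerShell and ExchangeOnlineManagement modules are installed and that you sign in with an account that can read these settings; the admin URL is a placeholder.

```powershell
# Added example: audit of the tenant-level baseline settings described above.
# Read-only unless -FixDefaultLink is passed.
param(
    # Placeholder; replace with your tenant's SharePoint admin center URL.
    [string]$AdminUrl = 'https://contoso-admin.sharepoint.com',
    # When set, changes the default sharing link to "Only people in your organization".
    [switch]$FixDefaultLink
)

Connect-SPOService -Url $AdminUrl          # SharePoint Online Management Shell
Connect-ExchangeOnline -ShowBanner:$false  # needed for the Defender for Office 365 policy

$tenant = Get-SPOTenant
$atp    = Get-AtpPolicyForO365

# Each row: the setting from the article, the value the baseline expects, the current value.
$checks = @(
    [pscustomobject]@{ Setting = 'Default sharing link (DefaultSharingLinkType)'
                       Expected = 'Internal'; Actual = "$($tenant.DefaultSharingLinkType)" }
    [pscustomobject]@{ Setting = 'SharePoint/OneDrive integration with Entra B2B'
                       Expected = 'True'; Actual = "$($tenant.EnableAzureADB2BIntegration)" }
    [pscustomobject]@{ Setting = 'Safe Attachments for SharePoint, OneDrive and Teams'
                       Expected = 'True'; Actual = "$($atp.EnableATPForSPOTeamsODB)" }
    [pscustomobject]@{ Setting = 'Safe Documents'
                       Expected = 'True'; Actual = "$($atp.EnableSafeDocs)" }
)

# Add a pass/fail column and print the report.
$report = $checks | Select-Object Setting, Expected, Actual,
    @{ Name = 'Compliant'; Expression = { $_.Actual -eq $_.Expected } }
$report | Format-Table -AutoSize

# Optional remediation for the one setting whose admin-center steps are listed above.
if ($FixDefaultLink -and "$($tenant.DefaultSharingLinkType)" -ne 'Internal') {
    Set-SPOTenant -DefaultSharingLinkType Internal
    # Re-read the tenant so the confirmation reflects the stored value.
    $after = (Get-SPOTenant).DefaultSharingLinkType
    Write-Host "Default sharing link is now: $after"
}

# A non-zero exit code lets a scheduled job flag drift from the baseline.
$failed = @($report | Where-Object { -not $_.Compliant })
if ($failed.Count -gt 0 -and -not $FixDefaultLink) { exit 1 }
```

Safe Links for Teams is configured per Safe Links policy rather than in these two objects, so it is not covered by this check.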

Create a team

Additional configuration for the baseline level of protection is done in the SharePoint site associated with a team. Create a public or private team before proceeding to the next section.

Site sharing settings

By default, members of a SharePoint site can invite others to the site. When a site is part of a team, team members are included as site members. However, people added directly to the site don't have access to the rest of the team. For this reason, we recommend managing permissions exclusively through the team.

To help with permissions management, we recommend configuring the associated site so that only owners can share the site itself. This simplifies permissions management and helps prevent access by people without a team owner's knowledge. Do this for each team that requires baseline protection.

To update the site sharing settings

  1. In the toolbar for the team, select Files.
  2. Select Open in SharePoint.
  3. In the toolbar of the SharePoint site, select the settings icon, and then select Site permissions.
  4. In the Site permissions pane, under Site sharing, select Change how members can share.
  5. Under Sharing permissions, choose Site owners and members, and people with Edit permissions can share files and folders, but only site owners can share the site, and then select Save.

Additional protections

Microsoft 365 offers additional methods for securing your content. Consider whether the following options would help improve security for your organization.

Configure Teams meetings with baseline protection

Get started with insider risk management

Configure teams with protection for sensitive data

Configure teams with protection for highly sensitive data