Configure teams with baseline protection
In this article, we look at how to deploy teams with a baseline level of protection. This level allows users a wide range of options for collaboration while enhancing permissions management and providing basic protection against oversharing. Recommended protections for this level include identity and device access policies and protection against malware. Additionally, you can apply conditional access policies and data loss protections as needed.
As a first step, we recommend that you configure basic identity and device-access policies. See Policy recommendations for securing Teams chats, groups, and files for details.
We also recommend turning on basic Defender for Office 365 features to guard against malware in documents, attachments, and links. We recommend turning on each of the options in the following table.
|Safe Attachments for SharePoint, OneDrive and Teams
|Safe Attachments in Microsoft Defender for Office 365
|Safe Documents in Microsoft 365 A5 or E5 Security
|Safe Links for Teams
|Safe Links settings for Microsoft Teams
Teams guest sharing
In each of the tiers, we have the option of sharing with people outside your organization. For the sensitive and highly sensitive tiers, we have the option to turn guest sharing off at the team level by using sensitivity labels. But the organization-level guest sharing setting must be turned on for guest sharing to work at all in Teams.
Guest sharing is turned on by default for commercial organizations. However if you have previously changed any of the guest sharing settings for your organization, we recommend that you review Collaborate with guests in a team to ensure that guest sharing is available in Teams.
Site and file sharing
To reduce the risk of accidentally sharing files or folders with people outside your organization, we recommend changing the default sharing link for SharePoint to Only people in your organization. (If users need to share externally, and you have enabled guest sharing, they can still change the link type when they share.)
To change the default sharing link
- Open the SharePoint admin center, under Policies, select Sharing.
- Under File and folder links, select Only people in your organization.
- Select Save.
For the best guest sharing experience, we also recommend that you enable SharePoint and OneDrive integration with Microsoft Entra B2B.
Create a team
Additional configuration for the baseline level of protection is done in the SharePoint site associated with a team. Create a public or private team before proceeding to the next section.
Site sharing settings
By default, members of a SharePoint site can invite others to the site. When a site is part of a team, team members are included as site members. However, people added directly to the site don't have access to the rest of the team. For this reason, we recommend managing permissions exclusively through the team.
To help with permissions management, we recommend configuring the associated site to only allow owners to share the site by itself. This simplifies permissions management and helps prevent access by people without a team owner's knowledge. Do this for each team that requires baseline protection.
To update the site sharing settings
- In the tool bar for the team, select Files.
- Select Open in SharePoint.
- In the tool bar of the SharePoint site, select the settings icon, and then select Site permissions.
- In the Site permissions pane, under Site sharing, select Change how members can share.
- Under Sharing permissions, choose Site owners and members, and people with Edit permissions can share files and folders, but only site owners can share the site, and then select Save.
Microsoft 365 offers additional methods for securing your content. Consider if the following options would help improve security for your organization.
- Configure a session sign-in frequency policy for guests.
- Create sensitive information types and use data loss prevention to set policies around accessing sensitive information.