Teams Real Simple with Pictures: Governing Guest Access via Azure AD Roles and PIM

Last week, after I wrote the previous article on B2B Management Policy, I had a nagging feeling that I wanted to write something more. It was in the back of my brain; I just couldn't articulate it. Then during this week, when I was teaching SC-900 and doing labs with Azure AD, I remembered. Then, me being me, I forgot it again. It's been that kind of week. But sitting in Wagamama today eating a load of teriyaki soba, it all came flooding back: it was a complementary piece to B2B management on how we can restrict adding guests based upon external identities and leveraging Azure AD roles. Last week, we saw how you could outright block specific domains, so that guests from those domains cannot be added at all. This week, we are going to see how you can stop Teams owners from adding guests unless they have a specific Azure AD role assigned, called Guest Inviter. This has two real benefits. The first is that it stops Teams owners backdooring guests when you have implemented Entitlement Management (EM), because setting up EM doesn't suddenly strip Team owners of the ability to add guests directly in the team itself via Manage members. Secondly, because Team owners no longer have standing access to invite guests and that capability is now based on assignment of an Azure AD role, you can run it through Privileged Identity Management (PIM), and it would go well with an access review. Now, it would certainly be what you could call an EM-light approach. The upside is that you no longer have to deal with catalogues or access packages, which removes a layer of complexity. The downside is that with EM you can package multiple Teams, Microsoft 365 Groups or SharePoint sites at a time: what follows can't do that. Still, it gives us another tool in the kitbag should we want it.
It also means you don't have to rely purely on sensitivity labels to block guest access to specific teams, since Team owners won't be able to add guests unless they hold the assigned role; labels can still be used alongside this anyway. So in short, this either carries EM through to its full conclusion or gives you an alternative approach which isn't as rigid as EM but still puts controls on users adding guests carte blanche.
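As an added example (not code from the original post), here is the procedure above done with the Microsoft Graph PowerShell SDK: set the tenant's external collaboration restriction so that only admins and Guest Inviters can invite, look up the Guest Inviter role by name rather than hardcoding its template id, then make a user PIM-eligible for it (no standing access) and check the result. It assumes the Microsoft.Graph module is installed, an account with the listed scopes, an Azure AD Premium P2 licence (required for PIM), and the user principal name is a placeholder.

```powershell
# Added example, not from the original post. Placeholder UPN; scopes as listed.
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization', 'RoleManagement.ReadWrite.Directory', 'User.Read.All'

# 1. The portal setting "Only users assigned to specific admin roles can invite guest users"
#    is the allowInvitesFrom property of the tenant authorization policy.
Invoke-MgGraphRequest -Method PATCH -Uri 'https://graph.microsoft.com/v1.0/policies/authorizationPolicy' `
    -Body @{ allowInvitesFrom = 'adminsAndGuestInviters' }

# Check: anything other than adminsAndGuestInviters (or none) leaves team owners able to invite.
$authz = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/policies/authorizationPolicy'
"allowInvitesFrom is now: $($authz.allowInvitesFrom)"

# 2. Resolve the Guest Inviter role definition by display name.
$roleUri = "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions?`$filter=displayName eq 'Guest Inviter'"
$role = (Invoke-MgGraphRequest -Method GET -Uri $roleUri).value[0]

# 3. Make the team owner *eligible* for Guest Inviter via PIM. They must activate the role
#    before the Add members dialogue in Teams will let them invite a guest.
$user = Get-MgUser -UserId 'alex.owner@contoso.com'   # placeholder UPN
$request = @{
    action           = 'adminAssign'
    justification    = 'Team owner may invite guests only after PIM activation'
    roleDefinitionId = $role.id
    directoryScopeId = '/'
    principalId      = $user.Id
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString('o')
        expiration    = @{ type = 'afterDuration'; duration = 'P365D' }   # eligibility lasts a year
    }
}
Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/roleManagement/directory/roleEligibilityScheduleRequests' `
    -Body $request

# 4. Check: the user should show up as eligible (memberType Direct, status Provisioned), not as an active assignment.
$schedUri = "https://graph.microsoft.com/v1.0/roleManagement/directory/roleEligibilitySchedules?`$filter=principalId eq '$($user.Id)'"
(Invoke-MgGraphRequest -Method GET -Uri $schedUri).value |
    ForEach-Object { "$($_.roleDefinitionId) status=$($_.status) memberType=$($_.memberType)" }
```

The point of step 3 is that the invite capability now lives in a role assignment rather than in team ownership, which is what lets an access review on the Guest Inviter role govern who can still add guests.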

Teams Real Simple with Pictures: Using B2B Management Policy in Azure AD to block Guest invitations to specific domains

called a B2B Management Policy. Now, why would we use this, and how does it fit in with how we already manage guests? Think of it as follows. When we enable guests in the Teams admin center (TAC), we allow Teams owners to invite B2B users from any organisation. That's cool and frictionless - except, thinking about zero trust, it means we could be leaving ourselves open to insider risk and to competitors being added to our Teams. Now, we could go down the route of using sensitivity labels, but what we really want is simply to block a competitor's whole organisation so that none of their users can be added to ours as guests. We could go down the route of entitlement management, but this can be heavy and involves actions on the part of users; besides, it could be bypassed anyway, as EM doesn't lock down the ability to add guests via Teams. No, we want something quick, frictionless and automatic: an all-out block across the tenant. Well, we can do this in Azure AD. Now, to set expectations, two things. Number one: this is simply another useful tool in the kit bag for managing guests; you would still use sensitivity labels and EM, and this simply layers over the top of them. Secondly, this isn't something that will block all sharing and communication with other domains: other things need to be added, which will be referred to below. All good?
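As an added example (not code from the original post), this is the tenant-wide block described above, created with the AzureAD PowerShell module: a B2BManagementPolicy whose BlockedDomains list denies invitations to the named domains, set as the organisation default, followed by a test invitation that should fail. The domain names and the invitee address are placeholders; it assumes an account that can manage policies and send B2B invitations.

```powershell
# Added example, not from the original post. Placeholder domains and invitee.
Connect-AzureAD

$blockedDomains = @('competitor.example', 'rival.example')

# Policy definition: the Definition parameter takes a JSON string inside an array.
$definition = @{
    B2BManagementPolicy = @{
        InvitationsAllowedAndBlockedDomainsPolicy = @{ BlockedDomains = $blockedDomains }
    }
} | ConvertTo-Json -Depth 5 -Compress

# Only one B2BManagementPolicy can exist per tenant, so update it if it is already there.
$existing = Get-AzureADPolicy | Where-Object { $_.Type -eq 'B2BManagementPolicy' }
if ($existing) {
    Set-AzureADPolicy -Id $existing.Id -Definition @($definition)
} else {
    New-AzureADPolicy -DisplayName 'B2BManagementPolicy' -Type 'B2BManagementPolicy' `
        -Definition @($definition) -IsOrganizationDefault $true
}

# Check 1: read the policy back and confirm it is the org default.
Get-AzureADPolicy | Where-Object { $_.Type -eq 'B2BManagementPolicy' } |
    Format-List DisplayName, IsOrganizationDefault, Definition

# Check 2: an invitation to a blocked domain must now be rejected at the directory,
# which is what stops a Team owner adding that guest from Manage members as well.
try {
    New-AzureADMSInvitation -InvitedUserEmailAddress 'someone@competitor.example' `
        -InviteRedirectUrl 'https://myapps.microsoft.com' -SendInvitationMessage $false
    Write-Warning 'Invitation succeeded: the block is not in effect'
} catch {
    "Invitation blocked as expected: $($_.Exception.Message)"
}
```

Because the block is enforced by Azure AD on the invitation itself, it applies regardless of which surface (Teams, SharePoint, Azure portal) the invite comes from; the same setting is shown in the portal under External Identities, External collaboration settings, Collaboration restrictions.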

12 features I would like to see land in Microsoft Teams in 2022

I was writing up an answer in the Microsoft Tech Community today when it struck me that Teams is nearly 5 years old. That's right - 5 years! Nearly as old as my son. Yet apart from feeling like time has gone by inexplicably fast, as you so often do as a parent, two things really brought home the fact that I am still incredibly invested in it. One: I still feel the best is yet to come; even after five years of maturation we all know it can still be so much more than it is. And two: the longer I work with Teams, the less I find myself concerned with the flash and the more with the fundamentals, those little vital things which make it better to use on a day-to-day basis.

Teams Real Simple with Pictures: Terms of Use with Conditional Access

Happy Christmas! I hope you have enjoyed the last few days - and whether it has been with family, friends, going shopping, eating out, going to church, taking exams or feet up binge-watching movies and taking a real break from everything, I really hope you have managed to spend it how you wanted to after a full-on 2021. You deserve it. Me? I'm spending most of my time with my family, but during the holidays I'm also taking a bit of time to clear the decks for 2022 and refocus on several things which I've missed doing this year. One of those things is the Microsoft Tech Community. Tech Community was where I first started out doing community work back in late 2018. I did it compulsively right up until the beginning of 2021 and it's been a big part of my life the past few years. It's a place where I met a lot of my community friends: people like Adam Deltinger, Chris Webb, Juan Carlos Gonzalez Martin, Vasil Michev and Linus Cansby. It's a place where I got the opportunity to help people directly. It's also the place which led to many more opportunities, including Teams Nation. Yet with everything else going on this year - work, events, exams, speaking on the circuit, you name it - it's been tough to allocate the time to really get back into it like I used to. So I needed to change things up in order to get back to the start, and having re-engaged over the last few weeks I feel much happier and sharper. Now, one of the questions I was asked was regarding Terms of Use. This is fortunate, considering I am teaching Microsoft SCI Fundamentals next month and it's a component of that. Terms of Use is an Azure AD feature but applies to many services, including Microsoft Teams. Do you require employees or guests to accept your terms of use policy before getting access? Do you require employees or guests to accept your terms of use policy on a recurring schedule per your compliance policies? Do you require employees or guests to accept your terms of use policy as part of a Conditional Access policy? Once you use it, it seems strange that you wouldn't want this in place to ensure anyone who is accessing your environment is accepting your terms - especially as it's an Azure AD P1 feature and available to small businesses as well as large.

Teams Real Simple with Pictures: Setting up Safe Links for Teams

It's nearly here. The big day. My 5-year-old is still building his Christmas list and wanting half of the things he sees on TV. It's fingers crossed that the turkey will still be there when we go to pick it up at Marks and Spencer on Thursday. And of course we all hope that we'll get to see our loved ones over the festive season, given what's happening with Omicron here in the UK. But for now, let's put all the worries aside and focus on something we can control and do something about pretty quickly: implementing Safe Links for Microsoft Teams. It's easy to do, and the security case for it is Security 101. It's all about protecting users from clicking on malicious URLs that direct them to sites aiming to instigate a data breach, or that trigger the download of a payload onto their device. Given that Teams has open federation by default, it's pretty much a no-brainer. I tend to think of it this way: what if someone you regularly chat with in private from another organisation sends a link which you don't recognise? How do you know that person hasn't been breached? And how do you respond to someone you don't know at all? What if someone who has been breached within your organisation sends you a document link within Teams with a malicious URL inside it, which to all intents and purposes looks like a legitimate business document? Now, I would love to say that everyone I know - myself included - exercises good judgement in these matters one hundred percent of the time. However, let's be honest, this just isn't true. This is why zero trust is so important to everything we do moving forward. Chances are, someone will click the link. And it's not because they are stupid. It's often because they are busy, or under pressure, or the attackers are very good at making the URL look legitimate. How many of us ask somebody to verify a URL before clicking on it? It could be a combination of those things, and it could happen to any of us. Safe Links is included in Defender for Office 365 Plan 1. It's in E5, but it is also a standalone SKU which could be added, for example, to Microsoft 365 Business Premium. It's important to note that everyone you intend to protect with this needs to be licensed. If the licence isn't on, it won't work even if you add the user to the policy.
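As an added example (not code from the original post), here is a Safe Links policy that covers Teams, scoped by a rule to one recipient domain, followed by the licensing check the last paragraph calls for: a user who matches the rule but holds no Defender for Office 365 service plan is not protected. It assumes Exchange Online PowerShell and the Microsoft.Graph module; the policy name, domain and user principal names are placeholders, and the two service plan names used to detect Plan 1 and Plan 2 are taken from Microsoft's licensing service plan reference and are an assumption to verify against your own tenant's output.

```powershell
# Added example, not from the original post. Placeholder policy name, domain and UPNs.
Connect-ExchangeOnline

$policyName = 'SafeLinks-Teams'
if (-not (Get-SafeLinksPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    # One policy covering email, Teams and Office clients; no click-through past the warning page.
    New-SafeLinksPolicy -Name $policyName `
        -EnableSafeLinksForEmail $true `
        -EnableSafeLinksForTeams $true `
        -EnableSafeLinksForOffice $true `
        -ScanUrls $true `
        -DeliverMessageAfterScan $true `
        -EnableForInternalSenders $true `
        -TrackClicks $true `
        -AllowClickThrough $false
    # The rule decides who the policy applies to; here everyone in the domain.
    New-SafeLinksRule -Name $policyName -SafeLinksPolicy $policyName -RecipientDomainIs 'contoso.com' -Priority 0
}

# Check 1: the Teams toggle really is on in the policy that was created.
Get-SafeLinksPolicy -Identity $policyName | Format-List Name, EnableSafeLinksForTeams, ScanUrls, AllowClickThrough

# Check 2: each intended user actually holds a Defender for Office 365 service plan.
Connect-MgGraph -Scopes 'User.Read.All'
$defenderPlans = @('ATP_ENTERPRISE', 'THREAT_INTELLIGENCE')   # Plan 1 / Plan 2 service plan names (assumption, see lead-in)
foreach ($upn in @('alex@contoso.com', 'sam@contoso.com')) {
    $plans = Get-MgUserLicenseDetail -UserId $upn |
        ForEach-Object { $_.ServicePlans } |
        Where-Object { $_.ServicePlanName -in $defenderPlans -and $_.ProvisioningStatus -eq 'Success' }
    if ($plans) {
        "$upn : licensed ($($plans.ServicePlanName -join ','))"
    } else {
        "$upn : NOT licensed - matches the Safe Links rule but will not be protected"
    }
}
```

Run the second check against the same population the rule targets (the whole domain here); the rule matching a recipient is necessary but not sufficient, and an unlicensed user produces no error, just unrewritten links.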