Microsoft Teams Security for Business: A Canadian SMB Hardening Guide (2026)


Written by Mike Pearlstein, CISSP, CEO of Fusion Computing Limited. Helping Canadian businesses build and manage secure IT infrastructure since 2012 across Toronto, Hamilton, and Metro Vancouver.

KEY TAKEAWAYS

  • Microsoft Teams ships with permissive defaults: external federation, guest creation, and meeting lobbies all favour collaboration over containment on day one.
  • Six attack vectors dominate Teams incidents in Canadian SMB tenants, and external chat phishing plus device-code meeting invites lead the list.
  • The 8-control hardening checklist below closes the most common gaps in roughly four to six administrator hours per tenant.
  • PIPEDA, Quebec Law 25, and Bill C-8 each pull Teams chat, recordings, and shared files into the reasonable-safeguards perimeter.
  • Microsoft 365 Business Premium covers most controls; Defender for Office 365, Entra Conditional Access, and Purview do the heavy lifting.


Why Microsoft Teams security matters for Canadian businesses in 2026

Microsoft 365 and Teams inherit your tenant permissions, so over-broad sharing and guest access are the common exposures; Conditional Access plus external-sharing and data-loss-prevention controls close that gap.

Teams + Copilot: Copilot reads private Teams channels with stale memberships the same way it reads SharePoint. The Pre-Copilot SharePoint Audit covers the Teams-channel review pattern.

Microsoft Teams is the deepest-integrated app inside Microsoft 365. A single Teams identity touches SharePoint Online, OneDrive, Exchange, Entra ID, and any connected Power Platform flow. Locking down Exchange does not lock down Teams.

The Teams Admin Center, Entra ID external collaboration settings, and Microsoft Purview policies are three separate planes that must be configured together. Across 41 Canadian SMB tenants Fusion Computing audited through Q1 2026, the Teams hardening gap was the most common first-audit finding, even on tenants with MFA enforced.

The Canadian Centre for Cyber Security flags collaboration platforms as a rising initial-access surface in its 2025 small-business guidance. Treating Teams as a separate hardening pass, distinct from email and SharePoint, is the correction.

The 6 Microsoft Teams attack vectors

The Canadian Anti-Fraud Centre logs hundreds of millions of dollars in reported business losses each year, led by business email compromise and ransomware, and notes that the majority of fraud goes unreported.

The Teams attack surface is narrower than email but higher trust. Staff treat a Teams message from a recognized name the way they treat a hallway conversation: low scrutiny, fast action. Six vectors recur in the incidents Fusion Computing triages.

| Vector | How it works | Primary control |
|---|---|---|
| External chat phishing | Lookalike tenant DMs staff and ships a malicious link in chat | Federation allow-list |
| Teams vishing | Attacker joins as guest, calls posing as IT, walks staff through a remote-tool install | Guest restrictions |
| Device-code meeting invites | External invite contains device-code phishing or token-harvesting link | Defender for Office 365 Safe Links |
| Malicious file share | Macro or HTML-smuggled payload posted in chat or channel | Safe Attachments for Teams |
| Token theft and session replay | Compromised endpoint exfiltrates Teams refresh tokens | Conditional Access, compliant device |
| Stale guest accounts | Dormant external identity reactivated and used to read channels | 90-day Entra access reviews |

The Microsoft Digital Defense Report 2024 documents Teams-targeted activity from state-aligned groups including Storm-2372, with device-code phishing inside meeting invites as the recurring technique. OWASP collaboration-platform guidance echoes the same six categories.

CITATION

Microsoft Digital Defense Report 2024 records continued targeting of Microsoft Teams by state-aligned actors using device-code phishing inside meeting invites and external federation. Source: Microsoft Security Insider.

External access and federation: who can DM your staff?

The Canadian Centre for Cyber Security publishes Baseline Cyber Security Controls for small and medium organizations, a starting set spanning MFA, patching, backups, and incident response that aligns with CIS Controls v8.1.

External access is the federation channel that lets users in other Microsoft 365 tenants chat, call, and meet with staff. It is enabled by default for every domain on the planet. For most Canadian SMBs, the right posture is allow-list, not block-list.

The single highest-impact change is switching federation from Allow All to a specific domain allow-list of vendors, partners, and clients the business actually uses. Companion settings: turn off communication with unmanaged Teams accounts and disable Skype consumer interop. Fusion Computing’s cybersecurity services include a federation review on every Microsoft 365 onboarding.

A practical starting point is the last 90 days of legitimate Teams activity from the admin audit log. The domains that show up become the allow-list; everything else is blocked at the protocol layer.
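The 90-day audit-log pass described above, as an added example that is not part of the original guide: it takes MicrosoftTeams records from the unified audit log, counts conversations per foreign tenant domain inside the window, and checks which domains a proposed allow-list would cut off. The record field names (ParticipantInfo.HasForeignTenantUsers, ParticipatingDomains), the home domain and the sample records are assumptions constructed for the example.

```python
from collections import Counter
from datetime import datetime, timedelta

HOME_DOMAIN = "fusionexample.ca"        # constructed home tenant domain (assumption)
REVIEW_DATE = datetime(2026, 3, 31)     # constructed date the review is run

# Constructed sample records in the shape of MicrosoftTeams AuditData entries; the field
# names (CreationTime, Workload, ParticipantInfo.*) are an assumption about the audit schema.
SAMPLE_RECORDS = [
    {"CreationTime": "2026-03-02T14:03:22", "Workload": "MicrosoftTeams",
     "ParticipantInfo": {"HasForeignTenantUsers": True,
                         "ParticipatingDomains": ["fusionexample.ca", "PartnerCo.example"]}},
    {"CreationTime": "2026-03-10T09:15:00", "Workload": "MicrosoftTeams",
     "ParticipantInfo": {"HasForeignTenantUsers": True,
                         "ParticipatingDomains": ["fusionexample.ca", "partnerco.example"]}},
    {"CreationTime": "2025-11-01T11:00:00", "Workload": "MicrosoftTeams",   # older than 90 days
     "ParticipantInfo": {"HasForeignTenantUsers": True,
                         "ParticipatingDomains": ["fusionexample.ca", "oldvendor.example"]}},
    {"CreationTime": "2026-03-20T16:45:10", "Workload": "MicrosoftTeams",   # internal only
     "ParticipantInfo": {"HasForeignTenantUsers": False,
                         "ParticipatingDomains": ["fusionexample.ca"]}},
    {"CreationTime": "2026-03-28T08:02:41", "Workload": "MicrosoftTeams",   # one-off lookalike
     "ParticipantInfo": {"HasForeignTenantUsers": True,
                         "ParticipatingDomains": ["fusionexample.ca", "partnerc0.example"]}},
]

def in_window(record, now=REVIEW_DATE, days=90):
    """True when the record falls inside the trailing review window."""
    stamp = datetime.fromisoformat(record["CreationTime"].rstrip("Z"))
    return now - timedelta(days=days) <= stamp <= now

def external_domains(record):
    """Foreign tenant domains in one conversation, lower-cased, home domain removed."""
    info = record.get("ParticipantInfo") or {}
    if not info.get("HasForeignTenantUsers"):
        return set()
    return {d.lower() for d in info.get("ParticipatingDomains", [])} - {HOME_DOMAIN}

def domain_counts(records, now=REVIEW_DATE, days=90):
    """Conversations per external domain inside the window: the allow-list review input."""
    counts = Counter()
    for rec in records:
        if rec.get("Workload") == "MicrosoftTeams" and in_window(rec, now, days):
            counts.update(external_domains(rec))
    return counts

def would_be_blocked(record, allow_list):
    """Domains in this conversation that the proposed allow-list would cut off."""
    return sorted(external_domains(record) - {d.lower() for d in allow_list})
```

On the sample, domain_counts(SAMPLE_RECORDS) reports two conversations for partnerco.example and one for the lookalike partnerc0.example, while oldvendor.example falls outside the window; a domain seen once is the one to verify with the business owner before it goes on the list.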

Guest access controls

Statistics Canada’s survey of cyber security and cybercrime finds that small and medium businesses absorb a disproportionate share of incident impact while running the leanest security teams.

Guest access is different from federation. A guest is an Entra ID B2B identity invited into the tenant and added to specific Teams. Unlike a federated user, a guest sits inside private channels and can access SharePoint files. Treat every guest as a low-trust internal user.

Three settings carry most of the risk. Guest channel-creation rights ship on and should be off. Guest message-deletion rights ship on and should be off so audit trails stay intact. Sensitivity labels on guest-enabled teams should be required, with the External label enforcing site privacy and SharePoint sharing rules at the platform layer.

Pair guest access with a quarterly Entra access review on a 90-day cadence. The review surfaces dormant guests, where most stale-account risk lives.

File sharing and SharePoint integration

Every Teams team has a SharePoint site behind it. Files posted in chat live in OneDrive; files posted in channels live in the team SharePoint site. SharePoint external sharing, OneDrive sync, and Teams file permissions all overlap, and a misconfiguration in one plane bleeds across the others.

The recommended posture is sensitivity labels driving SharePoint behaviour. An External label blocks anonymous links, forces a 30-day expiry on guest links, and prevents downloads on unmanaged devices. Microsoft Purview Information Protection applies the labels; Defender for Cloud Apps watches for unusual download volumes.

Phishing and BEC inside Teams chat

Business email compromise has migrated into Teams chat. The attacker registers a lookalike tenant, federates with the target, and DMs a finance staffer posing as a CFO or vendor with a wire-transfer request. Email security tooling never sees the message because it never traverses Exchange.

The defensive stack has three layers. Microsoft Defender for Office 365 Safe Links rewrites URLs in Teams messages and detonates them at click time. Microsoft Purview DLP for Teams blocks chats that contain SIN, payment card data, or phrases like wire or EFT from external participants. The external-user warning banner inside the Teams client adds a visual cue staff can train on.

Microsoft Sentinel ingests Teams audit logs alongside Entra sign-ins for the SOC layer, so impossible-travel and tenant-foreign session patterns surface in a single view. Pair this with phishing-resistant multi-factor authentication on the identity layer to remove the password-replay path.

CITATION

IBM 2025 Cost of a Data Breach Report places the global average breach at USD 4.88 million and the Canadian average above CAD 6 million, with collaboration platforms a rising initial-access vector. Source: IBM Security.

FIELD NOTE FROM MIKE

A Hamilton manufacturing client called us in February after a finance staffer received a Teams chat from a CFO in a different tenant asking for a wire confirmation. The lookalike tenant was created the day before. Federation was wide open, no allow-list, no external-warning banner.

We rebuilt the federation list around eight known-good domains, turned on the external-user banner, and added a Purview DLP rule blocking any chat from external participants that contained the words wire or EFT. Six weeks in, three more spoof attempts hit the banner and stopped at the chat preview. The fix was a Saturday afternoon of admin work.
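A simulation of the Purview DLP rule described in the defensive stack above and in the field note, added here as example code rather than anything from Purview or the original guide: it applies the mod-10 (Luhn) checksum that Canadian SINs and payment card numbers share, and the wire/EFT keyword rule scoped to external senders. The home domain, senders and messages are constructed; the SIN and card number are standard Luhn-valid test values, not real identifiers.

```python
import re

HOME_DOMAIN = "fusionexample.ca"   # constructed home tenant domain (assumption)
SIN_RE = re.compile(r"\b(\d{3})[- ]?(\d{3})[- ]?(\d{3})\b")      # 9-digit Canadian SIN
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")                  # 13 to 19 digit card number
KEYWORD_RE = re.compile(r"\b(wire|eft)\b", re.IGNORECASE)

def luhn_ok(digits):
    """Mod-10 checksum shared by Canadian SINs and payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:               # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_sins(text):
    """Candidate SINs that pass the checksum; random 9-digit numbers mostly fail it."""
    return [m.group(0) for m in SIN_RE.finditer(text) if luhn_ok("".join(m.groups()))]

def find_pans(text):
    return [m.group(0) for m in PAN_RE.finditer(text)
            if luhn_ok(re.sub(r"[ -]", "", m.group(0)))]

def is_external(sender):
    return sender.rsplit("@", 1)[-1].lower() != HOME_DOMAIN

def evaluate(message):
    """Names of the rules that would block the message; an empty list means it passes."""
    text, hits = message["text"], []
    if find_sins(text):
        hits.append("SIN")
    if find_pans(text):
        hits.append("PaymentCard")
    if is_external(message["sender"]) and KEYWORD_RE.search(text):
        hits.append("ExternalWireKeyword")
    return hits

# Constructed sample chat; the SIN and card number are standard Luhn-valid test values.
SAMPLE_MESSAGES = [
    {"sender": "cfo@partnerc0.example", "text": "Please confirm the wire today, invoice attached."},
    {"sender": "cfo@fusionexample.ca",  "text": "Wire went out this morning, thanks."},
    {"sender": "hr@fusionexample.ca",   "text": "New hire SIN is 046 454 286 for payroll setup."},
    {"sender": "ap@vendor.example",     "text": "Card on file 4111 1111 1111 1111, exp 12/27."},
    {"sender": "it@fusionexample.ca",   "text": "Ticket 123 456 789 is closed."},
]
```

Running evaluate over SAMPLE_MESSAGES blocks the external wire request, the SIN and the card number, and passes the internal "wire" update and the ticket number, which has nine digits but fails the checksum.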

The 8-control Teams hardening checklist

Apply these in order. Controls 1 through 4 are tenant-wide and reversible; controls 5 through 8 need staff communication and a short rollout window. This is the same checklist Fusion Computing runs on every Microsoft 365 onboarding.

| Control | Where to set it | Effort |
|---|---|---|
| 1. Federation allow-list (specific domains only) | Teams Admin Center, External access | 30 min |
| 2. Block unmanaged Teams accounts and Skype consumer | Teams Admin Center, External access | 10 min |
| 3. Conditional Access: MFA plus compliant device for Teams | Entra ID, Conditional Access | 60 min plus pilot |
| 4. Meeting lobby on for anonymous and external joiners | Teams Admin Center, Meetings | 20 min |
| 5. Guest channel and message-create rights off | Teams Admin Center, Guest access | 15 min |
| 6. Sensitivity labels required on Teams sites | Microsoft Purview, Information Protection | 90 min |
| 7. Purview DLP for Teams chat (SIN, PCI, PHIPA) | Microsoft Purview, DLP policies | 90 min |
| 8. Quarterly Entra access reviews for guests | Entra ID, Identity Governance | 30 min |

Working through the eight controls takes one administrator four to six hours including the staff communication for the guest-rights and DLP changes. A free IT Business Consultation scopes it for a specific tenant.

PIPEDA, Quebec Law 25, Bill C-8 implications for Teams data

Canadian privacy law treats Teams content the same way it treats email and shared drives. Chat messages, channel posts, meeting recordings, transcripts, and shared files are personal information when they reference an identifiable individual, so the reasonable-safeguards test applies in full.

| Regulation | Teams-specific impact | Mapped controls |
|---|---|---|
| PIPEDA (federal) | Reasonable safeguards on chat, recordings, and shared files; consent for recording | Controls 3, 6, 7 |
| Quebec Law 25 | Privacy impact assessment for Teams deployments touching Quebec residents | Controls 6, 7, 8 |
| Bill C-8 (federal cybersecurity) | Designated-operator obligations on incident reporting and baseline controls | Controls 1, 3, 7 |

Mapping Teams controls to PIPEDA, Quebec Law 25, and Bill C-8 gives the same security investment a defensible audit narrative on top of the security outcome.

Common Microsoft Teams security mistakes

Five mistakes recur across the Canadian SMB tenants Fusion Computing audits. Federation left at Allow All is the most common; it ships open and rarely gets a second pass. Guest accounts with no expiry and no review cadence come second. Meeting lobby bypass for external joiners is third.

The fourth is treating SharePoint external sharing as the only file-sharing surface, ignoring chat-level OneDrive shares. The fifth is skipping Conditional Access for Teams because email already enforces it, missing that Teams has its own session lifetimes. Each maps to a control above, and none requires E5.


Frequently asked questions

Is Microsoft 365 Business Premium enough to harden Teams properly?

For most Canadian SMBs under 300 seats, yes. Business Premium covers Conditional Access, Intune device compliance, sensitivity labels, and baseline Microsoft Purview DLP for Teams. Information barriers, customer key, and advanced eDiscovery require E5 or a Purview add-on, but those are second-stage controls.

Should a business block Teams external access entirely?

Rarely. A full block breaks legitimate vendor collaboration and pushes staff to personal email. The pragmatic posture is to allow-list specific domains, disable communication with unmanaged Teams accounts, and disable Skype consumer interop.

What is the difference between external access and guest access?

External access is federation: another tenant’s users keep their identity and chat across the boundary. Guest access invites an external identity into the Entra ID directory and adds them to specific Teams. Guests sit deeper inside the tenant and need stricter controls, including sensitivity labels and quarterly access reviews.

How do sensitivity labels protect Teams?

A sensitivity label applied to a team enforces three things at the platform layer: site privacy, guest access, and external sharing on the underlying SharePoint site. Labels also drive DLP rule scope, so a single label change cascades through chat, files, and email.

Does Microsoft Purview DLP for Teams scan voice and video calls?

No. DLP scans chat messages, channel messages, and shared files. Voice, video, and meeting transcripts are covered by separate communication compliance and meeting recording policies in Microsoft Purview, not the standard DLP engine.

How often should a tenant review Teams external access settings?

Quarterly at minimum, monthly during periods of vendor turnover. The federation allow-list, guest-rights toggle, and meeting-lobby defaults belong on a recurring change-control review so settings do not drift back toward defaults after an admin-tool update.

What logs should be forwarded to a SIEM for Teams?

At minimum: Entra ID sign-in logs, Teams admin audit logs, Microsoft Purview DLP incidents, and meeting join events for external participants. Microsoft Defender for Cloud Apps adds anomaly detection on top, and Microsoft Sentinel correlates them with email and endpoint signals.

Do these settings change if staff use Teams on personal devices?

Yes. Conditional Access plus Intune App Protection policies should require either a managed device or app-protected access. Without that, Teams on a personal device exposes chat, files, and recordings to whatever the device is also running. The PIPEDA reasonable-safeguards test applies regardless of device ownership.

Where should a business start if Teams is already in production with no hardening?

Controls 1, 2, and 4 in the checklist are reversible and can ship the same day with no staff impact. Control 3 (Conditional Access) needs a pilot group. Controls 5 through 8 need a short staff communication. Most tenants complete the full eight controls inside one work week.

How does Bill C-8 change Teams obligations for Canadian SMBs?

Bill C-8, the federal cybersecurity bill replacing the lapsed C-26, introduces incident-reporting and baseline-control obligations for designated operators. SMBs in supply chains feel it through contract clauses. Teams controls 1, 3, and 7 map to the baseline expectations.
