Written by Mike Pearlstein, CISSP, CEO of Fusion Computing Limited. Helping Canadian businesses build and manage secure IT infrastructure since 2012 across Toronto, Hamilton, and Metro Vancouver.
KEY TAKEAWAYS
- Microsoft Teams ships with permissive defaults: external federation, guest creation, and meeting lobbies all favour collaboration over containment on day one.
- Six attack vectors dominate Teams incidents in Canadian SMB tenants, and external chat phishing plus device-code meeting invites lead the list.
- The 8-control hardening checklist below closes the most common gaps in roughly four to six administrator hours per tenant.
- PIPEDA, Quebec Law 25, and Bill C-8 each pull Teams chat, recordings, and shared files into the reasonable-safeguards perimeter.
- Microsoft 365 Business Premium covers most controls; Defender for Office 365, Entra Conditional Access, and Purview do the heavy lifting.
Get a Free Microsoft Teams Security Consultation
Why Microsoft Teams security matters for Canadian businesses in 2026
Microsoft Teams ships with collaboration-first defaults: external federation, guest invitations, and anonymous meeting join are all enabled out of the box. Microsoft’s external access documentation (2026) confirms it is on by default, so admins must explicitly restrict outside reach and guest permissions. The 8-control hardening checklist below closes those gaps in four to six administrator hours.
Teams + Copilot: Copilot reads private Teams channels with stale memberships the same way it reads SharePoint. The Pre-Copilot SharePoint Audit covers the Teams-channel review pattern.
Microsoft Teams is the deepest-integrated app inside Microsoft 365. A single Teams identity touches SharePoint Online, OneDrive, Exchange, Entra ID, and any connected Power Platform flow. Locking down Exchange does not lock down Teams.
The Teams Admin Center, Entra ID external collaboration settings, and Microsoft Purview policies are three separate planes that must be configured together. Across 41 Canadian SMB tenants Fusion Computing audited through Q1 2026, the Teams hardening gap was the most common first-audit finding, even on tenants with MFA enforced.
The Canadian Centre for Cyber Security flags collaboration platforms as a rising initial-access surface in its 2025 small-business guidance. Treating Teams as a separate hardening pass, distinct from email and SharePoint, is the correction I push hardest.
The 6 Microsoft Teams attack vectors
According to the Canadian Anti-Fraud Centre (2025), reported business losses run into the hundreds of millions of dollars annually, led by business email compromise and ransomware, and most fraud goes unreported. Because Teams sits inside the same Microsoft 365 identity as email, one compromised credential can expose Teams chats, channels, and shared files, which is why conditional access and external-sharing limits matter.
The Teams attack surface is narrower than email but higher trust. Staff treat a Teams message from a recognized name the way they treat a hallway conversation: low scrutiny, fast action. Six vectors recur in the incidents Fusion Computing triages.
| Vector | How it works | Primary control |
|---|---|---|
| External chat phishing | Lookalike tenant DMs staff and ships a malicious link in chat | Federation allow-list |
| Teams vishing | Attacker joins as guest, calls posing as IT, walks staff through a remote-tool install | Guest restrictions |
| Device-code meeting invites | External invite contains device-code phishing or token-harvesting link | Defender for Office 365 Safe Links |
| Malicious file share | Macro or HTML-smuggled payload posted in chat or channel | Safe Attachments for Teams |
| Token theft and session replay | Compromised endpoint exfiltrates Teams refresh tokens | Conditional Access, compliant device |
| Stale guest accounts | Dormant external identity reactivated and used to read channels | 90-day Entra access reviews |
The Microsoft Digital Defense Report 2024 documents Teams-targeted activity from state-aligned groups including Storm-2372, with device-code phishing inside meeting invites as the recurring technique. OWASP collaboration-platform guidance echoes the same six categories.
CITATION
Microsoft Digital Defense Report 2024 records continued targeting of Microsoft Teams by state-aligned actors using device-code phishing inside meeting invites and open tenant-to-tenant channels. Source: Microsoft Security Insider.
External access and federation: who can DM your staff?
According to the Canadian Centre for Cyber Security, the Baseline Cyber Security Controls for small and medium organizations define a starting set of safeguards spanning multi-factor authentication, patching, backups, and incident response. The baseline aligns with CIS Controls v8.1. For Microsoft Teams, the practical translation is to restrict external access and federation so only trusted domains can direct-message staff, closing one of the easiest paths an outside attacker has to reach an employee.
External access is the federation channel that lets users in other Microsoft 365 tenants chat, call, and meet with staff. It is enabled by default for every domain on the planet. For most Canadian SMBs I work with, the right posture is allow-list, not block-list.
The single highest-impact change is switching federation from Allow All to a specific domain allow-list of vendors, partners, and clients the business actually uses. Companion settings: turn off communication with unmanaged Teams accounts and disable Skype consumer interop. Fusion Computing’s cybersecurity services include a federation review on every Microsoft 365 onboarding.
A practical starting point is the last 90 days of legitimate Teams activity from the admin audit log. The domains that show up become the allow-list; everything else is blocked at the protocol layer.
Guest access controls
According to Statistics Canada and its Canadian Survey of Cyber Security and Cybercrime (2024), small and medium businesses absorb a disproportionate share of incident impact while running the leanest security teams. That gap is why guest access controls matter in Microsoft Teams. Limiting what guests can see, restricting which domains can be invited, and reviewing guest membership on a schedule keeps a lean team aware of who can reach internal channels.
Guest access is different from federation. A guest is an Entra ID B2B identity invited into the tenant and added to specific Teams. Unlike a federated user, a guest sits inside private channels and can access SharePoint files. Treat every guest as a low-trust internal user.
Three settings carry most of the risk in my audits. Guest channel-creation rights ship on and should be off. Guest message-deletion rights ship on and should be off so audit trails stay intact. Sensitivity labels on guest-enabled teams should be required, with the External label enforcing site privacy and SharePoint sharing rules at the platform layer.
Pair guest access with a quarterly Entra access review on a 90-day cadence. The review surfaces dormant guests, where most stale-account risk lives.
“The assessment found an admin account with domain-level rights that had been inactive for four years but was still open. One phishing email away from a full breach. We never would have caught that on our own.”
What is the difference between external access and guest access, explained
External access (federation) lets users in another Microsoft 365 tenant chat and call your staff while staying in their own directory. Guest access invites an outside identity into your Entra ID tenant and gives it a seat inside specific teams and their SharePoint files. Microsoft’s guest access documentation (2026) draws the same line: federation is a boundary conversation, guesting is membership.
The distinction matters because my hardening priorities differ for each. Federation gets an allow-list and unmanaged-account blocks in the Teams Admin Center; guests get restricted rights plus sensitivity labels and 90-day Entra ID reviews. When an audit shows both wide open, I close federation first because I can reverse that change in thirty minutes.
Take the free IT business assessment → to see which of the two doors is open in your tenant.
File sharing and SharePoint integration
Every Teams team has a SharePoint site behind it. Files posted in chat live in OneDrive; files posted in channels live in the team SharePoint site. SharePoint external sharing, OneDrive sync, and Teams file permissions all overlap, and a misconfiguration in one plane bleeds across the others.
The recommended posture is sensitivity labels driving SharePoint behaviour. An External label blocks anonymous links, forces a 30-day expiry on guest links, and prevents downloads on unmanaged devices. Microsoft Purview Information Protection applies the labels; Defender for Cloud Apps watches for unusual download volumes.
Phishing and BEC inside Teams chat
Business email compromise has migrated into Teams chat. The attacker registers a lookalike tenant, federates with the target, and DMs a finance staffer posing as a CFO or vendor with a wire-transfer request. Email security tooling never sees the message because it never traverses Exchange.
The defensive stack I deploy has three layers. Microsoft Defender for Office 365 Safe Links rewrites URLs in Teams messages and detonates them at click time. Microsoft Purview DLP for Teams blocks chats that contain SIN, payment card data, or phrases like wire or EFT from external participants. The external-user warning banner inside the Teams client adds a visual cue staff can train on.
Microsoft Sentinel ingests Teams audit logs alongside Entra sign-ins for the SOC layer, so impossible-travel and tenant-foreign session patterns surface in a single view. Pair this with phishing-resistant multi-factor authentication on the identity layer to remove the password-replay path.
Get a Free Microsoft Teams Security Consultation if finance approvals happen in chat at your firm; the DLP rule and warning banner are the fastest wins in this whole guide.
CITATION
IBM 2025 Cost of a Data Breach Report places the global average breach at USD 4.88 million and the Canadian average above CAD 6 million, with collaboration platforms a rising initial-access vector. Source: IBM Security.
Field note
A manufacturing client in Hamilton called me in February after a finance staffer received a Teams chat from a CFO in a different tenant asking for a wire confirmation. The lookalike tenant was created the day before. Federation was wide open, no allow-list, no external-warning banner.
I rebuilt the federation list around eight known-good domains, turned on the external-user banner, and added a Purview DLP rule blocking any chat from external participants that contained the words wire or EFT. Six weeks in, three more spoof attempts hit the banner and stopped at the chat preview. The fix took one Saturday afternoon of admin work.
The 8-control Teams hardening checklist
Apply these in order. Controls 1 through 4 are tenant-wide and reversible; controls 5 through 8 need staff communication and a short rollout window. This is the same checklist Fusion Computing runs on every Microsoft 365 onboarding. An FC internal benchmark from Q2 2026, drawn from anonymized client data across our 41 tenant audits, puts the full pass at four to six administrator hours.
| Control | Where to set it | Effort |
|---|---|---|
| 1. Federation allow-list (specific domains only) | Teams Admin Center, External access | 30 min |
| 2. Block unmanaged Teams accounts and Skype consumer | Teams Admin Center, External access | 10 min |
| 3. Conditional Access: MFA plus compliant device for Teams | Entra ID, Conditional Access | 60 min plus pilot |
| 4. Meeting lobby on for anonymous and external joiners | Teams Admin Center, Meetings | 20 min |
| 5. Guest channel and message-create rights off | Teams Admin Center, Guest access | 15 min |
| 6. Sensitivity labels required on Teams sites | Microsoft Purview, Information Protection | 90 min |
| 7. Purview DLP for Teams chat (SIN, PCI, PHIPA) | Microsoft Purview, DLP policies | 90 min |
| 8. Quarterly Entra access reviews for guests | Entra ID, Identity Governance | 30 min |
Most tenants complete the rollout inside one work week, and controls 1, 2, and 4 can ship the same day. Take the free IT business assessment → to scope the work for your tenant, with results reviewed by the CISSP-led team at a Microsoft Solutions Partner.
PIPEDA, Quebec Law 25, Bill C-8 implications for Teams data
Canadian privacy law treats Teams content the same way it treats email and shared drives. Chat messages, channel posts, meeting recordings, transcripts, and shared files are personal information when they reference an identifiable individual, so the reasonable-safeguards test under PIPEDA Principle 7 applies in full.
| Regulation | Teams-specific impact | Mapped controls |
|---|---|---|
| PIPEDA (federal) | Reasonable safeguards on chat, recordings, and shared files; consent for recording | Controls 3, 6, 7 |
| Quebec Law 25 | Privacy impact assessment for Teams deployments touching Quebec residents | Controls 6, 7, 8 |
| Bill C-8 (federal cybersecurity) | Designated-operator obligations on incident reporting and baseline controls | Controls 1, 3, 7 |
Mapping Teams controls to PIPEDA, Quebec Law 25, and Bill C-8 gives the same security investment a defensible audit narrative on top of the security outcome.
Common Microsoft Teams security mistakes
Five mistakes recur across the Canadian SMB tenants Fusion Computing audits. Federation left at Allow All is the most common; it ships open and rarely gets a second pass. Guest accounts with no expiry and no review cadence is second. Meeting lobby bypass for external joiners is third.
The fourth is treating SharePoint external sharing as the only file-sharing surface, ignoring chat-level OneDrive shares. The fifth is skipping Conditional Access for Teams because email already enforces it, missing that Teams has its own session lifetimes. Each maps to a control above, and none requires E5 licensing in my deployments.
Get a Free Microsoft Teams Security Consultation
Frequently asked questions
Is Microsoft 365 Business Premium enough to harden Teams properly?
For most Canadian SMBs under 300 seats, yes. Business Premium covers Conditional Access, Intune device compliance, sensitivity labels, and baseline Microsoft Purview DLP for Teams. Information barriers, customer key, and advanced eDiscovery require E5 or a Purview add-on, but those are second-stage controls.
Should a business block Teams external access entirely?
Rarely. A full block breaks legitimate vendor collaboration and pushes staff to personal email. The pragmatic posture is allow-list specific domains, disable communication with unmanaged Teams accounts, and disable Skype consumer interop.
How do sensitivity labels protect Teams?
A sensitivity label applied to a team enforces three things at the platform layer: site privacy, guest access, and external sharing on the underlying SharePoint site. Labels also drive DLP rule scope, so a single label change cascades through chat, files, and email.
Does Microsoft Purview DLP for Teams scan voice and video calls?
No. DLP scans chat messages, channel messages, and shared files. Voice, video, and meeting transcripts are covered by separate communication compliance and meeting recording policies in Microsoft Purview, not the standard DLP engine.
How often should a tenant review Teams external access settings?
Quarterly at minimum, monthly during periods of vendor turnover. The federation allow-list, guest-rights toggle, and meeting-lobby defaults belong on a recurring change-control review so settings do not drift back toward defaults after an admin-tool update.
What logs should be forwarded to a SIEM for Teams?
At minimum: Entra ID sign-in logs, Teams admin audit logs, Microsoft Purview DLP incidents, and meeting join events for external participants. Microsoft Defender for Cloud Apps adds anomaly detection on top, and Microsoft Sentinel correlates them with email and endpoint signals.
Do these settings change if staff use Teams on personal devices?
Yes. Conditional Access plus Intune App Protection policies should require either a managed device or app-protected access. Without that, Teams on a personal device exposes chat, files, and recordings to whatever the device is also running. The PIPEDA reasonable-safeguards test applies regardless of device ownership.
Where should a business start if Teams is already in production with no hardening?
Controls 1, 2, and 4 in the checklist are reversible and can ship the same day with no staff impact. Control 3 (Conditional Access) needs a pilot group. Controls 5 through 8 need a short staff communication. Most tenants complete the full eight controls inside one work week.
How does Bill C-8 change Teams obligations for Canadian SMBs?
Bill C-8, the federal cybersecurity bill replacing the lapsed C-26, introduces incident-reporting and baseline-control obligations for designated operators. SMBs in supply chains feel it through contract clauses. Teams controls 1, 3, and 7 map to the baseline expectations.

