Applies to: Microsoft Teams
The Teams service model may be modified to improve the customer experience. For example, the default refresh or access token expiration times may be changed to improve authentication performance and stability for Teams users. Any such changes are made with the goal of keeping Teams secure and trustworthy by design.
Microsoft Teams, as part of the Microsoft 365 and Office 365 services, follows all the security best practices and procedures, such as service-level security through defense-in-depth, customer controls within the service, security hardening, and operational best practices. For full details, see the Microsoft Trust Center.
Trustworthy by design
Teams was designed and developed in accordance with the Microsoft Trustworthy Computing Security Development Lifecycle (SDL), which is described in Microsoft Security Development Lifecycle (SDL). The first step in creating a more secure unified communications system was to design threat models and test each feature as it was designed. Multiple security-related enhancements were built into the coding process and practices. Build-time tools detect buffer overruns and other potential security threats before the code is checked in to the final product. It is impossible to design against all unknown security threats, and no system can guarantee complete security. However, because product development embraced secure design principles from the start, Teams incorporates industry-standard security technologies as a fundamental part of its architecture.
Trusted by default
Network communication in Teams is encrypted by default. By requiring all servers to use certificates and by using OAuth, Transport Layer Security (TLS), and Secure Real-Time Transport Protocol (SRTP), all Teams data is protected on the network.
How Teams handles common security threats
This section identifies the most common threats to the security of the Teams service and how Microsoft mitigates each threat.
Compromised-key attack
Teams takes advantage of the PKI capabilities of the Windows Server operating system to protect key data used to encrypt TLS connections. The keys used for media encryption are exchanged over TLS connections.
Network denial of service attack
A distributed denial-of-service (DDoS) attack occurs when the attacker prevents normal network use and function by legitimate users. Through a denial-of-service attack, the attacker can:
- Send invalid data to applications and services running on the attacked network to disrupt their normal operation.
- Send a large amount of traffic and overload the system until it stops responding or responds slowly to legitimate requests.
- Hide evidence of attacks.
- Prevent users from accessing network resources.
Teams mitigates these attacks by running Azure DDoS network protection and by throttling client requests from the same endpoints, subnets, and federated entities.
Eavesdropping
Eavesdropping occurs when an attacker gains access to the data path in a network and has the ability to monitor and read the traffic. Eavesdropping is also called sniffing or snooping. If the traffic is in plain text, the attacker can read it once they gain access to the path. An example is an attack carried out by controlling a router on the data path.
Teams uses mutual TLS (MTLS) and server-to-server (S2S) OAuth (among other protocols) for server communication within Microsoft 365 and Office 365, and also uses TLS from clients to the service. All network traffic is encrypted.
These methods of communication make eavesdropping difficult or impossible within the time span of a single conversation. TLS authenticates all parties and encrypts all traffic. While TLS does not prevent eavesdropping, the attacker cannot read the traffic unless the encryption is broken.
The Traversal Using Relays around NAT (TURN) protocol is used for real-time media purposes. The TURN protocol does not mandate that traffic be encrypted, and the information it sends is protected by message integrity. Even though it is vulnerable to eavesdropping, the information it sends (that is, IP addresses and ports) can be extracted directly by looking at the source and destination addresses of the packets. The Teams service ensures that the data is valid by checking the message integrity of the message using the key derived from several items, including a TURN password that is never sent in clear text. SRTP is used for media traffic and is also encrypted.
Spoofing (IP address spoofing)
Spoofing occurs when an attacker determines and uses the IP address of a network, computer, or network component without being authorized to do so. A successful attack allows the attacker to operate as if the attacker were the entity normally identified by that IP address.
TLS authenticates all parties and encrypts all traffic. Using TLS prevents an attacker from spoofing IP addresses on a specific connection (for example, mutual TLS connections). An attacker could still spoof the Domain Name System (DNS) server address. However, because authentication in Teams is done using certificates, an attacker doesn't have the valid information needed to spoof either party to the communication.
Man-in-the-middle attack
A man-in-the-middle attack occurs when an attacker reroutes communication between two users through the attacker's computer without the knowledge of the two communicating users. The attacker can monitor and read the traffic before sending it on to the intended recipient. Each user in the communication unknowingly sends traffic to and receives traffic from the attacker, all while thinking they are communicating only with the intended user. This scenario can happen if an attacker can modify Active Directory Domain Services to add the attacker's server as a trusted server, or modify DNS settings or use other means to get clients to connect through the attacker's server.
Man-in-the-middle attacks on media traffic between two endpoints participating in Teams audio, video, and application sharing are prevented by using Secure Real-Time Transport Protocol (SRTP) to encrypt the media stream. Cryptographic keys are negotiated between the two endpoints over a proprietary signaling protocol (the Teams Call Signaling protocol), which runs over a UDP or TCP channel encrypted with TLS 1.2 and AES-256 (in GCM mode).
Real-Time Transport Protocol (RTP) replay attack
A replay attack occurs when a valid media stream between two parties is intercepted and retransmitted for malicious purposes. Teams uses SRTP with a secure signaling protocol that protects transmissions from replay attacks by allowing the receiver to maintain an index of already received RTP packets and compare each new packet with packets already in the index.
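The receiver-side index described above, as an added illustration (not Teams' own code): a replay guard modelled on the SRTP replay list and roll-over counter (ROC) estimation of RFC 3711, so that the 16-bit RTP sequence number wrapping around is handled instead of being mistaken for a replay. The window size and sample sequence numbers are constructed for the demo.

```python
"""Replay protection for one SRTP stream, modelled on RFC 3711 sections 3.3.1 and 3.3.2.
Added example; not Teams' implementation."""
from dataclasses import dataclass, field

REPLAY_WINDOW = 64  # RFC 3711 requires a replay window of at least 64 packets


@dataclass
class SrtpReplayGuard:
    roc: int = 0      # roll-over counter: how many times the 16-bit SEQ has wrapped
    s_l: int = -1     # highest RTP sequence number accepted so far (-1: none yet)
    accepted: set = field(default_factory=set)  # 48-bit packet indices accepted inside the window

    def _estimate_index(self, seq: int) -> tuple[int, int]:
        """Return (packet index, ROC estimate v) for an incoming SEQ, per RFC 3711 3.3.1."""
        if self.s_l < 0:
            return seq, self.roc
        if self.s_l < 32768:
            # a SEQ far above s_l is most likely a late packet from before the last wrap
            v = (self.roc - 1) % 2**32 if seq - self.s_l > 32768 else self.roc
        else:
            # a SEQ far below s_l most likely belongs to the next wrap
            v = (self.roc + 1) % 2**32 if self.s_l - 32768 > seq else self.roc
        return v * 65536 + seq, v

    def accept(self, seq: int) -> bool:
        """True if the packet with this RTP SEQ is fresh (and it is recorded);
        False if it is a replay or too old to be judged."""
        index, v = self._estimate_index(seq)
        highest = self.roc * 65536 + self.s_l if self.s_l >= 0 else -1
        if index <= highest - REPLAY_WINDOW:
            return False  # outside the window: indistinguishable from a replay, reject
        if index in self.accepted:
            return False  # already seen: replay
        self.accepted.add(index)
        if index > highest:
            # advance ROC / s_l as RFC 3711 prescribes, then drop indices that left the window
            if v == (self.roc + 1) % 2**32:
                self.roc = v
            self.s_l = seq
            self.accepted = {i for i in self.accepted if i > index - REPLAY_WINDOW}
        return True
```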
Spim
Spim is unsolicited commercial instant messages or presence subscription requests, like spam but in instant-message form. While not by itself a compromise of the network, it is at least annoying, can reduce resource availability and throughput, and can possibly lead to a compromise of the network. An example is users sending each other unsolicited requests. Users can block each other to prevent spimming, but with federation, if a malicious actor establishes a coordinated spim attack, it can be difficult to overcome unless you disable federation with the partner.
Viruses and worms
A virus is a unit of code whose purpose is to reproduce more, similar code units. To work, a virus needs a host, such as a file, email, or program. Like a virus, a worm is a unit of code that reproduces more, similar code units, but unlike a virus it does not need a host. Viruses and worms primarily show up during file transfers between clients or when URLs are sent by other users. For example, if a virus is on your computer, it can use your identity and send instant messages on your behalf. Standard client security best practices, such as periodic virus scanning, can mitigate this issue.
Teams security framework
Teams endorses security ideas like zero trust and the principle of least-privilege access. This section gives an overview of the fundamental elements that form a security framework for Microsoft Teams.
The central elements are:
- Azure Active Directory (Azure AD), which provides a single trusted back-end repository for user accounts. User profile information is stored in Azure AD through the actions of Microsoft Graph.
- Multiple tokens may be issued, which you can see if you trace your network traffic. These include Skype tokens, which you can see in traces while looking at chat and audio traffic.
- Transport Layer Security (TLS) encrypts the channel in transit. Authentication takes place using either mutual TLS (MTLS), based on certificates, or service-to-service authentication based on Azure AD.
- Peer-to-peer audio, video, and application sharing streams are encrypted and verified for integrity using Secure Real-Time Transport Protocol (SRTP).
- You'll see OAuth traffic in your trace, particularly around token exchange and negotiating permissions when switching between tabs in Teams, for example to move from Posts to Files. For an example of the OAuth flow for tabs, see this document.
- Teams uses industry-standard user authentication protocols whenever possible.
The next few sections discuss some of these core technologies.
Azure Active Directory
Azure Active Directory acts as a directory service for Microsoft 365 and Office 365. It stores all application and user directory information and policy assignments.
Teams traffic encryption
This table shows the main types of traffic and the protocol that encrypts each of them.

| Traffic type | Encrypted by |
|---|---|
| Server-to-server | TLS (with MTLS or service-to-service OAuth) |
| Client-to-server, such as instant messaging and presence | TLS |
| Media flows, such as audio and video media sharing | TLS |
| Audio and video media sharing | SRTP/TLS |
| Advanced client-to-client encryption (for example, end-to-end encrypted calls) | SRTP/DTLS |
Certificate revocation list (CRL) distribution points
Microsoft 365 and Office 365 traffic travels over TLS/HTTPS-encrypted channels, which means that certificates are used to encrypt all traffic. Teams requires all server certificates to contain one or more CRL distribution points. CRL distribution points (CDPs) are locations from which CRLs can be downloaded to verify that the certificate has not been revoked since it was issued and that it is still within its validity period. A CRL distribution point is specified as a URL in the certificate properties and is accessible over HTTP. The Teams service checks the CRL on every certificate authentication.
Enhanced key usage
All components of the Teams service require that all server certificates support Enhanced Key Usage (EKU) for server authentication. Setting the EKU field to server authentication means that the certificate is valid for authenticating servers. This EKU is essential for MTLS.
TLS for Teams
Teams data is encrypted in transit and at rest in Microsoft services, between services, and between clients and services. Microsoft uses industry-standard technologies such as TLS and SRTP to encrypt all data in transit. Data in transit includes messages, files, meetings, and other content. Enterprise data is also encrypted at rest in Microsoft services so that organizations can decrypt content when needed to meet security and compliance obligations, for example through eDiscovery. For more information about encryption in Microsoft 365, see Encryption in Microsoft 365.
TCP data streams are encrypted with TLS, and MTLS and service-to-service OAuth protocols enable endpoint-authenticated communication between services, systems, and clients. Teams uses these protocols to create a network of trusted systems and to ensure that all communication over that network is encrypted.
With a TLS connection, the client requests a valid certificate from the server. To be valid, the certificate must be issued by a certificate authority (CA) that is also trusted by the client, and the DNS name of the server must match the DNS name in the certificate. If the certificate is valid, the client uses the certificate's public key to encrypt the symmetric encryption keys to be used in the communication, so that only the original owner of the certificate can use its private key to decrypt the content of the communication. The resulting connection is trusted and will not be challenged by other trusted servers or clients from then on.
Using TLS helps prevent both eavesdropping and man-in-the-middle attacks. In a man-in-the-middle attack, the attacker reroutes communications between two network entities through the attacker's computer without the knowledge of either party. The Teams specification of TLS and trusted servers partially mitigates the risk of a man-in-the-middle attack on the application layer by using encryption coordinated between the two endpoints with public-key cryptography. To decrypt the communication, an attacker would need to hold a valid and trusted certificate, with the corresponding private key, issued in the name of the service with which the client is communicating.
Encryption in Teams and Microsoft 365
There are multiple layers of encryption at work within Microsoft 365. Encryption in Teams works with the rest of Microsoft 365 encryption to protect your organization's content. This article describes the encryption technologies that are specific to Teams. For an overview of encryption in Microsoft 365, see Encryption in Microsoft 365.
Call flows in Teams are based on the Session Description Protocol (SDP) RFC 8866 offer and answer model over HTTPS. Once the callee accepts an incoming call, the caller and callee agree on the session parameters.
Media traffic is encrypted by the caller and callee and flows between them using Secure RTP (SRTP), a profile of the Real-Time Transport Protocol (RTP) that provides confidentiality, authentication, and replay-attack protection for RTP traffic. SRTP uses a session key generated by a secure random number generator and exchanged over the TLS-protected signaling channel. In most cases, client-to-client media traffic is negotiated through client-to-server connection signaling and encrypted in direct client-to-client transport using SRTP.
In normal call flows, the negotiation of the encryption key occurs over the call signaling channel. In an end-to-end encrypted call, the signaling flow is the same as in a regular one-to-one Teams call. However, Teams uses DTLS to derive an encryption key based on per-call certificates generated on both client endpoints. Because DTLS derives the key from the client certificates, the key is opaque to Microsoft. Once both clients agree on the key, media begins to flow using this DTLS-negotiated encryption key over SRTP.
To protect against a man-in-the-middle attack between the caller and callee, Teams derives a 20-digit security code from the SHA-256 fingerprints of the caller's and callee's call certificates. The caller and callee can validate the 20-digit security codes by reading them to each other to see if they match. If the codes do not match, the connection between the caller and callee has been intercepted by a man-in-the-middle attack. If the call has been compromised, users can end the call manually.
Teams uses a credential-based token for secure access to media relays over TURN. Media relays exchange the token over a TLS-secured channel.
Federal Information Processing Standard (FIPS)
Teams uses FIPS-compliant algorithms for encryption key exchanges. For more information on the implementation of FIPS, see Federal Information Processing Standard (FIPS) Publication 140-2.
User and client authentication
A trusted user is one whose credentials have been authenticated by Azure AD in Microsoft 365 or Office 365.
Authentication is the provision of user credentials to a trusted server or service. Teams uses the following authentication protocols based on the user's status and location.
- Modern Authentication (MA) is Microsoft's implementation of OAuth 2.0 for client-to-server communication. It enables security features such as multi-factor authentication and conditional access. To use MA, both the online tenant and the clients must be enabled for MA. The Teams clients for PC and mobile devices, as well as the web client, all support MA.
For more information about Azure AD authentication and authorization methods, see the Introduction and Azure AD authentication basics sections of this article.
Teams authentication is done through Azure AD and OAuth. The authentication process can be simplified as follows:
- User Login > Token Issuance > Next Request: Use the issued token.
Azure AD authenticates and authorizes client requests to the server using OAuth. Users with valid credentials issued by a federated partner are trusted and go through the same process as native users. However, administrators can set more restrictions.
For media authentication, the ICE and TURN protocols also use the digest challenge as described in the IETF TURN RFC.
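The digest challenge that TURN uses for media authentication, and the "key derived from ... a TURN password that is never sent unencrypted" described earlier under eavesdropping, as an added illustration of the standard long-term credential mechanism from the IETF STUN/TURN RFCs (RFC 5389 section 15.4 / RFC 5766): the key is MD5(username:realm:password), and MESSAGE-INTEGRITY is an HMAC-SHA1 over the message, so the password itself never appears on the wire. This is not Teams' own code; usernames, realm, nonce, and password are constructed sample values.

```python
"""STUN/TURN long-term credential MESSAGE-INTEGRITY: client build and server verify.
Added example; not Teams' or any real TURN server's code."""
import hashlib
import hmac
import struct

MAGIC_COOKIE = 0x2112A442
ALLOCATE_REQUEST = 0x0003
ATTR_USERNAME, ATTR_MESSAGE_INTEGRITY, ATTR_REALM, ATTR_NONCE = 0x0006, 0x0008, 0x0014, 0x0015


def long_term_key(username: str, realm: str, password: str) -> bytes:
    """16-byte HMAC key of the long-term credential; the password is never placed in a message."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()


def _attr(atype: int, value: bytes) -> bytes:
    pad = (4 - len(value) % 4) % 4  # attribute values are padded to a 32-bit boundary
    return struct.pack("!HH", atype, len(value)) + value + b"\x00" * pad


def build_allocate(username: str, realm: str, nonce: bytes, key: bytes, txid: bytes) -> bytes:
    """Client side: an Allocate request with USERNAME, REALM, NONCE and MESSAGE-INTEGRITY."""
    body = _attr(ATTR_USERNAME, username.encode()) + _attr(ATTR_REALM, realm.encode()) + _attr(ATTR_NONCE, nonce)
    # The length field must already count the 24-byte MESSAGE-INTEGRITY attribute when the HMAC is computed.
    header = struct.pack("!HHI", ALLOCATE_REQUEST, len(body) + 24, MAGIC_COOKIE) + txid
    mac = hmac.new(key, header + body, hashlib.sha1).digest()
    return header + body + _attr(ATTR_MESSAGE_INTEGRITY, mac)


def parse_attributes(msg: bytes) -> list[tuple[int, int, bytes]]:
    """Return [(type, offset of the attribute, value), ...] for a STUN message."""
    out, off = [], 20
    while off + 4 <= len(msg):
        atype, alen = struct.unpack("!HH", msg[off:off + 4])
        out.append((atype, off, msg[off + 4:off + 4 + alen]))
        off += 4 + alen + (4 - alen % 4) % 4
    return out


def verify_allocate(msg: bytes, lookup_password) -> bool:
    """Server side: recompute the HMAC from the stored credential and compare in constant time."""
    attrs = {t: (o, v) for t, o, v in parse_attributes(msg)}
    if not {ATTR_USERNAME, ATTR_REALM, ATTR_MESSAGE_INTEGRITY} <= set(attrs):
        return False
    username, realm = attrs[ATTR_USERNAME][1].decode(), attrs[ATTR_REALM][1].decode()
    password = lookup_password(username)
    if password is None:
        return False
    mi_off, received = attrs[ATTR_MESSAGE_INTEGRITY]
    # Rebuild the header as the sender saw it: length covers everything up to and including MI.
    msg_type = struct.unpack("!H", msg[:2])[0]
    header = struct.pack("!HH", msg_type, mi_off + 4) + msg[4:20]
    expected = hmac.new(long_term_key(username, realm, password), header + msg[20:mi_off], hashlib.sha1).digest()
    return hmac.compare_digest(expected, received)
```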
Windows PowerShell and Teams management tools
In Teams, IT admins can manage their service through the Microsoft 365 admin center or through Tenant Remote PowerShell (TRPS). Tenant admins use modern authentication to authenticate with TRPS.
Set up access to Teams at your Internet border
For Teams to function properly, for example so that users can join meetings, customers must configure their internet access to allow outbound UDP and TCP traffic to the Teams cloud services. For more information, see Office 365 URLs and IP address ranges.
UDP 3478-3481 and TCP 443
UDP ports 3478-3481 and TCP 443 are used by clients to request audiovisual content services. A client uses these two ports to assign UDP and TCP ports, respectively, to enable these media streams. Media flows on these ports are protected by a key exchanged over a TLS-protected signaling channel.
Federation safeguards for Teams
Federation provides your organization with the ability to communicate with other organizations to share IM and presence. In Teams, federation is enabled by default. However, tenant administrators have the ability to control federation through the Microsoft 365 admin center.
Addressing threats to Teams meetings
There are two options for controlling who joins Teams meetings and who has access to the information they present.
You can control who joins your meetings through lobby settings.

| Lobby option (Who can bypass the lobby, on the Meeting options page) | User types that join the meeting directly | User types that go to the lobby |
|---|---|---|
| People in my organization | In tenant, Guest of tenant | Federated, Anonymous, PSTN dial-in |
| People in my organization and trusted organizations | In tenant, Guest of tenant, Federated | Anonymous, PSTN dial-in |
| Everyone | In tenant, Guest of tenant, Federated, Anonymous, PSTN dial-in | (none) |

The second way is through structured meetings (where presenters can do just about anything that needs doing and attendees have a controlled experience). After joining a structured meeting, presenters control what meeting attendees can do.

| Capability | Presenters | Attendees |
|---|---|---|
| Speak and share video | Y | Y |
| Participate in meeting chat | Y | Y |
| Change settings in meeting options | Y | N |
| Mute other participants | Y | N |
| Remove other participants | Y | N |
| Share content | Y | N |
| Admit other participants from the lobby | Y | N |
| Make other participants presenters or attendees | Y | N |
| Start or stop recording | Y | N |
| Take control when another participant shares a PowerPoint presentation | Y | N |
Teams gives business users the ability to create and join meetings in real time. Business users can also invite external users who don't have an Azure AD, Microsoft 365, or Office 365 account to join these meetings. Users who are employees of external partners with a secure and authenticated identity can also attend meetings and act as moderators with appropriate promotion. Anonymous users cannot create or join a meeting as a presenter, but they can be promoted to a presenter after joining.
For anonymous users to join Teams meetings, the Participants meeting setting must be enabled in the Teams admin center.
The term anonymous users means users who are not authenticated in the organization's tenant. In this context, all external users are considered anonymous. Authenticated users include tenant users and guest users of the tenant.
Allowing external users to join Teams meetings can be useful, but it comes with some security risks. To counter these risks, Teams uses the following security measures:
- Participant roles determine meeting control permissions.
- Participant types allow you to restrict access to specific meetings.
- Scheduling meetings is limited to users who have an AAD account and a Teams license.
Anonymous users, that is, unauthenticated users who want to join a dial-in conference, dial one of the conference access numbers. When the "Always allow callers to bypass the lobby" setting is enabled, they must also wait until a presenter or authenticated user joins the meeting.
If you do not want anonymous users (users you do not specifically invite) to join a meeting, make sure that Anonymous users can join a meeting is set to Off in the Participants section of the meeting settings.
It is also possible for a host to configure settings to allow callers to be the first in a meeting. This option is configured in the audio conference settings for users and applies to all meetings scheduled by the user.
Learn more about guest and external access in Teams in this article. It covers the features that guest or external users can expect when they sign in to Teams.
If you want to record meetings and see a matrix of the permissions to access the content, see this article and its matrix.
Participant roles
Meeting participants fall into three groups, each with its own privileges and restrictions:
- Organizer: The user who creates a meeting, whether impromptu or scheduled. An organizer must be an authenticated in-tenant user and has control over all end-user aspects of a meeting.
- Presenter: A user who is authorized to present information at a meeting, using whatever media is supported. A meeting organizer is by definition also a presenter and determines who else can be a presenter. An organizer can make this determination when a meeting is scheduled or while the meeting is under way.
- Attendee: A user who has been invited to attend a meeting but who is not authorized to act as a presenter.
A presenter can also promote an attendee to the presenter role during the meeting.
Participant types
Meeting attendees are also categorized by location and credentials. These two features help you decide which users have access to specific meetings. Users can be roughly divided into the following categories:
Users that belong to the tenant. These users have credentials in Azure Active Directory for the tenant.
- People in my organization: These users have credentials in Azure Active Directory for the tenant. People in my organization includes invited guest accounts.
- Remote users: These users join from outside the corporate network. They can include employees who are working at home or on the road, and others, such as employees of trusted vendors, who have been granted enterprise credentials for their terms of service. Remote users can create and join meetings and act as presenters.
Users that do not belong to the tenant. These users do not have credentials in Azure AD for the tenant.
- Federated users: Federated users have valid credentials with federated partners and are therefore treated as authenticated by Teams, but they are still external to the meeting organizer's tenant. Federated users can join meetings and be promoted to presenters after they have joined the meeting, but they cannot create meetings in the enterprises with which they are federated.
- Anonymous users: Anonymous users do not have an Active Directory identity and are not federated with the tenant.
Many meetings involve external users. Those same customers also want reassurance regarding the identity of external users before allowing them to join a meeting. The next section describes how Teams limits meeting access to those user types that have been explicitly allowed, and requires all user types to present appropriate credentials when entering a meeting.
Attendee admittance
If you do not want anonymous users (users you do not specifically invite) to join a meeting, make sure that Anonymous users can join a meeting is set to Off in the Participants section of the meeting settings.
In Teams, anonymous users can be transferred to a waiting area called the lobby. Presenters can then either admit these users into the meeting or reject them. When these users are transferred to the lobby, the presenter and attendees are notified, and the anonymous users must then wait until they are either accepted, rejected, or their connection times out.
By default, attendees dialing in via PSTN go directly to the meeting once an authenticated user joins the meeting. However, this option can be changed to force dial-in participants to go to the waiting room.
Meeting hosts control whether attendees can join a meeting without having to wait in the lobby. Each meeting can be configured to allow access using one of the following methods:
The default settings are:
- People in my organization: Everyone external to the organization waits in the lobby until admitted.
- People in my organization, trusted organizations, and guests: Authenticated users within the organization, including guest users and users from trusted organizations, join the meeting directly without waiting in the lobby. Anonymous users wait in the lobby.
- Everyone: All meeting participants bypass the lobby once an authenticated user has joined the meeting.
Meeting hosts control whether attendees can present during a meeting. Each meeting can be configured to limit presenters to one of the following options:
- People in my organization: All tenant users, including guests, can present.
- People in my organization and trusted organizations: All users in the tenant, including guests, can present, and external users from Teams and Skype for Business domains on the external access allow list can present.
- Everyone: All meeting participants are presenters.
Changes while the meeting is in progress
You can change meeting options while a meeting is in progress. Once saved, the change is visible in the running meeting within seconds. It also affects all future occurrences of the meeting.
Top 12 tasks for security teams to support working from home
Microsoft Trust Center
Manage meeting settings in Microsoft Teams
Optimize Microsoft 365 or Office 365 connectivity for remote users using VPN split tunnels
- VPN Split Tunneling Deployment
Meeting recordings in Teams, where the recordings are stored and who can access them