Detections
Analytics

3.7 Ensure external file sharing in Teams is enabled for only approved cloud storage services

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Microsoft Teams enables collaboration via file sharing. This file sharing is conducted within Teams, using SharePoint Online, by default; however, third-party cloud services are allowed as well.

NOTE: Skype for business is deprecated as of July 31, 2021 although these settings may still be valid for a period of time. See the the link in the reference for more information.

Rationale:

Ensuring that only authorized cloud storage providers are accessible from Teams will help to dissuade the use of non-approved storage providers.

Impact:

Impact associated with this change is highly dependent upon current practices in the tenant. If users do not use other storage providers, then minimal impact is likely. However, if users do regularly utilize providers outside of the tenant this will affect their ability to continue to do so.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To Set external file sharing in Teams, use the Microsoft 365 Admin Center:

Under Admin Centers choose Teams.

Expand Teams select Teams settings.

Set each cloud storage service under Files to On if it is authorized.

** To verify external file sharing in Teams you may also utilize Powershell. Ensure that the Skype for business online, Windows Powershell module and Microsoft Teams module are both installed. **

Install the Powershell module for teams. Skype module will need downloaded from Microsoft.

Install-Module MicrosoftTeams
Import-Module SkypeOnlineConnector

Connect to your tenant as a Global Administrator, methods will differ based on whether 2FA is enabled. See the following article for more information - https://docs.microsoft.com/en-us/office365/enterprise/powershell/manage-skype-for-business-online-with-office-365-powershell

Run the following command to verify which cloud storage providers are enabled for Teams

Get-CsTeamsClientConfiguration | select allow*

Run the following Powershell command to disable external providers that are not authorized. (the example disables ShareFile, GoogleDrive, Box, and DropBox

Set-CsTeamsClientConfiguration -AllowGoogleDrive $false -AllowShareFile $false -AllowBox $false -AllowDropBox $false -AllowEgnyte $false

You may verify this worked by running the following Powershell command again.

Get-CsTeamsClientConfiguration | select allow*

Default Value:

On

See Also

https://workbench.cisecurity.org/files/3729

Item Details

References: CSCv7|14.7

Plugin: microsoft_azure

Control ID: 23e663673881ec62704e0a179d7799f5ad642aceb41d425469fc5592e53e208f