Information
Microsoft Teams enables collaboration via file sharing. This file sharing is conducted within Teams, using SharePoint Online, by default; however, third-party cloud services are allowed as well.
Rationale:
Ensuring that only authorized cloud storage providers are accessible from Teams will help to dissuade the use of non-approved storage providers.
Impact:
Impact associated with this change is highly dependent upon current practices in the tenant. If users do not use other storage providers, then minimal impact is likely. However, if users do regularly utilize providers outside of the tenant this will affect their ability to continue to do so.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
To Set external file sharing in Teams, use the Microsoft 365 Admin Center:
Under Admin Centers choose Teams.
Expand Org-wide settings select Teams settings.
Set each cloud storage service under Files to On if it is authorized.
** To verify external file sharing in Teams you may also utilize Powershell. Ensure that the Skype for business online, Windows Powershell module and Microsoft Teams module are both installed. **
Install the Powershell module for teams. Skype module will need downloaded from Microsoft.
Install-Module MicrosoftTeams
Import-Module SkypeOnlineConnector
Connect to your tenant as a Global Administrator, methods will differ based on whether 2FA is enabled. See the following article for more information - https://docs.microsoft.com/en-us/office365/enterprise/powershell/manage-skype-for-business-online-with-office-365-powershell
Run the following command to verify which cloud storage providers are enabled for Teams
Get-CsTeamsClientConfiguration | select allow*
Run the following Powershell command to disable external providers that are not authorized. (the example disables ShareFile, GoogleDrive, Box, and DropBox
Set-CsTeamsClientConfiguration -AllowGoogleDrive $false -AllowShareFile $false -AllowBox $false -AllowDropBox $false -AllowEgnyte $false
You may verify this worked by running the following Powershell command again.
Get-CsTeamsClientConfiguration | select allow*
Default Value:
On
Additional Information:
Skype Online Connector - https://www.microsoft.com/en-us/download/details.aspx?id=39366