Public M365 Group

MEDIUM
Note: This indicator is in Early Access.

Description

Microsoft 365 Groups underpin various Office 365 applications, particularly Microsoft Teams, where each Team corresponds to an associated M365 Group. You can create these groups and later configure them with either private or public privacy settings, which works as follows:

When creating a group you'll need to decide if you want it to be a private group or a public group. Content in a public group can be seen by anybody in your organization, and anybody in your organization can join the group. Content in a private group can only be seen by the members of the group, and people who want to join a private group have to be approved by a group owner.

Public groups offer convenience but also pose risks, as any user within the organization's tenant, including guest users, can freely join these groups and gain access to the data they contain. For example:

Malicious or curious users can easily discover public groups without requiring any hacking tools: they can find them via the "Create and join teams and channels" feature in Teams, in Outlook, or through the "My Apps Groups Access Panel", among other places.

In Microsoft 365, end-users themselves create groups and choose whether they are public or private, typically from applications like Teams (most common), Outlook, or SharePoint, rather than relying on an IT administrator to create them, as is the case for security groups. As a result, end-users often select the public privacy option without fully comprehending that this allows anyone within the organization's Entra tenant to join the group without requiring approval from a group owner, thereby granting them access to all the group's content.

Microsoft 365 Groups, also known as "unified groups" and formerly referred to as "Office 365 groups", are one of the types of groups stored in Entra ID. This Indicator of Exposure focuses specifically on these Microsoft 365 Groups, rather than the more commonly known Microsoft Entra Security Groups, which do not have the same public/private privacy options.

Limitation: This Indicator of Exposure (IoE) cannot automatically determine whether a Public M365 Group is legitimate.

Note: Private groups can also inadvertently expose sensitive information, as by default, their name, description, and member list are visible to anyone within the organization's tenant. This metadata alone may be enough to infer confidential details, such as the target of a potential acquisition if it's included in the group name. To mitigate this risk, Microsoft provided options to hide private groups from directory listings and conceal their member lists. However, these settings are disabled by default, meaning organizations must proactively enable them to ensure that private group metadata remains confidential.

Solution

This IoE reports on all Microsoft 365 groups configured with the public setting. As the IoE cannot automatically determine the legitimacy of a group's public status, you must review each finding and take one of the following actions:

  • If the group contains private information, change its privacy setting to private and ensure that it only includes authorized users as group members. With this configuration, group owners will receive access requests whenever someone asks to join the group.
  • If the group is intentionally set to public, for example, because it contains only public information, add it to the IoE's exclusion option to acknowledge that the public setting is appropriate.

Microsoft 365 groups have designated owners who are responsible for managing the group's settings and membership. If you need to confirm the appropriate privacy setting for a group, you can contact the group owners via email or Teams chat.

You can change the privacy setting of Microsoft 365 groups to public or private using various methods.

By default, M365 Groups created in Outlook and the Azure portal have the private setting, which you can change.

To prevent the creation of new public groups that may not adhere to your organization's security and privacy policies, you have several options:

  • Use sensitivity labels (subject to licensing requirements). Tie sensitivity labels to allowed or disallowed privacy settings. For example, restrict a Teams team marked with a "Confidential" sensitivity label to the private privacy setting only.
  • Manage who can create Microsoft 365 Groups (subject to licensing requirements). Limit group creation to knowledgeable admins who can select the appropriate privacy level. Implement a custom form for group creation to ensure proper privacy settings. Caution: This approach may reduce end-user autonomy, as users generally want the ability to create Teams themselves.
  • Educate end-users about their responsibilities and the impact of each privacy option. Refer to Microsoft's documentation on explaining Microsoft 365 Groups to your users. Make end-users aware of their responsibilities and empower them to make informed decisions about group privacy settings.
  • Use a script or this IoE to regularly enumerate public Microsoft 365 groups. Send emails or Teams messages to group owners to remind them of the risks associated with public groups. Allow owners to confirm their intention or change the group's privacy setting.
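The following script is an added example of the two how-tos above (changing a group's privacy setting, and regularly enumerating public groups to remind their owners); it is neither Tenable's IoE code nor a Microsoft sample. It works on the JSON shape Microsoft Graph returns for `GET /groups`, so it runs offline on the constructed sample embedded in it; the group ids, names and the `contoso.example` domain are made up, and the acknowledgement URL in the reminder is a placeholder. Only `fetch_all()` talks to Graph and needs a bearer token (Group.Read.All to list groups, Group.ReadWrite.All to send the `PATCH` that `make_private_patch()` prepares). The acknowledgement set plays the role of the IoE's exclusion option, and the extra `private_visible_metadata` bucket covers the note above about private groups whose name and member list are still visible tenant-wide.

```python
"""Triage Microsoft 365 (unified) groups by privacy setting, as this IoE does.

Added example for this page; it is neither Tenable's IoE code nor a Microsoft
sample. The classification works on the JSON shape Microsoft Graph returns for
GET /groups, so it runs offline on the constructed sample below; only
fetch_all() talks to Graph and needs a bearer token.
"""
from __future__ import annotations

import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# Only M365 ("Unified") groups have a public/private setting, so the filter
# drops security groups; visibility is Public, Private or HiddenMembership.
LIST_URL = f"{GRAPH}/groups?" + urllib.parse.urlencode({
    "$filter": "groupTypes/any(c:c eq 'Unified')",
    "$select": "id,displayName,mail,visibility,hideFromAddressLists",
}, quote_via=urllib.parse.quote)

# Constructed sample (made-up ids, names and domain) in the shape Graph returns.
SAMPLE_GROUPS = [
    {"id": "00000000-0000-4000-8000-000000000001", "displayName": "Project Orion Acquisition",
     "mail": "orion@contoso.example", "visibility": "Public", "hideFromAddressLists": False},
    {"id": "00000000-0000-4000-8000-000000000002", "displayName": "Company Social Club",
     "mail": "social@contoso.example", "visibility": "Public", "hideFromAddressLists": False},
    {"id": "00000000-0000-4000-8000-000000000003", "displayName": "Finance Month-End Close",
     "mail": "finclose@contoso.example", "visibility": "Private", "hideFromAddressLists": False},
    {"id": "00000000-0000-4000-8000-000000000004", "displayName": "Board Papers",
     "mail": "board@contoso.example", "visibility": "HiddenMembership", "hideFromAddressLists": True},
    {"id": "00000000-0000-4000-8000-000000000005", "displayName": "Legacy Team",
     "mail": "legacy@contoso.example", "visibility": None, "hideFromAddressLists": False},
]

# Public groups already reviewed and accepted, like the IoE's exclusion option.
ACKNOWLEDGED_PUBLIC = frozenset({"00000000-0000-4000-8000-000000000002"})


def fetch_all(url: str, token: str) -> list[dict]:
    """Follow @odata.nextLink paging; Graph returns groups a page at a time."""
    items: list[dict] = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items


def triage(groups: list[dict], acknowledged: frozenset[str] = frozenset()) -> dict[str, list[str]]:
    """Sort group ids into: public (the IoE finding), private_visible_metadata
    (name or member list of a private group still visible tenant-wide), or ok."""
    result: dict[str, list[str]] = {"public": [], "private_visible_metadata": [], "ok": []}
    for g in groups:
        # Graph documents an unspecified visibility as Public for M365 groups.
        visibility = g.get("visibility") or "Public"
        if visibility == "Public":
            bucket = "ok" if g["id"] in acknowledged else "public"
        elif visibility == "Private" or not g.get("hideFromAddressLists"):
            # Member list (Private) or directory listing is still visible to everyone.
            bucket = "private_visible_metadata"
        else:
            bucket = "ok"
        result[bucket].append(g["id"])
    return result


def make_private_patch(group_id: str) -> tuple[str, str, dict]:
    """Request that switches a group to Private (owners then approve join requests)."""
    return "PATCH", f"{GRAPH}/groups/{group_id}", {"visibility": "Private"}


def owners_url(group_id: str) -> str:
    """Where to read the owners to notify; they are the ones who can confirm intent."""
    return f"{GRAPH}/groups/{group_id}/owners?" + urllib.parse.urlencode(
        {"$select": "displayName,mail"}, quote_via=urllib.parse.quote)


def owner_reminder(group: dict, acknowledge_url: str) -> str:
    """Text of the periodic reminder sent to the owners of a public group."""
    return (
        f"You own the Microsoft 365 group '{group['displayName']}' ({group['mail']}), "
        "which is set to Public: anyone in the organization's tenant can join it and read "
        "its content without your approval. If that is intended, acknowledge it at "
        f"{acknowledge_url}; otherwise change the group's privacy setting to Private."
    )


if __name__ == "__main__":
    # Offline run on the constructed sample; against a real tenant use
    # triage(fetch_all(LIST_URL, token), ACKNOWLEDGED_PUBLIC) instead.
    report = triage(SAMPLE_GROUPS, ACKNOWLEDGED_PUBLIC)
    by_id = {g["id"]: g for g in SAMPLE_GROUPS}
    for gid in report["public"]:
        method, url, body = make_private_patch(gid)
        print(f"FINDING public group {by_id[gid]['displayName']!r}")
        print(f"  owners: GET {owners_url(gid)}")
        print(f"  reminder: {owner_reminder(by_id[gid], 'https://ack.placeholder.invalid/' + gid)}")
        print(f"  to fix: {method} {url} {json.dumps(body)}")
    for gid in report["private_visible_metadata"]:
        print(f"NOTE private group {by_id[gid]['displayName']!r} still exposes its name or members")
```

Run as-is it only prints the triage of the sample plus the Graph requests it would send; nothing is changed in a tenant until you actually issue the `PATCH`. The reminder is deliberately a separate function so the same text can go out by email or Teams message on whatever schedule you choose, and a group stays in the `public` bucket until its owner either acknowledges it or switches it to Private.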

Indicator Details

Name: Public M365 Group

Codename: PUBLIC-M365-GROUP

Severity: Medium

MITRE ATT&CK Information: