
Review and test new Teams setting: control of tenant users joining externally hosted Teams meetings #1320

Closed
1 task
rmoffitt-m opened this issue Sep 19, 2024 · 2 comments
Labels
baseline-document Issues relating to the text in the baseline documents themselves hands-on-prototyping Reviewing an M365 feature by performing hands-on prototyping microsoft roadmap Issues relating to Microsoft's roadmap.

Comments

@rmoffitt-m
Collaborator

💡 Summary

Microsoft added a feature in May of 2024 to allow tenant administrators to control whether some users can join externally hosted Teams meetings. Consider adding a policy to check these settings.

The Microsoft roadmap feature related to this issue has ID 187230.

Motivation and context

As per Microsoft, "This capability can be used by the tenant admins to protect potential data exfiltration from specific user groups within their organization."

Implementation notes

Acceptance criteria

How do we know when this work is done?

  • Determine an update to Teams baseline to include the new setting
@rmoffitt-m rmoffitt-m added baseline-document Issues relating to the text in the baseline documents themselves microsoft roadmap Issues relating to Microsoft's roadmap. labels Sep 19, 2024
@adhilto
Collaborator

adhilto commented Sep 23, 2024

See https://github.com/cisagov/ScubaGoggles/blob/main/baselines/meet.md#gwsmeet21v03 for the equivalent GWS baseline policy.

@schrolla schrolla added this to the Kraken milestone Sep 23, 2024
@schrolla schrolla changed the title Update baseline to include control of tenant users joining externally hosted Teams meetings Review and test new Teams setting: control of tenant users joining externally hosted Teams meetings Nov 6, 2024
@schrolla schrolla added the hands-on-prototyping Reviewing an M365 feature by performing hands-on prototyping label Nov 6, 2024
@schrolla schrolla modified the milestones: Kraken, Lionfish Nov 6, 2024
@nanda-katikaneni nanda-katikaneni self-assigned this Jan 2, 2025
@nanda-katikaneni
Collaborator

nanda-katikaneni commented Jan 27, 2025

Reviewed and tested the new Teams config options to restrict tenant users joining externally hosted Teams meetings: this requires adding additional Meeting Policy guidance to the Teams SCBs. The details of the proposed new policy are below:

MS.TEAMS.1.8v1: Tenant users SHOULD be restricted in joining externally organized Teams meetings - they SHOULD be allowed to join only meetings organized by 'People in Trusted Organizations'.

Rationale:
Allowing M365 tenant users to join externally organized meetings presents security concerns primarily because it exposes agencies/organizations to potential data leaks and malware risks from untrusted external domains. Tenant users joining meetings organized by unmanaged users can pose the risk of data leakage and other security threats. This policy provides protection by disabling internal users from joining meetings from unmanaged/unknown users.

Implementation steps:

  1. In the Teams Meeting Policies, update the Global Policy with the following change:
  2. For "People can join external meetings hosted by", change the option from the default "Anyone" to "Only people in trusted organizations".
  3. Under Users, select "Trusted domain config" and ensure that trusted domains are configured (similar to MS.TEAMS.2.3v1).

ScubaGear impact:
The proposed new policy will require two config checks; ScubaGear needs to be enhanced with these two checks.

Course of action:
A new issue will be added to track both baseline document changes and ScubaGear code updates. The new issue will be targeted to the Marlin release (#1540).
