Microsoft Teams
This section describes the configuration of Microsoft Teams associated with systems built according to guidance in ASD's Blueprint for Secure Cloud.
Instruction
The pages below outline the as-built configuration for ASD’s Blueprint for Secure Cloud (the Blueprint) for the Microsoft Teams admin portal at the following URL:
https://admin.teams.microsoft.com/
The settings described on these pages provide a baseline implementation for a system configured using the Blueprint. Any implementation implied by these pages should not be considered as prescriptive as to how an organisation must scope, build, document, or assess a system.
Implementation of the guidance provided by the Blueprint will differ depending on an organisation’s operating context and organisational culture. Organisations should implement the Blueprint in alignment with their existing change management, business processes and frameworks.
settings in a Microsoft 365 tenancy exactly as outlined in the Configuration pages of the Blueprint. Organisations should ensure they customise configuration of their Microsoft 365 tenancies in accordance with their own design decisions and requirements, deviating from the Blueprint (including automated configuration files) where appropriate.
Placeholders such as <ORGANISATION.GOV.AU>, <BLUEPRINT.GOV.AU> and <TENANT-NAME> should be replaced with the relevant details as required.
Teams new admin experience
Microsoft has introduced a number of changes to the Teams admin centre to unify settings and policies. The new admin experience will soon become the default for all organisations, and the configuration guidance provided here aligns with this updated model.
Further information about the changes can be found here.
Automated Configuration Deployment and Assessment
Overview
Some of the Teams configurations can be automatically deployed using Microsoft 365 Desired State Configuration (DSC).
Some of the Teams configurations cannot be assessed using a DSC blueprint. Please refer to those configuration pages to conduct a manual assessment.
Configuration | Blueprint automation provided |
---|---|
Teams & Channels | |
- Teams | Yes (DSC) [1] |
- Teams update management | Yes (DSC) |
- Migrating to Teams | Yes (DSC) |
External collaboration | |
- Guest access | Yes (DSC) |
- B2B member access | No |
Apps | Yes (DSC) |
Meetings & Events | |
- Audio conferencing | Yes (DSC) |
- Meetings | Yes (DSC) [2] |
- Themes & customization | No |
- Live events | Yes (DSC) |
- Events | Yes (DSC) [3] |
Messaging | Yes (DSC) |
Voice | |
- Calling | Yes (DSC) |
- Call park | Yes (DSC) |
- Caller ID | No |
- Mobility | Yes (DSC) |
- Voicemail | Yes (DSC) |
- Voice applications | No |
Emergency | Yes (DSC) |
Enhanced encryption | Yes (DSC) |
Users | Yes (DSC) |
Teams apps | No |
1: The Notifications and feeds, Tagging, Email integration, Search by name, Safety and communication and Shared channels configurations must be set manually.
2: The Include attendees in the report, Real-time-text (RTT), Allow streaming media input and Anonymous users can interact with apps in meetings configurations must be set manually.
3: The Recording & transcription configurations must be set manually.
Desired State Configuration
Before using the below DSC file, please refer to the setup and automated deployment pages for instructions.
Do not proceed with the automated deployment instructions until you’ve familiarised yourself with the additional configuration required below.
Desired State Configuration file
Download the Teams DSC file and rename the linked .txt file to .ps1.
Configuration data file
Download the configuration data file and rename the linked .txt file to .psd1.
Non-global policy settings
Teams includes a number of pre-configured default policies to help simplify onboarding by providing baseline settings for common scenarios. These policies are typically found in the custom policies sections of the Teams admin centre.
The DSC file includes settings for managing global policies but does not modify the pre-configured or custom policies.
Warning
Any existing settings in a tenancy that match the name or UID of any settings in the DSC will be overwritten.
Service principal permissions
For organisations importing the DSC as per the instructions on the automated deployment page, the following permissions will need to be added to the M365DSC app:
"TeamsAppPermissionPolicy", "TeamsAudioConferencingPolicy", "TeamsCallHoldPolicy", "TeamsCallingPolicy", "TeamsChannelsPolicy", "TeamsClientConfiguration", "TeamsComplianceRecordingPolicy", "TeamsDialInConferencingTenantSettings", "TeamsEventsPolicy", "TeamsFederationConfiguration", "TeamsFeedbackPolicy", "TeamsGroupPolicyAssignment", "TeamsGuestCallingConfiguration", "TeamsGuestMeetingConfiguration", "TeamsGuestMessagingConfiguration", "TeamsMeetingBroadcastConfiguration", "TeamsMeetingBroadcastPolicy", "TeamsMeetingConfiguration", "TeamsMeetingPolicy", "TeamsMessagingPolicy", "TeamsOrgWideAppSettings", "TeamsPstnUsage", "TeamsShiftsPolicy", "TeamsTemplatesPolicy", "TeamsTenantDialPlan", "TeamsTenantNetworkRegion", "TeamsTenantNetworkSite", "TeamsTranslationRule", "TeamsUpdateManagementPolicy", "TeamsUpgradeConfiguration"
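A pre-flight check for the permission list above, as an added example that is not part of the Blueprint or Microsoft365DSC: it extracts the Teams resource types declared in a DSC file and compares them with the names granted to the M365DSC app, so a resource without a grant, or a grant that no resource uses, is visible before deployment. It assumes the quoted names above are the resource type names used in the DSC file; the function names and the sample DSC text are constructed for illustration.

```powershell
# Resource names copied from the "Service principal permissions" list on this page.
$GrantedResources = @(
    'TeamsAppPermissionPolicy', 'TeamsAudioConferencingPolicy', 'TeamsCallHoldPolicy',
    'TeamsCallingPolicy', 'TeamsChannelsPolicy', 'TeamsClientConfiguration',
    'TeamsComplianceRecordingPolicy', 'TeamsDialInConferencingTenantSettings',
    'TeamsEventsPolicy', 'TeamsFederationConfiguration', 'TeamsFeedbackPolicy',
    'TeamsGroupPolicyAssignment', 'TeamsGuestCallingConfiguration',
    'TeamsGuestMeetingConfiguration', 'TeamsGuestMessagingConfiguration',
    'TeamsMeetingBroadcastConfiguration', 'TeamsMeetingBroadcastPolicy',
    'TeamsMeetingConfiguration', 'TeamsMeetingPolicy', 'TeamsMessagingPolicy',
    'TeamsOrgWideAppSettings', 'TeamsPstnUsage', 'TeamsShiftsPolicy',
    'TeamsTemplatesPolicy', 'TeamsTenantDialPlan', 'TeamsTenantNetworkRegion',
    'TeamsTenantNetworkSite', 'TeamsTranslationRule', 'TeamsUpdateManagementPolicy',
    'TeamsUpgradeConfiguration'
)
# Constructed excerpt standing in for the downloaded Teams DSC file (read only as text).
# For the real file use: Get-Content -Raw -Path <path to the renamed .ps1>
$SampleDsc = @'
Configuration TeamsSample {
    Node localhost {
        TeamsMeetingPolicy "TeamsMeetingPolicy-Global"
        { Identity = "Global" }
        TeamsVoiceRoute "TeamsVoiceRoute-Sample"
        { Identity = "Sample" }
    }
}
'@

function Get-DscTeamsResource {
    param([Parameter(Mandatory)][string]$DscText)
    # A resource block opens with: <ResourceType> "<instance label>" (properties use '=').
    $pattern = '(?m)^\s*(Teams\w+)\s+["'']([^"'']+)["'']'
    foreach ($m in [regex]::Matches($DscText, $pattern)) {
        [pscustomobject]@{ Resource = $m.Groups[1].Value; Instance = $m.Groups[2].Value }
    }
}

function Compare-DscPermissionCoverage {
    param([Parameter(Mandatory)][string]$DscText, [Parameter(Mandatory)][string[]]$Granted)
    $used = @(Get-DscTeamsResource -DscText $DscText | Select-Object -ExpandProperty Resource -Unique)
    [pscustomobject]@{
        MissingGrant = @($used | Where-Object { $_ -notin $Granted })   # declared, not granted
        UnusedGrant  = @($Granted | Where-Object { $_ -notin $used })   # granted, not declared
    }
}

Compare-DscPermissionCoverage -DscText $SampleDsc -Granted $GrantedResources | Format-List
```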
Additional configuration
The following instructions must be completed before step 6, Deploy the configuration, on the automated deployment page:
- Assign the Entra Teams Administrator role to the M365DSC service principal.
Settings & policies
This section describes the configuration of the settings and policies within Microsoft Teams associated with systems built according to guidance in ASD's Blueprint for Secure Cloud.
Users
This section describes the configuration of users within Microsoft Teams associated with systems built according to guidance in ASD's Blueprint for Secure Cloud.
Teams apps
This section describes the configuration of apps within Microsoft Teams associated with systems built according to guidance in ASD's Blueprint for Secure Cloud.