Teams clients
This section describes the design decisions associated with Teams clients according to guidance in ASD's Blueprint for Secure Cloud.
The Microsoft Teams client operates across multiple platforms and devices, necessitating distinct security and management approaches. Configuration spans both local client settings and integrations with Entra ID, Intune, Defender for Office 365, and Purview.
These approaches are shaped by the two primary contexts in which Teams clients are used:
User clients: This includes desktop clients (Windows, macOS, VDI), mobile clients (iOS, Android), and web clients. These are used by individual users signing in interactively. This context supports security controls such as Multi-Factor Authentication (MFA), as well as Intune compliance and data protection policies.
Device clients: This includes Microsoft Teams Rooms (MTRs) and panels, and Teams Phones. These are typically communal, appliance-like devices that sign in automatically using non-interactive resource accounts. As such, they do not support MFA. Instead, they rely on Intune device compliance policies and other foundational security measures to reduce the attack surface.
User client configuration
Teams client configurations are managed through a combination of Entra ID, Intune, and the Teams admin center. Together, these platforms control access, enforce compliance, and govern in-app functionality:
- Entra ID evaluates Conditional Access policies to enforce user authentication and session prerequisites.
- Intune secures endpoints by applying device compliance rules and application data protection policies.
- The Teams admin center manages in-app functionality through service-side, user-centric policies for meetings, messaging, and calling.
Design decisions
| Decision point | Design decision | Justification |
|---|---|---|
| Access control | Incorporate Teams in baseline Conditional Access policies for all M365 apps | Ensures a consistent authentication experience for users |
| Device security posture | Use Intune device compliance policies as a grant control in Conditional Access | Blocks access from unhealthy or non-compliant corporate devices |
| Unmanaged device data protection | Use Intune App Protection Policies as a grant control in Conditional Access for unmanaged devices | Protects corporate data on unmanaged devices without requiring full device enrolment |
| In-app functionality | Manage all user and feature settings in the Teams admin centre | Centralises feature management in the dedicated service admin portal |
User client deployment
User clients are managed differently depending on their platform. The Teams desktop client is typically deployed as part of the Microsoft 365 Apps for Enterprise suite but follows its own update lifecycle. Mobile clients are distributed via public app stores or managed through Intune.
Design decisions
| Decision point | Design decision | Justification |
|---|---|---|
| Desktop deployment method | Include the Teams client in the base Microsoft 365 Apps deployment | Simplifies the initial rollout and ensures all users receive Teams by default |
| Desktop client update mechanism | Use the Teams client’s native auto-update engine | Reduces administrative overhead and ensures the client remains current with security updates |
| Mobile client deployment | Use Intune to manage the deployment of Teams on corporate mobile devices | Ensures clients are properly installed and managed, and enables compliance checks |
Device security and management
Shared Teams devices should be managed separately from user clients because they use non-interactive resource accounts, which do not support user-based security controls like multi-factor authentication (MFA).
A layered security model is required to manage sign-in, compliance, platform hardening, and updates. Intune enforces device-level configuration and compliance, while the Teams admin centre manages application settings and certified firmware updates.
Design decisions
| Decision point | Design decision | Justification |
|---|---|---|
| Access control | Use a Conditional Access policy for resource accounts that requires both device compliance and a trusted network location | Provides a strong, multi-layered compensating control for non-interactive sign-ins, which must be excluded from MFA requirements |
| Device compliance | Apply platform-specific Intune compliance policies to all shared devices | Ensures only healthy, policy-compliant devices can access services via Conditional Access |
| Platform hardening | Use Intune device restriction profiles to disable unnecessary features (e.g. unused USB ports, app sideloading) | Reduces the attack surface by limiting access to potentially exploitable device capabilities |
| Application and firmware updates | Manage software and firmware updates for Teams hardware via the Teams admin centre | Ensures specialised devices receive certified updates from their native management platform |
| Network isolation | Place devices on a dedicated VLAN or trusted network segment with restricted access | Limits exposure to lateral movement and reduces the device’s value as an attack vector |
| Physical security | Where possible, use lockable enclosures, port blockers, and tamper-evident seals | Prevents theft, physical tampering, and unauthorised peripheral access |
| Operational controls | Monitor sign-in logs and regularly inspect devices for physical tampering | Supports anomaly detection |
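The following is an added example and not part of ASD's Blueprint. It creates, with the Microsoft Graph PowerShell SDK, the Conditional Access policies behind both the "User client configuration" design decisions (compliant device as a grant control; App Protection Policies for unmanaged mobile devices) and the "Device security and management" decision for resource accounts (trusted location plus device compliance, no MFA). Every policy is created in report-only mode so its effect can be checked in the Entra ID sign-in logs before enforcement. The two group object IDs are placeholders, not values from the page; the Graph policy structure, the `Office365` application group and the `AllTrusted` location value are documented Microsoft Graph values.

```powershell
# Added example (not from the Blueprint): Conditional Access policies for Teams user
# clients and for shared-device resource accounts, via Microsoft.Graph.Identity.SignIns.
# Assumptions: the two group object IDs below are placeholders for your tenant's groups.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All" -NoWelcome

$BreakGlassGroupId      = "00000000-0000-0000-0000-000000000001"  # placeholder: emergency-access accounts
$ResourceAccountGroupId = "00000000-0000-0000-0000-000000000002"  # placeholder: MTR, panel and Teams Phone accounts

function New-ReportOnlyCaPolicy {
    param(
        [Parameter(Mandatory)][string]    $DisplayName,
        [Parameter(Mandatory)][hashtable] $Conditions,
        [Parameter(Mandatory)][hashtable] $GrantControls
    )
    # Emergency-access accounts are excluded from every policy so a misconfigured
    # policy cannot lock administrators out of the tenant.
    if (-not $Conditions.users.ContainsKey("excludeGroups")) { $Conditions.users.excludeGroups = @() }
    $Conditions.users.excludeGroups += $BreakGlassGroupId
    $body = @{
        displayName   = $DisplayName
        state         = "enabledForReportingButNotEnforced"   # change to "enabled" after reviewing sign-in logs
        conditions    = $Conditions
        grantControls = $GrantControls
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# 1. Corporate desktop platforms: all Microsoft 365 apps (the Office365 app group, which
#    includes Teams) require an Intune-compliant device.
New-ReportOnlyCaPolicy -DisplayName "M365 clients - require compliant device (Windows, macOS)" `
    -Conditions @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($ResourceAccountGroupId) }
        applications   = @{ includeApplications = @("Office365") }
        platforms      = @{ includePlatforms = @("windows", "macOS") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    } `
    -GrantControls @{ operator = "OR"; builtInControls = @("compliantDevice") }

# 2. Mobile platforms: a compliant (enrolled) device OR an app covered by an Intune
#    App Protection Policy, which protects data on unmanaged devices without enrolment.
New-ReportOnlyCaPolicy -DisplayName "M365 clients - compliant device or app protection (iOS, Android)" `
    -Conditions @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($ResourceAccountGroupId) }
        applications   = @{ includeApplications = @("Office365") }
        platforms      = @{ includePlatforms = @("android", "iOS") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    } `
    -GrantControls @{ operator = "OR"; builtInControls = @("compliantDevice", "compliantApplication") }

# 3. Resource accounts cannot complete MFA. Compensating control, part one: block any
#    sign-in that does not originate from a trusted named location.
New-ReportOnlyCaPolicy -DisplayName "Teams devices - block outside trusted locations" `
    -Conditions @{
        users          = @{ includeGroups = @($ResourceAccountGroupId) }
        applications   = @{ includeApplications = @("All") }
        locations      = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
        clientAppTypes = @("all")
    } `
    -GrantControls @{ operator = "OR"; builtInControls = @("block") }

# 4. Compensating control, part two: the shared device itself must be Intune-compliant.
New-ReportOnlyCaPolicy -DisplayName "Teams devices - require compliant device" `
    -Conditions @{
        users          = @{ includeGroups = @($ResourceAccountGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    } `
    -GrantControls @{ operator = "OR"; builtInControls = @("compliantDevice") }
```

The resource-account group must also be excluded from whichever tenant policy requires MFA, since these accounts cannot satisfy it; policies 3 and 4 are what stands in for it. Review the "Report-only" results in the sign-in logs for a few days, then switch each policy's `state` to `enabled` with `Update-MgIdentityConditionalAccessPolicy`.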
Virtual desktop infrastructure (VDI)
Running Teams in VDI introduces unique requirements not present on physical clients:
- The VDI platform should support media optimisation to offload audio and video (AV) processing from the session host to the user’s local endpoint, which is required to prevent high latency and server load.
- The client should be installed per-machine on the golden image. For the VDI 2.0 architecture, this is a slim client that requires periodic image updates, even though its PWA components auto-update.
- A solution like FSLogix is required for non-persistent sessions to roam user-specific data and prevent Teams from re-installing or re-syncing at every sign-in.
- The user’s local device (thin client or PC) should be certified for optimisation and have a direct network path to Microsoft 365 media relays, bypassing the VDI connection.
End-to-end encryption (E2EE)
Teams supports E2EE for one-to-one calls and, with Teams Premium, for scheduled meetings of up to 200 participants. E2EE ensures only the communicating endpoints can decrypt content, providing maximum confidentiality.
E2EE disables features such as recording, transcription, live captions, call transfer, and compliance auditing. It can be used in scenarios where confidentiality requirements take precedence over collaboration features and oversight capabilities.
Network optimisation
A high-quality Teams experience requires an optimised network that provides a direct path to the Microsoft 365 service endpoints and prioritises real-time media traffic. Bandwidth needs can be estimated using the Network Planner tool, and ongoing network health is monitored using the Teams Call Quality Dashboard (CQD).
This network prioritisation can be implemented using Quality of Service (QoS) by applying Differentiated Services Code Point (DSCP) markings to packets and configuring clients and network infrastructure to respect those markings.
Design decisions
| Decision point | Design decision | Justification |
|---|---|---|
| Network path optimisation | Consider local internet egress and bypass proxies for trusted Microsoft 365 traffic | Can reduce latency by avoiding corporate network backhauling and deep packet inspection of known, trusted services |
| Media traffic prioritisation | Consider implementing internal network QoS and split tunnelling for VPN users | Helps protect real-time audio and video from packet loss and jitter on both corporate and remote networks |
| QoS policy scope | Apply any QoS policies to all clients and network infrastructure supporting Teams traffic | Ensures end-to-end traffic prioritisation for optimal user experience |
| Bandwidth planning | Size network connections based on concurrent user projections and usage patterns | Prevents network congestion during peak usage periods |
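As an added example that is not part of the Blueprint, the following PowerShell creates the client-side Windows QoS policies that apply DSCP markings to Teams media, and includes a check that reads the policies back so a deployment can be verified. The port ranges and DSCP values are the defaults from Microsoft's "Implement Quality of Service (QoS) in Microsoft Teams" documentation; they are assumed to match the port ranges configured in the Teams admin center, otherwise the marks land on the wrong traffic. The `Do not use NLA` registry value is Microsoft's documented requirement for devices that are not domain-joined.

```powershell
# Added example (not from the Blueprint): Windows client QoS policies for Teams media.
# Port ranges and DSCP values are Microsoft's documented defaults and must match the
# ranges set in the Teams admin center. Run elevated on the client (or deploy via Intune/GPO).

$TeamsQosClasses = @(
    @{ Name = "Teams Audio";   PortStart = 50000; PortEnd = 50019; Dscp = 46 }  # EF
    @{ Name = "Teams Video";   PortStart = 50020; PortEnd = 50039; Dscp = 34 }  # AF41
    @{ Name = "Teams Sharing"; PortStart = 50040; PortEnd = 50059; Dscp = 18 }  # AF21
)

function Set-TeamsQosPolicies {
    param([string]$AppName = "ms-teams.exe")   # executable name of the new Teams client
    foreach ($c in $TeamsQosClasses) {
        # Recreate rather than update, so a stale policy with different ports is not left behind.
        if (Get-NetQosPolicy -Name $c.Name -ErrorAction SilentlyContinue) {
            Remove-NetQosPolicy -Name $c.Name -Confirm:$false
        }
        New-NetQosPolicy -Name $c.Name `
            -AppPathNameMatchCondition $AppName `
            -IPProtocolMatchCondition Both `
            -IPSrcPortStartMatchCondition $c.PortStart `
            -IPSrcPortEndMatchCondition $c.PortEnd `
            -DSCPAction $c.Dscp `
            -NetworkProfile All | Out-Null
    }
    # Documented requirement for non-domain-joined devices: without it, Windows only
    # honours local QoS policies while on a "Domain" network profile.
    $qosKey = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\QoS"
    if (-not (Test-Path $qosKey)) { New-Item -Path $qosKey -Force | Out-Null }
    New-ItemProperty -Path $qosKey -Name "Do not use NLA" -Value "1" -PropertyType String -Force | Out-Null
}

function Test-TeamsQosPolicies {
    # Returns $true only when every class exists with the expected ports and DSCP value.
    $ok = $true
    foreach ($c in $TeamsQosClasses) {
        $p = Get-NetQosPolicy -Name $c.Name -ErrorAction SilentlyContinue
        if (-not $p -or $p.DSCPValue -ne $c.Dscp -or
            $p.IPSrcPortStart -ne $c.PortStart -or $p.IPSrcPortEnd -ne $c.PortEnd) {
            Write-Warning "QoS policy '$($c.Name)' is missing or does not match the expected values"
            $ok = $false
        }
    }
    return $ok
}

Set-TeamsQosPolicies
Test-TeamsQosPolicies
```

Client-side marking only helps if switches, routers and any VPN concentrator preserve and act on the DSCP values end to end (the "QoS policy scope" decision); a packet capture on the network side is the quickest way to confirm the marks survive the path.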
Microsoft Defender for Office 365 (MDO) integration
Teams integrates with Defender for Office 365, which provides Teams-specific protections as well as broader security services that enable specific protective features within the Teams client.
Design decisions
| Decision point | Design decision | Justification |
|---|---|---|
| Safe Links for Teams | Enable Safe Links scanning for all Teams messages and apply organisation-wide | Provides real-time URL protection to detect and block malicious links before users click them |
| Safe Attachments for Teams | Enable Safe Attachments scanning for Teams files | Detects malware in files shared through Teams using dynamic detonation analysis |
| Zero-Hour Auto Purge (ZAP) for Teams | Enable ZAP for Teams chats, group chats, and channels with automatic user notification | Automatically removes malicious messages from chats and channels after delivery, mitigating damage from threats missed at delivery time |
| User message reporting | Enable user reporting to security operations mailboxes (only) | Allows end users to contribute to threat detection whilst providing forensic data for incident response |
| Attack Simulation Training for Teams | Include Teams-based phishing simulations in organisation-wide security awareness campaigns | Tests user awareness and reinforces security training |
Purview integration
The Teams client enforces data governance policies configured in Purview. This integration is essential for protecting information in real time. Organisations should consider implementing Data Loss Prevention (DLP) policies using Sensitive Information Types (SITs) to automatically detect and block sensitive and security-classified information from being shared in chats and channels.
Additionally, Purview sensitivity labels can be applied to Teams meetings to enforce security controls and, with Teams Premium, these controls can include advanced protections such as applying watermarks to shared content or video feeds and blocking meeting recording.
Using Purview for Teams containers, chats, and channels is discussed in more detail in the labelling and classification design page.
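The following is an added example, not part of the Blueprint, showing how the Teams-scoped DLP policy described above can be created with Security & Compliance PowerShell. It uses built-in Sensitive Information Types; the policy starts in test mode with notifications so matches can be reviewed in Activity explorer before blocking is enforced. The custom SIT for protective markings is a placeholder name that is assumed not to exist yet and is left commented out.

```powershell
# Added example (not from the Blueprint): Purview DLP policy scoped to Teams chats and
# channel messages that blocks built-in Australian sensitive information types.
# Requires the ExchangeOnlineManagement module and a Purview/compliance admin role.
Connect-IPPSSession

$PolicyName = "Teams - block sensitive information in chats and channels"

# Policy defines the scope (Teams only); rules define what is detected and the action.
New-DlpCompliancePolicy -Name $PolicyName `
    -Comment "DLP for Teams messaging (Blueprint Teams clients design)" `
    -TeamsLocation All `
    -Mode TestWithNotifications      # change to Enable once the match rate has been reviewed

# Built-in SITs; minCount and minConfidence are evaluated per type.
$sensitiveTypes = @(
    @{ Name = "Australia Tax File Number";          minCount = "1"; minConfidence = "85" }
    @{ Name = "Australia Driver's License Number";  minCount = "1"; minConfidence = "85" }
    @{ Name = "Credit Card Number";                 minCount = "1"; minConfidence = "85" }
    # @{ Name = "Protective marking - PLACEHOLDER"; minCount = "1" }   # hypothetical custom SIT for classification markings
)

New-DlpComplianceRule -Policy $PolicyName `
    -Name "Block high-confidence sensitive data in Teams messages" `
    -ContentContainsSensitiveInformation $sensitiveTypes `
    -BlockAccess $true `
    -BlockAccessScope All `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "This message contains sensitive information and was blocked by organisational policy." `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent @("Title", "DocumentAuthor", "Detections", "Severity", "Service") `
    -ReportSeverityLevel High

# Read the configuration back for change-control evidence.
Get-DlpCompliancePolicy -Identity $PolicyName | Select-Object Name, Mode, TeamsLocation
Get-DlpComplianceRule -Policy $PolicyName | Select-Object Name, BlockAccess, ReportSeverityLevel
```

Keeping `BlockAccessScope` at `All` (rather than `PerAnonymousUser`) blocks the message for every recipient, which is the behaviour wanted for security-classified content; the incident report gives the security operations team the forensic detail referred to in the Defender for Office 365 decisions.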
Related information
Security and governance
- None identified
Design
Configuration
- Conditional Access policies
- Global settings
- Messaging
- Microsoft Teams protection
- Safe attachments policy
- Safe links policy
- User reported settings
References
- Conditional Access and Intune compliance for Microsoft Teams Rooms and panels
- Data loss prevention and Microsoft Teams
- Implement Quality of Service (QoS) in Microsoft Teams
- Implement Quality of Service (QoS) in Microsoft Teams desktop clients on Windows
- Improve call quality in Microsoft Teams
- Install Teams for Virtualized Desktop Infrastructure (VDI)
- IT Admins - Microsoft Teams deployment overview
- Manage teams in the Microsoft Teams admin center
- Microsoft Defender for Office 365 support for Microsoft Teams
- Microsoft Teams client
- Microsoft Teams Rooms on Windows and Teams Android device security
- New VDI solution for Teams
- Overview of Teams certified devices
- Prepare your organization’s network for Microsoft Teams
- Require end-to-end encryption for sensitive Teams meetings
- Use end-to-end encryption for one-to-one Microsoft Teams calls
- Use sensitivity labels to protect content in Microsoft Teams, Microsoft 365 groups, and SharePoint sites
- Use the Network planner for Microsoft Teams
- What is FSLogix?
- Why it’s important to keep Teams updated