Forum Discussion
Securing Microsoft Teams Best Practice & Cleanup
Block Teams Creations - Correct, you will need to restrict the creation of M365 Groups and create a security group for those allowed to create new teams.
Expire or Archive old Teams - To expire Teams, you can create an M365 group expiration policy in AAD Admin Center. For Archiving, you can go to Teams Admin Center or archive the team using PowerShell or MS Graph.
There is also the option to use retention policies by going to the MS Purview Compliance portal.
Governance Example Policy
“All guest accounts must be approved, require MFA, and be reviewed every 90 days. Guest accounts inactive for 90 days will be automatically disabled. Sharing of content must be restricted to authenticated guests only — anonymous links are prohibited.”
Quick Implementation Checklist
- Restrict who can invite guests
- Require MFA for all guest accounts
- Limit external sharing (no “Anyone with the link”)
- Classify Teams/sites with sensitivity labels
- Set up Access Reviews for recurring guest audits
- Enable logging & monitoring of guest activity
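The "Block Teams Creations" step above (restrict M365 Group creation to one security group), as an added example that is not part of the original post. It assumes the Microsoft Graph PowerShell beta modules are installed and that a security group with the hypothetical name `Teams-Creators` already exists.

```powershell
# Added example. 'Teams-Creators' is a hypothetical security group name.
Import-Module Microsoft.Graph.Beta.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Beta.Groups
$ErrorActionPreference = 'Stop'
$allowedGroupName = 'Teams-Creators'   # assumption: replace with your own group

Connect-MgGraph -Scopes 'Directory.ReadWrite.All', 'Group.Read.All'

# Resolve the security group; refuse to continue on zero or ambiguous matches.
$group = @(Get-MgBetaGroup -Filter "displayName eq '$allowedGroupName'")
if ($group.Count -ne 1) {
    throw "Expected exactly one group named '$allowedGroupName', found $($group.Count)."
}
if (-not $group[0].SecurityEnabled) {
    throw "'$allowedGroupName' is not a security group."
}

# Find the tenant's Group.Unified settings object, creating it from the
# template defaults if the tenant has never customised group settings.
$setting = Get-MgBetaDirectorySetting | Where-Object DisplayName -eq 'Group.Unified'
if (-not $setting) {
    $template = Get-MgBetaDirectorySettingTemplate | Where-Object DisplayName -eq 'Group.Unified'
    $defaults = @($template.Values | ForEach-Object { @{ name = $_.Name; value = $_.DefaultValue } })
    $setting  = New-MgBetaDirectorySetting -BodyParameter @{ templateId = $template.Id; values = $defaults }
}

# Carry every existing value forward so unrelated settings are not reset,
# then change only the two that control who may create groups.
$values = [ordered]@{}
foreach ($v in $setting.Values) { $values[$v.Name] = $v.Value }
$values['EnableGroupCreation']         = 'false'
$values['GroupCreationAllowedGroupId'] = $group[0].Id

$body = @{ values = @($values.GetEnumerator() | ForEach-Object { @{ name = $_.Key; value = $_.Value } }) }
Update-MgBetaDirectorySetting -DirectorySettingId $setting.Id -BodyParameter $body

# Read the setting back and confirm the change took effect.
(Get-MgBetaDirectorySetting -DirectorySettingId $setting.Id).Values |
    Where-Object Name -in 'EnableGroupCreation', 'GroupCreationAllowedGroupId'
```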
Thanks for this. For the block, is that via the PowerShell script I've been seeing around Google?
I like that governance policy. When enforcing MFA on guest accounts, will that allow them to use any type of authenticator?
If you restrict guest invitations and somebody requires a guest invited to Teams or SharePoint, can an admin do that for them?
Thanks so much for this, very helpful.