diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md
index 20a6cca48a..f390cc8177 100644
--- a/prowler/CHANGELOG.md
+++ b/prowler/CHANGELOG.md
@@ -18,6 +18,8 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - Update AWS Shield service metadata to new format [(#9427)](https://github.com/prowler-cloud/prowler/pull/9427)
 - Update AWS Secrets Manager service metadata to new format [(#9408)](https://github.com/prowler-cloud/prowler/pull/9408)
 - Improve SageMaker service tag retrieval with parallel execution [(#9609)](https://github.com/prowler-cloud/prowler/pull/9609)
+- Update M365 Teams service metadata to new format [(#9685)](https://github.com/prowler-cloud/prowler/pull/9685)
+
 ---
diff --git a/prowler/providers/m365/services/teams/teams_email_sending_to_channel_disabled/teams_email_sending_to_channel_disabled.metadata.json b/prowler/providers/m365/services/teams/teams_email_sending_to_channel_disabled/teams_email_sending_to_channel_disabled.metadata.json
index 306530b61c..f03526d1ac 100644
--- a/prowler/providers/m365/services/teams/teams_email_sending_to_channel_disabled/teams_email_sending_to_channel_disabled.metadata.json
+++ b/prowler/providers/m365/services/teams/teams_email_sending_to_channel_disabled/teams_email_sending_to_channel_disabled.metadata.json
@@ -1,30 +1,35 @@
 {
 "Provider": "m365",
 "CheckID": "teams_email_sending_to_channel_disabled",
- "CheckTitle": "Ensure users are not be able to email the channel directly.",
+ "CheckTitle": "Email to Teams channel addresses is disabled",
 "CheckType": [],
 "ServiceName": "teams",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
 "Severity": "high",
- "ResourceType": "Teams Settings",
- "Description": "Ensure users can not send emails to channel email addresses.",
- "Risk": "Allowing users to send emails to Teams channel email addresses introduces a security risk, as these addresses are outside the tenant’s domain and lack proper security controls. This creates a potential attack vector where threat actors could exploit the channel email to deliver malicious content or spam.",
- "RelatedUrl": "https://learn.microsoft.com/en-us/powershell/module/teams/get-csteamsclientconfiguration?view=teams-ps",
+ "ResourceType": "",
+ "Description": "Microsoft Teams tenant configuration for **channel email addresses** determines if channels can receive messages via email. This evaluates the `allow_email_into_channel` setting.",
+ "Risk": "Allowing email into channels lets outsiders inject content, links, and attachments into Teams. Leaked addresses enable **phishing**, **malware delivery**, and spam, undermining **confidentiality** and **integrity**, and adding noise that affects **availability**; posts may bypass user-authenticated context.",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://admin.teams.microsoft.com.",
+ "https://learn.microsoft.com/en-us/powershell/module/teams/get-csteamsclientconfiguration?view=teams-ps"
+ ],
 "Remediation": {
 "Code": {
 "CLI": "Set-CsTeamsClientConfiguration -Identity Global -AllowEmailIntoChannel $false",
 "NativeIaC": "",
- "Other": "1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com. 2. Click to expand Teams select Teams settings. 3. Under email integration set Users can send emails to a channel email address to Off.",
+ "Other": "1. Sign in to the Microsoft Teams admin center: https://admin.teams.microsoft.com\n2. Go to Teams > Teams settings\n3. Under Email integration, set \"Users can send emails to a channel email address\" to Off\n4. Click Save",
 "Terraform": ""
 },
 "Recommendation": {
- "Text": "Disable the ability for users to send emails to Teams channel email addresses to reduce the risk of external abuse and enhance control over organizational communications.",
- "Url": "https://learn.microsoft.com/en-us/powershell/module/teams/get-csteamsclientconfiguration?view=teams-ps"
+ "Text": "Disable email into channels by default. If needed, limit senders to approved domains, apply anti-phishing/malware filtering, enforce DLP and retention on inbound mail, monitor postings, rotate channel addresses, and prefer authenticated connectors-applying **least privilege** and **defense in depth**.",
+ "Url": "https://hub.prowler.com/check/teams_email_sending_to_channel_disabled"
 }
 },
 "Categories": [
- "e3"
+ "email-security",
+ "internet-exposed"
 ],
 "DependsOn": [],
 "RelatedTo": [],
diff --git a/prowler/providers/m365/services/teams/teams_external_domains_restricted/teams_external_domains_restricted.metadata.json b/prowler/providers/m365/services/teams/teams_external_domains_restricted/teams_external_domains_restricted.metadata.json
index dbae20a0f6..c43e24d32d 100644
--- a/prowler/providers/m365/services/teams/teams_external_domains_restricted/teams_external_domains_restricted.metadata.json
+++ b/prowler/providers/m365/services/teams/teams_external_domains_restricted/teams_external_domains_restricted.metadata.json
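Review bot: The first AdditionalURLs entry `"https://admin.teams.microsoft.com.",` has a trailing period inside the string, so the rendered link points at a host that does not exist; it should be `"https://admin.teams.microsoft.com",`. The same stray `.` (or `/.`) sits on the admin-center entry in every other metadata hunk of this commit (external_domains_restricted, external_file_sharing_restricted, external_users_cannot_start_conversations, meeting_anonymous_user_join_disabled, meeting_anonymous_user_start_disabled, meeting_chat_anonymous_users_disabled, meeting_dial_in_lobby_bypass_disabled, meeting_external_chat_disabled). This file is also the only one in the commit whose Categories replaces "e3" instead of adding to it; if "e3" is still used to filter checks, keep it next to the two new categories. Separately, the Description calls the setting `allow_email_into_channel` while the CLI remediation uses `AllowEmailIntoChannel`; using the cmdlet parameter name in user-facing text avoids pointing readers at what looks like an internal attribute.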
@@ -1,29 +1,39 @@
 {
 "Provider": "m365",
 "CheckID": "teams_external_domains_restricted",
- "CheckTitle": "Ensure external domains are restricted.",
+ "CheckTitle": "External domain access is disabled for Teams users",
 "CheckType": [],
 "ServiceName": "teams",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
 "Severity": "high",
- "ResourceType": "Teams Settings",
- "Description": "Ensure external domains are restricted from being used in Teams admin center.",
- "Risk": "Allowing unrestricted communication with external domains in Microsoft Teams increases the risk of exposure to social engineering attacks, phishing, malware delivery (e.g., DarkGate), and exploitation tactics such as GIFShell or username enumeration.",
- "RelatedUrl": "https://learn.microsoft.com/en-us/powershell/module/teams/set-cstenantfederationconfiguration?view=teams-ps",
+ "ResourceType": "",
+ "Description": "**Microsoft Teams** tenant external access configuration is assessed. The expected posture is **federation with external domains** disabled, so users cannot chat, call, or meet with accounts in other domains.",
+ "Risk": "**Unrestricted external federation** enables delivery of phishing links and malware via chats/calls, user enumeration, and data leakage through messages or file shares. This directly threatens **confidentiality** and **integrity**, and can aid social engineering-driven lateral movement.",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://learn.microsoft.com/en-us/powershell/module/teams/set-cstenantfederationconfiguration?view=teams-ps",
+ "https://admin.teams.microsoft.com/.",
+ "https://learn.microsoft.com/ar-sa/entra/architecture/5-secure-access-b2b",
+ "https://vmwaretroubleshooter.com/breaking-down-information-barriers-for-external-users-in-teams-microsoft-community-hub/",
+ "https://www.solutions2share.com/microsoft-teams-security-collaboration/",
+ "https://www.thatlazyadmin.com/2019/03/28/microsoft-teams-cant-chat-external-domains/",
+ "https://cybersecuritynews.com/microsoft-teams-defender-portal/"
+ ],
 "Remediation": {
 "Code": {
 "CLI": "Set-CsTenantFederationConfiguration -AllowFederatedUsers $false",
 "NativeIaC": "",
- "Other": "1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com/. 2. Click to expand Users select External access. 3. Under Teams and Skype for Business users in external organizations set Choose which external domains your users have access to to one of the following: Allow only specific external domains or Block all external domains. 4. Click Save.",
+ "Other": "1. Sign in to the Teams admin center: https://admin.teams.microsoft.com/\n2. Go to Org-wide settings (or Users) > External access\n3. Turn off \"Users can communicate with other Skype for Business and Teams users\"\n4. Click Save",
 "Terraform": ""
 },
 "Recommendation": {
- "Text": "Restrict external collaboration by configuring Teams to either Block all external domains or Allow only specific, trusted external domains. This ensures users can only interact with vetted organizations, significantly reducing the attack surface.",
- "Url": "https://learn.microsoft.com/en-us/powershell/module/teams/set-cstenantfederationconfiguration?view=teams-ps"
+ "Text": "Adopt a **default-deny** stance: disable external access. *If collaboration is required*, allowlist only trusted domains and apply **least privilege** with cross-tenant policies. Prefer **B2B guest/shared channels**, require **MFA** and compliant devices, and review logs and domain lists regularly.",
+ "Url": "https://hub.prowler.com/check/teams_external_domains_restricted"
 }
 },
 "Categories": [
+ "trust-boundaries",
 "e3"
 ],
 "DependsOn": [],
diff --git a/prowler/providers/m365/services/teams/teams_external_file_sharing_restricted/teams_external_file_sharing_restricted.metadata.json b/prowler/providers/m365/services/teams/teams_external_file_sharing_restricted/teams_external_file_sharing_restricted.metadata.json
index 6a84dec3c4..62c9491873 100644
--- a/prowler/providers/m365/services/teams/teams_external_file_sharing_restricted/teams_external_file_sharing_restricted.metadata.json
+++ b/prowler/providers/m365/services/teams/teams_external_file_sharing_restricted/teams_external_file_sharing_restricted.metadata.json
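Review bot: The third AdditionalURLs entry `"https://learn.microsoft.com/ar-sa/entra/architecture/5-secure-access-b2b"` uses the Arabic-locale path; every other Microsoft reference in this commit uses `/en-us/`, so it should be `"https://learn.microsoft.com/en-us/entra/architecture/5-secure-access-b2b",` to avoid sending readers to a localized page. Four of the seven entries (vmwaretroubleshooter, solutions2share, thatlazyadmin, cybersecuritynews) are third-party blogs whose content can change or disappear; for guidance shipped inside a security scanner, vendor documentation is the safer reference, and the blog entries that only restate the learn.microsoft.com pages can be dropped. The second step, `2. Go to Org-wide settings (or Users) > External access`, hedges between two menu paths in a remediation instruction; state the one that matches the current admin center.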
@@ -1,29 +1,34 @@
 {
 "Provider": "m365",
 "CheckID": "teams_external_file_sharing_restricted",
- "CheckTitle": "Ensure external file sharing in Teams is enabled for only approved cloud storage services",
+ "CheckTitle": "Teams external file sharing is restricted to only approved cloud storage services",
 "CheckType": [],
 "ServiceName": "teams",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
 "Severity": "high",
- "ResourceType": "Teams Settings",
- "Description": "",
- "Risk": "Allowing unrestricted third-party cloud storage services in Teams increases the risk of data exfiltration, compliance violations, and unauthorized access to sensitive information. Users may store or share data through unapproved platforms with weaker security controls.",
- "RelatedUrl": "https://learn.microsoft.com/en-us/powershell/module/teams/get-csteamsclientconfiguration?view=teams-ps",
+ "ResourceType": "",
+ "Description": "Microsoft Teams client settings restrict **external file sharing** via third-party storage providers to an approved allowlist. Configuration is considered in place when only sanctioned providers are enabled, or when all non-approved providers are disabled.",
+ "Risk": "Unrestricted third-party storage in Teams weakens **confidentiality** and **integrity**:\n- Data may bypass DLP, eDiscovery, and retention\n- Sensitive files can be shared to unmanaged tenants\n- Unvetted apps can deliver tampered content, enabling **data exfiltration** and **malware**",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://admin.teams.microsoft.com.",
+ "https://learn.microsoft.com/en-us/powershell/module/teams/get-csteamsclientconfiguration?view=teams-ps"
+ ],
 "Remediation": {
 "Code": {
- "CLI": "Set-CsTeamsClientConfiguration -AllowGoogleDrive $false -AllowShareFile $false -AllowBox $false -AllowDropBox $false -AllowEgnyte $false",
+ "CLI": "Set-CsTeamsClientConfiguration -AllowGoogleDrive $false -AllowShareFile $false -AllowBox $false -AllowDropbox $false -AllowEgnyte $false",
 "NativeIaC": "",
- "Other": "1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com. 2. Click to expand Teams select Teams settings. 3. Set any unauthorized providers to Off.",
+ "Other": "1. Go to https://admin.teams.microsoft.com and sign in\n2. Navigate to Teams > Teams settings\n3. Under Files > Third-party storage, turn Off any unapproved providers (Box, Dropbox, Google Drive, Egnyte, ShareFile)\n4. Click Save",
 "Terraform": ""
 },
 "Recommendation": {
- "Text": "Restrict external file sharing in Teams to only approved cloud storage providers, such as SharePoint Online and OneDrive. Configure Teams policies to block unauthorized services and enforce compliance with organizational data protection standards.",
- "Url": "https://learn.microsoft.com/en-us/powershell/module/teams/get-csteamsclientconfiguration?view=teams-ps"
+ "Text": "Adopt a **deny-by-default allowlist** for Teams file sharing with third-party storage.\n- Enable only vetted providers aligned with governance\n- Prefer **SharePoint Online/OneDrive** for collaboration\n- Enforce **least privilege**, DLP, and eDiscovery on allowed paths\n- Block unsanctioned apps and limit external sharing to trusted domains",
+ "Url": "https://hub.prowler.com/check/teams_external_file_sharing_restricted"
 }
 },
 "Categories": [
+ "trust-boundaries",
 "e3"
 ],
 "DependsOn": [],
diff --git a/prowler/providers/m365/services/teams/teams_external_users_cannot_start_conversations/teams_external_users_cannot_start_conversations.metadata.json b/prowler/providers/m365/services/teams/teams_external_users_cannot_start_conversations/teams_external_users_cannot_start_conversations.metadata.json
index 34a92f131e..34d4a85981 100644
--- a/prowler/providers/m365/services/teams/teams_external_users_cannot_start_conversations/teams_external_users_cannot_start_conversations.metadata.json
+++ b/prowler/providers/m365/services/teams/teams_external_users_cannot_start_conversations/teams_external_users_cannot_start_conversations.metadata.json
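Review bot: The CLI line changes the parameter casing from `-AllowDropBox` to `-AllowDropbox` with no functional effect, since PowerShell binds parameters case-insensitively, but as far as I can tell the documented parameter name on Set-CsTeamsClientConfiguration is `AllowDropBox`, so the rewrite moves the string away from the reference docs rather than toward them; verify against the cmdlet page already linked in AdditionalURLs and keep whichever spelling it shows. The Description's second sentence, "when only sanctioned providers are enabled, or when all non-approved providers are disabled", states the same condition twice; one clause is enough, e.g. `Configuration is considered in place when every non-approved provider is disabled.`.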
@@ -1,29 +1,37 @@
 {
 "Provider": "m365",
 "CheckID": "teams_external_users_cannot_start_conversations",
- "CheckTitle": "Ensure external users cannot start conversations.",
+ "CheckTitle": "External Teams users cannot start conversations",
 "CheckType": [],
 "ServiceName": "teams",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
- "Severity": "critical",
- "ResourceType": "Teams Settings",
- "Description": "Ensure external users cannot initiate conversations.",
- "Risk": "Allowing unmanaged external Teams users to initiate conversations increases the risk of phishing, malware distribution such as DarkGate, social engineering attacks like those by Midnight Blizzard, GIFShell exploitation, and username enumeration.",
- "RelatedUrl": "https://learn.microsoft.com/en-us/powershell/module/teams/set-cstenantfederationconfiguration?view=teams-ps",
+ "Severity": "high",
+ "ResourceType": "",
+ "Description": "**Teams external access** blocks conversation initiation from **unmanaged Teams accounts** when `AllowTeamsConsumerInbound=false`.",
+ "Risk": "Permitting unmanaged externals to start chats enables **phishing**, **malware delivery**, and **social engineering**, leading to credential theft and data exfiltration. It also allows **user enumeration** and presence probing, aiding **account takeover** and lateral movement, impacting confidentiality and integrity.",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://learn.microsoft.com/en-us/powershell/module/teams/set-cstenantfederationconfiguration?view=teams-ps",
+ "https://admin.teams.microsoft.com/.",
+ "https://learn.microsoft.com/en-us/microsoftteams/trusted-organizations-external-meetings-chat",
+ "https://learn.microsoft.com/en-us/entra/architecture/9-secure-access-teams-sharepoint",
+ "https://learn.microsoft.com/en-us/microsoftteams/communicate-with-users-from-other-organizations"
+ ],
 "Remediation": {
 "Code": {
 "CLI": "Set-CsTenantFederationConfiguration -AllowTeamsConsumerInbound $false",
 "NativeIaC": "",
- "Other": "1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com/. 2. Click to expand Users select External access. 3. Scroll to Teams accounts not managed by an organization. 4. Uncheck External users with Teams accounts not managed by an organization can contact users in my organization. 5. Click Save.",
+ "Other": "1. Sign in to the Teams admin center: https://admin.teams.microsoft.com/\n2. Go to Users > External access\n3. Under \"Teams accounts not managed by an organization\", clear the checkbox \"External users with Teams accounts not managed by an organization can contact users in my organization\"\n4. Click Save",
 "Terraform": ""
 },
 "Recommendation": {
- "Text": "Disable the ability for external Teams users not managed by an organization to initiate conversations by unchecking the option that permits them to contact users in your organization. This provides an added layer of protection, especially if exceptions are made to allow limited communication with unmanaged users.",
- "Url": "https://learn.microsoft.com/en-us/powershell/module/teams/set-cstenantfederationconfiguration?view=teams-ps"
+ "Text": "Disable inbound initiation from unmanaged accounts (`AllowTeamsConsumerInbound=false`). If external collaboration is required, prefer **allowlists** for trusted domains and use **guest access** with **least privilege**. Apply **defense in depth**: conditional access, link/file scanning, user education, and monitor for anomalous external chats.",
+ "Url": "https://hub.prowler.com/check/teams_external_users_cannot_start_conversations"
 }
 },
 "Categories": [
+ "trust-boundaries",
 "e3"
 ],
 "DependsOn": [],
diff --git a/prowler/providers/m365/services/teams/teams_meeting_anonymous_user_join_disabled/teams_meeting_anonymous_user_join_disabled.metadata.json b/prowler/providers/m365/services/teams/teams_meeting_anonymous_user_join_disabled/teams_meeting_anonymous_user_join_disabled.metadata.json
index 5d6e0615d2..dc04bcf676 100644
--- a/prowler/providers/m365/services/teams/teams_meeting_anonymous_user_join_disabled/teams_meeting_anonymous_user_join_disabled.metadata.json
+++ b/prowler/providers/m365/services/teams/teams_meeting_anonymous_user_join_disabled/teams_meeting_anonymous_user_join_disabled.metadata.json
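Review bot: The new CheckTitle `"External Teams users cannot start conversations"` is broader than what the check covers: the Description, CLI and admin-center steps all concern unmanaged (consumer) Teams accounts via `AllowTeamsConsumerInbound`, while users from other organizations are governed by `AllowFederatedUsers`, which the external_domains_restricted hunk in this same commit handles. A title such as `"CheckTitle": "Unmanaged external Teams accounts cannot start conversations",` keeps the two checks distinguishable in reports. The severity drops from critical to high here and in the four meeting-policy files of this commit without the rationale being visible in these hunks; if the commit description does not explain it, a one-line note there would help reviewers of compliance mappings.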
@@ -1,29 +1,34 @@
 {
 "Provider": "m365",
 "CheckID": "teams_meeting_anonymous_user_join_disabled",
- "CheckTitle": "Ensure anonymous users are not able to join meetings.",
+ "CheckTitle": "Anonymous users cannot join Teams meetings",
 "CheckType": [],
 "ServiceName": "teams",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
- "Severity": "critical",
- "ResourceType": "Teams Global Meeting Policy",
- "Description": "Ensure individuals who are not sent or forwarded a meeting invite will not be able to join the meeting automatically.",
- "Risk": "Allowing anonymous users to join meetings can lead to unauthorized access, information leakage, and potential disruptions, especially in meetings involving sensitive data.",
- "RelatedUrl": "https://learn.microsoft.com/en-us/powershell/module/teams/set-csteamsmeetingpolicy?view=teams-ps",
+ "Severity": "high",
+ "ResourceType": "",
+ "Description": "**Microsoft Teams** org-wide meeting policy is evaluated to ensure **anonymous meeting join** is disabled, preventing non-authenticated participants from joining.",
+ "Risk": "Anonymous meeting access allows unaccountable attendees to join, eavesdrop, capture shared content, and impersonate others.\n\nThis undermines **confidentiality** and **integrity**, and threatens **availability** via meeting hijacking, spam, and disruption.",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://admin.teams.microsoft.com.",
+ "https://learn.microsoft.com/en-us/powershell/module/teams/set-csteamsmeetingpolicy?view=teams-ps"
+ ],
 "Remediation": {
 "Code": {
 "CLI": "Set-CsTeamsMeetingPolicy -Identity Global -AllowAnonymousUsersToJoinMeeting $false",
 "NativeIaC": "",
- "Other": "1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com. 2. Click to expand Meetings select Meeting policies. 3. Click Global (Org-wide default). 4. Under meeting join & lobby set Anonymous users can join a meeting to Off.",
+ "Other": "1. Sign in to the Microsoft Teams admin center (https://admin.teams.microsoft.com)\n2. Go to Meetings > Meeting policies\n3. Select Global (Org-wide default)\n4. Set \"Anonymous users can join a meeting\" to Off\n5. Click Save",
 "Terraform": ""
 },
 "Recommendation": {
- "Text": "Disable anonymous user access to Microsoft Teams meetings to ensure only invited participants can join. This adds a layer of vetting by requiring organizer approval for anyone not explicitly invited.",
- "Url": "https://learn.microsoft.com/en-us/powershell/module/teams/set-csteamsmeetingpolicy?view=teams-ps"
+ "Text": "Disable **anonymous meeting join** tenant-wide and require authenticated users or managed guests.\n\nUse **lobby** admission for externals, limit presenter rights per **least privilege**, and enforce **conditional access** or registration to control who enters.",
+ "Url": "https://hub.prowler.com/check/teams_meeting_anonymous_user_join_disabled"
 }
 },
 "Categories": [
+ "identity-access",
 "e3"
 ],
 "DependsOn": [],
diff --git a/prowler/providers/m365/services/teams/teams_meeting_anonymous_user_start_disabled/teams_meeting_anonymous_user_start_disabled.metadata.json b/prowler/providers/m365/services/teams/teams_meeting_anonymous_user_start_disabled/teams_meeting_anonymous_user_start_disabled.metadata.json
index 7c8b2a9cbe..5a4a5d4d9b 100644
--- a/prowler/providers/m365/services/teams/teams_meeting_anonymous_user_start_disabled/teams_meeting_anonymous_user_start_disabled.metadata.json
+++ b/prowler/providers/m365/services/teams/teams_meeting_anonymous_user_start_disabled/teams_meeting_anonymous_user_start_disabled.metadata.json
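Review bot: Step 1 of the new "Other" text wraps the admin-center URL in parentheses, `(https://admin.teams.microsoft.com)`, and the meeting_anonymous_user_start_disabled hunk does the same, while the other files in this commit use the `admin center: https://...` form; auto-linkers commonly swallow the closing parenthesis into the URL, so the colon form used elsewhere is the safer and more consistent choice: `1. Sign in to the Microsoft Teams admin center: https://admin.teams.microsoft.com`. Step 4 also drops the section name that every sibling file keeps (`Under Meeting join & lobby, set ...`), which is what lets an admin find the toggle.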
@@ -1,29 +1,36 @@
 {
 "Provider": "m365",
 "CheckID": "teams_meeting_anonymous_user_start_disabled",
- "CheckTitle": "Ensure anonymous users are not able to start meetings.",
+ "CheckTitle": "Anonymous users cannot start Teams meetings",
 "CheckType": [],
 "ServiceName": "teams",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
- "Severity": "critical",
- "ResourceType": "Teams Global Meeting Policy",
- "Description": "Ensure anonymous users and dial-in callers are not able to start meetings.",
- "Risk": "Allowing anonymous users and dial-in callers to start meetings without an authenticated participant present can lead to meeting spamming, unauthorized activity, and potential misuse of organizational resources.",
- "RelatedUrl": "https://learn.microsoft.com/en-us/powershell/module/teams/set-csteamsmeetingpolicy?view=teams-ps",
+ "Severity": "medium",
+ "ResourceType": "",
+ "Description": "**Microsoft Teams meeting policies** disable `AllowAnonymousUsersToStartMeeting` so **anonymous users** and **dial-in callers** cannot start meetings and must wait in the lobby until an authenticated participant joins",
+ "Risk": "Without this control, outsiders can launch **hostless meetings**, enabling:\n- social engineering before staff join\n- malicious link sharing and meeting hijack\nIt also allows **PSTN toll abuse** by dial-in callers.\nImpacts: confidentiality, integrity, and availability/cost.",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://learn.microsoft.com/en-us/microsoftteams/settings-policies-reference",
+ "https://admin.teams.microsoft.com.",
+ "https://docs.tminus365.com/security/teams/anonymous-users-shall-not-be-enabled-to-start-meetings",
+ "https://learn.microsoft.com/en-us/powershell/module/teams/set-csteamsmeetingpolicy?view=teams-ps"
+ ],
 "Remediation": {
 "Code": {
 "CLI": "Set-CsTeamsMeetingPolicy -Identity Global -AllowAnonymousUsersToStartMeeting $false",
 "NativeIaC": "",
- "Other": "1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com. 2. Click to expand Meetings select Meeting policies. 3. Click Global (Org-wide default). 4. Under meeting join & lobby set Anonymous users and dial-in callers can start a meeting to Off.",
+ "Other": "1. Sign in to the Microsoft Teams admin center (https://admin.teams.microsoft.com)\n2. Go to Meetings > Meeting policies\n3. Select Global (Org-wide default)\n4. Under Meeting join & lobby, set \"Anonymous users and dial-in callers can start a meeting\" to Off\n5. Click Save",
 "Terraform": ""
 },
 "Recommendation": {
- "Text": "Ensure that anonymous users and dial-in callers are required to wait in the lobby until a verified user from the organization or a trusted external domain starts the meeting. This reduces the risk of abuse and maintains meeting integrity.",
- "Url": "https://learn.microsoft.com/en-us/powershell/module/teams/set-csteamsmeetingpolicy?view=teams-ps"
+ "Text": "Keep `AllowAnonymousUsersToStartMeeting` disabled. Require an **authenticated organizer** to start meetings and enforce the **lobby** so anonymous and dial-in participants wait. Limit lobby bypass to internal or invited users, disable anonymous join if unnecessary, and apply least-privilege and zero-trust principles to meeting access.",
+ "Url": "https://hub.prowler.com/check/teams_meeting_anonymous_user_start_disabled"
 }
 },
 "Categories": [
+ "identity-access",
 "e3"
 ],
 "DependsOn": [],
diff --git a/prowler/providers/m365/services/teams/teams_meeting_chat_anonymous_users_disabled/teams_meeting_chat_anonymous_users_disabled.metadata.json b/prowler/providers/m365/services/teams/teams_meeting_chat_anonymous_users_disabled/teams_meeting_chat_anonymous_users_disabled.metadata.json
index 0beb3918e5..317e1f0bb3 100644
--- a/prowler/providers/m365/services/teams/teams_meeting_chat_anonymous_users_disabled/teams_meeting_chat_anonymous_users_disabled.metadata.json
+++ b/prowler/providers/m365/services/teams/teams_meeting_chat_anonymous_users_disabled/teams_meeting_chat_anonymous_users_disabled.metadata.json
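Review bot: The new Description is the only one in this commit that ends without a terminal period (`...until an authenticated participant joins"`); every sibling Description is a full sentence, so it should read `...until an authenticated participant joins.",`. The Risk field's last line, `Impacts: confidentiality, integrity, and availability/cost.`, is a label-style fragment that the other Risk texts express as a sentence; matching their form keeps the hub rendering uniform. The third AdditionalURLs entry (docs.tminus365.com) is a third-party site, and the Microsoft settings reference and cmdlet page already listed cover the same setting.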
@@ -1,29 +1,34 @@
 {
 "Provider": "m365",
 "CheckID": "teams_meeting_chat_anonymous_users_disabled",
- "CheckTitle": "Ensure meeting chat does not allow anonymous users",
+ "CheckTitle": "Teams Meetings global policy does not allow anonymous users in meeting chat",
 "CheckType": [],
 "ServiceName": "teams",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
- "Severity": "critical",
- "ResourceType": "Teams Global Meeting Policy",
- "Description": "Ensure meeting chat does not allow anonymous users.",
- "Risk": "Allowing anonymous users to participate in meeting chat can expose sensitive information and increase the risk of inappropriate content being shared by unverified participants.",
- "RelatedUrl": "https://learn.microsoft.com/en-us/powershell/module/teams/set-csteamsmeetingpolicy?view=teams-ps",
+ "Severity": "high",
+ "ResourceType": "",
+ "Description": "**Microsoft Teams meeting policies** restrict chat so **anonymous participants** cannot send or read messages.\n\nAccepted configurations include `EnabledExceptAnonymous` or `EnabledInMeetingOnlyForAllExceptAnonymous`.",
+ "Risk": "**Anonymous chat** enables unverified users to leak sensitive content, post **phishing/malware links**, and impersonate others.\n\nThis undermines **confidentiality** and accountability, and can disrupt meetings through spam, affecting **availability** and auditability.",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://admin.teams.microsoft.com.",
+ "https://learn.microsoft.com/en-us/powershell/module/teams/set-csteamsmeetingpolicy?view=teams-ps"
+ ],
 "Remediation": {
 "Code": {
- "CLI": "Set-CsTeamsMeetingPolicy -Identity Global -MeetingChatEnabledType 'EnabledExceptAnonymous'",
+ "CLI": "Set-CsTeamsMeetingPolicy -Identity Global -MeetingChatEnabledType EnabledExceptAnonymous",
 "NativeIaC": "",
- "Other": "1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com. 2. Click to expand Meetings select Meeting policies. 3. Click Global (Org-wide default). 4. Under meeting engagement verify that Meeting chat is set to On for everyone but anonymous users.",
+ "Other": "1. Sign in to the Microsoft Teams admin center: https://admin.teams.microsoft.com\n2. Go to Meetings > Meeting policies\n3. Open Global (Org-wide default)\n4. Under Meeting engagement, set Meeting chat to \"On for everyone but anonymous users\"\n5. Click Save",
 "Terraform": ""
 },
 "Recommendation": {
- "Text": "Restrict chat access during meetings to only authenticated and authorized users. Disable chat capabilities for anonymous users to maintain confidentiality and prevent misuse.",
- "Url": "https://learn.microsoft.com/en-us/powershell/module/teams/set-csteamsmeetingpolicy?view=teams-ps"
+ "Text": "Enforce chat for **authenticated users only** following **least privilege**.\n- Block chat for anonymous users\n- Use guest access with identity verification and lobby controls\n- Apply DLP and link/file protection to chat\n- Monitor audit logs and set retention to ensure traceability",
+ "Url": "https://hub.prowler.com/check/teams_meeting_chat_anonymous_users_disabled"
 }
 },
 "Categories": [
+ "identity-access",
 "e3"
 ],
 "DependsOn": [],
diff --git a/prowler/providers/m365/services/teams/teams_meeting_dial_in_lobby_bypass_disabled/teams_meeting_dial_in_lobby_bypass_disabled.metadata.json b/prowler/providers/m365/services/teams/teams_meeting_dial_in_lobby_bypass_disabled/teams_meeting_dial_in_lobby_bypass_disabled.metadata.json
index 632c257e0c..a22060a247 100644
--- a/prowler/providers/m365/services/teams/teams_meeting_dial_in_lobby_bypass_disabled/teams_meeting_dial_in_lobby_bypass_disabled.metadata.json
+++ b/prowler/providers/m365/services/teams/teams_meeting_dial_in_lobby_bypass_disabled/teams_meeting_dial_in_lobby_bypass_disabled.metadata.json
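Review bot: The Description says the check accepts either `EnabledExceptAnonymous` or `EnabledInMeetingOnlyForAllExceptAnonymous`, but the remediation (CLI and step 4) only ever sets the first, so an admin who has deliberately chosen the in-meeting-only variant gets told to change a setting that already passes. Either confirm that the check implementation really treats both values as compliant and add a sentence to the remediation saying the in-meeting-only option is equally acceptable, or drop the second value from the Description; the check code is not in this diff, so I cannot tell which is intended. Dropping the single quotes around the enum value on the CLI line is fine for PowerShell, but it is now the only CLI string in the commit with that quoting style, while the others quote nothing because their arguments are `$false` literals.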
@@ -1,29 +1,40 @@
 {
 "Provider": "m365",
 "CheckID": "teams_meeting_dial_in_lobby_bypass_disabled",
- "CheckTitle": "Ensure that dial-in users cannot bypass the lobby in Teams meetings",
+ "CheckTitle": "Teams Meetings global policy does not allow dial-in users to bypass the lobby",
 "CheckType": [],
 "ServiceName": "teams",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
- "Severity": "critical",
- "ResourceType": "Teams Global Meeting Policy",
- "Description": "Ensure that dial-in users cannot bypass the lobby in Teams meetings",
- "Risk": "Allowing dial-in users to bypass the lobby may result in unauthorized or unauthenticated individuals joining sensitive meetings without prior validation, increasing the risk of information leakage or meeting disruptions.",
- "RelatedUrl": "https://learn.microsoft.com/en-us/powershell/module/teams/set-csteamsmeetingpolicy?view=teams-ps",
+ "Severity": "high",
+ "ResourceType": "",
+ "Description": "**Teams meeting policies** prevent **PSTN dial-in callers** from bypassing the lobby (`AllowPSTNUsersToBypassLobby=false`), requiring admission by organizers or presenters.",
+ "Risk": "Direct admission of dial-in callers enables unauthenticated access, caller-ID spoofing, and meeting hijacking. Sensitive content can be overheard or recorded (**confidentiality**), discussions manipulated (**integrity**), and sessions disrupted (**availability**).",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://admin.teams.microsoft.com.",
+ "https://learn.microsoft.com/en-us/microsoftteams/who-can-bypass-meeting-lobby",
+ "https://gencarenow.com/blog/b/microsoft-teams-pstn-conferencing-and-bypassing-the-lobby",
+ "https://github.com/MicrosoftDocs/office-docs-powershell/blob/main/teams/teams-ps/teams/Set-CsTeamsMeetingPolicy.md",
+ "https://alyaconsulting.ch/Solutions/MicrosoftTeams/Set-CsTeamsMeetingPolicy",
+ "https://blog.hametbenoit.info/2020/01/06/teams-a-new-meeting-policy-setting-is-available-to-control-dial-in-user-to-bypass-the-lobby/",
+ "https://blog.admindroid.com/major-microsoft-teams-meeting-configurations-to-boost-secure-score-by-8-points/",
+ "https://learn.microsoft.com/en-us/powershell/module/teams/set-csteamsmeetingpolicy?view=teams-ps"
+ ],
 "Remediation": {
 "Code": {
 "CLI": "Set-CsTeamsMeetingPolicy -Identity Global -AllowPSTNUsersToBypassLobby $false",
 "NativeIaC": "",
- "Other": "1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com. 2. Click to expand Meetings select Meeting policies. 3. Click Global (Org-wide default). 4. Under meeting join & lobby set People dialing in can bypass the lobby to Off.",
+ "Other": "1. Sign in to the Microsoft Teams admin center: https://admin.teams.microsoft.com\n2. Go to Meetings > Meeting policies\n3. Select Global (Org-wide default)\n4. In Meeting join & lobby, set \"People dialing in can bypass the lobby\" to Off\n5. Click Save",
 "Terraform": ""
 },
 "Recommendation": {
- "Text": "Require all users dialing in by phone to wait in the lobby until admitted by the meeting organizer, co-organizer, or presenter. This ensures proper vetting before granting access to potentially sensitive discussions.",
- "Url": "https://learn.microsoft.com/en-us/powershell/module/teams/set-csteamsmeetingpolicy?view=teams-ps"
+ "Text": "Enforce the lobby for all **PSTN dial-in callers**. Restrict admission to organizers or presenters, and allow only authenticated or explicitly invited users to bypass. Standardize via org-wide meeting policies or templates to uphold **least privilege** and **defense in depth**.",
+ "Url": "https://hub.prowler.com/check/teams_meeting_dial_in_lobby_bypass_disabled"
 }
 },
 "Categories": [
+ "identity-access",
 "e3"
 ],
 "DependsOn": [],
diff --git a/prowler/providers/m365/services/teams/teams_meeting_external_chat_disabled/teams_meeting_external_chat_disabled.metadata.json b/prowler/providers/m365/services/teams/teams_meeting_external_chat_disabled/teams_meeting_external_chat_disabled.metadata.json
index 9a414f6e3b..fb60d7d67c 100644
--- a/prowler/providers/m365/services/teams/teams_meeting_external_chat_disabled/teams_meeting_external_chat_disabled.metadata.json
+++ b/prowler/providers/m365/services/teams/teams_meeting_external_chat_disabled/teams_meeting_external_chat_disabled.metadata.json
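Review bot: AdditionalURLs grows to eight entries, five of which are third-party blogs or consultancy pages (gencarenow, alyaconsulting, hametbenoit, admindroid) and one of which, the MicrosoftDocs GitHub source of Set-CsTeamsMeetingPolicy.md, is the same document as the learn.microsoft.com cmdlet page listed last. For a reference list that ends up in scan reports, the two Microsoft pages (who-can-bypass-meeting-lobby and the cmdlet reference) carry the guidance; the rest add link-rot exposure without adding information and could be trimmed. The meeting_external_chat_disabled hunk has the same GitHub-duplicate pattern.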
@@ -1,29 +1,38 @@ { "Provider": "m365", "CheckID": "teams_meeting_external_chat_disabled", - "CheckTitle": "Ensure external meeting chat is off", + "CheckTitle": "External meeting chat for untrusted organizations is disabled", "CheckType": [], "ServiceName": "teams", "SubServiceName": "", "ResourceIdTemplate": "", "Severity": "high", - "ResourceType": "Teams Global Meeting Policy", - "Description": "Ensure users can't read or write messages in external meeting chats with untrusted organizations.", - "Risk": "Allowing chat in external meetings increases the risk of exploits like GIFShell or DarkGate malware being delivered to users through untrusted organizations.", - "RelatedUrl": "https://learn.microsoft.com/en-us/powershell/module/teams/set-csteamsmeetingpolicy?view=teams-ps", + "ResourceType": "", + "Description": "**Teams meeting policy** setting `AllowExternalNonTrustedMeetingChat` governs whether users can read or send chat messages in meetings hosted by **untrusted organizations**.\n\nThis assesses the org-wide default policy to confirm external meeting chat with non-trusted tenants is blocked.", + "Risk": "Permitting chat in external meetings with **untrusted tenants** risks:\n- Confidential data exposure via messages/files\n- **Malware delivery** through links or media (e.g., GIF-based techniques)\n- **Social engineering** enabling account compromise and **lateral movement**, degrading confidentiality and integrity", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://learn.microsoft.com/en-us/powershell/module/microsoftteams/set-csteamsmeetingpolicy?view=teams-ps", + "https://admin.teams.microsoft.com.", + "https://github.com/MicrosoftDocs/office-docs-powershell/blob/main/teams/teams-ps/teams/Set-CsTeamsMeetingPolicy.md", + "https://video2.skills-academy.com/en-us/microsoftteams/manage-meeting-chat", + "https://office365itpros.com/2023/10/23/block-meeting-chat-untrusted/", + 
"https://learn.microsoft.com/en-us/powershell/module/teams/set-csteamsmeetingpolicy?view=teams-ps" + ], "Remediation": { "Code": { - "CLI": "Set-CsTeamsMeetingPolicy -Identity Global -AllowExternalNonTrustedMeetingChat $false", + "CLI": "Set-CsTeamsMeetingPolicy -Identity Global -AllowExternalNonTrustedMeetingChat $False", "NativeIaC": "", - "Other": "1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com. 2. Click to expand Meetings select Meeting policies. 3. Click Global (Org-wide default). 4. Under meeting engagement set External meeting chat to Off.", + "Other": "1. Sign in to the Teams admin center: https://admin.teams.microsoft.com\n2. Go to Meetings > Meeting policies\n3. Select Global (Org-wide default)\n4. Under Meeting engagement, set External meeting chat (untrusted organizations) to Off\n5. Click Save", "Terraform": "" }, "Recommendation": { - "Text": "Disable external meeting chat to prevent potential security risks from untrusted organizations. This helps protect against exploits like GIFShell or DarkGate malware.", - "Url": "https://learn.microsoft.com/en-us/powershell/module/teams/set-csteamsmeetingpolicy?view=teams-ps" + "Text": "Block chat for meetings hosted by **non-trusted organizations** and restrict collaboration to a vetted allowlist.\n\nAdopt **defense in depth**: limit content sharing, enable link/file scanning, enforce **DLP**, and user training. Review external trust relationships regularly per **least privilege**.", + "Url": "https://hub.prowler.com/check/teams_meeting_external_chat_disabled" } }, "Categories": [ + "trust-boundaries", "e3" ], "DependsOn": [], diff --git a/prowler/providers/m365/services/teams/teams_meeting_external_control_disabled/teams_meeting_external_control_disabled.metadata.json b/prowler/providers/m365/services/teams/teams_meeting_external_control_disabled/teams_meeting_external_control_disabled.metadata.json index ef46ae25c4..caf484cc74 100644 
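Review bot: The `AdditionalURLs` entry `"https://admin.teams.microsoft.com."` carries a trailing period copied from prose, so the link as written is not a valid target; it should be `"https://admin.teams.microsoft.com"`. The same malformed entry appears in the teams_meeting_external_control_disabled, teams_meeting_external_lobby_bypass_disabled, teams_meeting_presenters_restricted and teams_meeting_recording_disabled hunks, as `"https://admin.teams.microsoft.com)."` in teams_security_reporting_enabled and as `"https://admin.teams.microsoft.com/."` in teams_unmanaged_communication_disabled. Separately, the CLI line flips `$false` to `$False` with no functional effect (PowerShell is case-insensitive) while every sibling hunk keeps `$false`, so the change only adds noise. The `set-csteamsmeetingpolicy` page is also listed twice under the `microsoftteams` and `teams` module paths, and `video2.skills-academy.com` is a third-party mirror of Microsoft documentation — a single canonical learn.microsoft.com reference is the safer citation for a security check.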
--- a/prowler/providers/m365/services/teams/teams_meeting_external_control_disabled/teams_meeting_external_control_disabled.metadata.json +++ b/prowler/providers/m365/services/teams/teams_meeting_external_control_disabled/teams_meeting_external_control_disabled.metadata.json 
@@ -1,29 +1,39 @@ { "Provider": "m365", "CheckID": "teams_meeting_external_control_disabled", - "CheckTitle": "Ensure external participants can't give or request control", + "CheckTitle": "Teams Meetings Global policy prevents external participants from giving or requesting control", "CheckType": [], "ServiceName": "teams", "SubServiceName": "", "ResourceIdTemplate": "", "Severity": "high", - "ResourceType": "Teams Global Meeting Policy", - "Description": "Ensure external participants can't give or request control in Teams meetings.", - "Risk": "Allowing external participants to give or request control during meetings could lead to unauthorized content sharing or malicious actions by external users.", - "RelatedUrl": "https://learn.microsoft.com/en-us/powershell/module/teams/set-csteamsmeetingpolicy?view=teams-ps", + "ResourceType": "", + "Description": "**Teams meeting policies** govern whether **external participants** can give, be given, or request control during screen sharing via `allowExternalParticipantGiveRequestControl`.\n\nEvaluation targets the org-wide default policy to confirm external control actions are blocked.", + "Risk": "External control during sharing enables remote input on the presenter's device, impacting:\n- Confidentiality: viewing/copying sensitive data\n- Integrity: unauthorized changes, keystroke injection, malware launch\n- Availability: session disruption or app termination", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://learn.microsoft.com/en-us/powershell/module/microsoftteams/set-csteamsmeetingpolicy?view=teams-ps", + "https://admin.teams.microsoft.com.", + "https://www.powershellgallery.com/packages/Microsoft365DSC/1.20.716.1/Content/DSCResources\\MSFT_TeamsMeetingPolicy\\MSFT_TeamsMeetingPolicy.psm1", + "https://learn.microsoft.com/en-us/microsoftteams/meeting-who-present-request-control", + "https://alyaconsulting.ch/Solutions/MicrosoftTeams/Set-CsTeamsMeetingPolicy", + 
"https://web.archive.org/web/20200628083544/https://docs.microsoft.com/en-us/microsoftteams/meeting-policies-in-teams", + "https://learn.microsoft.com/en-us/powershell/module/teams/set-csteamsmeetingpolicy?view=teams-ps" + ], "Remediation": { "Code": { "CLI": "Set-CsTeamsMeetingPolicy -Identity Global -AllowExternalParticipantGiveRequestControl $false", "NativeIaC": "", - "Other": "1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com. 2. Click to expand Meetings select Meeting policies. 3. Click Global (Org-wide default). 4. Under content sharing set External participants can give or request control to Off.", + "Other": "1. Open Microsoft Teams admin center: https://admin.teams.microsoft.com\n2. Go to Meetings > Meeting policies\n3. Select Global (Org-wide default)\n4. In Content sharing, set \"External participants can give or request control\" to Off\n5. Click Save", "Terraform": "" }, "Recommendation": { - "Text": "Disable the ability for external participants to give or request control during Teams meetings to prevent unauthorized content sharing and maintain meeting security.", - "Url": "https://learn.microsoft.com/en-us/powershell/module/teams/set-csteamsmeetingpolicy?view=teams-ps" + "Text": "Apply **least privilege**: disable external give/request control by setting `allowExternalParticipantGiveRequestControl=false` in the org-wide policy.\n\nIf business-justified, restrict presenters to trusted users, limit sharing to `SingleApplication`, use lobby/presenter roles, and monitor for misuse.", + "Url": "https://hub.prowler.com/check/teams_meeting_external_control_disabled" } }, "Categories": [ + "identity-access", "e3" ], "DependsOn": [], 
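Review bot: The PowerShell Gallery entry in `AdditionalURLs` encodes `\\` in its path (`DSCResources\\MSFT_TeamsMeetingPolicy\\MSFT_TeamsMeetingPolicy.psm1`), which decodes to literal backslashes inside a URL; the separators should be `/`, and pinning the link to module version `1.20.716.1` makes the reference stale as soon as that version is delisted. The `Recommendation` quotes the setting as `allowExternalParticipantGiveRequestControl=false`, which is neither the cmdlet syntax on the CLI line (`-AllowExternalParticipantGiveRequestControl $false`) nor a Teams admin center label; quoting the cmdlet form keeps the two remediation paths in agreement. The 2020 `web.archive.org` snapshot is a weak reference for a live policy check and could be dropped in favour of the current `meeting-who-present-request-control` page already listed.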
diff --git a/prowler/providers/m365/services/teams/teams_meeting_external_lobby_bypass_disabled/teams_meeting_external_lobby_bypass_disabled.metadata.json b/prowler/providers/m365/services/teams/teams_meeting_external_lobby_bypass_disabled/teams_meeting_external_lobby_bypass_disabled.metadata.json index 60a63bc218..d4a4eb9052 100644 --- a/prowler/providers/m365/services/teams/teams_meeting_external_lobby_bypass_disabled/teams_meeting_external_lobby_bypass_disabled.metadata.json +++ b/prowler/providers/m365/services/teams/teams_meeting_external_lobby_bypass_disabled/teams_meeting_external_lobby_bypass_disabled.metadata.json 
@@ -1,29 +1,35 @@ { "Provider": "m365", "CheckID": "teams_meeting_external_lobby_bypass_disabled", - "CheckTitle": "Ensure only people in the organization can bypass the lobby.", + "CheckTitle": "Teams Meetings global policy allows only people in the organization to bypass the lobby", "CheckType": [], "ServiceName": "teams", "SubServiceName": "", "ResourceIdTemplate": "", - "Severity": "critical", - "ResourceType": "Teams Global Meeting Policy", - "Description": "Ensure only people in the organization can bypass the lobby.", - "Risk": "Allowing external users or unauthenticated participants to bypass the lobby increases the risk of unauthorized access to sensitive meetings and potential disruptions. It may also lead to unscheduled meetings being initiated by external parties.", - "RelatedUrl": "https://learn.microsoft.com/en-us/powershell/module/teams/set-csteamsmeetingpolicy?view=teams-ps", + "Severity": "high", + "ResourceType": "", + "Description": "Teams Meetings global policy restricts **lobby bypass** so only `EveryoneInCompanyExcludingGuests`, `OrganizerOnly`, or `InvitedUsers` are auto-admitted; all others wait in the lobby.", + "Risk": "Auto-admitting external or anonymous users undermines **confidentiality** via covert listening and access to chat/files, and **integrity** through meeting hijacks, malicious screen sharing, and phishing. It also impacts **availability** by enabling disruptions and unsanctioned sessions.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://admin.teams.microsoft.com.", + "https://learn.microsoft.com/en-us/powershell/module/teams/set-csteamsmeetingpolicy?view=teams-ps" + ], "Remediation": { "Code": { - "CLI": "Set-CsTeamsMeetingPolicy -Identity Global -AutoAdmittedUsers 'EveryoneInCompanyExcludingGuests' ", + "CLI": "Set-CsTeamsMeetingPolicy -Identity Global -AutoAdmittedUsers 'EveryoneInCompanyExcludingGuests'", "NativeIaC": "", - "Other": "1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com. 2. 
Click to expand Meetings select Meeting policies. 3. Click Global (Org-wide default). 4. Under meeting join & lobby set Who can bypass the lobby to People in my org.", + "Other": "1. Sign in to the Microsoft Teams admin center (https://admin.teams.microsoft.com)\n2. Go to Meetings > Meeting policies\n3. Select Global (Org-wide default)\n4. Under Meeting join & lobby, set Who can bypass the lobby to People in my org\n5. Click Save", "Terraform": "" }, "Recommendation": { - "Text": "Ensure that only people within the organization can bypass the lobby, requiring external users and dial-in participants to wait for approval from an organizer, co-organizer, or presenter. This helps secure sensitive meetings and prevents unauthorized access.", - "Url": "https://learn.microsoft.com/en-us/powershell/module/teams/set-csteamsmeetingpolicy?view=teams-ps" + "Text": "Apply **least privilege** to lobby admission: set auto-admit to internal-only or to organizer/invitees, and require approval for guests, federated, anonymous, and PSTN. Enforce **authentication** and **conditional access**, and default to limited presenters for **defense in depth**.", + "Url": "https://hub.prowler.com/check/teams_meeting_external_lobby_bypass_disabled" } }, "Categories": [ + "identity-access", + "trust-boundaries", "e3" ], "DependsOn": [], diff --git a/prowler/providers/m365/services/teams/teams_meeting_presenters_restricted/teams_meeting_presenters_restricted.metadata.json b/prowler/providers/m365/services/teams/teams_meeting_presenters_restricted/teams_meeting_presenters_restricted.metadata.json index 3d5064aa53..86c4e842f4 100644 --- a/prowler/providers/m365/services/teams/teams_meeting_presenters_restricted/teams_meeting_presenters_restricted.metadata.json +++ b/prowler/providers/m365/services/teams/teams_meeting_presenters_restricted/teams_meeting_presenters_restricted.metadata.json 
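Review bot: The new `Description` says only `EveryoneInCompanyExcludingGuests`, `OrganizerOnly`, or `InvitedUsers` "are auto-admitted", but those are values of the `-AutoAdmittedUsers` parameter shown on the CLI line, not groups of people, and the sentence reads as if they were; clearer is `"Description": "Teams Meetings global policy restricts **lobby bypass** by setting -AutoAdmittedUsers to EveryoneInCompanyExcludingGuests, OrganizerOnly, or InvitedUsers; all other participants wait in the lobby."`. The `CheckTitle` ("allows only people in the organization to bypass the lobby") is narrower than that accepted set, since `OrganizerOnly` and `InvitedUsers` also pass; title and description should state the same contract. The portal steps set "People in my org", which corresponds to `EveryoneInCompanyExcludingGuests` only, so a reader following the UI path has no hint that the other two values are also compliant — one sentence in `Other` or `Recommendation` would close that gap.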
@@ -1,29 +1,34 @@ { "Provider": "m365", "CheckID": "teams_meeting_presenters_restricted", - "CheckTitle": "Ensure only organizers and co-organizers can present", + "CheckTitle": "Teams Meetings org-wide default policy allows only organizers and co-organizers to present", "CheckType": [], "ServiceName": "teams", "SubServiceName": "", "ResourceIdTemplate": "", - "Severity": "high", - "ResourceType": "Teams Global Meeting Policy", - "Description": "Ensure only organizers and co-organizers can present in a Teams meeting. The recommended state is 'Only organizers and co-organizers'.", - "Risk": "Allowing everyone to present increases the risk that a malicious user can inadvertently show inappropriate content.", - "RelatedUrl": "https://learn.microsoft.com/en-us/microsoftteams/meeting-who-present-request-control", + "Severity": "medium", + "ResourceType": "", + "Description": "**Teams meeting policy** sets the default `Who can present` to **only organizers and co-organizers** in the org-wide policy.\n\nThis evaluates whether attendees are limited to the attendee role by default rather than joining as presenters.", + "Risk": "Allowing everyone to present enables unsolicited screen sharing and content uploads, causing data exposure (confidentiality), misleading or altered information during sessions (integrity), and meeting takeovers or disruptions (availability). External participants can exploit this to distribute phishing links or malware.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://learn.microsoft.com/en-us/microsoftteams/meeting-who-present-request-control", + "https://admin.teams.microsoft.com." + ], "Remediation": { "Code": { "CLI": "Set-CsTeamsMeetingPolicy -Identity Global -DesignatedPresenterRoleMode \"OrganizerOnlyUserOverride\"", "NativeIaC": "", - "Other": "1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com. 2. Click to expand Meetings select Meeting policies. 3. Click Global (Org-wide default). 4. 
Under content sharing set Who can present to Only organizers and co-organizers.", + "Other": "1. Sign in to the Teams admin center: https://admin.teams.microsoft.com\n2. Go to Meetings > Meeting policies\n3. Select Global (Org-wide default)\n4. Under Content sharing, set Who can present to \"Only organizers and co-organizers\"\n5. Click Save", "Terraform": "" }, "Recommendation": { - "Text": "Restrict presentation capabilities to only organizers and co-organizers to reduce the risk of inappropriate content being shown.", - "Url": "https://learn.microsoft.com/en-us/microsoftteams/meeting-who-present-request-control" + "Text": "Set `Who can present` to **Only organizers and co-organizers** by default.\n\nApply **least privilege**:\n- Grant presenter rights only to designated users per meeting\n- Keep others as attendees, especially externals\n- Use lobby/guest controls to limit elevation\n\nAdopt **defense in depth** with monitoring and clear host procedures.", + "Url": "https://hub.prowler.com/check/teams_meeting_presenters_restricted" } }, "Categories": [ + "identity-access", "e3" ], "DependsOn": [], diff --git a/prowler/providers/m365/services/teams/teams_meeting_recording_disabled/teams_meeting_recording_disabled.metadata.json b/prowler/providers/m365/services/teams/teams_meeting_recording_disabled/teams_meeting_recording_disabled.metadata.json index 8effe74064..2476a99553 100644 --- a/prowler/providers/m365/services/teams/teams_meeting_recording_disabled/teams_meeting_recording_disabled.metadata.json +++ b/prowler/providers/m365/services/teams/teams_meeting_recording_disabled/teams_meeting_recording_disabled.metadata.json 
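Review bot: The `Description` puts the portal label `Who can present` in code formatting as if it were the setting the check reads, while the CLI line shows the actual attribute is `-DesignatedPresenterRoleMode` with value `OrganizerOnlyUserOverride`; naming the parameter makes the check traceable to the policy attribute it evaluates, e.g. `"Description": "**Teams meeting policy** sets -DesignatedPresenterRoleMode to OrganizerOnlyUserOverride in the org-wide policy, so \"Who can present\" defaults to only organizers and co-organizers.\n\nThis evaluates whether attendees are limited to the attendee role by default rather than joining as presenters."`. The `Recommendation` bullet "Use lobby/guest controls to limit elevation" names no concrete setting; pointing at the lobby-bypass check in this same series (teams_meeting_external_lobby_bypass_disabled) would make it actionable.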
@@ -1,26 +1,30 @@ { "Provider": "m365", "CheckID": "teams_meeting_recording_disabled", - "CheckTitle": "Ensure meeting recording is disabled by default", + "CheckTitle": "Teams Meetings Global (Org-wide default) policy has meeting recording disabled by default", "CheckType": [], "ServiceName": "teams", "SubServiceName": "", "ResourceIdTemplate": "", - "Severity": "high", - "ResourceType": "Teams Global Meeting Policy", - "Description": "Ensures that only authorized users, such as organizers, co-organizers, and leads, can initiate a recording.", - "Risk": "Allowing meeting recordings by default increases the risk of unauthorized individuals capturing and potentially sharing sensitive meeting content.", - "RelatedUrl": "https://learn.microsoft.com/en-us/powershell/module/teams/set-csteamsmeetingpolicy?view=teams-ps", + "Severity": "medium", + "ResourceType": "", + "Description": "Microsoft Teams Global meeting policy has **cloud meeting recording** disabled by default (`AllowCloudRecording=false`).", + "Risk": "Recording allowed by default enables uncontrolled capture of meetings, threatening **confidentiality**. Files and transcripts persist in collaboration stores and can be broadly shared, leading to insider exfiltration, accidental leakage, and long-lived exposure of sensitive discussions.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://admin.teams.microsoft.com.", + "https://learn.microsoft.com/en-us/powershell/module/teams/set-csteamsmeetingpolicy?view=teams-ps" + ], "Remediation": { "Code": { "CLI": "Set-CsTeamsMeetingPolicy -Identity Global -AllowCloudRecording $false", "NativeIaC": "", - "Other": "1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com. 2. Click to expand Meetings select Meeting policies. 3. Click Global (Org-wide default). 4. Under Recording & transcription set Meeting recording to Off.", + "Other": "1. Sign in to Microsoft Teams admin center: https://admin.teams.microsoft.com\n2. 
Go to Meetings > Meeting policies\n3. Select Global (Org-wide default)\n4. Under Recording & transcription, set Cloud recording to Off\n5. Click Save", "Terraform": "" }, "Recommendation": { - "Text": "Disable meeting recording in the Global meeting policy to ensure only authorized users can initiate recordings. Create separate policies for users or groups who need recording capabilities.", - "Url": "https://learn.microsoft.com/en-us/powershell/module/teams/set-csteamsmeetingpolicy?view=teams-ps" + "Text": "Adopt a stance of **no default recording** and grant recording only to specific roles or groups per **least privilege**. Require explicit consent, restrict sharing to need-to-know, and apply retention and access controls. Periodically review policies as part of **defense in depth** to minimize data exposure.", + "Url": "https://hub.prowler.com/check/teams_meeting_recording_disabled" } }, "Categories": [ diff --git a/prowler/providers/m365/services/teams/teams_security_reporting_enabled/teams_security_reporting_enabled.metadata.json b/prowler/providers/m365/services/teams/teams_security_reporting_enabled/teams_security_reporting_enabled.metadata.json index 2137160f18..1b2a404d9b 100644 --- a/prowler/providers/m365/services/teams/teams_security_reporting_enabled/teams_security_reporting_enabled.metadata.json +++ b/prowler/providers/m365/services/teams/teams_security_reporting_enabled/teams_security_reporting_enabled.metadata.json 
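Review bot: Step 4 of the new `Other` text renames the portal toggle from "Meeting recording" to "Cloud recording"; as far as I can tell the Teams admin center label under Recording & transcription is still "Meeting recording", and "Cloud recording" is the `AllowCloudRecording` cmdlet parameter the `Description` cites, so the UI wording should be verified against the admin center before the label change lands. If both names are wanted, the `Description` can tie them together: `"Description": "Microsoft Teams Global meeting policy has **cloud meeting recording** (portal: \"Meeting recording\") disabled by default (AllowCloudRecording=false)."`. The `Risk` text says recordings "persist in collaboration stores"; naming the actual store (OneDrive/SharePoint, if that matches the linked documentation) would make the retention and access-control recommendation concrete.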
@@ -1,26 +1,33 @@ { "Provider": "m365", "CheckID": "teams_security_reporting_enabled", - "CheckTitle": "Ensure users can report security concerns in Teams", + "CheckTitle": "Teams messaging policy has security reporting enabled", "CheckType": [], "ServiceName": "teams", "SubServiceName": "", "ResourceIdTemplate": "", "Severity": "medium", - "ResourceType": "Teams Global Messaging Policy", - "Description": "Ensure Teams user reporting settings allow a user to report a message as malicious for further analysis", - "Risk": "Without proper security reporting enabled, users cannot effectively report suspicious or malicious messages, potentially allowing security threats to go unnoticed.", - "RelatedUrl": "https://learn.microsoft.com/en-us/defender-office-365/submissions-teams?view=o365-worldwide", + "ResourceType": "", + "Description": "**Teams messaging policies** enable **end-user security reporting** via `AllowSecurityEndUserReporting`, letting users report messages from chats, channels, and meetings for security review.", + "Risk": "**Disabled reporting** hides **phishing, malicious links, and social engineering** in Teams.\n\nThis delays detection and response, enabling **lateral movement** and **data exfiltration**, and degrading **confidentiality** and **integrity**.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://learn.microsoft.com/en-us/powershell/module/microsoftteams/set-csteamsmessagingpolicy?view=teams-ps", + "https://blog.hametbenoit.info/2023/03/30/teams-you-can-now-enable-quarantine-for-teams-preview/", + "https://github.com/MicrosoftDocs/office-docs-powershell/issues/10141", + "https://learn.microsoft.com/en-us/defender-office-365/submissions-teams?view=o365-worldwide", + "https://admin.teams.microsoft.com)." + ], "Remediation": { "Code": { "CLI": "Set-CsTeamsMessagingPolicy -Identity Global -AllowSecurityEndUserReporting $true", "NativeIaC": "", - "Other": "1. Navigate to Microsoft Teams admin center (https://admin.teams.microsoft.com). 2. 
Click to expand Messaging and select Messaging policies. 3. Click Global (Org-wide default). 4. Ensure Report a security concern is On.", + "Other": "1. Sign in to the Microsoft Teams admin center: https://admin.teams.microsoft.com\n2. Go to Messaging policies\n3. Open Global (Org-wide default)\n4. Turn on \"Report a security concern\"\n5. Click Save", "Terraform": "" }, "Recommendation": { - "Text": "Enable security reporting in Teams messaging policy.", - "Url": "https://learn.microsoft.com/en-us/defender-office-365/submissions-teams?view=o365-worldwide" + "Text": "Enable `AllowSecurityEndUserReporting` in relevant messaging policies and route submissions to security operations for timely triage.\n\nReinforce **defense in depth** with link/file protection and monitoring, train users to report suspicious content, and apply **least privilege** to administrative access.", + "Url": "https://hub.prowler.com/check/teams_security_reporting_enabled" } }, "Categories": [ diff --git a/prowler/providers/m365/services/teams/teams_unmanaged_communication_disabled/teams_unmanaged_communication_disabled.metadata.json b/prowler/providers/m365/services/teams/teams_unmanaged_communication_disabled/teams_unmanaged_communication_disabled.metadata.json index cb514a220d..119df7cd42 100644 --- a/prowler/providers/m365/services/teams/teams_unmanaged_communication_disabled/teams_unmanaged_communication_disabled.metadata.json +++ b/prowler/providers/m365/services/teams/teams_unmanaged_communication_disabled/teams_unmanaged_communication_disabled.metadata.json 
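Review bot: The last `AdditionalURLs` entry `"https://admin.teams.microsoft.com)."` still carries the `).` from the old parenthesised remediation sentence, so it is not a usable link; it should read `"https://admin.teams.microsoft.com"`. The `Recommendation` tells readers to "route submissions to security operations", but `AllowSecurityEndUserReporting` only surfaces the report option in the client; where reported Teams messages are delivered is configured in the Defender portal's user-reported settings, which the linked submissions-teams page covers, so the text should state that the Defender side must also be configured or reports go nowhere. The GitHub issue link (`office-docs-powershell/issues/10141`) is a documentation bug tracker rather than guidance and adds little for a reader of this check.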
@@ -1,30 +1,41 @@ { "Provider": "m365", "CheckID": "teams_unmanaged_communication_disabled", - "CheckTitle": "Ensure unmanaged communication is disabled.", + "CheckTitle": "Teams users cannot communicate with unmanaged users", "CheckType": [], "ServiceName": "teams", "SubServiceName": "", "ResourceIdTemplate": "", - "Severity": "critical", - "ResourceType": "Teams Settings", - "Description": "Ensure unmanaged communication is disabled in Teams admin center.", - "Risk": "Allowing communication with unmanaged Microsoft Teams users increases the risk of targeted attacks such as phishing, malware distribution (e.g., DarkGate), and exploitation techniques like GIFShell and username enumeration. Unmanaged accounts are easier for threat actors to create and use as attack vectors.", - "RelatedUrl": "https://learn.microsoft.com/en-us/powershell/module/teams/set-cstenantfederationconfiguration?view=teams-ps", + "Severity": "high", + "ResourceType": "", + "Description": "Teams external access configuration for **unmanaged Teams accounts** is reviewed, expecting the \"Teams accounts not managed by an organization\" option to be `Off`, preventing chats with personal Microsoft accounts.", + "Risk": "Allowing unmanaged accounts enables unsolicited contact that undermines **confidentiality** and **integrity**: attackers can enumerate users, deliver phishing or malware links, and run social-engineering leading to data exfiltration and unauthorized changes. 
It also fuels spam and alert fatigue.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://learn.microsoft.com/en-us/powershell/module/teams/set-cstenantfederationconfiguration?view=teams-ps", + "https://admin.teams.microsoft.com/.", + "https://www.edtechirl.com/p/teams-security-baselines-unmanaged", + "https://github.com/microsoftgraph/msgraph-sdk-go/issues/935", + "https://bhargavs.com/index.php/2024/03/29/combat-spam-in-microsoft-teams/", + "https://learn.microsoft.com/en-us/microsoftteams/trusted-organizations-external-meetings-chat", + "https://helpdesk.sherweb.com/en-us/knowledge-base/articles/KA-02943", + "https://docs.tminus365.com/security/teams/unmanaged-user-access-shall-be-restricted" + ], "Remediation": { "Code": { "CLI": "Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false", "NativeIaC": "", - "Other": "1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com/. 2. Click to expand Users select External access. 3. Scroll to Teams accounts not managed by an organization. 4. Set People in my organization can communicate with Teams users whose accounts aren't managed by an organization to Off. 5. Click Save.", + "Other": "1. Sign in to the Microsoft Teams admin center\n2. Go to Users > External access\n3. Under \"Teams accounts not managed by an organization\", turn OFF \"People in my organization can communicate with Teams users whose accounts aren't managed by an organization\"\n4. Click Save", "Terraform": "" }, "Recommendation": { - "Text": "Disable communication with Teams users whose accounts aren't managed by an organization by setting 'People in my organization can communicate with Teams users whose accounts aren't managed by an organization' to Off. 
This helps prevent unauthorized or risky external interactions.", - "Url": "https://learn.microsoft.com/en-us/powershell/module/teams/set-cstenantfederationconfiguration?view=teams-ps" + "Text": "Disable communication with **unmanaged Teams accounts** to enforce **least privilege** and reduce attack surface.\n\nIf collaboration is needed, allow only outbound initiation, prefer **guest access** or trusted domains, apply **defense in depth** with DLP/link protection, and monitor external interactions.", + "Url": "https://hub.prowler.com/check/teams_unmanaged_communication_disabled" } }, "Categories": [ - "e3" + "e3", + "trust-boundaries" ], "DependsOn": [], "RelatedTo": [],
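Review bot: The `Categories` array here is ordered `"e3", "trust-boundaries"` while the other hunks in this series (e.g. teams_meeting_external_lobby_bypass_disabled) put the new category before `"e3"`; `"trust-boundaries", "e3"` keeps the ordering convention consistent. Step 1 of the new `Other` text drops the admin-center URL that every sibling check keeps, so `1. Sign in to the Microsoft Teams admin center: https://admin.teams.microsoft.com` would match them. The `Recommendation` offers "allow only outbound initiation" as a fallback but the hunk names no setting for it; if the intended control is the inbound-consumer toggle on `Set-CsTenantFederationConfiguration` (`-AllowTeamsConsumerInbound`, per the linked cmdlet page), naming it makes the fallback actionable.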