2 changes: 2 additions & 0 deletions prowler/CHANGELOG.md
Expand Up @@ -18,6 +18,8 @@ All notable changes to the **Prowler SDK** are documented in this file.
- Update AWS Shield service metadata to new format [(#9427)](https://github.com/prowler-cloud/prowler/pull/9427)
- Update AWS Secrets Manager service metadata to new format [(#9408)](https://github.com/prowler-cloud/prowler/pull/9408)
- Improve SageMaker service tag retrieval with parallel execution [(#9609)](https://github.com/prowler-cloud/prowler/pull/9609)
- Update M365 Teams service metadata to new format [(#9685)](https://github.com/prowler-cloud/prowler/pull/9685)


---

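Review bot: the changelog line describes this as a metadata format update only, yet two of the Teams check files in this PR also lower `Severity` from `critical` to `high` (teams_external_users_cannot_start_conversations and teams_meeting_anonymous_user_join_disabled). A severity change is user-visible for anyone filtering or alerting on it, so either add a separate entry for it or extend this line to say the severities were revised.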
@@ -1,30 +1,35 @@
{
"Provider": "m365",
"CheckID": "teams_email_sending_to_channel_disabled",
"CheckTitle": "Ensure users are not be able to email the channel directly.",
"CheckTitle": "Email to Teams channel addresses is disabled",
"CheckType": [],
"ServiceName": "teams",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "Teams Settings",
"Description": "Ensure users can not send emails to channel email addresses.",
"Risk": "Allowing users to send emails to Teams channel email addresses introduces a security risk, as these addresses are outside the tenant’s domain and lack proper security controls. This creates a potential attack vector where threat actors could exploit the channel email to deliver malicious content or spam.",
"RelatedUrl": "https://learn.microsoft.com/en-us/powershell/module/teams/get-csteamsclientconfiguration?view=teams-ps",
"ResourceType": "",
"Description": "Microsoft Teams tenant configuration for **channel email addresses** determines if channels can receive messages via email. This evaluates the `allow_email_into_channel` setting.",
"Risk": "Allowing email into channels lets outsiders inject content, links, and attachments into Teams. Leaked addresses enable **phishing**, **malware delivery**, and spam, undermining **confidentiality** and **integrity**, and adding noise that affects **availability**; posts may bypass user-authenticated context.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://admin.teams.microsoft.com.",
"https://learn.microsoft.com/en-us/powershell/module/teams/get-csteamsclientconfiguration?view=teams-ps"
],
"Remediation": {
"Code": {
"CLI": "Set-CsTeamsClientConfiguration -Identity Global -AllowEmailIntoChannel $false",
"NativeIaC": "",
"Other": "1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com. 2. Click to expand Teams select Teams settings. 3. Under email integration set Users can send emails to a channel email address to Off.",
"Other": "1. Sign in to the Microsoft Teams admin center: https://admin.teams.microsoft.com\n2. Go to Teams > Teams settings\n3. Under Email integration, set \"Users can send emails to a channel email address\" to Off\n4. Click Save",
"Terraform": ""
},
"Recommendation": {
"Text": "Disable the ability for users to send emails to Teams channel email addresses to reduce the risk of external abuse and enhance control over organizational communications.",
"Url": "https://learn.microsoft.com/en-us/powershell/module/teams/get-csteamsclientconfiguration?view=teams-ps"
"Text": "Disable email into channels by default. If needed, limit senders to approved domains, apply anti-phishing/malware filtering, enforce DLP and retention on inbound mail, monitor postings, rotate channel addresses, and prefer authenticated connectors-applying **least privilege** and **defense in depth**.",
"Url": "https://hub.prowler.com/check/teams_email_sending_to_channel_disabled"
}
},
"Categories": [
"e3"
"email-security",
"internet-exposed"
],
"DependsOn": [],
"RelatedTo": [],
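Review bot: the first `AdditionalURLs` entry, `"https://admin.teams.microsoft.com."`, carries a trailing period copied from the old prose remediation step; drop it so the link resolves cleanly. Two smaller points in the same hunk: `ResourceType` goes from `"Teams Settings"` to an empty string, which looks like a regression unless the new format intentionally drops it, and the `Recommendation.Text` has `connectors-applying`, where a dash or separator between "connectors" and "applying" was lost in editing.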
@@ -1,29 +1,39 @@
{
"Provider": "m365",
"CheckID": "teams_external_domains_restricted",
"CheckTitle": "Ensure external domains are restricted.",
"CheckTitle": "External domain access is disabled for Teams users",
"CheckType": [],
"ServiceName": "teams",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "Teams Settings",
"Description": "Ensure external domains are restricted from being used in Teams admin center.",
"Risk": "Allowing unrestricted communication with external domains in Microsoft Teams increases the risk of exposure to social engineering attacks, phishing, malware delivery (e.g., DarkGate), and exploitation tactics such as GIFShell or username enumeration.",
"RelatedUrl": "https://learn.microsoft.com/en-us/powershell/module/teams/set-cstenantfederationconfiguration?view=teams-ps",
"ResourceType": "",
"Description": "**Microsoft Teams** tenant external access configuration is assessed. The expected posture is **federation with external domains** disabled, so users cannot chat, call, or meet with accounts in other domains.",
"Risk": "**Unrestricted external federation** enables delivery of phishing links and malware via chats/calls, user enumeration, and data leakage through messages or file shares. This directly threatens **confidentiality** and **integrity**, and can aid social engineering-driven lateral movement.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://learn.microsoft.com/en-us/powershell/module/teams/set-cstenantfederationconfiguration?view=teams-ps",
"https://admin.teams.microsoft.com/.",
"https://learn.microsoft.com/ar-sa/entra/architecture/5-secure-access-b2b",
"https://vmwaretroubleshooter.com/breaking-down-information-barriers-for-external-users-in-teams-microsoft-community-hub/",
"https://www.solutions2share.com/microsoft-teams-security-collaboration/",
"https://www.thatlazyadmin.com/2019/03/28/microsoft-teams-cant-chat-external-domains/",
"https://cybersecuritynews.com/microsoft-teams-defender-portal/"
],
"Remediation": {
"Code": {
"CLI": "Set-CsTenantFederationConfiguration -AllowFederatedUsers $false",
"NativeIaC": "",
"Other": "1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com/. 2. Click to expand Users select External access. 3. Under Teams and Skype for Business users in external organizations set Choose which external domains your users have access to to one of the following: Allow only specific external domains or Block all external domains. 4. Click Save.",
"Other": "1. Sign in to the Teams admin center: https://admin.teams.microsoft.com/\n2. Go to Org-wide settings (or Users) > External access\n3. Turn off \"Users can communicate with other Skype for Business and Teams users\"\n4. Click Save",
"Terraform": ""
},
"Recommendation": {
"Text": "Restrict external collaboration by configuring Teams to either Block all external domains or Allow only specific, trusted external domains. This ensures users can only interact with vetted organizations, significantly reducing the attack surface.",
"Url": "https://learn.microsoft.com/en-us/powershell/module/teams/set-cstenantfederationconfiguration?view=teams-ps"
"Text": "Adopt a **default-deny** stance: disable external access. *If collaboration is required*, allowlist only trusted domains and apply **least privilege** with cross-tenant policies. Prefer **B2B guest/shared channels**, require **MFA** and compliant devices, and review logs and domain lists regularly.",
"Url": "https://hub.prowler.com/check/teams_external_domains_restricted"
}
},
"Categories": [
"trust-boundaries",
"e3"
],
"DependsOn": [],
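Review bot: the `AdditionalURLs` list has two link hygiene issues: `"https://admin.teams.microsoft.com/."` ends with a stray period, and the Entra architecture link uses the `ar-sa` locale (`https://learn.microsoft.com/ar-sa/entra/architecture/5-secure-access-b2b`) where the rest of the file uses `en-us`. Consider also whether four third-party blog posts belong in check metadata alongside the Microsoft references. Separately, the new `Description` states the expected posture is federation fully disabled, while the `Recommendation.Text` says an allowlist of trusted domains is acceptable; make clear whether a tenant with an allowlist passes or fails this check, since the old `Other` step explicitly offered "Allow only specific external domains" as a remediation and the new one does not.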
@@ -1,29 +1,34 @@
{
"Provider": "m365",
"CheckID": "teams_external_file_sharing_restricted",
"CheckTitle": "Ensure external file sharing in Teams is enabled for only approved cloud storage services",
"CheckTitle": "Teams external file sharing is restricted to only approved cloud storage services",
"CheckType": [],
"ServiceName": "teams",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "Teams Settings",
"Description": "",
"Risk": "Allowing unrestricted third-party cloud storage services in Teams increases the risk of data exfiltration, compliance violations, and unauthorized access to sensitive information. Users may store or share data through unapproved platforms with weaker security controls.",
"RelatedUrl": "https://learn.microsoft.com/en-us/powershell/module/teams/get-csteamsclientconfiguration?view=teams-ps",
"ResourceType": "",
"Description": "Microsoft Teams client settings restrict **external file sharing** via third-party storage providers to an approved allowlist. Configuration is considered in place when only sanctioned providers are enabled, or when all non-approved providers are disabled.",
"Risk": "Unrestricted third-party storage in Teams weakens **confidentiality** and **integrity**:\n- Data may bypass DLP, eDiscovery, and retention\n- Sensitive files can be shared to unmanaged tenants\n- Unvetted apps can deliver tampered content, enabling **data exfiltration** and **malware**",
"RelatedUrl": "",
"AdditionalURLs": [
"https://admin.teams.microsoft.com.",
"https://learn.microsoft.com/en-us/powershell/module/teams/get-csteamsclientconfiguration?view=teams-ps"
],
"Remediation": {
"Code": {
"CLI": "Set-CsTeamsClientConfiguration -AllowGoogleDrive $false -AllowShareFile $false -AllowBox $false -AllowDropBox $false -AllowEgnyte $false",
"CLI": "Set-CsTeamsClientConfiguration -AllowGoogleDrive $false -AllowShareFile $false -AllowBox $false -AllowDropbox $false -AllowEgnyte $false",
"NativeIaC": "",
"Other": "1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com. 2. Click to expand Teams select Teams settings. 3. Set any unauthorized providers to Off.",
"Other": "1. Go to https://admin.teams.microsoft.com and sign in\n2. Navigate to Teams > Teams settings\n3. Under Files > Third-party storage, turn Off any unapproved providers (Box, Dropbox, Google Drive, Egnyte, ShareFile)\n4. Click Save",
"Terraform": ""
},
"Recommendation": {
"Text": "Restrict external file sharing in Teams to only approved cloud storage providers, such as SharePoint Online and OneDrive. Configure Teams policies to block unauthorized services and enforce compliance with organizational data protection standards.",
"Url": "https://learn.microsoft.com/en-us/powershell/module/teams/get-csteamsclientconfiguration?view=teams-ps"
"Text": "Adopt a **deny-by-default allowlist** for Teams file sharing with third-party storage.\n- Enable only vetted providers aligned with governance\n- Prefer **SharePoint Online/OneDrive** for collaboration\n- Enforce **least privilege**, DLP, and eDiscovery on allowed paths\n- Block unsanctioned apps and limit external sharing to trusted domains",
"Url": "https://hub.prowler.com/check/teams_external_file_sharing_restricted"
}
},
"Categories": [
"trust-boundaries",
"e3"
],
"DependsOn": [],
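Review bot: `"https://admin.teams.microsoft.com."` in `AdditionalURLs` has a trailing period that should be removed. The `CLI` change from `-AllowDropBox` to `-AllowDropbox` is a harmless casing fix since PowerShell parameter names are case-insensitive, but it is worth noting in the PR description so reviewers do not read it as a behavioural change. The `Risk` and `Recommendation.Text` strings now embed `\n-` markdown bullets; confirm the consumers of this metadata render markdown, otherwise these will show as literal newlines and dashes.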
@@ -1,29 +1,37 @@
{
"Provider": "m365",
"CheckID": "teams_external_users_cannot_start_conversations",
"CheckTitle": "Ensure external users cannot start conversations.",
"CheckTitle": "External Teams users cannot start conversations",
"CheckType": [],
"ServiceName": "teams",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "critical",
"ResourceType": "Teams Settings",
"Description": "Ensure external users cannot initiate conversations.",
"Risk": "Allowing unmanaged external Teams users to initiate conversations increases the risk of phishing, malware distribution such as DarkGate, social engineering attacks like those by Midnight Blizzard, GIFShell exploitation, and username enumeration.",
"RelatedUrl": "https://learn.microsoft.com/en-us/powershell/module/teams/set-cstenantfederationconfiguration?view=teams-ps",
"Severity": "high",
"ResourceType": "",
"Description": "**Teams external access** blocks conversation initiation from **unmanaged Teams accounts** when `AllowTeamsConsumerInbound=false`.",
"Risk": "Permitting unmanaged externals to start chats enables **phishing**, **malware delivery**, and **social engineering**, leading to credential theft and data exfiltration. It also allows **user enumeration** and presence probing, aiding **account takeover** and lateral movement, impacting confidentiality and integrity.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://learn.microsoft.com/en-us/powershell/module/teams/set-cstenantfederationconfiguration?view=teams-ps",
"https://admin.teams.microsoft.com/.",
"https://learn.microsoft.com/en-us/microsoftteams/trusted-organizations-external-meetings-chat",
"https://learn.microsoft.com/en-us/entra/architecture/9-secure-access-teams-sharepoint",
"https://learn.microsoft.com/en-us/microsoftteams/communicate-with-users-from-other-organizations"
],
"Remediation": {
"Code": {
"CLI": "Set-CsTenantFederationConfiguration -AllowTeamsConsumerInbound $false",
"NativeIaC": "",
"Other": "1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com/. 2. Click to expand Users select External access. 3. Scroll to Teams accounts not managed by an organization. 4. Uncheck External users with Teams accounts not managed by an organization can contact users in my organization. 5. Click Save.",
"Other": "1. Sign in to the Teams admin center: https://admin.teams.microsoft.com/\n2. Go to Users > External access\n3. Under \"Teams accounts not managed by an organization\", clear the checkbox \"External users with Teams accounts not managed by an organization can contact users in my organization\"\n4. Click Save",
"Terraform": ""
},
"Recommendation": {
"Text": "Disable the ability for external Teams users not managed by an organization to initiate conversations by unchecking the option that permits them to contact users in your organization. This provides an added layer of protection, especially if exceptions are made to allow limited communication with unmanaged users.",
"Url": "https://learn.microsoft.com/en-us/powershell/module/teams/set-cstenantfederationconfiguration?view=teams-ps"
"Text": "Disable inbound initiation from unmanaged accounts (`AllowTeamsConsumerInbound=false`). If external collaboration is required, prefer **allowlists** for trusted domains and use **guest access** with **least privilege**. Apply **defense in depth**: conditional access, link/file scanning, user education, and monitor for anomalous external chats.",
"Url": "https://hub.prowler.com/check/teams_external_users_cannot_start_conversations"
}
},
"Categories": [
"trust-boundaries",
"e3"
],
"DependsOn": [],
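Review bot: `Severity` drops from `critical` to `high` here without any rationale in the hunk or the changelog; please justify the downgrade in the PR description. The new `Description` reads as a statement of a configured state ("blocks conversation initiation ... when `AllowTeamsConsumerInbound=false`") rather than a description of what the check evaluates; phrasing it as "This check verifies that `AllowTeamsConsumerInbound` is false ..." would match the other files. `"https://admin.teams.microsoft.com/."` in `AdditionalURLs` again has a trailing period.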
@@ -1,29 +1,34 @@
{
"Provider": "m365",
"CheckID": "teams_meeting_anonymous_user_join_disabled",
"CheckTitle": "Ensure anonymous users are not able to join meetings.",
"CheckTitle": "Anonymous users cannot join Teams meetings",
"CheckType": [],
"ServiceName": "teams",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "critical",
"ResourceType": "Teams Global Meeting Policy",
"Description": "Ensure individuals who are not sent or forwarded a meeting invite will not be able to join the meeting automatically.",
"Risk": "Allowing anonymous users to join meetings can lead to unauthorized access, information leakage, and potential disruptions, especially in meetings involving sensitive data.",
"RelatedUrl": "https://learn.microsoft.com/en-us/powershell/module/teams/set-csteamsmeetingpolicy?view=teams-ps",
"Severity": "high",
"ResourceType": "",
"Description": "**Microsoft Teams** org-wide meeting policy is evaluated to ensure **anonymous meeting join** is disabled, preventing non-authenticated participants from joining.",
"Risk": "Anonymous meeting access allows unaccountable attendees to join, eavesdrop, capture shared content, and impersonate others.\n\nThis undermines **confidentiality** and **integrity**, and threatens **availability** via meeting hijacking, spam, and disruption.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://admin.teams.microsoft.com.",
"https://learn.microsoft.com/en-us/powershell/module/teams/set-csteamsmeetingpolicy?view=teams-ps"
],
"Remediation": {
"Code": {
"CLI": "Set-CsTeamsMeetingPolicy -Identity Global -AllowAnonymousUsersToJoinMeeting $false",
"NativeIaC": "",
"Other": "1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com. 2. Click to expand Meetings select Meeting policies. 3. Click Global (Org-wide default). 4. Under meeting join & lobby set Anonymous users can join a meeting to Off.",
"Other": "1. Sign in to the Microsoft Teams admin center (https://admin.teams.microsoft.com)\n2. Go to Meetings > Meeting policies\n3. Select Global (Org-wide default)\n4. Set \"Anonymous users can join a meeting\" to Off\n5. Click Save",
"Terraform": ""
},
"Recommendation": {
"Text": "Disable anonymous user access to Microsoft Teams meetings to ensure only invited participants can join. This adds a layer of vetting by requiring organizer approval for anyone not explicitly invited.",
"Url": "https://learn.microsoft.com/en-us/powershell/module/teams/set-csteamsmeetingpolicy?view=teams-ps"
"Text": "Disable **anonymous meeting join** tenant-wide and require authenticated users or managed guests.\n\nUse **lobby** admission for externals, limit presenter rights per **least privilege**, and enforce **conditional access** or registration to control who enters.",
"Url": "https://hub.prowler.com/check/teams_meeting_anonymous_user_join_disabled"
}
},
"Categories": [
"identity-access",
"e3"
],
"DependsOn": [],
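Review bot: as with the previous file, `Severity` goes from `critical` to `high` with no explanation; note the reason in the PR. `"https://admin.teams.microsoft.com."` in `AdditionalURLs` has a trailing period to remove. The `Recommendation.Text` also refers to lobby admission and presenter rights, which are separate meeting policy settings from `-AllowAnonymousUsersToJoinMeeting`; that is fine as guidance, but the text should not imply the check verifies them.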