Teams Meeting Lobby: Only Organization Members Bypass the Lobby

💼 Management Summary

Configuring the Teams meeting lobby so that only organization members are admitted automatically (AutoAdmittedUsers = EveryoneInCompany) makes all external participants (guests, federated users, anonymous users) wait in the lobby until the meeting organizer explicitly admits them. This improves meeting security and prevents unauthorized access.

Recommendation: IMPLEMENT
Risk without: Medium
Risk score: 6/10
Implementation: 3h (technical: 1h)
Applies to: ✓ Microsoft Teams, ✓ M365

The Teams meeting lobby is a security control that determines who can join a meeting automatically and who has to wait for organizer approval. Without proper lobby restrictions:

  1. External participants get instant meeting access without verification: competitors can join meetings unchecked, unauthorized guests infiltrate discussions, and recording bots can harvest data.
  2. Eavesdropping risks: uninvited external attendees hear confidential discussions, meeting recordings are made by unauthorized parties, and business intelligence leaks to external parties.
  3. No accountability: the organizer does not know who joined the meeting (automatic admission means no review), external attendees can remain anonymous (minimal identity verification), and the audit trail is incomplete (who really attended?).

Real-world scenarios: a sales meeting with customers where a competitor analyst joins via a guessed meeting link and overhears pricing strategy discussions; an executive strategy meeting where an external party joins uninvited, records the entire discussion and leaks corporate intelligence; a confidential HR discussion where an unauthorized employee joins, causing privacy violations.

Lobby control mitigates this as follows: organization members (employees) bypass the lobby automatically (convenience); external participants (guests, federated, anonymous) must wait in the lobby (security); the organizer explicitly admits each external attendee (verification); rejected participants cannot join (access denied). This balances productivity (fast internal join) with security (controlled external admission).

Required PowerShell Modules
Primary API: Teams PowerShell
Connection: Connect-MicrosoftTeams
Required modules: MicrosoftTeams

Implementation

This control configures the Teams meeting policy setting AutoAdmittedUsers = EveryoneInCompany (or EveryoneInSameAndFederatedCompany if federated partners are trusted). Effect per participant type:

  1. Organization members (employees with an M365 license in the tenant): bypass the lobby automatically, join instantly, no waiting.
  2. External participants must wait. Anonymous users (no authentication): lobby, organizer must admit. Guests (B2B invited users): lobby, organizer verification required. Federated users (external organization on M365): depends; with EveryoneInCompany they go to the lobby, with EveryoneInSameAndFederatedCompany they bypass it (if the federation is trusted).

Lobby workflow: an external participant joins the meeting and enters the lobby (waiting room); the organizer sees the notification '[Name] is waiting in the lobby'; the organizer admits (allow) or denies (reject); an admitted participant joins the meeting; a rejected participant gets an access denied message.

Best practice configuration: AutoAdmittedUsers = EveryoneInCompany (strictest: even federated users must wait). Alternative (if there is heavy federated collaboration): EveryoneInSameAndFederatedCompany (trusts federated organizations). Avoid: Everyone (no lobby control, a security risk). Per-meeting override: organizers can adjust the setting for a specific meeting if needed. Additional lobby settings: AllowPSTNUsersToBypassLobby = False (dial-in users wait too); AutoAdmittedUsersType governs the behavior. Implementation via Teams admin center → Meeting policies.

Requirements

  1. Microsoft Teams license (M365 E3/E5, Business Premium)
  2. Teams Administrator or Global Administrator role
  3. PowerShell with the MicrosoftTeams module
  4. Meeting organizer training: lobby admission procedures
  5. User awareness: external participants wait in the lobby (communicate the delays)
  6. Business process: which federations are 'trusted' (if considering EveryoneInSameAndFederatedCompany)?
  7. Exception handling: procedure for meetings that require everyone to bypass the lobby (rare)

Implementation

Implementation via Teams admin center:

Use the PowerShell script lobby-org-only.ps1 (function Invoke-Remediation), a PowerShell script for setting AutoAdmittedUsers = EveryoneInCompany.

  1. Teams admin center → Meetings → Meeting policies
  2. Select the Global policy (applies to all users) or create a specific policy
  3. Participants & guests section:
  4. Automatically admit people: People in my organization (recommended)
  5. Alternative: People in my organization and trusted organizations (if federated)
  6. Avoid: Everyone (no lobby control)
  7. Dial-in users can bypass the lobby: Off (PSTN users wait too)
  8. Save the policy
  9. Test: an external participant joins a meeting and should wait in the lobby
  10. Train organizers: how to admit from the lobby (click the 'Admit' button)

PowerShell implementation:

  1. Connect-MicrosoftTeams
  2. Configure the Global policy: Set-CsTeamsMeetingPolicy -Identity Global -AutoAdmittedUsers 'EveryoneInCompany'
  3. Alternative for federated: Set-CsTeamsMeetingPolicy -Identity Global -AutoAdmittedUsers 'EveryoneInSameAndFederatedCompany'
  4. Verify: Get-CsTeamsMeetingPolicy -Identity Global | Select AutoAdmittedUsers
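The steps above, like the baseline script on this page, check only the Global policy, but a user who is assigned a custom meeting policy gets that policy's lobby setting instead. The following audit is an added example (not the page's lobby-org-only.ps1): it evaluates every meeting policy in the tenant for both AutoAdmittedUsers and AllowPSTNUsersToBypassLobby and can optionally correct them. The -TrustFederated switch, the -Remediate switch and the output layout are this example's own choices; it assumes the MicrosoftTeams module and a Teams Administrator session.

```powershell
# Added example, not the baseline script: audit ALL Teams meeting policies for lobby settings.
#Requires -Modules MicrosoftTeams
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$TrustFederated,   # also accept EveryoneInSameAndFederatedCompany
    [switch]$Remediate         # fix non-compliant policies instead of only reporting
)
$ErrorActionPreference = 'Stop'
Connect-MicrosoftTeams | Out-Null

# Lobby values that keep guests and anonymous users waiting for the organizer
$acceptable = @('EveryoneInCompany')
if ($TrustFederated) { $acceptable += 'EveryoneInSameAndFederatedCompany' }

# Get-CsTeamsMeetingPolicy without -Identity returns Global plus every custom
# (Tag:Name) and built-in policy, so policies assigned to users are covered too.
$findings = foreach ($p in Get-CsTeamsMeetingPolicy) {
    [pscustomobject]@{
        Identity          = $p.Identity
        AutoAdmittedUsers = $p.AutoAdmittedUsers
        PSTNBypass        = [bool]$p.AllowPSTNUsersToBypassLobby
        Compliant         = ($p.AutoAdmittedUsers -in $acceptable) -and (-not $p.AllowPSTNUsersToBypassLobby)
    }
}
$findings | Format-Table -AutoSize

$bad = @($findings | Where-Object { -not $_.Compliant })
if ($bad.Count -eq 0) { Write-Host "[OK] Every meeting policy enforces the lobby"; exit 0 }

foreach ($f in $bad) {
    Write-Host "[FAIL] $($f.Identity): AutoAdmittedUsers=$($f.AutoAdmittedUsers) PSTNBypass=$($f.PSTNBypass)"
    if (-not $Remediate) { continue }
    # -WhatIf is honoured through ShouldProcess; Set-CsTeamsMeetingPolicy accepts
    # the same Identity values (e.g. 'Tag:Sales') that Get-CsTeamsMeetingPolicy returned.
    if ($PSCmdlet.ShouldProcess($f.Identity, "Set AutoAdmittedUsers=$($acceptable[0]), AllowPSTNUsersToBypassLobby=False")) {
        try {
            Set-CsTeamsMeetingPolicy -Identity $f.Identity -AutoAdmittedUsers $acceptable[0] -AllowPSTNUsersToBypassLobby $false
            Write-Host "[FIXED] $($f.Identity)"
        } catch {
            # Microsoft's built-in policies are read-only; report and continue with the rest
            Write-Warning "Could not update $($f.Identity): $_"
        }
    }
}
if (-not $Remediate) { exit 1 }
```

Run it with -Remediate -WhatIf first to see which policies would be changed; a non-zero exit code in report mode makes it usable as a scheduled compliance check.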

Monitoring

Use the PowerShell script lobby-org-only.ps1 (function Invoke-Monitoring), which checks the AutoAdmittedUsers policy setting.

  1. Teams admin center: verify that the meeting policy has AutoAdmittedUsers = EveryoneInCompany
  2. Meeting participation reports: track external attendee counts
  3. Organizer feedback: is the lobby workflow manageable? Too many admits?
  4. Security incidents: unauthorized meeting joins (should be 0 with the lobby)
  5. User complaints: are external participants delayed by the lobby? (acceptable trade-off)

Compliance and Auditing

Lobby rules contribute to meeting security compliance: CIS Microsoft 365 Foundations Benchmark control 4.1.3 (Ensure the meeting lobby is configured appropriately), BIO 11.02 (Access security - access verification), ISO 27001:2022 A.11.1.5 (Segregation - physical and logical separation), NIS2 Article 21 (Access control and authentication for meetings with sensitive information). Lobby control prevents unauthorized access to business discussions.

Remediation

Use the PowerShell script lobby-org-only.ps1 (function Invoke-Remediation) to restore the setting.


Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell
<#
.SYNOPSIS
    Lobby for Organization Only
.DESCRIPTION
    Ensures only organization members bypass the meeting lobby.
    -Monitoring reports the AutoAdmittedUsers value of the Global meeting policy
    (exit code 0 = compliant, 1 = non-compliant, 2 = error).
    -Remediation sets AutoAdmittedUsers to EveryoneInCompany.
.NOTES
    NL Baseline v2.0
#>
#Requires -Version 5.1
#Requires -Modules MicrosoftTeams
[CmdletBinding()]
param([switch]$Monitoring, [switch]$Remediation, [switch]$Revert, [switch]$WhatIf)

$ErrorActionPreference = 'Stop'

Write-Host "`n========================================" -ForegroundColor Cyan
Write-Host "Lobby Organization Only" -ForegroundColor Cyan
Write-Host "========================================`n" -ForegroundColor Cyan

function Invoke-Monitoring {
    try {
        Connect-MicrosoftTeams -ErrorAction Stop | Out-Null
        $policy    = Get-CsTeamsMeetingPolicy -Identity Global
        $autoAdmit = $policy.AutoAdmittedUsers
        # Both values keep guests and anonymous users in the lobby; only the
        # federated variant lets trusted federated organizations bypass it.
        $isSecure = $autoAdmit -in @('EveryoneInCompany', 'EveryoneInSameAndFederatedCompany')

        Write-Host "  Auto-Admit Users: $autoAdmit" -ForegroundColor $(if ($isSecure) { 'Green' } else { 'Red' })
        Write-Host "`n  Options:" -ForegroundColor Cyan
        Write-Host "  • EveryoneInCompany: Organization only (most secure)" -ForegroundColor Gray
        Write-Host "  • EveryoneInSameAndFederatedCompany: Includes federated" -ForegroundColor Gray
        Write-Host "  • Everyone: All bypass lobby (least secure)" -ForegroundColor Gray

        if ($isSecure) {
            Write-Host "`n[OK] COMPLIANT" -ForegroundColor Green
            exit 0
        } else {
            Write-Host "`n[FAIL] NON-COMPLIANT" -ForegroundColor Red
            exit 1
        }
    } catch {
        Write-Host "ERROR: $_" -ForegroundColor Red
        exit 2
    }
}

function Invoke-Remediation {
    try {
        if ($WhatIf) {
            Write-Host "  [WhatIf] Would set AutoAdmittedUsers to EveryoneInCompany on the Global policy" -ForegroundColor Yellow
            exit 0
        }
        Connect-MicrosoftTeams -ErrorAction Stop | Out-Null
        Set-CsTeamsMeetingPolicy -Identity Global -AutoAdmittedUsers 'EveryoneInCompany'
        Write-Host "`n[OK] Set to organization only" -ForegroundColor Green
        exit 0
    } catch {
        Write-Host "ERROR: $_" -ForegroundColor Red
        exit 2
    }
}

function Invoke-Revert {
    Write-Host "`nReverting configuration..." -ForegroundColor Cyan
    try {
        if ($WhatIf) {
            Write-Host "  [WhatIf] Would revert configuration" -ForegroundColor Yellow
            return
        }
        # Revert is a placeholder in this baseline: the previous AutoAdmittedUsers
        # value is not recorded, so restoring it requires manual implementation per control.
        Write-Warning "No automated revert implemented; restore the previous AutoAdmittedUsers value manually"
        Write-Host "`nRevert completed" -ForegroundColor Green
    } catch {
        Write-Error "Error during revert: $_"
        throw
    }
}

try {
    if ($Monitoring)      { Invoke-Monitoring }
    elseif ($Remediation) { Invoke-Remediation }
    elseif ($Revert)      { Invoke-Revert }
    else { Write-Host "Use: -Monitoring | -Remediation | -Revert" -ForegroundColor Yellow }
} catch {
    throw
} finally {
    Write-Host "`n========================================`n" -ForegroundColor Cyan
}

Risk without implementation

Medium: MEDIUM RISK: External participants without lobby control means unauthorized meeting access. Competitors, uninvited guests and recording bots can join meetings without verification. Confidential business discussions are exposed. Recent: Zoom-bombing equivalents in Teams, where unauthorized parties disrupt or record meetings. With lobby control the organizer gate-keeps external access (verification before admission).

Management Summary

Configure the Teams lobby: AutoAdmittedUsers = EveryoneInCompany. Organization members bypass the lobby (convenience), external participants wait for organizer admission (security). Meets CIS 4.1.3 and BIO 11.02. Implementation: 1-3 hours including organizer training. Recommended for all organizations with external meeting participants.