Teams: Restrict Team Creation To Approved Users

💼 Management Summary

Restrict Teams/M365 Group creation to an approved security group; this prevents team sprawl and shadow IT (uncontrolled collaboration spaces).

Recommendation
IMPLEMENT
Risk without implementation
Medium
Risk Score
6/10
Implementation
13h (tech: 3h)
Applies to:
✓ Microsoft Teams

Uncontrolled team creation is a governance nightmare. Default: ALL users can create Teams (anyone gets the 'New team' button). Team sprawl: 1000+ Teams created (duplicate teams, abandoned teams, no ownership). Data sprawl: each Team is a SharePoint site (storage costs, data retention, compliance scope). Shadow IT: unmanaged collaboration (no DLP, no governance, external sharing misconfiguration). Attack: a malicious user creates an 'HR Confidential' Team → invites outsiders → data exfiltration. Governance: restrict creation → security group 'Team Creators' (approved users: IT, managers, project leads) → controlled Team lifecycle.

PowerShell Modules Required
Primary API: Microsoft Graph API
Connection: Connect-MgGraph
Required Modules: Microsoft.Graph.Groups, MicrosoftTeams

Implementation

Restrict Team creation through the Azure AD policy 'Office 365 Groups creation = security group only'. Approved group: 'M365-Team-Creators' (IT admins, managers, project leads). Effect: regular users cannot create Teams (they request one via helpdesk/form); approved users can create them, with accountability. Governance: naming conventions, expiration policies, ownership requirements.

Requirements

  1. Azure AD Premium P1
  2. Security group: 'M365-Team-Creators'
  3. Governance framework: Team request process, naming conventions, lifecycle policies

Implementation

Azure AD Portal → Groups → General → Users can create Microsoft 365 groups: No → Select groups: 'M365-Team-Creators'. Effect: only members of this group can create Teams. Helpdesk: Team request form (approval workflow).
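The same restriction applied and verified with Microsoft Graph PowerShell, added here as an example and not the baseline's own script. It assumes the Microsoft.Graph.Groups module, an existing security group named 'M365-Team-Creators', and uses Microsoft's documented 'Group.Unified' directory-setting template with its EnableGroupCreation and GroupCreationAllowedGroupId values; the -Apply switch and the Test-CreationRestricted function are names chosen for this example.

```powershell
#Requires -Modules Microsoft.Graph.Groups
# Added example, not the baseline's own script: check (and with -Apply, set) the
# 'Group.Unified' directory setting so only members of one security group can
# create M365 groups and therefore Teams. Assumes the group already exists.
param(
    [string]$CreatorGroupName = 'M365-Team-Creators',
    [switch]$Apply
)
$ErrorActionPreference = 'Stop'
Connect-MgGraph -Scopes 'Directory.ReadWrite.All', 'Group.Read.All'

$creators = Get-MgGroup -Filter "displayName eq '$CreatorGroupName'"
if (-not $creators) { throw "Security group '$CreatorGroupName' not found" }
# Tenant-wide group settings are instances of the 'Group.Unified' template.
$template = Get-MgGroupSettingTemplate | Where-Object DisplayName -eq 'Group.Unified'
$setting  = Get-MgGroupSetting        | Where-Object DisplayName -eq 'Group.Unified'

function Test-CreationRestricted {
    param($Setting, [string]$AllowedGroupId)
    # No Group.Unified instance means template defaults apply: everyone may create.
    if (-not $Setting) { return $false }
    $v = @{}
    $Setting.Values | ForEach-Object { $v[$_.Name] = $_.Value }
    return ($v['EnableGroupCreation'] -eq 'false') -and
           ($v['GroupCreationAllowedGroupId'] -eq $AllowedGroupId)
}

if (Test-CreationRestricted $setting $creators.Id) {
    Write-Host "[OK] Group/Teams creation restricted to '$CreatorGroupName'" -ForegroundColor Green
    return
}
Write-Host "[FAIL] Any user can create M365 groups and Teams" -ForegroundColor Red
if (-not $Apply) { return }
# Start from the current values (or the template defaults) so the other
# Group.Unified settings are preserved; every value is a string in this API.
$values = if ($setting) {
    $setting.Values  | ForEach-Object { @{ Name = $_.Name; Value = $_.Value } }
} else {
    $template.Values | ForEach-Object { @{ Name = $_.Name; Value = $_.DefaultValue } }
}
($values | Where-Object Name -eq 'EnableGroupCreation').Value         = 'false'
($values | Where-Object Name -eq 'GroupCreationAllowedGroupId').Value = $creators.Id

if ($setting) {
    Update-MgGroupSetting -GroupSettingId $setting.Id -Values $values
} else {
    New-MgGroupSetting -DisplayName 'Group.Unified' -TemplateId $template.Id -Values $values
}
Write-Host "[FIXED] Only members of '$CreatorGroupName' can now create Teams" -ForegroundColor Yellow
```

Run without -Apply as the monitoring check (it returns after the [OK]/[FAIL] line); with -Apply it also writes the setting, which needs the Directory.ReadWrite.All consent.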

Compliance

BIO 09.02 (Access management), ISO 27001 A.9.2.1, GDPR (AVG) Art. 32 (Data governance).

Monitoring

Use the PowerShell script unmanaged-teams-disabled.ps1 (function Invoke-Monitoring) – Check.

Remediation

Use the PowerShell script unmanaged-teams-disabled.ps1 (function Invoke-Remediation) – Remediate.

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell

<#
.SYNOPSIS
    Unmanaged Teams Disabled
.DESCRIPTION
    Prevents use of personal Teams accounts in organizational context
.NOTES
    NL Baseline v2.0
#>
#Requires -Version 5.1
#Requires -Modules MicrosoftTeams
[CmdletBinding()]
param(
    [switch]$Monitoring,
    [switch]$Remediation
)
$ErrorActionPreference = 'Stop'

Write-Host "`n========================================" -ForegroundColor Cyan
Write-Host "Unmanaged Teams Disabled" -ForegroundColor Cyan
Write-Host "========================================`n" -ForegroundColor Cyan

function Invoke-Monitoring {
    try {
        Connect-MicrosoftTeams -ErrorAction Stop
        $config = Get-CsTeamsClientConfiguration
        $result = @{
            isCompliant        = (-not $config.AllowTeamsConsumer)
            allowConsumerTeams = $config.AllowTeamsConsumer
        }
        Write-Host " Teams Consumer (Unmanaged): $(if ($result.allowConsumerTeams) { 'ALLOWED' } else { 'BLOCKED' })" -ForegroundColor $(if (-not $result.allowConsumerTeams) { 'Green' } else { 'Red' })
        Write-Host "`n Security Benefits:" -ForegroundColor Cyan
        Write-Host " • Prevents personal Teams account usage" -ForegroundColor Gray
        Write-Host " • Maintains organizational control" -ForegroundColor Gray
        Write-Host " • Reduces security risks" -ForegroundColor Gray
        Write-Host " • Ensures proper governance" -ForegroundColor Gray
        Write-Host "`n Security: Prevent use of personal Teams accounts in org context" -ForegroundColor Gray
        if ($result.isCompliant) {
            Write-Host "`n[OK] COMPLIANT - Unmanaged Teams blocked" -ForegroundColor Green
            exit 0
        } else {
            Write-Host "`n[FAIL] NON-COMPLIANT - Unmanaged Teams allowed!" -ForegroundColor Red
            exit 1
        }
    } catch {
        Write-Host "ERROR: $_" -ForegroundColor Red
        exit 2
    }
}

function Invoke-Remediation {
    <#
    .SYNOPSIS
        Restores the configuration to the desired state
    .DESCRIPTION
        This is a monitoring-only control; remediation delegates to monitoring
    #>
    [CmdletBinding()]
    param()
    Write-Host "[INFO] Dit is een monitoring-only control" -ForegroundColor Yellow
    Write-Host "[INFO] Running monitoring check..." -ForegroundColor Cyan
    Invoke-Monitoring
}

# Dispatch runs last: a script executes top-down, so both functions must be defined above.
try {
    if ($Remediation) {
        Invoke-Remediation
    } elseif ($Monitoring) {
        Invoke-Monitoring
    } else {
        Write-Host "Use: -Monitoring or -Remediation" -ForegroundColor Yellow
    }
} catch {
    throw
} finally {
    Write-Host "`n========================================`n" -ForegroundColor Cyan
}

Risk without implementation

Medium: Uncontrolled Teams = sprawl (1000+ Teams, no governance, shadow IT).

Management Summary

Restrict Teams creation to an approved security group. Governance control. Prevents sprawl. Helpdesk request workflow. Implementation: 3-13 hours.