(Updated) Microsoft Teams: Apps now supported in Private Channels
🚨 The Signal: Microsoft Teams private channels now support all apps, including bots and message extensions. This expands collaboration but introduces new vectors for data exposure and compliance risks within previously more isolated communication spaces.
The Impact
All Teams users and admins are affected, with a moderate security risk due to expanded app capabilities in private channels.
- Channel owners/members: Can add apps, increasing risk of unapproved data sharing.
- Admins: Must review app policies to prevent data exfiltration.
- Security teams: Need to monitor app usage in private channels for compliance.
- Developers: Apps now have broader access, requiring secure coding practices.
The Action
- Review and update Teams app permission policies in the Teams admin center (Teams apps > Manage apps > Org-wide app settings).
- Audit existing apps for permissions relevant to private channel data access (Teams admin center > Teams apps > Manage apps).
- Communicate updated app usage guidelines to users, emphasizing data handling in private channels.
- Implement or reinforce app governance processes for new app requests and approvals.
- Monitor Microsoft Purview audit logs for app installations and data access within private channels.
Domain: Teams · Impact: medium · Workload: Teams · Essential Eight: Application Control · ISM: ISM-0843, ISM-1490, ISM-1544, ISM-1582, ISM-1656, ISM-1657, ISM-1658, ISM-1659, ISM-1660, ISM-1870, ISM-1871