Microsoft Teams: School Connection – Providing access to parents via their phone number

🚨 The Signal: Microsoft Teams School Connection now allows parents to access student profiles via phone number login if registered by the school. This expands access methods, potentially increasing the attack surface for student data.

The Impact

Parents and guardians are affected by new login methods, increasing the risk of unauthorized access to student data if phone numbers are compromised or mismanaged.

• Parents: Easier access to student data, but increased risk if phone number is compromised.
• Schools: Must ensure accurate and secure registration of parent phone numbers.
• Students: Their data is exposed to new access vectors via parent accounts.
• Security Teams: Need to assess new identity verification risks for student data.

The Action

1. Review and update school policies regarding parent/guardian phone number registration and verification for School Connection.
2. Educate parents on the importance of securing their mobile devices and phone numbers used for School Connection access.
3. Implement strong identity verification processes for school staff managing parent contact information in Teams.
4. Monitor audit logs for School Connection access, particularly for phone number-based logins, to detect anomalies.

Domain: Entra · Impact: high · Workload: Teams · Essential Eight: Multi-Factor Authentication · ISM: ISM-0109, ISM-0123, ISM-0140, ISM-0974, ISM-1173, ISM-1228, ISM-1401, ISM-1504, ISM-1505, ISM-1679, ISM-1680, ISM-1681, ISM-1682, ISM-1683, ISM-1815, ISM-1819, ISM-1872, ISM-1873, ISM-1874, ISM-1892, ISM-1893, ISM-1894, ISM-1906, ISM-1907