Microsoft Teams: Adding and editing external contacts

🚨 The Signal: Teams phone users can now add and edit external contacts directly from their devices. This expands the attack surface for contact data and requires review of existing communication policies.

The Impact

All users are affected, with a moderate risk of uncontrolled external contact data management and potential data leakage.

  • End users: Can add/edit external contacts, increasing the risk of unmanaged data.
  • Security teams: Need to review policies for external contact data handling.
  • Admins: Must ensure device and Teams policies align with data governance.
  • Compliance teams: Need to re-assess data privacy and retention for contact data.

The Action

  1. Review existing Microsoft Teams calling policies for external communication controls.
  2. Assess Microsoft Purview Data Loss Prevention (DLP) policies for contact information.
  3. Communicate updated external contact management guidelines to end users.
  4. Verify Microsoft Intune device compliance policies for Teams phone devices.

Domain: Teams · Impact: medium · Workload: Teams