If you work remotely on the web, you’re probably getting comfortable with multiple video chat tools. At Freedom of the Press Foundation, we’ve published a high-level comparison of some common video chat applications, and many others maintain detailed comparison spreadsheets to help you compare dozens of tools. We also wanted to dive deeper into what we know about a few individual tools. This “fact sheet” will detail some security, privacy, usability, and anti-abuse properties of Microsoft Teams. In particular, we’re focusing on properties that are critical to high-risk users, like journalists, and developed a series of questions to help examine these properties.
In our fact sheets, we’ll be taking a closer look at several tools in common use at media organizations. We can’t possibly cover them all. In addition to Microsoft Teams, we’ll examine…
Each of these platforms changes regularly, so check back to see our regular updates. And if you see anything wrong, let us know.
Microsoft Teams is the long-established Redmond hegemon’s answer to workplace chat tools, such as Slack. Like Slack, it features online chat channels, file sharing, and video meeting calls. It also integrates into existing Microsoft Office 365 installations for access to workplace calendars, files, and contacts.
Teams is a relatively new product that has largely evaded the spotlight that Zoom has taken while rapidly growing its user base since the COVID-19 pandemic began. Its feature set overlaps with many competing platforms, but unlocking features, as with other Microsoft offerings, requires figuring out exactly the right combination of account types, subscriptions and services that require it. Additionally, its own default settings could, in some conditions, be susceptible to similar harassment attacks that Zoom had become known for.
Does the platform support two-factor authentication? By what methods?
Yes, depending on the type of account you use to log in. For two-factor authentication, standard Microsoft Live accounts can use SMS messages, an alternate email address, authenticator apps, and a proprietary Microsoft Authenticator option which features the ability to authenticate from the app itself. Some hardware security keys are also supported but require setting up a device-specific PIN you have to remember when logging in, without a clear means of resetting it if you forget it.
Teams may be set up to use an organization-specific authentication framework using Office 365, in which case 2FA options are limited by the combination of authentication services used and what 2FA methods organizational admins have chosen.
Does the platform support transit encryption? How is it implemented?
Yes. TLS between clients and servers and MTLS between Microsoft’s servers. Secure Real-Time Transport Protocol (SRTP) is used for encrypting video chat.
Does the platform support end-to-end encryption? How is it implemented?
Has the platform undergone an independent security audit? If so, what were the results, and how did the platform respond to any identified vulnerabilities?
Microsoft claims to conduct some form of audits as part of its compliance framework (PDF). It has not shared publicly whether the Teams video conferencing feature specifically has undergone an independent security audit. Microsoft did not respond to a request for comment.
Has the platform been breached before? How did they respond?
Microsoft as a whole has had breaches throughout its history, but also has a recent history of cooperating with security researchers on patching vulnerabilities relatively quickly, as demonstrated through its recent mitigation of installer package, gif sharing and iOS app vulnerabilities, all of which were patched relatively quickly.
How does the platform handle contact discovery?
Microsoft Teams is designed for intra-organization use and includes mechanisms for looking up other members of an organization. However, if someone outside your organization opts in to share their contacts they may be able to see if you have a Teams account if you are in the contacts they shared.
Can I use the platform without making an account?
You need an account to create a video chat meeting, but not to join one, depending on the settings for that meeting.
What user metadata and content is logged by the platform?
A very long — but not definitive — list of data and content that may be collected is provided in Microsoft’s privacy statement. This includes contacts, demographic data, voice data, image metadata, location data, and more. This is not, however, a complete list of all possible content and metadata that could be collected with any particular combination of Microsoft-owned products or services tied to a Microsoft account, each of which may be collecting additional metadata. Examples of video-related metadata were not included in Microsoft’s privacy statement. Microsoft could not be reached for comment on retention of video chat metadata.
What can they sell?
Microsoft says they do “not use your email, chat, files, or other personal content to target ads to you.” There are currently no known uses of Teams data used by Microsoft for ad targeting. Although Teams is available with limited features for free, Teams is often bundled as part of the Microsoft 365 suite, which requires a paid subscription.
How long does the platform hold on to my data after I delete it, or close my account?
Teams may be configured to work under many compliance frameworks each with its own policies on how long data is retained after it (or the associated account) has been deleted.
Generally, Microsoft accounts retain user data for 90 days after an account is deleted. After that period, the account is disabled and customer data associated with it, including cache and backups, is deleted: https://www.microsoft.com/en-us/trust-center/privacy/data-management.
Can I self-host?
Does the platform publish a yearly transparency report?
Does the platform alert users to requests for their data?
Generally yes, “except in the most exceptional circumstances.” According to their FAQ, this includes “emergencies where notice could result in danger (e.g., child exploitation investigations), or where notice would be counterproductive (e.g., where the user’s account has been hacked).”
How much of my content and metadata can the service hand over in the case there’s a legal request? Has the platform been court-tested?
The scale of potential reach in a legal case is expansive and conditional. Microsoft accounts may be linked to dozens of Microsoft properties including Skype, XBox Live, Bing, Office 365, LinkedIn, and potentially other services owned by Microsoft but not yet listed in their privacy dashboard. Windows devices that you are signed into a Microsoft account on at the system level may be able to collect data on location, voice (Cortana), media viewing history through certain apps, Edge web browsing history, bookmarks, settings and more.
We are not aware of any unsealed cases involving Teams video chat and Microsoft could not be reached for comment. Teams is part of Office 365, which features a dedicated e-Discovery dashboard designed to make it easy to extract your Teams content by a Teams admin for legal orders.
Does the platform offer the ability to broadcast?
Yes, with a specific set of licensing provisions:
- An Office 365 Enterprise E1, E3, or E5 license or an Office 365 A3 or A5 license
- A Microsoft Teams license
- A Microsoft Stream license
Other prerequisites include region availability.
Can I use this platform to host closed room meetings?
Yes, a meeting may be closed to Teams instance users only if a Teams admin turns off the “Anonymous users can join a meeting” option.
Can I control who can access my call if I want to?
Rooms are closed by default so that the chat attendee/presenter has to approve guests outside an organization before they can join. To approve guests, a guest waits in the “lobby” and the owner can see their presented name (only) before being allowed in. There is no mechanism available for meeting presenters to verify that the person asking to join is the person they say they are, as any invited guest can make up their own name, and are not required to provide an email address or other identifier. The invitation link to be sent to attendees is identical across recipients. Additionally, the setting for “Who can present” in public meetings is set to “Everyone” by default unless otherwise set by a Teams admin.
What is the maximum meeting group size?
Are there accessibility features? If so, what are they?
Microsoft provides extensive guides and documentation on using Microsoft Teams with screen reader software, including JAWS, NVDA, and Narrator on Windows, VoiceOver on macOS and iOS and TalkBack on Android. The guides themselves are also designed to be readable by the screen readers. Some features may not be fully supported, for example, virtual cursors used in Microsoft Teams have to be enabled in JAWS to make that feature work in Teams.
Who can record meeting video? Audio? Chats? Minutes?
Only the meeting attendee/presenter can record video/audio, and it's saved in a “Stream” server provided in Office 365, the underlying platform that supports Microsoft Teams. Chats are saved in Teams and accessible to members of a Teams… team.
Can I mute users in the call?
Yes, a presenter can mute other users in a call. Those attendees can unmute themselves afterwards without approval from the presenter.
Can I kick users out of the call?
Yes, a presenter can kick attendees out of a call. However, under default settings, members of the same team can return to the call without further approval to re-enter. Guests may try to re-join a meeting after being kicked out, but they would be sent back to the waiting room and need to be approved to re-enter. Since guests may select their own name, the same invitation link may be used again with a new name without any way for a meeting presenter to know it’s the same person.
Now that you’ve read all about the platform, you can evaluate whether it’s right for your situation. If you want to check out another platform, consider looking to our short guide for a high-level comparison, or videoconferencing.guide for many more details. And as always, contact our training team if you need more assistance.