Meeting policies and settings for the administrator
To configure the following settings in the Teams admin center, you will need to be either a Global Administrator, a Teams Service Administrator, or a Teams Communication Admin. The Teams admin center can be accessed at the URL https://admin.teams.microsoft.com.
Let's start with meeting policies. After navigating to the Team admin center, expand the Meetings menu item and select Meeting policies. There is a policy named Global (Org-wide default), which is applied to all users by default. Select this policy and choose Edit from the menu.
There are lots of great settings in this policy for managing the meeting experience, but we are only going to focus on a few.
Under Content Sharing, there are two settings that control whether meeting participants and guests can give or request control:
- Allow a participant to give or request control
- Allow an external participant to give or request control
This can be important to make sure a participant, especially an external one, cannot request or take control of the desktop sharing session. While there is typically a handoff if the external participant requests control, this will prevent them from ever asking. Not only does this provide additional security, it also prevents disruptions in meetings.
The main security settings are in the Participants & guests section. This is primarily targeted at users dialing into meetings using a phone. Since the participants are dialing in, they are typically anonymous, so you need to treat them with extra care.
The first setting is a big one: Let anonymous people start a meeting. If this is enabled, an unauthenticated person can dial into your meeting and start it before anyone else joins. This also means they can dial into the meeting before or after it begins and sit on the conference bridge. My recommendation is to disable this setting.
The next setting is Automatically admit people. It has three options in the dropdown menu:
- Everyone in your organization
- Everyone in your organization and federated organizations
The most secure option is Everyone in your organization. This means that only authenticated, internal users can automatically join the meeting; external or anonymous users cannot automatically join. Those users will wait in the lobby until admitted by the organizer or presenter. I recommend this option.
The next most secure option is Everyone in your organization and federated organizations. If you have open federation, this might be a problem, but if you have a select group of external organizations in your allow list, presumably you trust them to join your meetings automatically. This will still prevent anonymous people from joining automatically.
Finally, there is the Everyone option. If your users have a problem admitting people from the lobby or dislike the user experience, then use this option. Just understand this opens up the meeting for anonymous people to join automatically.
Lastly, we have Allow dial-in users to bypass the lobby. This can only be set if the previous setting is not set to Everyone, which makes sense. If you are allowing everyone to join meetings automatically, then there is no need for dial-in users to wait in the lobby.
If this is set to True, dial-in users will automatically join the meeting once an organizer joins the meeting. If this is set to False, then the dial-in users will wait in the lobby until a user from the organization joins the meeting and admits them. For the highest security, I would set this to False.
Moving back to the Meetings menu, let's move over to Meeting settings. There's only one setting in here to worry about, and that is Anonymous users can join a meeting. If you are worried about anonymous users joining any meeting, then go ahead and disable this setting. This will require any participant joining your organization's meeting to have a Teams account. However, understand the implications of this for external people trying to join your meetings and potentially being blocked.
If you have audio conferencing licenses assigned to your users, then there is one final configuration we can perform. Audio conferencing enables a dial-in phone number to be attached to a meeting invitation. Back in the Teams admin center, navigate to Conference bridges under Meetings, then select Bridge settings. These settings are going to control the behavior for users dialing in by phone.
The first option is for meeting entry and exit notifications. This will alert people in the meeting when someone dialing in by phone joins or leaves the call. Note that this does not apply to people joining from a Teams client.
If meeting entry and exit notifications are enabled, the next setting configures the announcement type. Options include:
- Names or phone numbers
If Names or phone numbers is selected, then this displays another option to have callers record their name before joining a meeting. If Tones is selected, then this option disappears, and a tone or ding is played when callers join or leave the meeting. While this is a great notification of people joining or leaving a meeting, it can be somewhat disruptive for tones or names to be announced in the middle of a meeting.
Last is the length of the PIN your users can use to authenticate themselves when dialing into the meeting. This can be 4 to 12 digits (4 seems appropriate, but check with your security team).
Meeting settings for the organizer
While the settings configured by the administrator may cover most meetings, the meeting organizer can configure their settings on a per-meeting basis. Perhaps you work in HR or finance and need to schedule a sensitive meeting with additional security options. Let's look at what options are available.
When scheduling a Teams meeting in Outlook, the meeting body text will have the Teams join meeting link. Below this link are some additional options, such as finding a local number or resetting your PIN. The link we're interested in is Meeting options.
Since the meeting invite is in draft mode, you may need to hold down the Ctrl key when clicking the link. For now, this link will open your web browser to configure the meeting options. Hopefully, in the future, these options will be included directly in the meeting invitation window, like Skype for Business used to be.
Here are the available options; some will look familiar:
Here, the meeting organizer can configure who can bypass the lobby. If the administrator has set this to the less secure option of Everyone, then the meeting organizer can configure it to People in my organization if the meeting requires external people to wait in the lobby.
Next is letting callers bypass the lobby. The meeting organizer can decide whether to allow dial-in callers to bypass the lobby. Meeting organizers can also enable or disable the announcement feature we saw in the audio conferencing bridge settings earlier.
Finally, the big security setting is who can present during the meeting. Defining meeting participants as presenters and attendees does a couple of things. First, only meeting presenters can do things like:
- Share content
- Mute or remove other participants
- Admin people from the lobby
- Change the roles of other participants
- Start or stop recording
- End the meeting for everyone
For smaller meetings, having everyone as a presenter is probably going to be fine. However, for larger meetings, you will want to define meeting roles. Imagine having a few hundred people on a call where they are all presenters, and people are muting others, removing other participants from the meeting, or ending the meeting for everyone. This will cause some minor chaos.
The options for who can present include:
- People in my organization
- Specific people
- Only me
If you choose Specific people, then you can select other people who are on the meeting invite. You will need to send the invitation first, then navigate back to the meeting options page and select the specific presenters. If you are inviting a group (such as a distribution or Office 365 group) that contains the desired presenters, then you will need to add the presenters individually in the meeting invite. The ability to select specific presenters does not expand groups and only pulls individual names from the invite.
Upcoming road map options
There is an upcoming road map item related to meeting security that only allows the meeting organizer to join the meeting directly. This will add another Only me to the lobby bypass setting options. When this is selected, only the organizer will be able to join the meeting directly. Everyone else, including people in the same organization, must wait in the lobby. This is being targeted at the education sector to allow teachers to be the first to join meetings and then admit the students.
Subscribe to 4sysops newsletter!
Questions on meeting security? Drop me a note below to discuss further.