The original post: /r/cybersecurity by /u/etaylormcp on 2024-08-04 22:01:49.
I’ve been discussing the risks associated with Microsoft Teams’ default enablement of anonymous access. Years ago, I used federation to communicate with vendors while restricting access to my organization via the global directories, etc. Back then, anonymous access wasn’t enabled by default in O365 tenants, but Microsoft changed that back in 2020.
Recently, in a discussion comparing the risks of supporting anonymous access in Teams versus using tools like Zoom, I raised a concern about the potential for social engineering attacks. An attacker could manipulate an insider, pivot out of Teams, and gain access to other admin areas within an O365 tenant.
Ignoring the potential SOC 2 and compliance issues for a moment, I created a high-level “tabletop” scenario illustrating how an attacker could engineer an insider to achieve elevated privileges and compromise the tenant. Despite my explanations, some responses downplayed the risk, equating it to someone crashing a Zoom meeting. I pointed out that in this scenario, Zoom was not AAD integrated, so the risk profile is vastly different, as a compromised Zoom meeting can’t affect your O365 tenant in this scenario.
Given this, I am seeking insights from others in this field. Am I overly concerned, or is this a risk you would take seriously? Personally, I see it as a non-trivial risk that warrants careful consideration. If the organization insists on using anonymous access to meetings for external parties, it should be governed by a custom policy and applied selectively to trained individuals. Even Microsoft’s own security guidelines advise against allowing anonymous access by default.
When questioned why Microsoft sets it that way by default if it’s risky, I explained that Microsoft provides the tools, but it’s up to the users to manage them securely. Is this a valid concern, or would you dismiss it?
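One way to implement the selective policy the post describes, as an added example that is not part of the original post, using the MicrosoftTeams PowerShell module; the policy name and user principal names are placeholders:

```powershell
# Added example: turn anonymous meeting join off by default, then re-enable it
# only through a named policy granted to trained meeting organizers.
# Assumes the MicrosoftTeams module is installed and the signed-in account
# holds Teams administrator rights.
Connect-MicrosoftTeams

# 1. Audit: which meeting policies currently allow anonymous users to join?
Get-CsTeamsMeetingPolicy |
    Select-Object Identity, AllowAnonymousUsersToJoinMeeting |
    Format-Table -AutoSize

# 2. Harden the default: the Global policy applies to every user who has
#    no explicit policy grant, so this is where the tenant-wide default lives.
Set-CsTeamsMeetingPolicy -Identity Global -AllowAnonymousUsersToJoinMeeting $false

# 3. Create a scoped policy for staff who must host external parties.
#    "ExternalVendorMeetings" is a placeholder name.
New-CsTeamsMeetingPolicy -Identity "ExternalVendorMeetings" `
    -AllowAnonymousUsersToJoinMeeting $true `
    -AutoAdmittedUsers "EveryoneInCompany"   # anonymous attendees wait in the lobby

# 4. Grant the scoped policy only to trained individuals (placeholder UPNs).
$trainedOrganizers = @("vendor.manager@example.com", "procurement.lead@example.com")
foreach ($upn in $trainedOrganizers) {
    Grant-CsTeamsMeetingPolicy -Identity $upn -PolicyName "ExternalVendorMeetings"
}

# 5. Verify: list the users who hold the permissive policy, for periodic review.
Get-CsOnlineUser -Filter "TeamsMeetingPolicy -eq 'ExternalVendorMeetings'" |
    Select-Object UserPrincipalName, TeamsMeetingPolicy
```

The meeting policy that applies is the organizer's, so step 4 is what decides which meetings can be joined anonymously; the step 5 listing is the set of accounts to keep on the training roster.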