Microsoft Teams Privacy & Custom Security Settings: The 2026 IT Admin’s Playbook

12 min read

Microsoft Teams Privacy & Custom Security Settings: The 2026 IT Admin’s Playbook


By Narasima Perumal Chandramohan

Microsoft MVP (10+ Years) | Co-Founder & Technical Lead, Apps4.Pro

Introduction

Microsoft Teams is the main app that powers today’s modern workplace. Chats, files, meetings, and collaboration with coworkers, partners, and customers all happen in one place. While this makes teamwork easier, it also creates security challenges for IT administrators. A single mistake – such as making a team public instead of private, allowing too much guest access, or letting anonymous users join meetings – can expose sensitive company data.

The good news is that you don’t have to lock down everything to keep Teams secure. By configuring the right Microsoft Teams privacy settings and applying custom security controls only where they are needed, each team can have the appropriate level of access and collaboration without increasing security risks.

This guide walks you through the controls that matter in 2026 – from a single team’s privacy toggle to tenant-wide policies, Microsoft Purview sensitivity labels, shared-channel governance, and Teams Premium meeting protection.

Public vs. Private Teams: Your First Privacy Decision

Every team in Microsoft Teams gets a privacy status – Public, Private, or Org-wide. It’s the single most important team privacy setting, because it decides who can even see the team exists.

Privacy type

Who can find it

Who can join

Best for

Private

Only members and owners

By owner invite or approved request

HR, finance, M&A, anything confidential

Public

Anyone in your tenant

Anyone in your org, no approval needed

Communities of practice, open knowledge sharing

Org-wide

Everyone in the tenant (auto-added)

All licensed users

Company announcements (only for tenants with 10,000 or fewer users; up to five org-wide teams per tenant)


When in doubt, go Private. It’s far easier to open a team up later than to walk back a data leak.

Change Team Privacy Settings in Teams (Step-by-Step)

Privacy status controls who can see that a team exists. Setting it correctly is the first step to preventing accidental data leaks.

Team owners can change privacy themselves, as long as your admin policy hasn’t locked it down.

Step 1: In Microsoft Teams, click Teams in the left rail and find the team you own.

Step 2: Click More options (the three dots ⋯) next to the team name, then select Manage team.

Step 3: Open the Settings tab and expand Team details.

Step 4: Click Edit, then pick Private or Public from the Privacy dropdown.

Step 5: Click Done to save.

Once a team is private, it vanishes from the Teams catalog. New members have to be invited by an owner or come in through a join request.

Admin tip: 

If owners can’t see the Privacy dropdown at all, your tenant has the Set-Team policy locked. You can still change it yourself with PowerShell:

Connect-MicrosoftTeams Set-Team -GroupId <TeamId> -Visibility Private

Connect-MicrosoftTeams Set-Team -GroupId <TeamId> -Visibility Private

Custom Security Settings in the Teams Admin Center


These tenant-wide toggles set the security baseline for every team at once, so a single misconfiguration here can affect your whole organization.

For tenant-wide guardrails, the Microsoft Teams admin center is home base. Review these four areas at least once a quarter, meaning: spot-check the toggle values, audit any policy exceptions, and confirm no new defaults were silently introduced by a Microsoft service update.

For a complete walkthrough of configuring Guest Access and External Access in the Microsoft Teams admin center, including every setting and permission.

Control Meeting Privacy and Lobby Settings

Open lobby and anonymous-join settings let uninvited users or bots slip into sensitive meetings, so locking them down protects confidential conversations.

Meeting privacy issues are one of the most common security risks. If the “Everyone can bypass the lobby” setting is enabled, anonymous users or even bots can join your boardroom meeting directly without waiting in the lobby.

Tenant-wide setting:

Step 1: In the Teams admin center, go to Meetings > Meeting settings.

Step 2: set Anonymous users can join a meeting to On or Off.

Microsoft Teams admin center showing Meetings > Meeting settings, where Anonymous users can join a meeting is enabled, with numbered steps highlighting the navigation and Save button.

Per-organizer policy:

Step 1: Go to Meetings > Meeting policies and open the policy you want to edit. Start with Global (Org-wide default).

Microsoft Teams admin center showing Meetings > Meeting policies, highlighting the Global (Org-wide default) meeting policy with numbered navigation steps.

Step 2: In the Meeting join & lobby section, review:

  • Anonymous users can join a meeting – controls whether external or unauthenticated users can join at all.
  • Anonymous users and dial-in callers can start a meeting – leave Off unless you have a strong reason. Otherwise unverified accounts can launch meetings at odd hours.
  • Who can bypass the lobby – set to People in my org for the safest default. Use People in my org and guests only for trusted federations.
  • People dialing in can bypass the lobby – usually best left Off.
  • Who can admit from lobby – restrict to Organizers and co-organizers for sensitive meetings.

Step 3: Save. Changes can take up to 24 hours to take effect.

Microsoft Teams admin center showing Meeting join & lobby settings, including anonymous join options, lobby controls, verification settings, and the Save button.

Pro tip: ( Microsoft is retiring the standalone CAPTCHA verification check (locked from May 2026, fully removed by August 2026) in favor of a new bot-detection capability that flags external meeting bots at join and prompts organizer approval. Enable bot detection and keep lobby bypass set to People in my org.

Manage SharePoint Sharing for Team Sites

Every team is backed by a SharePoint site, and that site has its own sharing controls. If your Teams privacy is buttoned up but SharePoint sharing is wide open, you’ve still got a leak waiting to happen.

Step 1: Open the SharePoint admin center.

Step 2: Go to Sites > Active sites and pick the site backing your team.

Step 3: Click Sharing in the top toolbar.

SharePoint admin center showing Sites > Active sites, selecting a site, then opening More actions (...) > Sharing to manage external sharing settings.

Step 4: Set the external-sharing limit – Anyone, New and existing guests, Existing guests, or Only people in your organization. Never set it more permissive than the parent tenant policy.

SharePoint admin center Sharing panel showing external sharing options, with New and existing guests selected for the active SharePoint site.

Sensitivity Labels: Custom Security for 100+ Teams Without Manual Work

Manually clicking through every team works fine when you have ten of them. It does not work when you have a thousand. This is where sensitivity labels in Microsoft Purview become the backbone of custom security in Teams, one published label can enforce policy across every new team, group, and SharePoint site automatically.

A sensitivity label applied to a Microsoft 365 group, and by extension, its Team and SharePoint site, can automatically enforce:

  • Privacy (public or private)
  • External user access (guests allowed or blocked)
  • External sharing from the SharePoint site
  • Unmanaged-device access (block, read-only, or full access)
  • Default sharing link type
  • Authentication context – meaning the user must satisfy a specific Conditional Access policy (for example, sign in with MFA or use a compliant device) before opening the team’s content

Set Up Group and Site Sensitivity Labels

Container labels enforce privacy, guest access, and sharing automatically at scale, so configuring them once saves manual cleanup across hundreds of teams.

Step 1: In the Microsoft Purview portal, go to Information Protection > Sensitivity Labels.

Step 2: Click + Create a label (or edit an existing one).

Step 3: Define the scope for this label, check Groups & sites – this is what makes the label a “container label,” meaning it applies to the team’s M365 group and SharePoint site rather than to individual files. Add Items too if you also want the same label to protect files and emails.

Step 4: Walk through the wizard and configure Privacy and external user access, plus External sharing and Conditional Access.

Step 5: Publish the label to the users and groups who should see it.

Step 6: Before users can apply container labels, enable them in your tenant once via

Connect-MgGraph -Scopes "Directory.ReadWrite.All" 
 $grpUnified = Get-MgBetaDirectorySetting | Where-Object {$_.DisplayName -eq "Group.Unified"}
 $params = @{ Values = @( @{ Name = "EnableMIPLabels"; Value = "True" } ) } 
 Update-MgBetaDirectorySetting -DirectorySettingId $grpUnified.Id -BodyParameter $params 
 # Then sync labels from Security & Compliance PowerShell: 
 Execute-AzureAdLabelSync 

After publishing, every time a user creates a new team they pick a sensitivity label from a dropdown. The team, the group, and the SharePoint site inherit the matching protections automatically. No more manual cleanup.

Privacy in Shared Channels and Private Channels

Channels add a second layer of privacy inside a team, and as the admin who fields the “why can’t I see this channel?” tickets, you’ll want to know how each one behaves.

Channel type

Visibility

Membership

Storage

Standard

Visible to all team members

Inherits team membership

Files in the team’s SharePoint site, under a channel folder

Private

Visible only to invited team members

Subset of team members; owners managed separately

Dedicated, hidden SharePoint site per channel

Shared

Visible to invited members from inside or outside the team (and even other tenants)

Can include people who aren’t members of the parent team

Dedicated SharePoint site that inherits the parent team’s sensitivity label


The key shared-channel rule for admins: only people with owner or member permissions in the shared channel can access its content. Parent-team members – even you, as a tenant admin – don’t automatically get in. You have to be added to the channel itself.

For cross-tenant shared channels, you also need to configure Microsoft Entra cross-tenant access settings so identities from the partner tenant can authenticate cleanly. Skip that step and your end users hit endless “request access” loops, and your help desk hears about it.

Teams Premium: When the Standard Policy Isn’t Enough

If your organization handles board meetings, legal discovery, M&A (Mergers & Acquisitions), or government-related work, the standard Teams meeting policy alone isn’t enough.

That’s where Teams Premium comes in. It’s an add-on license designed for users who need a higher level of security. From an admin’s perspective, it provides additional security controls and enforcement options that aren’t available in the standard version of Microsoft Teams.

What you can enforce as an admin:

  • Watermarks on shared video, audio, and screen content – every frame is stamped with the viewer’s email.
  • End-to-end encryption for meetings with up to 200 participants.
  • Limit who can record to just organizers and co-organizers.
  • Controlled-content meeting templates that lock policy choices for the organizers under your governance.
  • Block copy-paste from meeting chat – for clean-room discussions.
  • Apply a sensitivity label to the meeting itself – so the label’s policies (chat retention, recording, encryption) move with it.

Three Methods to Configure Custom Security in Teams (Compared)

There’s no single right way to apply custom security – most organizations use a mix. Here’s how the three main approaches stack up.

Method

Best for

Pros

Cons

Manual configuration (Teams + SharePoint admin centers)

Small tenants (<50 teams), one-off exceptions

Total control; no licensing dependencies

Time-consuming; easy to drift; owners can re-flip privacy

Sensitivity labels (Microsoft Purview)

Mid-size to enterprise; regulated industries

Scalable; enforced at creation; covers Teams + groups + sites in one shot

Needs Microsoft 365 E3/E5 or Entra ID P1; one-time PowerShell setup

Owner-driven governance (with chatbot or self-service app)

Organizations where IT can’t sustain manual labeling

Distributes responsibility; faster onboarding

Quality depends on owner training; needs a governance tool or custom bot


Microsoft Teams Privacy & Security: Quarterly Review Checklist

Run this every 90 days. Block 2 hours on your calendar – it’s faster than recovering from an incident.

Tenant-level

  • Confirm default privacy stance is Private
  • Audit Guest access master toggle and granular permissions
  • Audit External access domain allow/block list against your approved-partner list
  • Verify Anonymous meeting join and lobby bypass policies match your baseline
  • Confirm SharePoint org-level sharing is no more permissive than your Teams policy
  • Confirm Microsoft Purview sensitivity labels for groups and sites are enabled
  • Confirm 3–4 labels are published and applied (Public, General, Confidential, Highly Confidential)

Team-level

  • Every team has an assigned sensitivity label
  • No Public teams contain confidential data (run a label-coverage report)
  • Inactive teams are archived or deleted via access reviews
  • Each team has at least two active owners (no ownerless teams)
  • Shared channels list reviewed for stale external members

Meeting-level

  • Default lobby = People in my org
  • Anonymous start = Off
  • Bot detection = Onfor anonymous/external joins (replaces the retired CAPTCHA check)
  • Sensitive meetings use Teams Premium templates with watermarks and restricted recording

Keep going

Pair this guide with the rest of the Apps4.Pro security playbook:

Planning a Microsoft Teams migration? Talk to the Apps4.Pro team We help Microsoft 365 admins consolidate, secure, and migrate Teams at enterprise scale.

Migrate Everything to Microsoft 365

Exchange Online SharePoint Online OneDrive For Business Microsoft Teams Microsoft Planner Viva Engage (Yammer) Microsoft Bookings Microsoft Forms Power Automate Microsoft Power BI Exchange Online SharePoint Online OneDrive For Business Microsoft Teams Microsoft Planner Viva Engage (Yammer) Microsoft Bookings Microsoft Forms Power Automate Microsoft Power BI
  • No Data Loss
  • Zero Downtime
  • ISO-Certified Protection

Start your free 15-days trial today !


4.5 out of 5

Bot Logo

Apps4.Pro Bot

Hey!👋 Ready to make your Microsoft 365 migration journey easier? Tell me what you’re looking.

What gets migrated?
I have a sales question
I'm here for tech support
Learn about Apps4.Pro