Configure Teams meetings with baseline protection
Some features described in this article require Teams Premium.
For the baseline level of protection, we restrict Who can bypass the lobby by using a sensitivity label and set a default value for Who can present with a Teams admin policy. You can restrict other actions as well if your organization requires it.
Note
Meeting options in sensitivity labels and custom meeting templates require Teams Premium.
The following table describes which actions we restrict for baseline meetings and where those options are configured.
| Feature | Option | Location | Enforced |
|---|---|---|---|
| Allow camera for attendees | On | Template | No |
| Allow mic for attendees | On | Template | No |
| Apply a watermark to everyone's video feed | Off | Label | Yes |
| Apply a watermark to shared content | Off | Label | Yes |
| End-to-end encryption | Off | Label | Yes |
| Manage what attendees see | Off | Template | No |
| Meeting chat | On | Template | No |
| People dialing in can bypass the lobby | Off | Template | Yes |
| Prevent copying chat content to clipboard | Off | Label | Yes |
| Record automatically | Off | Template | No |
| Require a verification check from | Not required | Label or Template | Yes |
| Who can bypass the lobby? | People in my org, trusted orgs, and guests | Template | No |
| Who can present | People in my org and guests | Teams admin center | No |
| Who can record | Organizers, co-organizers, and presenters | Template | No |
The sensitivity label or meeting template enforces options that are listed as enforced. The meeting organizer can change Options that aren't enforced.
Default values for Who can present
The default value for Who can present is Everyone. For the baseline protection tier, we set a more secure default of People in my org and guests which meeting organizers can change if they want.
We can set this value with a sensitivity label, but the value would be enforced for any meetings with that label. This option isn't available in meeting templates, so we set it in the Teams admin center.
To configure who can present:
- In the Teams admin center, expand Meetings and select Meeting policies.
- Select the policy that you want to update.
- Under Content sharing, set Who can present to People in my org and guests.
- Select Save.
Default values for Who can admit from lobby
You can choose to keep the default for Who can admit from lobby as Organizers and presenters or change it to Organizers and co-organizers. This per-organizer policy sets a default that your organizers can change through their Meeting options. You must manage this setting through the Teams admin center. Meeting templates and sensitivity labels don't support this policy.
To configure who can admit from lobby:
- In the Teams admin center, expand Meetings and select Meeting policies.
- Select the policy that you want to update.
- Under Meeting join & lobby, for Who can admit from lobby, choose either Organizers and presenters(default value) or Organizers and co-organizers.
- Select Save
Watermarks and end-to-end encryption
In the baseline level of protection, we turn off watermarks and end-to-end encryption by using a sensitivity label. This setting prevents meeting organizers from using these features. Watermarks and end-to-end encryption are more applicable to sensitive meetings.
End-to-end encryption and watermarks turn off some other features such as PowerPoint Live. Turning them off for the baseline level of protection can avert instances where meeting organizers use these features without realizing the limits they impose.
If you work in a highly regulated industry, you might want to keep these features available even in the baseline level of protection.
Sensitivity labels
For the baseline level of protection, we use a sensitivity label that you can use directly in a meeting or as part of a meeting template. Depending on the configuration you choose, this label can also be used to classify teams and individual files.
If you already have sensitivity labels deployed in your organization, consider how this label fits with your overall label strategy. You can change the name or settings if needed to meet the needs of your organization. If you already have a label that you use for baseline or general protection, you can edit the label and add Teams meetings to it.
To learn how to create and manage a sensitivity label, see Use sensitivity labels to protect calendar items, Teams meetings and chat.
Meeting templates
In the baseline level of protection, we use the template to set a default value for who can bypass the lobby that includes external participants from trusted organizations.
We also prevent people dialing in by phone from bypassing the lobby. You can omit this setting if your organization frequently holds meetings where dial-in participants should be able to join directly. If there are certain types of meetings where this is true, consider using a separate template for those meetings.
If you turned off watermarks and end-to-end encryption in the sensitivity label, you can also use the template to hide those options from the meeting organizer.
To create a custom meeting template
- In the Teams admin center, expand Meetings and select Meeting templates.
- Select Add
- Type a name and description for the template.
- In the Apply sensitivity label section, choose the label you created.
- Select Apply sensitivity label, and then select Lock.
- In the Lobby dropdown, select People in my org, trusted orgs, and guests.
- Make sure People dialing in can bypass the lobby is set to Off, then select it and select Lock.
- If you turned off watermarks and end-to-end encryption with the sensitivity label, consider selecting those options here and selecting Hide so meeting organizers doesn't see them.
- Change any other options if desired.
- To prevent the meeting organizer from changing an option, select the option and then select lock.
- To prevent the meeting organizer from seeing an option, select the option and then select Hide.
- Select Save.