PRACTITIONER GUIDE
Practitioner Guide11 min read

Slack and Microsoft Teams Security Hardening: Admin Configuration, DLP, and Data Retention

channels:history
OAuth scope that grants a third-party Slack app read access to all message history in accessible channels, making it the highest-risk permission to allow without admin review.
90 days
recommended maximum guest account inactivity period before access review and revocation in Microsoft Teams and Slack.
7 years
typical retention requirement for compliance-relevant business communications in finance and legal channels under common regulatory frameworks.
SAML 2.0
authentication protocol used to enforce SSO for both Slack and Teams, routing login through the corporate IdP and its phishing-resistant MFA policies.

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Collaboration platforms are among the highest-value targets for data exfiltration because they aggregate messages, files, and credentials that users share informally. Slack and Teams each contain years of business discussions, shared credentials in messages, file attachments with sensitive data, and integration tokens stored in channel descriptions and pinned messages. Default configurations for both platforms prioritize onboarding speed over security control depth.

Hardening these platforms is an admin configuration exercise that does not require additional tooling. The settings exist in the admin consoles of both platforms; the work is finding them, understanding their implications, and configuring them systematically before an incident forces a reactive review.

Authentication and app control: the foundation

SSO enforcement and OAuth app restriction address the two highest-risk collaboration platform attack vectors. Without SSO enforcement, former employees retain Slack or Teams access after their corporate account is disabled because platform credentials are managed independently of the corporate identity store. Without app approval controls, any user can install third-party integrations that receive broad OAuth tokens scoped to read message history and file data across the workspace. These two configuration areas should be addressed before any other hardening work because they represent persistent access paths that bypass organizational offboarding and create unreviewed data exfiltration channels.

Enforce SSO before auditing any other Slack or Teams settings

SSO enforcement is the single highest-impact Slack security configuration: it ensures that authentication for the platform uses your organization's IdP with its MFA requirements, conditional access policies, and account deprovisioning automation. Without SSO enforcement, former employees with Slack credentials retain access after their corporate account is disabled because Slack credentials are independent of the corporate identity store. Configure SAML 2.0 integration, test with a pilot group, and then enable Must use SSO to sign in. Coordinate MFA enrollment completion before enabling SSO enforcement to prevent accidental lockout of users without IdP MFA configured.

Audit existing Slack app OAuth scopes before restricting new installations

Before restricting new app installations, audit the OAuth scopes of all currently installed apps. Go to Admin, Installed Apps, and review each app's requested permissions. Apps with channels:history or files:read scopes can read all accessible message history and files. Apps with admin or chat:write scopes can write messages on behalf of users or modify workspace settings. Remove apps that are no longer actively used, contact vendors of high-scope apps to confirm the scope is legitimately required for the stated functionality, and document the business justification for each app that retains high-privilege access. This audit baseline makes the app approval workflow meaningful going forward.

Data governance: retention, DLP, and guest access

Data retention policies, DLP integration, and guest access controls determine what sensitive information stays in the platform and who retains the ability to read it. Collaboration platforms accumulate years of business discussions, shared credentials, and confidential file attachments that persist indefinitely under default retention settings. Guest accounts added for specific projects frequently retain channel access after the engagement ends, and DLP scanning is rarely enabled by default even on enterprise plans. Configuring these three governance layers requires deliberate admin action but can be completed using built-in platform capabilities without additional tooling purchases on most enterprise Slack and Teams plans.

Segment retention policies by channel type and compliance requirement

Apply different retention periods to different Slack channel types based on the data they contain and the compliance obligation that applies. Create a #legal-matters channel type with 7-year retention for compliance, standard project channels with 1-year retention, and general discussion channels with 90-day retention. In Slack Enterprise Grid, use retention policy settings to configure per-channel-type retention. For Microsoft Teams, use Microsoft Purview retention policies with adaptive scopes that target teams tagged with specific metadata. Shorter retention periods for informal discussion channels reduce the sensitive data volume stored in the platform without affecting compliance-relevant communications that require longer retention.

Configure quarterly automated access reviews for guest accounts

Guest access accumulates over time because removing access requires active effort while adding it is a low-friction invite. Configure automated quarterly access reviews using Azure AD Access Reviews for Microsoft Teams guests, requiring team owners to certify that each guest still requires access. For Slack, schedule a quarterly admin audit using the SCIM API or admin export to list all guest accounts with last activity date and channel membership, then require business owners to confirm active guests. Set a process to revoke guest access automatically if the owner does not confirm within 14 days of the review request.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

The bottom line

Slack and Microsoft Teams security hardening prioritizes SSO enforcement and OAuth app control first because they address the highest-risk attack vectors. SSO ensures that corporate identity deprovisioning extends to the collaboration platform and that MFA requirements apply. OAuth app restriction prevents third-party integrations from exfiltrating workspace message history with stolen tokens. Data retention policies, guest access reviews, and DLP policies provide the data governance layer that reduces sensitive data accumulation and prevents unauthorized external access. All of these are admin configuration changes that require no additional tooling purchases for most enterprise Slack and Teams deployments.

Frequently asked questions

What are the most important Slack security settings for admins to configure?

The highest-impact Slack admin security settings: enforce SSO authentication through your identity provider so users cannot authenticate with Slack-native credentials, restrict app installations to only admin-approved apps and require approval review for each app's OAuth scope before granting access, disable the ability for users to share channels with external organizations unless approved by an admin, configure data retention policies appropriate to your compliance requirements, enable two-factor authentication enforcement at the workspace level for any users not using SSO, restrict who can create public channels and DMs with external users, and enable audit logging to your SIEM for events including message exports, app installations, and admin configuration changes.

How do I configure Microsoft Teams security settings for an enterprise?

Microsoft Teams security configuration flows from Azure Active Directory and Microsoft Purview settings. In the Teams admin center, configure external access to allow communication only with specific trusted domains rather than all external organizations, and configure guest access to require MFA for guest authentication. In Azure AD conditional access, require MFA and device compliance for Teams access. Deploy Microsoft Purview DLP policies to detect and block sensitive data patterns in Teams messages and files. Configure information barriers if your organization has regulatory requirements to prevent communication between specific user groups. Enable audit logging in Microsoft Purview compliance center to retain Teams activity logs for your required retention period.

How do I prevent unauthorized Slack app integrations from accessing workspace data?

Configure Slack's App Management settings to restrict app installations to admin-approved apps only. Go to the Admin section, App Management, and set the policy to require admin approval for any new app installation. When reviewing app approval requests, examine the OAuth scopes the app requests, including channels:history (read message history), files:read (read files), and users:read (read user directory). Reject apps requesting scopes broader than the stated functionality requires. Audit existing installed apps periodically and revoke access for apps that are no longer used by removing them from the workspace. For Slack Enterprise Grid, configure organization-level approved apps to apply the approved list across all workspaces.

How do I configure DLP for Slack to detect sensitive data in messages?

Slack DLP integration works through two mechanisms: Slack's native Data Loss Prevention feature available on Enterprise Grid plans and third-party DLP integrations via the Slack API. Slack's native DLP uses keyword patterns and regular expressions to detect and block messages containing specific patterns such as credit card numbers, social security numbers, or custom confidential patterns before they are sent. Third-party DLP tools including Microsoft Purview, Nightfall, and Symantec integrate via the Slack Events API to inspect messages in real time and can take actions including blocking the message, alerting the admin, or quarantining the content for review. Configure DLP rules with monitoring mode initially to calibrate false positive rates before switching to blocking mode.

How do I audit and review guest access in Microsoft Teams?

Review guest access in Teams using the Azure AD portal under External Identities, where all guest accounts appear with their creation date, last sign-in date, and which Teams they belong to. Filter for guest accounts that have not signed in within 90 days and remove their access. In the Teams admin center, review the guest access report to see which teams have external guests and what channels those guests can access. Configure an Azure AD access review scheduled quarterly for guest users in Teams to require team owners to confirm that each guest still requires access. Remove guest accounts from teams where the project or business relationship that justified access has ended and revoke the guest account from Azure AD if the person has no remaining access requirements.

What should be included in a collaboration platform data retention policy?

A collaboration platform data retention policy should specify different retention periods for different data types based on compliance requirements and data sensitivity. Typical configurations include 7-year retention for channels used for compliance-relevant business communications (finance discussions, legal matters, formal decisions), 1-year retention for standard project and team channels, 90-day retention for general conversation channels and direct messages where no compliance requirement applies, and immediate deletion upon request for personal data covered by privacy regulations. In Microsoft Teams, configure retention policies in Microsoft Purview compliance center using adaptive scopes to target specific team types. In Slack, configure retention settings per channel type in the admin panel for Enterprise Grid plans.

How do I enforce SSO and MFA for Slack across the organization?

Slack SSO enforcement uses SAML 2.0 to require authentication through your identity provider. Configure the SAML integration in Slack admin settings by providing the IdP metadata or the SSO URL, certificate, and issuer from your IdP (Okta, Azure AD, or other SAML providers). After testing SSO with a pilot group, enable Must use SSO to sign in so users cannot authenticate with Slack email and password credentials. MFA is then enforced through your IdP's authentication policies rather than Slack's own MFA settings. Ensure your IdP MFA policy requires phishing-resistant MFA (hardware security key or authenticator app, not SMS) for Slack sessions. Users who have not enrolled in IdP MFA will be blocked from Slack access, requiring you to complete MFA enrollment before enabling SSO enforcement.

Sources & references

  1. Slack Security Best Practices for Admins
  2. Microsoft Teams Security Guide
  3. Microsoft Purview DLP for Teams
  4. Slack App Management

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Related Questions: Answer Hub

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.