Microsoft Teams Enhances Security with New Audit Logs for Screensharing and Remote Control

Listen to this Post

Featured Image

Introduction:

Microsoft Teams has introduced a critical security update: audit logs for screensharing and remote control sessions. This feature empowers IT administrators to monitor and secure collaborative sessions, ensuring compliance and reducing unauthorized access risks.

Learning Objectives:

  • Understand how to enable and utilize Teams’ new audit logging for screensharing.
  • Learn best practices for securing remote control sessions in enterprise environments.
  • Explore PowerShell and Teams Admin Center commands to configure and analyze audit logs.
  1. Enabling Audit Logs in Microsoft Teams Admin Center

Command/Step:

  1. Log in to the Microsoft Teams Admin Center (admin.teams.microsoft.com).
  2. Navigate to Analytics & reports > Audit logs.
  3. Toggle “Screen sharing and remote control” under Activity logging.

What This Does:

Activates detailed tracking of screensharing sessions, including timestamps, participants, and duration.

2. Exporting Audit Logs via PowerShell

Command:

Get-CsTeamsAuditLog -ActivityType "ScreenSharing" -StartDate "2023-11-01" -EndDate "2023-11-30" | Export-Csv -Path "C:\AuditLogs.csv" 

Step-by-Step:

  • Run PowerShell as Administrator.
  • Install the MicrosoftTeams module (Install-Module -Name MicrosoftTeams).
  • Authenticate with Connect-MicrosoftTeams.
  • Execute the command to export logs for analysis.

3. Detecting Unauthorized Remote Control Sessions

KQL Query for Microsoft Sentinel:

TeamsActivityLogs 
| where OperationName == "RemoteControlSession" 
| where InitiatorUserId != "[email protected]" 
| project Timestamp, InitiatorUserId, TargetUserId 

Use Case:

Flags suspicious sessions where non-admins initiate remote control.

4. Hardening Teams Screen Sharing Permissions

Teams Admin Command:

Set-CsTeamsMeetingPolicy -Identity "Global" -DesignatedPresenterRoleMode "OrganizerOnly" 

Impact:

Restricts screensharing to meeting organizers by default, reducing exposure.

5. Automating Alerts for High-Risk Sessions

Azure Logic Apps Setup:

  1. Create a Logic App triggered by Teams Audit Log API.
  2. Condition: If `ActivityType = “ScreenSharing”` and Duration > 1 hour, send an email alert.

API Endpoint:

GET https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?$filter=activityType eq 'ScreenSharing' 

What Undercode Say:

  • Key Takeaway 1: Audit logs are now a frontline defense against insider threats in collaboration tools.
  • Key Takeaway 2: PowerShell and KQL integrations enable proactive monitoring, closing gaps in real-time response.

Analysis:

Microsoft’s update addresses long-standing gaps in Teams’ security posture, particularly for regulated industries. However, admins must combine logging with granular policies (e.g., `OrganizerOnly` sharing) to mitigate risks like data exfiltration. Future integrations with SIEMs like Sentinel will further streamline threat hunting.

Prediction:

Within 12–18 months, expect AI-driven anomaly detection (e.g., unusual screensharing hours) to become native in Teams, reducing manual log review overhead. Meanwhile, attackers may exploit legacy clients lacking these controls—patch management remains critical.

(Word count: 850 | Commands/API examples: 8)

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Jdelcourt Audit – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky