Safe Links, Microsoft Teams Rooms or Zoom Rooms, and Preset Security Policies

Or “How to customize Microsoft 365 Preset Security Policies“!

The Preset Security Policies in Microsoft 365 allow you to assign to users, groups or domains the recommend anti-spam, anti-spoofing and anti-malware settings (amongst others). In the Microsoft 365 Security Portal (https://security.microsoft.com) where you set this there appears to be no way to customize these policies – and part of that is the point. Microsoft change and manage the policy for you.

But you might have a reason to do this, and one such reason is when you have Microsoft Teams Rooms and Direct Guest Join enabled. Direct Guest Join is when people use WebEx or Zoom to run meetings and you want this meeting displayed on your Microsoft Teams Room conference equipment.

Microsoft Teams Rooms detect the 3rd party conference service by checking the URL in the meeting invite, and as the meeting invite can be sent by the original sender or forwarded to the room by a recipient we need to ensure that Safe Links does not rewrite external or internal meeting invites for a select series of URLs.

Zoom Rooms have exactly the same process, except they show Zoom natively and meetings in other software via the web browser – for example Teams Meetings can be shown in a Zoom Room.

If you are not using Preset Security Policies you can add these exceptions to your policy as shown:

Safe Links Settings with Meeting Providers exempt from rewriting

But with Preset Security Policies in place you need to use Exchange Online PowerShell to write the above exception to the three preset policies (after you have created the first two of them using the GUI and the last one is the auto-created policy to protect all users that is new to M365 at the time of writing).

Set-SafeLinksPolicy "Standard Preset Security Policy*" -DoNotRewriteUrls "*.webex.com/*","*.zoom.us/*","zoom.us/*","*.teams.microsoft.com/*","teams.microsoft.com/*","zoom.com/*","*.zoom.com/*","*.zoomgov.com/*"

Set-SafeLinksPolicy "Strict Preset Security Policy*" -DoNotRewriteUrls "*.webex.com/*","*.zoom.us/*","zoom.us/*","*.teams.microsoft.com/*","teams.microsoft.com/*","zoom.com/*","*.zoom.com/*","*.zoomgov.com/*"

Set-SafeLinksPolicy "Built-In Protection Policy" -DoNotRewriteUrls "*.webex.com/*","*.zoom.us/*","zoom.us/*","*.teams.microsoft.com/*","teams.microsoft.com/*","zoom.com/*","*.zoom.com/*","*.zoomgov.com/*"

You will get a warning back saying “WARNING: All recommended properties will be controlled by Microsoft.” so it is possible that Microsoft will overwrite these “DoNotRewriteUrls” values at a later time – but for now, this works.

Safe Links Changes On Preset Security Policies – A Warning

For Teams Rooms you need the SafeLinks rewrite exempting the other products, i.e. Zoom, WebEx, Bluejeans etc. For Zoom Rooms you need to include Teams URLs in the exception list.

Leave a comment

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.