Microsoft Teams Simulations

This feature is currently in Beta. Contact your Customer Success Manager for latest updates on this feature.

This document provides technical guidance for the configuration to send Microsoft Teams based phishing simulations within your organization. These simulations use a “bad actor” lightweight Microsoft 365 account that is given access to Microsoft Teams for the sole purpose of sending simulation messages to “colleagues”. These messages are sent for the sole purpose of training employees to better detect phishing attacks via means other than email.

Microsoft Teams based simulations outline a real-life scenario of an employee who has had their corporate credentials or their device compromized – both are viable outcomes from a sophisticated phishing attack on an employee, or their company.

Requirements

The following are requirements to successfully launch Teams Phishing Simulations in your organization.

  • A Microsoft 365 User License must be available, providing access to Microsoft Teams, for every simulation “bad actor” user account created. The most cost-effective option may be a Microsoft 365 F1 license.
  • Microsoft Entra ID Security Defaults must not be enabled in your organization, to allow simulation “bad actor” users to have Multi-Factor Authentication (MFA) switched off.
  • SCIM Integration must be configured with your Entra ID (Azure AD), to synchronize users – Setting up SCIM with Entra ID

Step One: Enable User ingestion (SCIM) from your Entra ID

A prerequisite for this feature is to first setup SCIM API integration with your Entra ID (formerly Azure AD).

This ensures that users in your organization are synchronized with the OutThink platform, and the correct Entra ID identifiers are used. OutThink requires these identifiers to send messages to users within Microsoft Teams. If SCIM Integration is not correctly setup for your Organization, Microsoft Teams messages will not arrive.

If you have not already done so, refer to the Entra ID SCIM Integration setup instructions here.

Step Two: Create Microsoft 365 “Bad Actor” account


For assistance with the below steps, follow Microsoft help guidance here.

The user account that you create here does not need to be permanent. You can create the account immediately before the phishing simulation campaign is launched, and delete it afterwards.
Alternatively, keeping the account for longer periods means that it can be re-used across multiple campaigns in the future. Your strategy here is up to you.

  • Sign in to the Microsoft 365 Admin Center with an account in the desired tenant with the appropriate administrative rights.
  • In the left-side menu, expand the Active Users tab, then Add a User.
  • The name given to this user will be instantly visible in Microsoft Teams for any user receiving the simulated attack. The example below uses “Marie Sandoza”, but you can choose any name you wish. Select the name wisely to maximize impact of the simulation.
  • Select an appropriate unique email address, and record this. You will need this later.
  • Set a complex password, and record this securely. You will need it later.
  • Click Next.

Setting License & Properties

  • Grant the new user an appropriate license that grants access to Microsoft Teams.
  • Click Next.
  • Complete the creation of the user by setting appropriate properties. You may wish to segregate this user into a special organization unit, department or division to ensure it is treated seperately from your operational organization.
  • Click Next followed by Finish Adding.

Finding User’s Object ID

The new user just created has a unique Object ID in your Entra ID Directory.
We need to find and record this identifier as it will be needed in the final step of the configuration.

  • Navigate to the Microsoft 365 Admin Center with an account in the desired tenant with the appropriate administrative rights.
  • In the left-side menu, expand the Admin Centers section at the bottom and then select the Microsoft Entra option to launch the admin console in a new browser window.
  • Select Users.
  • Browse to or search for the new user, then select the account name to view the user account’s profile information.
  • The Object ID is located in the Identity section on the right. Record this value.

Step Three: Disable Multi-Factor Authentication (MFA)

To send Teams messages seamlessly, we need to disable MFA for this user. Whilst it may be possible to use a user account that has had security information registration deferred, the recommendation is to permanently disable MFA on this user account.

For most Enterprise customers with an Entra ID Premium P1 or P2 license, disabling MFA for a single user can be achieved through an exception in your Conditional Access Policies.

Refer to your own policies and exclude this user from any relevant MFA-based policy. For assistance, contact your Information Security or IT Team.

The following instructions are provided for reference only and may not be appropriate in your organization.

  1. Sign-in to Microsoft Entra admin center with an account in the desired tenant with the appropriate administrative rights.
  2. Navigate to the Protection drop-down box and select the Conditional Access option.
  3. Click on + Create new policy to create a new policy and give a suitable name for your policy.
  4. Under Assignments, add All users in the Include section and select the new “bad actor” user account in the Exclude section.
  5. Under the Access controls section, grant access by selecting Require multifactor authentication from the Grant blade, and then click Select to confirm your choice.
  6. Finally, enable the policy to On mode and click Create.

Please remember that the existence of the “bad actor” user account and any MFA exceptions can be temporary for the life of the Teams phishing simulation, and removed subsequently.

Step Four: Command Center Configuration

The final stage of configuration is to provide the details of your new “bad actor” account in the Command Center, so that it can be used to send simulated phishing messages.

Login to the Command Center, and navigate to Settings. Ensure the correct organization is selected on the left, and head to Integrations > MS Teams Simulations. Ensure the feature is Enabled and then click Settings.

The following information should be supplied here:

Microsoft Entra tenant ID – The unique identifier of your Entra tenant. Refer here for assistance finding this identifier.
User email – The email address of the user account you just created in the M365 Admin Center.
User password – The password of the user saved from the previous section.
User Azure ID – The Object ID of the user in your Entra ID, as saved from the previous section.

If you wish, you can add further bad actor accounts on this screen. Where more than one account exists, the OutThink platform will select a random account to use for each simulation that you create.

When done, click Save changes.

Testing

Before sending any large-scale simulations, it is important to test the integration. This can be done by running a Microsoft Teams Phishing Simulation to a group of a few users from the OutThink Command Center.

Please follow the steps in our help guide, or contact your OutThink Customer Success representative for assistance.


Disclaimer

Your use of Microsoft 365 will be bound by terms of use accepted by your organization during sign-up. OutThink accept no responsibility whatsoever for any use of such accounts which may contravene terms and conditions which your organization has previously accepted. It is your responsibility for ensuring that use of Microsoft 365 for the purposes stated in this document, including sending simulated phishing attacks via Microsoft Teams, adhere to any local or regional terms outlined by Microsoft and accepted by you.


Banner photo by Mika Baumeister

Was this helpful?

2 / 0