Microsoft 365 Teams Guest Access Enabled

Elastic Detection Rules

Summary
This detection rule identifies configuration changes that enable guest access in Microsoft Teams, which may be unauthorized and can give external users access to sensitive organizational resources. The rule uses Microsoft 365 audit logs to monitor actions taken within Teams: it flags a successful 'Set-CsTeamsClientConfiguration' action whose 'AllowGuestUser' parameter is set to true. Enabling guest access carries risk because adversaries may use this feature to persist access within an organization's environment. False positives may arise from legitimate administrative actions, so expected changes must be distinguished from unauthorized ones through careful review and verification. Suggested investigation steps include reviewing the logs to identify the user who enabled guest access, assessing the legitimacy of that action, and verifying compliance with organizational policy. The rule also includes response guidance, emphasizing immediate corrective measures, thorough investigation of the event, and notification of security stakeholders where warranted.
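The matching logic described above, written out as an added Python illustration (not the rule's own query or Elastic's code) and run over a handful of constructed audit events. The nested field layout (event.dataset, event.provider, event.action, event.outcome, o365.audit.Parameters.AllowGuestUser, user.id) is assumed from the ECS-style output of Elastic's o365 integration; the page itself names only the action and the parameter. The parameter is compared case-insensitively as a string because audit pipelines commonly log cmdlet parameters as 'True'/'False' rather than as booleans.

```python
"""Added illustration of the 'Microsoft 365 Teams Guest Access Enabled'
detection logic over constructed sample events. Field names are assumed
from Elastic's o365 integration (ECS layout), not taken from the page."""

from typing import Any, Iterable


def _get(event: dict, dotted: str) -> Any:
    """Walk a dotted field path ('event.action') through nested dicts;
    return None if any segment is missing instead of raising."""
    cur: Any = event
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def _is_true(value: Any) -> bool:
    """Accept a real boolean or the string form 'True' (any case) that
    cmdlet parameters are typically logged as."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "true"


def matches_guest_access_enabled(event: dict) -> bool:
    """True for a successful Set-CsTeamsClientConfiguration in the Teams
    audit feed whose AllowGuestUser parameter is set to true."""
    return (
        _get(event, "event.dataset") == "o365.audit"
        and _get(event, "event.provider") == "MicrosoftTeams"
        and _get(event, "event.action") == "Set-CsTeamsClientConfiguration"
        and _get(event, "event.outcome") == "success"
        and _is_true(_get(event, "o365.audit.Parameters.AllowGuestUser"))
    )


def detect(events: Iterable[dict]) -> list[dict]:
    """Return one alert record per matching event with the fields an
    analyst wants first: when it happened and which account did it."""
    alerts = []
    for ev in events:
        if matches_guest_access_enabled(ev):
            alerts.append({
                "timestamp": _get(ev, "@timestamp"),
                "user": _get(ev, "user.id"),
            })
    return alerts


def _teams_event(ts: str, user: str, outcome: str, params: dict,
                 action: str = "Set-CsTeamsClientConfiguration") -> dict:
    """Build a constructed sample event in the assumed ECS-style layout."""
    return {
        "@timestamp": ts,
        "event": {"dataset": "o365.audit", "provider": "MicrosoftTeams",
                  "category": ["web"], "action": action, "outcome": outcome},
        "user": {"id": user},
        "o365": {"audit": {"Parameters": params}},
    }


# Constructed sample input (hypothetical accounts and timestamps).
SAMPLE_EVENTS = [
    # Guest access enabled successfully: should alert.
    _teams_event("2024-01-10T09:12:03Z", "admin@example.invalid", "success",
                 {"AllowGuestUser": "True"}),
    # Guest access explicitly disabled: not a match.
    _teams_event("2024-01-10T09:15:40Z", "admin@example.invalid", "success",
                 {"AllowGuestUser": "False"}),
    # Attempt failed (e.g. insufficient rights): not a match.
    _teams_event("2024-01-10T10:02:11Z", "helpdesk@example.invalid", "failure",
                 {"AllowGuestUser": "True"}),
    # Same cmdlet changing an unrelated setting: not a match.
    _teams_event("2024-01-10T11:30:00Z", "admin@example.invalid", "success",
                 {"AllowEmailIntoChannel": "True"}),
    # Boolean form of the parameter: should alert as well.
    _teams_event("2024-01-11T08:00:00Z", "svc-teams@example.invalid", "success",
                 {"AllowGuestUser": True}),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints two alerts, one for each account that successfully enabled guest access; the disabled, failed and unrelated-parameter events are dropped, which is the behaviour the rule's description calls for. The user id carried in each alert is the starting point for the investigation step of identifying who made the change.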
Categories
  • Cloud
  • Web
  • Identity Management
Data Sources
  • Logon Session
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1098
Created: 2020-11-20