Microsoft Tech Community Live:  Microsoft Teams Edition
November 09, 2021, 08:00 AM - 12:00 PM (PST)

Secure and compliant collaboration with Microsoft Teams

Published Mar 02 2021 06:00 AM 25.7K Views

We hope you have the chance to join us virtually at Microsoft Ignite to catch all of the latest announcements. Be sure to check out our featured session, Secure and compliant collaboration with Microsoft Teams, to hear from some of our product engineering and community experts! Below is a summary of the latest Microsoft Teams announcements around security and compliance capabilities that enable safe and trustworthy online collaboration.

Microsoft Teams Multi-Geo Support
Microsoft Teams will now support Multi-Geo capabilities, similar to those already being leveraged by customers with Exchange Online, SharePoint Online, and OneDrive Multi-Geo. Microsoft 365 Multi-Geo provides greater control to organizations over the location of specific data centers their data is stored, especially helpful for multi-national organizations. Teams Multi-Geo enables customers to store Teams core customer data at rest for end users and teams in the geo locations of their choice to help meet data residency requirements. IT administrators will utilize an end user or Microsoft 365 Group’s Preferred Data Location (PDL) AAD attribute, already leveraged by existing Microsoft 365 Multi-Geo services, to specify what geo location the data should be stored in.



All existing information protection and compliance capabilities will continue working as is with Microsoft 365 Multi-Geo. For customers who are already using Microsoft 365 Multi-Geo licensing and capabilities, Teams will be included and respect PDLs that have been set by IT automating the migration. If an end user or tenant’s multi-geo license is removed, Teams data will migrate to the tenant default geo location. For customers who have not setup and enabled Microsoft 365 Multi-Geo, there will be no impact. As a reminder, Microsoft 365 Multi-Geo is designed to support data residency requirements and is not designed for performance optimization. Teams Multi-Geo will be available in Q2 2021.

End-to-end encryption option for Microsoft Teams 1:1 Calls
Today, we shared that an end-to-end encryption option for Teams 1:1 ad hoc VoIP calls will be available in preview to commercial customers planned for the first half of this year. Over the last year, we have gathered feedback from global customers, analysts, and the security community around particular industries and specific cases where end-to-end encryption (E2EE) for online collaboration might be important. To help support customer security and compliance obligations, Microsoft is planning to support E2EE for Teams 1:1 calls to provide additional option for conducting sensitive online conversations.

Organizations will have the ability to enable E2EE capabilities for 1:1 ad hoc Teams VoIP calls. In order to maintain compliance and have full discretion of how E2EE is used within the company, customers will have control of who in their organization can use this capability. E2EE for 1:1 Teams ad hoc calls can only be utilized if both the caller and callee are enabled by IT and have both opted in. As we release E2EE for Teams 1:1 calls, we will continue to learn from customers how the scenarios address their needs. We will then work to bring E2EE capabilities to online meetings later. Microsoft remains committed to helping customers address security, compliance, and privacy needs with a broad portfolio of tooling.


Meeting safety controls:
Meeting option: invite-only lobby setting
To help prevent uninvited participants from gaining access to meetings, Microsoft Teams has introduced a new lobby setting available in Teams Meeting Options where only meeting participants who were explicitly invited to the meeting can join it directly. Once this invite-only meeting option is applied by the meeting organizer, any participants who were not invited and are attempting to join the meeting will be directed to the meeting lobby. Meeting organizers can leverage this invite-only meeting option, along with applying a do-not-forward setting to the Teams meeting, to help prevent unauthorized participants from attempting to join their meeting. The Invite-only meeting option will be generally available this month.

Meeting Options (2).png


Disable attendee video during meetings
We are excited to share that soon meeting organizers will be able to disable the video of an individual or all attendees within a meeting. This meeting safety capability, similar to hard mute, will help those running a meeting or class to have more control and better manage undesired disruptions. Disable video will be rolling out later this spring.

Disable Camera (K-12).png


Meeting option: chat moderation controls
Another recent meetings option feature to help meeting organizers maintain control is the ability to moderate the meeting chat. Organizers will have the ability to determine whether meeting chat is enabled, disabled, or only enabled during the meeting. Chat moderation can be especially useful for large lectures and classroom settings where the conversation may need to be limited to during the event only. Chat moderation controls are another meeting safety tool that organizers can leverage to keep the meeting focus where they need it.

Co-authoring enabled in encrypted documents using Office Apps
Co-authoring allows multiple authors to simultaneously edit a document using different OS platforms, as well as the Office desktop apps, Office web apps, and Teams. Today we announced a new ability for multiple users to simultaneously edit an Office document that has been encrypted using Microsoft Information Protection, including auto-save. Sensitive documents will remain protected with the same sensitivity label and protection applied.

Figure 5: Apply encryption protection settings for files and emails with sensitivity labelsFigure 5: Apply encryption protection settings for files and emails with sensitivity labels


By leveraging sensitivity labels integration with Azure Rights Management service, we can protect and encrypt a document to restrict access to that content to only authorized viewers. This helps ensure that the content can only be decrypted by users authorized by the label’s encryption settings and it remains encrypted wherever it travels – inside or outside of the organization. Once a document is protected by a sensitivity label with encryption, the document can be shared as an attachment or by sharing the document link all while remaining encrypted. Note that IT must ensure it has enabled sensitivity labels for Office files to take advantage.


Safe Links for Microsoft Teams
Safe Links is a feature in Microsoft Defender for Office 365 that helps provide URL scanning and time-of-click verification of URLs in links shared through email messages and other locations across Office 365. We are happy to announce that Teams will now leverage the power of Safe Links to help protect end users against potential malicious sites shared through Teams conversations, group chats, and channels. IT administrators will need to create a Safe Links policy in Microsoft Defender for Office 365, and enable Safe Links for Teams to begin taking advantage of these new capabilities. Safe Links for Teams will begin rolling out later this month.

Safe Links.png


Reinforcing our commitment to secure collaboration
Microsoft remains committed to helping customers protect content and meet compliance obligations by offering a broad portfolio of tooling. We are building on top of our industry standard secure platform, expanding our advanced security capabilities as highlighted by these latest announcements around helping customers meet data residency requirements, adding more meeting safety and moderation controls, and providing an additional option for conducting sensitive online conversations.

Microsoft 365 supports encryption in transit and at rest which provides multiple layers of encryption to work together to secure data. For organizations who may need more control over key arrangement requirements due to compliance obligations, Customer Key allows an organization to provide and control encryption keys – now in public preview for Teams!

Microsoft 365 compliance capabilities for Adaptive Card content
With Teams being the hub for collaboration, it brings together apps and services that we also need to help ensure are protected and handled appropriately. More than 70% of the apps today generate card content in Teams conversations, much of which is business communication that falls under the purview of regulations as is with Teams chat and file content. To help organizations maintain compliance, we happily announced that Microsoft 365 compliance capabilities are available for Adaptive Card content generated through apps in Teams messages! Legal hold, eDiscovery, audit, and retention capabilities are built into the platform and will be available for all apps including first party, third party, and line-of-business apps with no additional work from developers required to enable.

Security monitoring integration with Azure Sentinel and Secure Score
To help IT and secops teams proactively detect intrusions and respond appropriately, Teams integrates with Azure Sentinel to deliver intelligent security analytics and intelligence across the enterprise. Azure Sentinel collects event data across users, devices, apps, and infrastructure for your tenant applying AI to detect threats, investigate what’s going on, and can even automate your response using some simple yet powerful Playbooks. For instance, if Sentinel identifies a user account completing a large amount of suspicious activity - like deleting a lot of channels or adding a new external account to exfiltrate a bunch of data and then quickly removing that user to try to hide what happened - Sentinel can detect these items, automatically open a ticket, post an alert to your Teams security operations channel, and give your secops team ability to take action right away or investigate further. Additionally, we’ve recently included Teams integration with Microsoft Secure Score to provide recommendations on how to strengthen your organization’s security posture. You’ll see us adding more Teams configuration best practices to Microsoft Secure Score over time.

Frequent Contributor

Thanks for enabling co-authoring using Office Apps in encrypted documents! The lack of this functionality was a major issue for one of our customers during the roll-out of security labels with Microsoft Information Protection. 


@Harold van de Kamp thanks for the feedback, glad to hear this has helped unblock your customer!


For all of the latest security and compliance news around SharePoint and OneDrive, be sure to check out

Super Contributor

Now when you speak about security I would like to ask:


What is the current estimate for fix to the data leaking case with Teams when

A) an additional speaker is invited to the recurring meeting, and that person gets access to teams' chats and documents.

B) An meeting is scheduled and before the meeting there is pre-chat session. And if one of the person is removed after this, that person is not removed from the chat.

Respected Contributor

@Petri X Hello Petri, A) Would it be a suitable workaround using the meeting options and disable the chat in the specific meeting when needing to add an additional participant? And pretty soon you'll benefit from this preventing access after the meeting ends Microsoft 365 Roadmap | Microsoft 365 B) If I'm not mistaken you need to go to the chat itself and remove the user there as well (top right corner).

Super Contributor

Hi @ChristianBergstrom 

In my mind, as long as user need to remember to go to elsewhere they most likely forget it. So it would be much more appreciated if Outlook remind organizer that "you are adding a temporary participant, select permissions for s/he". Outlook is aware of this as when you are opening recurring meeting it is asking "This is one appointment in a series. What do you want to open? a) Just this one B) The entire series".

The roadmap item in my mind is for cases when someone just share the link to the meeting. Most likely it does not have impact if organizer itself invites speaker.

Also, if end users need to remove attendees from the chats by them selves, you most likely know how well that could be done. We are humans, and we just forget things. Or it could be so, that we are away while issue is active. It is highly appreciated if the issues like this is not on end users shoulders.


Ping: @Microsoft_Teams_team 

Respected Contributor

@Petri X There are quite a few things you can set up today but I hear what you're saying. For ex. you should disable anonymous join in the Teams settings to prevent the above, if not configuring the lobby options, either per-meeting or by using policy. You also have the option "only invited users join directly". As already mentioned the above roadmap id is a great addition to prevent recurring access. And to be fair, it's not that exhausting to remove someone from the chat but get if users forget to do that ;) Let's see if someone replies to your request.

Occasional Contributor

@Petri Xand @ChristianBergstrom For me when you add a participant to one occurrence of the meeting, this occurrence should have its own chat and not be included in  the series'chat...

@Harold van de Kampdid your customer tested between desktop and web users?

@John Gruszczykwhen do the documents labeled (with encryption) with MCAS be compatible with office online  is it at least in the roapmap?



Best Regards

Stay Safe


@ChristopheHumbert are you referring to being able to co-author an encrypted doc using Office online? Or use MCAS to apply AIP classification labels automatically?

A lot of other great points brought up and would like to ask about this item " For me when you add a participant to one occurrence of the meeting, this occurrence should have its own chat and not be included in  the series' chat.."


Would you be willing to give up chat persistency across meetings for this safety feature? The push back we hear from this angle is that if guests or an internal ad hoc participant is added to a meeting and it created it's own chat for compliance/privacy - which is quite common to have happen - that's now a separate meeting/chat thread for folks to look thru. Such as if I shared a document or links in that single occurrence. We have heard that the persistency/productivity and centralization is more important. Thoughts?

Super Contributor

@John Gruszczyk 

If user invites (using calendar in Outlook or Teams, not by sending just the link) an extra person to recurring meeting for one day. Then the default option should be isolation. By that I mean, a person is unable to see chats/files from past, neither in future after the meeting.


Also for a single meeting, if you invite group of people into the meeting and they are starting to chat before the actual meeting start. If organizer removes one of attendee after that, that ex-attendee should lose her/his access to the files and the chat as well.


Another question is, if organizer should have possibilities to override the default behavior. But even if that is not possible, it would be much easier to explain to the users why the person is losing her/his access to chat/files. Today as Teams is not working in that way, we are forced to explain why a person being not anymore invited is still a participate on the chat. Explaining that to security teams or compliance teams is even more harder job, as you might guess.

Occasional Contributor

@John Gruszczyk 

Thanks for your response

I was meaning to open and edit (if user has rights) in Office online a document labeled (with encryption) by MCAS


Very good point you are mentioning....

I don' t know if technically feasible but give access to the chat during this specific occurrence of the meeting (not with history) and by default only for the chat and files mentioned during this occurrence during a period to be set-up through meeting policies for example


I thing would be a good compromise...


Best Regards


Super Contributor

One extra question about the security to you @John Gruszczyk 

When looking for the User Agent details on Teams client, does it really means that Teams is using quite old version from Chromium?

TC Forum - Teams Chrome version.png

Or is it so that Chromium does not follow Chrome's versions?


@Petri X I will have to get back to you on that one, sorry I'm not 100% sure. I'm wondering if it may have to do with Electron

New Contributor

@Microsoft_Teams_team, Defender for Office 365 documentation states that Safe Links for Teams is still in TAP Preview. So, when is this feature going to GA?

Occasional Visitor

Hi MS Team,


If the MS Teams meeting organizer is with PDL = CAN, whether the video data will be stored after the meeting as well as the chat history?



Senior Member

End-to-end encryption option for Microsoft Teams 1:1 Calls


It says end of July. I still don't have this.

If we turn on encryption and cannot do recording, then it will defeat the purpose.

Version history
Last update:
‎Mar 02 2021 12:29 PM
Updated by: