Information security has become more and more crucial for enterprises over the last 40-50 years, and protecting resources against cybercrime and attacks is unavoidable for any industry. These security demands are even more challenging in the pandemic era, when people are working remotely. Microsoft® Teams, a centralized collaboration system that inherits the security, compliance, and protection offerings of Microsoft 365, keeps organizations safe and employees productive. Although Teams has its own org-wide policies (Teams policies, meetings policies, messaging policies and much more, controlling user access and information from the Microsoft Teams admin center), it is essential to also configure security within Microsoft 365, because Teams is tightly coupled with SharePoint, Exchange, OneDrive, and whatever other services the organization integrates.
In short, Microsoft Teams, as one of the Microsoft 365 applications, inherits the security of SharePoint, OneDrive, and Exchange by default. For example, if a user who is a site member is not allowed to access a file stored in the team's SharePoint site, the same restriction applies inside the team, even though the user can open the team itself. All of these workloads can be further configured, investigated and secured for Microsoft Teams using the Microsoft 365 security, protection and compliance policies described below:
Note: This article covers only the Microsoft 365 policies that can be leveraged for Microsoft Teams security; for other security and compliance features beyond Microsoft 365 policies, see the “Learn More” section at the bottom of this article.
Security and Protection Policies for Teams
Microsoft Teams, as part of Microsoft 365, lets you configure essential Microsoft 365 security and protection policies, such as the Safe Attachments policy, Safe Links policy, Conditional Access policy and data encryption policy described below, to protect Teams content as the organization requires. A good way to start is to check Microsoft Secure Score to learn the organization's security posture (the higher the number, the better the posture); it is available in the Microsoft 365 security center, as shown in the following screen.
Based on the score, you can build an action plan from the “Improvement Actions” to raise it further. For example, “Require MFA for administrative roles” prevents attackers from accessing important information if an admin password leaks, and “Restrict anonymous users from joining meetings” helps align with company rules such as requiring an external partner to have a valid account to join a Teams meeting. Secure Score also lets you compare your score with that of organizations similar to yours, as explained here.
Safe Attachment policy
With the Safe Attachments policy, you can protect users from opening or sharing malicious files in SharePoint, OneDrive, and Teams. When a file is identified as malicious, as shown in the following screen, users cannot open it; however, they can delete it.
It is recommended to block malicious files when configuring the Safe Attachments policy in the Microsoft 365 security center, as shown in the following screen.
Safe Links policy
The Safe Links policy protects users from accessing malicious links in emails, Office documents, and Teams conversations. Its settings enable URL scanning and determine how the user may interact with a link. For example, if a user clicks a link in a Teams chat, a warning page with information about the malicious link is shown, as in the following screen.
It is a best practice to enable the “Do not allow users to click through to original URL” setting when configuring the Safe Links policy, as shown in the following screen, so that users cannot proceed to a URL that has been flagged as malicious.
More information on how the Safe Links policy is configured and how it works is available here.
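The Safe Attachments and Safe Links settings described above, expressed as an added Exchange Online / SharePoint Online PowerShell example (not code from the article). The policy names, tenant admin URL and domain are placeholders; the `Connect-SPOService` step needs the SharePoint Online Management Shell module.

```powershell
# Added example, not from the article. Run as a Security Administrator.
Connect-ExchangeOnline

# 1. Safe Attachments for SharePoint, OneDrive and Teams is a single
#    tenant-wide switch. With it on, files are scanned after upload and a
#    detected file is flagged (the "malicious" banner shown in the article).
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# 2. Flagging alone still allows the file to be downloaded. Block that;
#    users keep the ability to delete the flagged file, as the article notes.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder tenant
Set-SPOTenant -DisallowInfectedFileDownload $true

# 3. Safe Links policy that also covers Teams, rewrites/scans URLs and does
#    not let users click through once a URL has been flagged.
New-SafeLinksPolicy -Name "Teams Safe Links" `
    -EnableSafeLinksForTeams  $true `
    -EnableSafeLinksForEmail  $true `
    -EnableSafeLinksForOffice $true `
    -ScanUrls $true `
    -DeliverMessageAfterScan $true `
    -AllowClickThrough $false `
    -TrackClicks $true

# A Safe Links policy applies to nobody until a rule scopes it.
New-SafeLinksRule -Name "Teams Safe Links - all users" `
    -SafeLinksPolicy "Teams Safe Links" `
    -RecipientDomainIs "contoso.com"    # placeholder domain

# Verify the effective settings rather than trusting the portal screenshot.
Get-AtpPolicyForO365 | Select-Object EnableATPForSPOTeamsODB
Get-SafeLinksPolicy -Identity "Teams Safe Links" |
    Select-Object EnableSafeLinksForTeams, AllowClickThrough, TrackClicks
```

If a preset security policy (Standard or Strict) is already assigned to the same recipients, it takes precedence over this custom policy, so check `Get-SafeLinksRule` ordering when the expected warning page does not appear.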
Conditional Access policy
A Conditional Access policy enforces the desired access controls, such as allowing or blocking access based on users, locations, devices, and applications, so that unexpected app access does not compromise the organization, as shown in the following screen:
For example, if a Conditional Access policy includes “Microsoft Teams” as a cloud app, it applies to the specified users according to the other criteria, such as the device, location, or client application from which the app is accessed. When a user covered by the policy signs in to Microsoft Teams, a message like the following is displayed:
For more information about Conditional Access, see the documentation here, which explains the overview, deployment, and commonly used Conditional Access policies in organizations.
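An added example (not from the article) of the Teams-scoped Conditional Access policy described above, created with the Microsoft Graph PowerShell SDK. It requires MFA for a pilot group when Teams is accessed from outside trusted named locations; the group id is a placeholder, and the policy is created in report-only mode so the sign-in logs show its impact before it blocks anyone.

```powershell
# Added example, not from the article. Needs the Microsoft.Graph module.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Resolve the Teams cloud app by display name instead of hard-coding its id.
$teams = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Teams'"

$policy = @{
    displayName = "Teams: require MFA outside trusted locations"
    # Report-only first; switch to "enabled" after reviewing sign-in logs.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @("00000000-0000-0000-0000-000000000000")  # placeholder pilot group
            excludeGroups = @("11111111-1111-1111-1111-111111111111")  # placeholder break-glass group
        }
        applications   = @{ includeApplications = @($teams.AppId) }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
        locations      = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")   # trusted named locations are exempt
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Keep at least one emergency-access (break-glass) account excluded from every Conditional Access policy; a policy that requires MFA for all admins with no exclusion can lock the tenant out if the MFA provider is unavailable.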
Data Encryption Policy
A data encryption policy (DEP) is part of setting up Customer Key, which encrypts content at the application level and provides an additional layer of security to meet organizational compliance obligations, for example when leaving the Microsoft 365 service. You can now assign a customer key to Microsoft Teams to encrypt new Teams files stored in SharePoint Online through a single data encryption policy at the tenant level. As a customer, you can revoke access when you decide to leave the Microsoft 365 service, which renders the data cryptographically unrecoverable and so satisfies security and compliance regulations.
To encrypt Microsoft Teams content with a DEP and Customer Key, upload the keys to Azure Key Vault and grant the SharePoint Online service access to them. Users' files are then encrypted and remain accessible. However, once the keys are deleted because you decided to leave the service, users can no longer access files in SharePoint Online; the service shows a message like the following, since it no longer holds the information needed to decrypt the data.
This layer of security prevents anyone, including Microsoft, from accessing the data, so as a customer you can rest assured about the controls on your data. More information on strengthening your data by setting up a data encryption policy for Microsoft Teams using Customer Key is available here.
Compliance policies for Teams
Microsoft 365 compliance policies help Microsoft Teams meet organizational compliance guidelines through the Information Barrier policy, Communication Compliance policy, sensitivity label policy, data loss prevention policy and retention policy described below. For compliance features beyond these policies, see the “Learn More” section at the bottom.
Information Barrier Policy
To regulate Teams communication between specific groups of users for compliance reasons, an Information Barrier policy comes in handy: it blocks or allows communication between sets of users by defining communication restrictions. For example, when a team owner tries to add a user to a team affected by an information barrier restriction, the following message is shown:
This policy is triggered for 1:1 chats, group chats, meeting invitations, screen sharing, phone calls, and adding a user as a guest. For more information on IB policies, click here.
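The two-way information barrier described above, as an added Security & Compliance PowerShell example (not from the article). The segment names and the `Department` attribute values are placeholders; tenant prerequisites such as scoped directory search are not shown.

```powershell
# Added example, not from the article. Needs the ExchangeOnlineManagement module.
Connect-IPPSSession

# Segments are defined by a filter over directory attributes (here Department).
New-OrganizationSegment -Name "Investment Banking" -UserGroupFilter "Department -eq 'IB'"
New-OrganizationSegment -Name "Research"           -UserGroupFilter "Department -eq 'Research'"

# A barrier must be declared from both sides, otherwise one segment can
# still initiate chats, calls or guest additions toward the other.
# Create both halves inactive so nothing changes until they are applied together.
New-InformationBarrierPolicy -Name "IB-blocks-Research" `
    -AssignedSegment "Investment Banking" -SegmentsBlocked "Research" -State Inactive
New-InformationBarrierPolicy -Name "Research-blocks-IB" `
    -AssignedSegment "Research" -SegmentsBlocked "Investment Banking" -State Inactive

# Activate and apply. Application runs asynchronously in the background.
Set-InformationBarrierPolicy -Identity "IB-blocks-Research" -State Active
Set-InformationBarrierPolicy -Identity "Research-blocks-IB" -State Active
Start-InformationBarrierPoliciesApplication
Get-InformationBarrierPoliciesApplicationStatus

# Troubleshooting: when a team owner reports the "cannot add user" message
# from the article, check which segments each user resolves to.
Get-InformationBarrierRecipientStatus -Identity "alice@contoso.com" -Identity2 "bob@contoso.com"
```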
Communication Compliance Policy
Communication Compliance policies in Microsoft 365 help detect and act on unprofessional messages in Microsoft Teams that may put your organization at risk. This helps regulate internal and external communications according to organizational standards. It also detects unexpected activity, such as growth in the number of Teams channels or in the volume of messaging data. Configuring Communication Compliance policies supports a healthy culture between the organization and its employees. Behind the scenes, it uses machine learning over signals from various channels such as Exchange, Teams, Yammer, and Skype for Business. For example, as a Communication Compliance admin, you can set up a policy for Teams that matches any offensive words defined in its condition, as shown in the following screen, and as a reviewer you are alerted when a match occurs. Learn about planning and configuring communication compliance here.
Sensitivity Label Policy
Sensitivity label policies help secure and protect content in Microsoft Teams that is created during collaboration, for example when creating or editing a team. For instance, as an administrator, you want to allow users to create only private teams. In that case, create and publish a sensitivity label called “Confidential” with the “Private” privacy option. When a user then creates a team and applies the “Confidential” label to it, the user sees only “Private” as a privacy option, as shown in the following screen. More information on sensitivity labels for Microsoft Teams is available here.
Data loss prevention policy
Prevent people from sharing sensitive business information with internal or external users in Teams chat and channel messages by defining a data loss prevention (DLP) policy. For example, if a user sends a social security number in a Teams channel and a DLP policy created in the Microsoft 365 compliance center prohibits that, the policy automatically detects the action and blocks the message, as shown in the following screen.
You can also configure incident reports to be sent to the relevant users when a specified number of instances of sensitive information is shared at one time. More information about DLP policies in Microsoft Teams is available here.
Retention policy
Retention policies help manage Teams chats according to organizational policies, legal requirements, or industry standards. For example, you can create a retention policy to delete Teams chats after five years, as shown in the following screen. It also offers settings such as retaining chat data, deleting it, or retaining it for a specific period and then deleting it. More information about how retention policies work for Microsoft Teams is available here.
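The sensitivity label, DLP and retention configurations described in the three sections above, as one added Security & Compliance PowerShell example (not from the article). The label name, the SSN example and the five-year figure follow the article; policy names, the reviewer mailbox and the match threshold are placeholders.

```powershell
# Added example, not from the article. Needs the ExchangeOnlineManagement module.
Connect-IPPSSession

# --- Sensitivity label that locks team privacy to Private and excludes guests.
#     (Container labels also need EnableMIPLabels=True in the Group.Unified
#     directory setting; that one-time step is not shown here.)
New-Label -Name "Confidential" -DisplayName "Confidential" `
    -Tooltip "Team must be private; no guest access" `
    -SiteAndGroupProtectionEnabled $true `
    -SiteAndGroupProtectionPrivacy Private `
    -SiteAndGroupProtectionAllowAccessToGuestUsers $false
New-LabelPolicy -Name "Teams container labels" -Labels "Confidential" -ExchangeLocation All

# --- DLP: block a Teams message containing a U.S. SSN and report it.
#     Start in test mode with notifications; switch -Mode to Enable once the
#     false-positive rate is acceptable.
New-DlpCompliancePolicy -Name "Teams SSN" -TeamsLocation All -Mode TestWithNotifications
New-DlpComplianceRule -Name "Teams SSN - block" -Policy "Teams SSN" `
    -ContentContainsSensitiveInformation @(@{Name = "U.S. Social Security Number (SSN)"; minCount = "1"}) `
    -BlockAccess $true `
    -NotifyUser "LastModifier" `
    -GenerateIncidentReport "dlp-reviewers@contoso.com" `
    -IncidentReportContent "Title", "Detections", "Severity" `
    -ReportSeverityLevel High

# --- Retention: delete Teams chats five years (1825 days) after they were sent.
New-RetentionCompliancePolicy -Name "Teams chat 5y" -TeamsChatLocation All -Enabled $true
New-RetentionComplianceRule -Name "Teams chat 5y - delete" -Policy "Teams chat 5y" `
    -RetentionDuration 1825 `
    -RetentionComplianceAction Delete `
    -ExpirationDateOption CreationAgeInDays

# Confirm the retention rule is attached and the DLP policy mode before leaving test mode.
Get-RetentionComplianceRule -Policy "Teams chat 5y" | Select-Object Name, RetentionDuration, RetentionComplianceAction
Get-DlpCompliancePolicy -Identity "Teams SSN" | Select-Object Name, Mode, TeamsLocation
```

Raising `minCount` (for example to 5) turns the same rule into the "report only when many instances are shared at once" behaviour the DLP section mentions; a second rule with a higher threshold and a higher severity is the usual pattern.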
Dipti Chhatrapati is a passionate and ambitious Microsoft professional with more than 12 years of experience as a Developer, Consultant, Architect, and Manager on SharePoint (2007, 2010, 2013), Office 365, and Power Platform projects. Learn more at Insightrun with Dipti C.
To write your own blog on a topic of interest as a guest blogger in the Microsoft Teams Community, please submit your idea here: https://aka.ms/TeamsCommunityBlogger