Microsoft Teams is the hub for teamwork. What does that mean?
We can, and we definitely should use Teams as our digital workplace or desktop. We can store files and information in Teams, build business applications, automate tasks, embed external applications/data, and use it for communications. That’s a lot of information and DATA.
We often focus on fancy features and functions (what we can see and touch), but we also MUST keep in mind that all data we store must be SECURED.
Teams uses multiple services across Microsoft 365, and we must know where our data is located, how we can secure it, how to prevent information from leaking, and how to securely share our data.
In this eBook, we are going to consider security features available for Teams as a service and for related objects. Specifically, we will look at:
- Where our data is located (logically and physically), and what that means
- What are labels, when to use them, and how?
- Deletion is part of the data lifecycle, and we take a look at that process
- Data Loss Prevention – what is it, and why do I need it?
- Sharing information with external people
There is no one single place where Teams stores its data. In fact, there are many different services across Microsoft 365 and Azure where data is saved. This knowledge is important to understand many Teams mechanisms and properly secure our information.
This diagram describes where each portion of data is saved. It may look complicated, but we can easily show it in a more logical way.
As you can see, Exchange Online plays the main role in this puzzle. It stores:
- Messages (sent using private chats or channel chats)
- Calendar meetings
Files are stored as follows:
- Chat files (sent using private chats) are saved in our OneDrive for Business
- Teams files (sent on channels or uploaded to the Files tab) are saved in a dedicated SharePoint site collection. Each team creates a dedicated SharePoint Online site collection. Each private channel also creates a dedicated site collection!
- Meeting recordings are saved in Microsoft Stream, so each recording will be available from Stream and will inherit Stream security settings.
Note: The information above applies to data at rest – when a file or message is saved.
Logical data locations are only one part of the equation. The physical location of each file is also important because we live in a world full of regulations and laws. Each country can provide regulations and obligations for data storage. There are also global regulations (e.g., EU). That’s why Microsoft provides information about Data residency for the main services across Microsoft 365.
For Teams, main data residencies are displayed on the following map.
Microsoft keeps adding residencies, so for current information you should go to this page.
You can also check manually where your tenant data is located. To do that, you must have administrator rights on Microsoft 365.
- Go to Microsoft 365 admin center (https://portal.office.com/adminportal/home)
- Go to Settings in the left-hand menu
- Go to Organization profile sections and select Data location option
- You will get detailed information about each main service. In this example, all data (for Exchange Online, SharePoint Online, Skype for Business, and Microsoft Teams) are located in the European Union.
There are two types of labels:
- Classification labels
- Sensitivity labels
Classification labels are text labels associated with some portion of data (e.g., list item, document, team, etc.). You can create such labels and use them as metadata. Classification labels won’t let you assign any policy or rule based on them.
Sensitivity labels are settings that allow you to assign policies and rules automatically based on those labels. Sensitivity labels are not limited to Teams – we can use them in SharePoint sites and Microsoft 365 groups.
To enable sensitivity labels, we must go through the following steps:
Enable label support in PowerShell
- Start a PowerShell window and run the cmdlets (you will have to sign in to your account)
- Get current settings (the cmdlets below come from the AzureADPreview module; Connect-AzureAD prompts for the sign-in)
Connect-AzureAD
# Read the Group.Unified directory setting. If this returns nothing, the setting has not been
# created yet and must first be created from the Group.Unified template with New-AzureADDirectorySetting.
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
- Enable labels
$Setting["EnableMIPLabels"] = "True"
- Save the changes
Set-AzureADDirectorySetting -Id $Setting.Id -DirectorySetting $Setting
- To quickly check configuration, you can navigate to Azure AD admin center (https://aad.portal.azure.com/), select Groups, and then New group. Change Group type to Office 365, and you should be able to select Sensitivity labels
In this example, I can assign the Confidential – Project Unicorn label to my Microsoft 365 group.
- Synchronize labels to Azure AD: start a PowerShell window and run the cmdlets
$UserCredential = Get-Credential
# Connect to Security & Compliance Center PowerShell (the newer ExchangeOnlineManagement module offers Connect-IPPSSession for the same purpose)
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking
# This cmdlet performs the actual synchronization of sensitivity labels to Azure AD
Execute-AzureAdLabelSync
When it’s done, we can go to the Microsoft 365 Security and Compliance center (https://protection.office.com/) and create our first label.
- Go to Classifications section and open Sensitivity labels page
- Click Create a label and a new form will display
- Fill the required fields on each page
- On the Site and group settings page, you can select security options for Microsoft 365 group or SharePoint site
- On the last page review the information and Create a label
Now we can create a new Label policy and publish it.
- Go to Label policies tab and click Publish labels
- First, we must select our brand new label, then provide a name and other information, and submit the policy
Our Sensitivity label is ready to use! To check how it works, we can try to create a new Team.
As you can see, Sensitivity dropdown is available (1), and we can only select Private teams (2). That’s because of our label settings.
For a full list of sensitivity labels feature and options, please go to the page https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels?view=o365-worldwide#what-label-policies-can-do.
Each object in Teams can be deleted – file, item, message, channel, team, etc. (we need proper permissions and configuration to be able to delete all objects). If we delete an object accidentally or we need to restore that object – it is possible, but we must go back to the data location section! Options available for restoring removed objects are strictly correlated to the place where that object is saved (file in SharePoint, etc.).
For basic Teams objects we can:
Restore deleted channel
To restore a channel, we must go to the Manage team section, select Channels, and then select the removed channel in the Deleted area (1). Then we can simply click the Restore button (files and conversations will be restored).
Restore deleted team
We can restore a removed team using PowerShell or via the Azure AD portal.
Go to the Azure AD Portal, select Groups, and then Deleted groups (1). You will get a list of all Microsoft 365 groups deleted in the last 30 days. To restore a group, simply select the group that needs to be restored (2) and click Restore group (3). Deleted groups that are not restored will be automatically and permanently removed after 30 days!
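The PowerShell route mentioned above, as an added example that is not part of the original eBook. It assumes the AzureAD module and an administrator account; the team name is a hypothetical value.

```powershell
# Added example (not from the eBook): find a soft-deleted Microsoft 365 group that backed a team
# and restore it. Assumes the AzureAD module is installed and the signed-in account is an admin.
Connect-AzureAD

# Hypothetical team name used for this example
$teamName = "Project Unicorn"

# Soft-deleted groups stay recoverable for 30 days; after that they are permanently removed
$deleted = @(Get-AzureADMSDeletedGroup | Where-Object { $_.DisplayName -eq $teamName })

if ($deleted.Count -eq 0) {
    Write-Warning "No soft-deleted group named '$teamName' found (already restored, or past the 30-day window)."
    return
}

if ($deleted.Count -gt 1) {
    # Display names are not unique; never guess which one to restore
    Write-Warning "Several deleted groups match '$teamName'. Pick the right Id and restore it explicitly:"
    $deleted | Select-Object Id, DisplayName
    return
}

# Show what we are about to restore
$deleted[0] | Select-Object Id, DisplayName

# Restoring the group brings the team back together with its SharePoint site and mailbox
Restore-AzureADMSDeletedDirectoryObject -Id $deleted[0].Id
```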
Retention policies help us keep information that we must retain for a specific period of time or that is considered valuable. On the other hand, we can easily and automatically remove useless information or information that’s considered a liability.
A retention policy can be created for many different workloads (not only for Teams) and can be configured in the Microsoft 365 compliance center.
- Microsoft Teams requires a retention policy that’s separate from other workloads. In other words, you have to create specific retention policies for Teams chats and/or channel messages.
- Private channel messages aren’t supported. Retention policies for Teams only apply to standard channel messages.
- Microsoft Teams doesn’t support advanced retention settings, such as the ability to apply a policy to content that contains keywords or sensitive information.
- A Microsoft Teams retention policy will trigger a process to delete chat and channel messages when those messages expire (based on message creation date). However, depending on service load, it may take up to seven days to permanently delete these messages from the backend storage and Teams app.
Create and manage retention policies
To create a retention policy:
- Navigate to Security & Compliance Center (https://protection.office.com/)
- Go to the Information governance section and select Retention
- Select Create
- On Settings page define retention parameters
- On Choose locations page define workloads (we can choose all related to Teams or a specific one like Teams chats).
- At the end, submit the new policy. Retention policies take up to 1 day to become active for the selected workloads.
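The same Teams retention policy created from Security & Compliance Center PowerShell instead of the portal, as an added example that is not part of the original eBook. It assumes the ExchangeOnlineManagement module and an administrator account; the policy name and the 365-day duration are hypothetical values.

```powershell
# Added example (not from the eBook): create a Teams-only retention policy and its rule.
# Assumes the ExchangeOnlineManagement module (Connect-IPPSSession) and compliance admin rights.
Connect-IPPSSession

# Hypothetical policy name
$policyName = "Teams chats - delete after 1 year"

# Teams needs its own policy: only the Teams chat and channel-message locations go here,
# never mixed with Exchange or SharePoint locations. Private channel messages are not covered.
New-RetentionCompliancePolicy -Name $policyName `
    -Comment "Delete Teams chat and standard channel messages one year after creation" `
    -TeamsChatLocation All `
    -TeamsChannelLocation All

# The rule carries the retention settings: delete messages 365 days after they were created
New-RetentionComplianceRule -Name "$policyName rule" `
    -Policy $policyName `
    -RetentionDuration 365 `
    -ExpirationDateOption CreationAgeInDays `
    -RetentionComplianceAction Delete

# Verify the locations and the distribution status (activation can take up to a day, as noted above)
Get-RetentionCompliancePolicy -Identity $policyName -DistributionDetail |
    Select-Object Name, TeamsChatLocation, TeamsChannelLocation, DistributionStatus
Get-RetentionComplianceRule -Policy $policyName |
    Select-Object Name, RetentionDuration, ExpirationDateOption, RetentionComplianceAction
```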
For detailed information about Retention in Teams and policies, please visit Microsoft page – https://docs.microsoft.com/en-us/microsoftteams/retention-policies.
Information or data leaks are very common and can cause significant harm to an organization. We can divide leaks into two categories – intentional actions and accidental actions. Intentional actions must be countered at many different levels, which is outside the scope of this eBook.
Accidental (or semi-accidental) actions can be caused by a lack of procedure knowledge, missing information policies, bad information habits, etc.
In many cases, it is very simple – people don’t know that specific information is confidential, and they send it through open channels or to external people.
To prevent this kind of leak, we can use the Data Loss Prevention mechanism inside Microsoft 365.
In Teams, DLP can support us by:
Protecting sensitive information in messages
Suppose an employee tries to send sensitive or confidential information using chat with an external user in Teams. If we set up a DLP policy, we can monitor chats with the external world and block communication that contains specific information (e.g., insurance numbers, credit card numbers, PII, company-specific data).
Protecting sensitive information in documents
Suppose an employee tries to send documents with sensitive information using chat in Teams. DLP policy monitors files and will react if it finds specific information inside a document (e.g., credit card number).
Create and manage DLP policies
- First, we should create a Sensitive info type for our DLP policy
- Navigate to Microsoft 365 Security and Compliance center (https://protection.office.com/)
- Go to Classifications section and select Sensitive info types
- Select Create and provide Name and Description
- On Requirements for matching we must create a detailed rule using three types of detection methods:
  - Keywords (a list of keywords that DLP will use when searching content)
  - Regular expression (used by DLP to match content against patterns)
  - Dictionary (a large list of keywords)
- Then we can provide Supporting elements and set the Confidence level
- When ready, save and submit the new sensitive info type
- Finally, we can upload a test file for testing purposes or skip it
Now we can go and create a new DLP policy.
- Navigate to the Data loss prevention section and select Policy
- Click Create a policy and select existing template or create a custom one
- On Choose locations, we can specify in which workload our DLP policy will work. We can select Exchange email, SharePoint sites, OneDrive accounts, or Teams chat and channel messages.
- On the Policy settings page, we must select our Sensitive info type. Based on that rule, our DLP policy will try to match the content.
- At the end, we can specify additional parameters (e.g., email notifications, show tips to user, etc.)
- Then we can save and submit our DLP policy.
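A Teams-scoped DLP policy built from Security & Compliance Center PowerShell, as an added example that is not part of the original eBook. It assumes the ExchangeOnlineManagement module and an administrator account; it uses the built-in Credit Card Number sensitive info type rather than a custom one, and the policy name, thresholds and tip text are hypothetical values.

```powershell
# Added example (not from the eBook): DLP policy that blocks credit card numbers in Teams messages.
# Assumes the ExchangeOnlineManagement module (Connect-IPPSSession) and compliance admin rights.
Connect-IPPSSession

# Hypothetical policy name
$policyName = "Teams - block credit card numbers"

# Scope the policy to Teams chat and channel messages only.
# Start with -Mode TestWithNotifications to tune it before switching to Enable.
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Block credit card numbers sent in Teams chats and channels" `
    -TeamsLocation All `
    -Mode TestWithNotifications

# Rule: match at least one credit card number at high confidence, block the message and
# show the sender a policy tip explaining why. Thresholds are hypothetical values.
New-DlpComplianceRule -Name "$policyName rule" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "1"; minConfidence = "85" } `
    -BlockAccess $true `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "This message contains a credit card number and is blocked by company policy."

# Verify scope, mode and the rule's actions
Get-DlpCompliancePolicy -Identity $policyName | Select-Object Name, Mode, TeamsLocation
Get-DlpComplianceRule -Policy $policyName | Select-Object Name, BlockAccess, NotifyUser

# Once the test phase shows no false positives, enforce the policy
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```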
When a user sends a chat message or document with sensitive information, they will be notified about the incident.
Chat message notification
Sharing information with external employees or partners is a very common practice. Sharing allows us to quickly send information and get feedback, but we must be aware of the pros and cons.
Guest vs. External user
Microsoft Teams allows us to collaborate with two types of users:
A guest user is someone outside your organization without an account in your organization (e.g., partner, vendor, consultant). The guest user can be invited to a team and can work with you inside that team.
An external user is someone that uses Teams or Skype for Business and is federated with your organization.
Guests and External users have different capabilities when working with you in Teams. The table below summarises their permissions.
| Feature | External user | Guest user |
|---|---|---|
| User can chat with someone in another company | Yes | Yes |
| User can call someone in another company | Yes | Yes |
| User can see if someone from another company is available for call or chat | Yes | Yes |
| User can search for users across external tenants | Yes | No |
| User can share files | No | Yes |
| User can access Teams resources | No | Yes |
| User can be added to a group chat | No | Yes |
| User can be added to a meeting | Yes | Yes |
| Additional users can be added to a chat with an external user | No | N/A |
| User is identified as an external party | Yes | Yes |
| Presence is displayed | Yes | Yes |
| Out of office message is shown | No | Yes |
| Individual user can be blocked | No | No |
| @mentions are supported | No | Yes |
| Make private calls | Yes | Yes |
| Allow IP video | Yes | Yes |
| Screen sharing mode | No | Yes |
| Allow meet now | No | Yes |
| Edit sent messages | No | Yes |
| Can delete sent messages | No | Yes |
| Use Giphy in conversation | No | Yes |
| Use memes in conversation | No | Yes |
| Use stickers in conversation | No | Yes |
External users can be configured in the Teams admin center in the External access section – https://admin.teams.microsoft.com/company-wide-settings/external-communications
Guest users can be configured in the Teams admin center in the Guest access section – https://admin.teams.microsoft.com/company-wide-settings/external-communications