Protect your Teams work across Office 365: Security and compliance in Microsoft Teams

With Microsoft Teams and modern SharePoint team sites being created at a record pace, how can you keep all of that content secured, protected, and retained? Microsoft MVP Joanne Klein (@JoanneCKlein) explains.

The integrated nature of Office 365's productivity suite means you need to think about setting rules that apply to multiple products at once—to protect your Teams work across Office 365, you need to create a cross-product governance strategy that keeps your content secure across platforms and devices.

In her recent ShareGate webinar, Microsoft MVP Joanne Klein explains how Office 365 features working together can help you breathe a little easier.

Watch the webinar recording, or read through our recap of Joanne's key points.

Download a copy of Joanne’s slides


Discovering and managing data is challenging

Now that our data lives in the cloud, it's important to remember that a lot of sensitive data does too. According to McAfee's 2019 Cloud Adoption and Risk Report, nearly a quarter of all files in the cloud contain sensitive data that requires protection in order to reduce security risks.

But it's hard to protect something if you don’t know where it is. And a vast amount of data, estimated to be about 80%, is unstructured and fragmented—making it harder for IT to locate and protect.

Nearly a quarter of all files in the cloud contain sensitive data that requires protection in order to reduce security risks.

McAfee's 2019 Cloud Adoption and Risk ReportTweet this

The root of the problem in Office 365 comes down to:

  • Sprawl: It's easy for users unfamiliar with Office 365 to provision resources accidentally—resulting in confusion, lack of governance, and guests having access to things they shouldn't.
  • Shadow IT: If IT-approved systems aren't meeting their needs, users aren't afraid to turn to something that will—tools without IT oversight that make your organization especially vulnerable to sensitive data leaks.

The stats above demonstrate how widespread this concern is—these are real problems, and they can't be dealt with using manual means.

So how do you keep up with all of this? Two key points:

  1. We need to leverage AI and automation in order to address this project at scale.
  2. We need to approach this as "proactive compliance"—have an information protection and governance strategy for security.

Both of these points require integrated solutions coming together in a cohesive way. Luckily, a lot of Office 365 tools are already approaching security in a proactive rather than reactive manner.

A shared responsibility model

The fact of the matter is: not all teams are created equal (and not all data within them is the same).

Teams-work governance shouldn't be one broad brush-stroke across all of your teams. At times, effective Teams governance requires targeted application.

Not all teams are created equal.
Not all teams are created equal.

Within an organization, there are several roles—each with different perspectives and needs when it comes to Teams work and all of that unstructured content.

  • The business: Accomplish business goals as simply as possible—if it's too hard, find an easier way. Allow collaboration but still implement governance controls.
  • Employees: Get work done efficiently with minimal amount of friction. Keep things simple or they'll find another way.
  • IT admins: Manage the increasing volume of data, keep up with changing services and threats, and make sure all other roles happy and productive.
  • Legal: Ensure compliance with retention and eDiscovery.
  • Security officers: Prevent data leaks and breaches and protect high value information.

One way to address these competing demands and requirements is to leverage a shared responsibility model—a cloud security framework that defines security obligations to ensure accountability.

Teams-work governance shouldn't be one broad brush-stroke across all of your teams. At times, effective Teams governance requires targeted application.

Microsoft's shared responsibility models says that you as an organization are responsible for protecting your data and identifying all devices with access. And Microsoft is responsible for protecting the Office 365 services. Together, you can protect your sensitive data from security threats.

To get your electronic house in order, so to speak, a coordinated effort is required and involves three key groups:

  1. Business information workers: These are the people creating the content, sharing with external parties, and some of them are working with sensitive information. This group really needs to know how to work safely and securely in the modern workplace today—if they don't then IT needs to teach them.
  2. IT teams: They control the resources that implement the technical controls involved as well as some of the training and configuration.
  3. Legal, risk, compliance, governance teams: These are the regulatory teams you need to help you define a classification system across your tenant. They're in a unique position to understand what you need to do to protect data and remain compliant—lean into them, and bring them in from the start.

Types of governance

The best way to approach data security and compliance is from the perspective of governance.

There are many different kinds of governance.

There are many different kinds of governance, all of which work together to ensure a governed and compliant environment end-to-end. But for now, we're going to focus on three specific types:

  1. Container and content governance
  2. Security governance
  3. Discovery governance

Container and content governance

When we talk about container and content governance, we're talking about what controls you can manage in Office 365 and what level they're applied to.

Container and content governance best practices can be broken down into the following tactics:

  • Empower employees: Enable self-service site creation and lifecycle management so they don't turn to shadow IT.
  • Identify valuable content: Require classification for containers and scan with Data Loss Prevention (DLP).
  • Protect valuable assets: Use retention/deletion, conditional access, and Information Rights Management (IRM).
  • Ensure accountability: Manage group/site ownership and review external membership.

Within the scope of this blog post, we're going to focus on the middle two points: protecting and retaining your potentially sensitive Teams work—things that people in those legal and compliance areas will definitely be focused on.


Identify valuable content

Follow these steps to protect your sensitive Teams work wherever it lives:

  1. Get ready: Define your classification scheme.
  2. Know your data: Understand where your sensitive data lives, what users are doing with it, and why it may be a risk.
  3. Sensitivity labels: Use sensitivity labels to identify and protect your data (Teams work).
  4. Data Loss Prevention (DLP): Use DLP to govern your sensitive data (Teams work).

Define your classification scheme

Requiring classifications for your containers is the underpinning for absolutely everything else.

This is where you should work with the business and compliance areas of your organization to clearly define a classification scheme.

Microsoft's classification scheme is impressive because they've managed to pare it down to just four categories:

Microsoft's classification scheme.
Microsoft's classification scheme.

You don't have to make yours the same as Microsoft's, but there are some good takeaways to consider: namely, how clear and easy to understand the classifications are. There's no ambiguity between one term and the next.

It's absolutely critical that your end users understand your classification scheme. They're the ones actually sitting in front of the keyboard having
to make the call on whether something is "confidential" or "highly confidential"—they really need to understand what the difference is.
So make sure your classification scheme is in terms that everyone can understand.

Use sensitivity labels to identify and protect your data (team work)

Once you have your classification scheme, there are many things you
can implement building on top of it. And one of the most effective is sensitivity labels.

Sensitivity labels let you classify and help you protect your sensitive content wherever it goes—without hindering your users' productivity and ability to collaborate.

Tweet this

With people in your organization collaborating both internally and externally, and doing so across multiple devices, that content roams everywhere, too. Sensitivity labels let you classify and help you protect your sensitive content wherever it goes—without hindering your users' productivity and ability to collaborate.

Sensitivity labels can be used to:

  • Enforce protection settings like encryption or watermarks on labelled content.
  • Protect Office 365 content across platforms and devices.
  • Extend sensitivity labels to protect content in third-party apps and services.

Sensitivity labels can be applied down to different levels. And you can now also apply it at a higher container label—at the level of an entire Microsoft Team or SharePoint site. The beauty of that is that everything in that container inherits the same sensitivity setting by default.

Site and group settings for sensitivity labels

Announced at Ignite and currently in public preview, you can now apply even more controls with Site and group settings. These settings are unified across Office 365 Groups, teams, or sites and let you configure:

  • Privacy of Office 365 Group-connected team sites: Determine privacy settings (i.e. public or private) for that sensitivity label.
  • External users access: Will you allow external users by default? You can choose to disable external user access for anything labelled confidential—in which case Office 365 Group owners won't be allowed to add external users.
  • Unmanaged devices: If you have a confidential site, will you allow unmanaged devices to have access? You can choose to limit it so users on unmanaged devices have to use online versions of the Office products instead.
Configure site and group settings.
Site and group settings, recently announced at Ignite.

There are also two new (extremely useful) sensitivity label features:

  1. Encrypted (protected) files. Encrypted files are now treated like first class citizens. You can open and edit directly in Office offline, co-authoring is allowed, and they are searchable (allowing for DLP and eDiscovery)—improving that collaboration experience for end users.
  2. Auto-labeling files at rest in SharePoint. If you have some docs that aren't labeled, there will soon be an auto-labeling feature so they're labeled automatically. Based on sensitive information types, you'll be able to see that value in a sensitivity column in SharePoint. This is extremely useful for if users forget to set a label.

The end-user experience with sensitivity labels is available in:

  • Office apps
  • Outlook on the web
  • iOS (mobile)

The user will see the same sensitivity label options across all three platforms. This is derived from the data classification of your organization—a perfect example of why they need to be very clearly understood.

Office for the web will soon have these same options, as Microsoft is currently in the process of rolling this feature out. You can find more details in the official Microsoft documentation.

Data Loss Prevention (DLP) to govern your sensitive data (Teams work)

This is another way of preventing accidental or unwanted exposure of your sensitive info.

DLP uses a content analysis engine to scan the contents of email messages and files looking for sensitive information. If detected, DLP lets you:

  • Actively block the email or file sharing
  • Display a warning to the user who is sending or sharing the sensitive information
  • Log the event for auditing purposes

DLP is built on sensitive information types, which you can base off retention labels or Azure Information Protection labels (but soon you'll be able to do it through UI as well).

DLP policies can be set and configured in the Office 365 Security & Compliance Center by selecting Policy underneath Data loss prevention. Click on Create a policy to set a new DLP policy.

You can choose to use one of the DLP policy templates provided by Office 365, or customize your own.

Start with a template or create a custom policy.
Start with a DLP policy template or customize your own.

You can also choose where to apply your policy—across Exchange email, OneDrive and SharePoint documents, and/or Teams chat and channel messages.

Choose locations to apply your DLP policy.

DLP is now integrated with Teams to block sensitive content when it's being shared. This includes users with guest access and external access, and works on both the Teams desktop app and web app.

You can even test out your DLP policies ahead of time, before you turn them on live across your environment. That way, you can start to get a feel for the accuracy of your policy and how effective it will be when it's enforced—and fine tune it if you need to.

Some key features to watch out for on the horizon:

  • Block anonymous access for sensitive files in SharePoint Online and OneDrive for Business.
  • Enforce DLP controls based on sensitivity labels.
  • Treat brand new files in SharePoint Online as sensitive by default until scanned by DLP (which works on a scanning mechanism and isn't immediate).

Scenario: Protecting your sensitive content

In our role as IT admins, we need to strike a balance between data security and enabling productivity in our environment.

Let's look at how to customize these controls for three different situations:

JohnKateChad
John works in the IT department of Woodgrove bank. They usually use restrictive settings.Kate works in the IT department of Contoso. They always try to find the best balance between user freedom and IT control. Chad works in the IT department of Tailspin Toys. They want to drive productivity by removing as many barriers as possible.
Scenario: Protecting your sensitive content.

John: Automatically applies sensitivity labels to content and will require users to provide a reason for override if necessary. Uses DLP across all locations.

Kate: Allows users to collaborate freely with external users. However, currently monitoring when sensitive information is being shared in order to build DLP policies.

Chad: Applies a default sensitivity label to all content and relies on users to adjust it if necessary. Allows external sharing on all sites.

In some cases there will be competing priorities, but try to integrate these controls in a way that doesn't impede collaboration more than absolutely necessary.


Protect valuable assets

The information and records management teams in your organization will probably be most concerned with retaining the records of your Microsoft Teams.

Retention in Office 365

The idea behind retention in Office 365 is built-in compliance. It's retaining in place—not moving something outside of Office 365 to an external archive. The advantage to that is that it's still discoverable, and there's also an audit trail.

You have three options when it comes to applying retention across your Teams work:

Retention can be applied manually, automatically, or using machine learning.
  • Manually applied: The end user applies a retention label on a specific document or email.
  • Automatically applied: Retention can be automatically applied based on location, sensitive information type, keyword, content type, or metadata. You can also automatically apply a retention label using a Microsoft Flow.
  • Machine-learning applied: Using machine learning to apply a retention label based on a trainable classifier (coming soon!).

Remember what we said before about using AI and automation to tackle data security at scale? Soon you'll be able to auto-apply a retention label based on a trainable classifier.

Currently in public preview, trainable classifiers are powered by machine-learning and come with six built-in classifiers, plus the ability to build your own custom classifiers.

Scenario: Retaining your Teams work

Let's check back in with John, Kate, and Chad to see how you might customize retention depending on your organization's situation:

Retention situations for John, Kate, and Chad.

Again, it's about striking a good balance depending on the needs of your organization.

Know where your data is

In order to protect your sensitive data, you need to understand where it lives, what users are doing with it, and why it may be at risk.

Once you've created your retention and sensitivity labels, you can track how they're being used across your tenant with label analytics.

Label analytics in the Microsoft 365 Compliance Center.
Label analytics in the Microsoft 365 Compliance Center.

For example, you can see:

  • The total number of retention and sensitivity labels applied to content.
  • Which labels are used most frequently and how many times each label was applied.
  • The locations where labels were applied and the number applied in each location.
  • The number of files and folders that had their retention labels changed or removed.

Understanding how labels are being utilized across your organization can help you better refine your protection and governance policies over time.

For more details on label analytics, check out the official Microsoft documentation.


Security governance

You definitely want to have external sharing enabled. But how can you ensure that external collaboration remains secure? That's where security governance comes in.

External access vs guest access in Microsoft Teams

When collaborating with users external to your organization, it's important to understand that external access and guest access mean two very different things in Teams.

External access gives access permission to an entire domain—allowing Teams users from other domains to find, contact, and set up meetings with you. External users can call you through Teams and send instant messages. But if you want them to be able to access teams and channels, guest access might be the better option.

Guest access is when you invite an external user to be a member of the team—it gives access permission to an individual rather than a domain. Once a team owner has granted someone guest access, they can access that team's resources, share files, and join a group chat with other team members.

External accessGuest access
Configured in the Teams admin center for your organization.Enabled in the Teams admin center for your organization.
No access to Teams or Teams resources.Access can be granted to existing Teams and Channels in Microsoft Teams.
External users in other domains are allowed to find, call, chat, and set up meetings with you.Teams admins can control which features guests can and can’t use in Microsoft Teams.
By default, all external domains are allowed, with the option to add allowed domains or blocked domains.Anyone not part of your organization can be added as a guest in Teams.
Gives access permission to an entire domain.Gives access permission to an individual user.

If you've set up your DLP policy to protect your Teams chats and channel conversations, that applies to conversations with guest access users, too.

This is a huge benefit! If your organization is going to collaborate with external users anyway, you can invite them to become guest access users in Teams.

If you've set up your DLP policy to protect your Teams chats and channel conversations, that applies to conversations with guest access users, too.

That way, the data is kept in your tenant where you can protect it, monitor it, and control it. That's much better than if you don't allow sharing and people simply go around you and your approved tools.

Collaborating with external users securely

To protect your sensitive information, you need to have a strategy for collaborating securely with external users.

These external sharing recommendations can help you get started on the right foot:

  1. Collaboration: Enable external sharing by default, disable based on classification.
  2. Domains: Limit domains as required.
  3. Educate: Educate your users on how to share and what to share.
  4. Anyone links: You can now use DLP to prevent the creation of “Anyone" links for sensitive SharePoint and OneDrive for Business documents.
  5. Audit: Make security audits part of your governance process.

For full details about external sharing and how to ensure it stays secure, check out our Ultimate guide to Office 365 external sharing.

Scenario: Guest access and external access

Let's see how John, Kate, and Chad would tackle guest access and external access in Teams:

Scenario for guest access and external access in Teams.

Notice that even John has some form of external access enabled. The key is to plan for proper governance—not shut down external collaboration completely!


Discovery governance

Discovery governance concerns the discoverability of your Teams work—specifically with regards to eDiscovery.

Electronic discovery, or eDiscovery, is the process of identifying and returning electronic information that can be used as evidence in legal cases. You can use eDiscovery in Office 365 to search against all of your workloads and find content relevant to the case.

Looking at the eDiscovery reference model above, you can see how all the different controls we've talked about up until now are necessary precursors to your content's discoverability.

Office 365 currently provides the following eDiscovery tools:

  • Content Search in the Security & Compliance Center
  • eDiscovery Cases in the Security & Compliance Center
  • Advanced eDiscovery solution in Microsoft 365

With eDiscovery tools, you can do things like redact sensitive content and use electronic holds (retention policies) to retain content.

As of very recently, you can reconstruct a Teams conversation with eDiscovery, too—allowing you to see the context of a conversation—and discover a user's teams automatically. Both of these new features make life a lot easier for your legal team. You can also expect eDiscovery to be available for Yammer by the end of the year.


Key takeaways

If you're just starting out, these four high-level points are a great place to start:

Four high-level security governance points.
  1. Classifications: Document your organization's data classifications.
  2. External user strategy: Establish your external user strategy for collaboration—including guest access, external access, and external sharing.
  3. Enforce policies: Determine policies to enforce based on the classification: sensitivity, retention, privacy, guest access, and conditional access.
  4. Educate users: Educate and train information workers across your organization on "e-safety in the org".

We said it before and we'll say it again: you need to leverage AI and automation to address this project at scale. A third-party governance tool like ShareGate Apricot can help you stay on top of security as you scale. Get full visibility into who's shared what with whom, and automate external sharing reviews so they're performed on an ongoing basis.


Securing content is a whole lot easier when you can see everything that's been shared externally. With ShareGate Apricot's easy-to-use governance platform for Microsoft Teams, you’re sure your data stays secure.

Ensure external users have access to the right things in Teams.

You might also like