Joanne Klein delves into Microsoft Teams to give a glimpse of its features, its underlying architecture, and what’s in it for the modern worker and the data protection, data retention, and legal/compliance teams across your organization.
2. SYNOPSIS
Organizations today need to embrace the modern workplace to stay competitive, decrease their
time to market, decrease their time to problem resolution, make faster and better-quality
decisions, and attract and retain staff. How we work in our personal lives is
starting to transcend the workplace; however, we still need to ensure our corporate data is
secured, protected and meeting our regulatory obligations while doing so. Microsoft Teams is the
Hub for Teamwork in Office 365 and its use is exploding across the globe as organizations
embrace the modern way of getting work done.
Join Joanne Klein, a 3-time Microsoft MVP, as she delves into Microsoft Teams to give a glimpse
of its features, its underlying architecture, and what’s in it for the modern worker and the data
protection, data retention, and legal/compliance teams across your organization.
4. Agenda for today
• THE MODERN WORKPLACE
• MICROSOFT TEAMS ARCHITECTURE
• PROTECTING YOUR SENSITIVE INFORMATION
• RETAINING YOUR TEAM WORK
• EDISCOVERY AND YOUR TEAM WORK
• TAKEAWAYS
5. “IN ORDER TO FUTUREPROOF OUR COMPANIES… AND THE
ECONOMY… WE MUST FUTUREPROOF OUR PEOPLE.”
Reference: Linda Yaccarino from the World Economic Forum, January 28, 2020
6. 3 MYTHS ABOUT A MODERN WORKPLACE
MYTH 1: It’s (just) a collection of business tools
MYTH 2: We use Email and Slack so we’re already a digital workplace
MYTH 3: We’re too big (or too small) so we don’t need a digital workplace
https://www.aithority.com/guest-authors/what-digital-workplace-is-not-about-the-3-common-misconceptions-busted/
7. WHAT IS A MODERN WORKPLACE?
Collective name for the virtual tools businesses use to enhance productivity
of staff and efficiency of processes to make time and space for continuous
innovation by staff.
8. FOCUS ON 4 KEY AREAS IN YOUR MODERN
WORKPLACE
FOCUS ON YOUR DEVICES
FOCUS ON YOUR APPS
FOCUS ON THE DATA
FOCUS ON THE MODERN WORKER
9. A DIGITAL MIND-SHIFT IS REQUIRED #WFH
• BE “CYBER-SECURITY” AWARE
• SHIFT FROM AN “IN-PERSON” TO AN “ONLINE” MINDSET
• EFFECTIVELY USE MODERN COLLABORATION TOOLS
• COLLABORATE SECURELY ACROSS ALL NETWORKS
10. SKILLING | RESKILLING | UPSKILLING
ORGANIZATIONS CAN HELP BY…
• Shortage of skilled workers
• Hire employees with the potential to be skilled in what you need
• Enthusiasm
• Capacity to learn
• Personal development for the modern worker
• Evolve talent we have into talent we need
• Talented employees whose area of expertise is becoming less relevant
• Retrain to put their talent to use elsewhere
• Training people ‘up’
• Keep them in the same roles
• Develop trained employees as company leaders
12. MICROSOFT TEAMS IS A PERSISTENT CHAT AND VIRTUAL MEETING PLATFORM
• 1:1 CHAT
• GROUP CHAT
• MEETINGS
• CALLS AND PHONE SYSTEMS
13. MICROSOFT TEAMS IS ALSO A “HUB FOR TEAMWORK”
• SHAREPOINT SITE
• STANDARD CHANNELS
• PRIVATE CHANNELS
• MICROSOFT PLANNER
• ABILITY TO COLLABORATE WITH EXTERNAL PARTIES
• APPS AND BOTS
14. OFFICE 365 WORKLOADS INVOLVED
• MICROSOFT PLANNER
• MICROSOFT STREAM
• ONEDRIVE FOR BUSINESS
• SHAREPOINT
• EXCHANGE
• MICROSOFT TEAMS
16. “Employ smart governance to control
sprawl while enabling a friction-free
collaboration experience.”
-Karuana Gatimu*
* Customer Advocacy Group lead in Microsoft Teams at
Microsoft
17. DISCOVERING AND MANAGING DATA IS CHALLENGING
• 88% of organizations no longer have confidence to detect and prevent loss of sensitive data¹
• >80% of corporate data is “dark” – it’s not classified, protected nor governed²
• #1: Protecting and governing sensitive data is the biggest concern in complying with regulations³
1. Forrester. Security Concerns, Approaches and Technology Adoption, December 2018
2. IBM. Future of Cognitive Computing, November 2015
3. Microsoft GDPR research, 2017
18. NOT ALL TEAMS ARE CREATED EQUAL
Company
Department/Division
Workgroups
Authoritative curated content
1:many broad conversations
Functional units
Few:many specific conversations
Transient groups
Microsoft Teams, Yammer,
SharePoint
Cross-collaboration
19. ROLES AND THEIR NEEDS
IT
Business
Employee
IT Admin
Legal/Compliance
Security officer
20. A SHARED
RESPONSIBILITY
MODEL
220+ updates per day from 1000 regulatory bodies¹
Get your digital house in order!
¹ Thomson Reuters, "Cost of Compliance 2018 Report: Your biggest challenges
• Leverage the shared responsibility model
• Coordinated effort of 3 groups
21. INFORMATION GOVERNANCE HAS 3 STAKEHOLDER GROUPS!
• Business information workers
• IT Teams
• Legal, Risk, Compliance, Governance Teams
24. SCENARIO-BASED GOVERNANCE AND CONTROLS
John works in the IT department of Woodgrove bank. They usually use restrictive settings.
Kate works in the IT department of Contoso. They always try to find the best balance between user freedom and IT control.
Chad works in the IT department of Tailspin Toys. They want to drive productivity by removing as many barriers as possible.
25. SCENARIO: SELF-SERVE SITE CREATION
John: We control site provisioning with a strict approval process and automation to control external access, naming conventions, and protection.
Kate: We leverage consistent site designs for our users and allow them to provision sites without approval. We follow-up after-the-fact for additional guidance and controls.
Chad: We use out-of-the-box provisioning features in our tenant. End-users know what they want and we don’t want to get in their way.
26. Container and Content Governance
Protecting your (sensitive) team work
Retaining your team work
27. Container and Content Governance
IDENTIFY VALUABLE CONTENT
• Require classification for containers
• Scan with Data Loss Prevention (DLP)
PROTECT ASSETS
• Retention/Deletion
• Use Conditional Access
• Use Rights Management
ENSURE ACCOUNTABILITY
• Manage group/site ownership
• Review external membership
EMPOWER EMPLOYEES
• Self-service site creation
• Life-cycle management
28. DATA LOSS PREVENTION (DLP)
Use DLP to govern your sensitive data (team work)
SENSITIVITY LABELS
Use sensitivity labels to identify and protect your data (team
work)
KNOW YOUR DATA
Understand where your sensitive data lives, what
users are doing with it and why it may be at risk
GET READY
Define your classification scheme
Protect your sensitive team work wherever it lives!
29. DEFINE YOUR OWN CLASSIFICATION SCHEME
Highly confidential
This is the most critical data for Microsoft. Share it only with named
recipients.
Confidential
This content is key to achieving our goals. Limited distribution – on
a need-to-know basis.
General
Product used and shared throughout Microsoft, like personal
settings and zip codes. Share it throughout Microsoft internally.
Public
Non-restricted data meant for public consumption like publicly
released source code and announced financials. Share it freely.
30. SENSITIVITY LABELS
Content markings
Protection (encryption)
Rights management
Automatic/Recommended based on
sensitive information type
31. END-USER EXPERIENCE WITH SENSITIVITY LABELS
Office apps:
Outlook on the web:
iOS Outlook app:
Office for the
web rolling out
now!
34. 2 new Sensitivity Label Features
AUTO-LABELING FILES AT REST IN SHAREPOINT
• BASED ON SENSITIVE INFORMATION TYPES
• HELPS IF USER FORGETS TO SET A LABEL
• WILL SEE IN SENSITIVITY COLUMN IN SHAREPOINT LISTS AND LIBRARIES
ENCRYPTED (PROTECTED) FILES
• OPEN AND EDIT IN OFFICE ONLINE
• CO-AUTHORING ALLOWED
• SEARCHABLE
• Allows for DLP and eDiscovery
35. DATA LOSS PREVENTION (DLP) TO GOVERN TEAM WORK
Detects when an action conflicts with a DLP policy
They can:
Prevent content from being shared
Allow end-user to override
Can now use sensitivity label as a condition
DLP for Microsoft Teams blocks sensitive content when shared with
Microsoft Teams users who have:
guest access in teams and channels; or
external access in meetings and chat sessions
38. SECURE DATA | ENABLE PRODUCTIVITY
Striking a perfect balance
• Manually apply sensitivity label consistently across apps, applications, and endpoints
• Show recommendations and tooltips for sensitivity labels with auto-labeling and DLP
• Visual markings to indicate sensitive documents across apps/services: watermark, lock icon, sensitivity column
• Co-author and collaborate with sensitive documents
• Enable searching and eDiscovery of encrypted files in SharePoint
• Enforce conditional access to sensitive data
• DLP actions to block sharing
• Encrypt files and emails based on sensitivity label
• Prevent data leakage through DLP policies based on sensitivity label
• Business data separation from personal data on devices
39. SCENARIO: PROTECTING YOUR SENSITIVE CONTENT
John: We automatically apply sensitivity labels to our content and will require users to provide a reason for override if necessary. We use DLP across all locations.
Kate: We allow our users to collaborate freely with external users, however, we are currently monitoring when sensitive information is being shared to build our DLP policies.
Chad: We apply a default sensitivity label to all content and rely on our users to adjust it if necessary. We allow external sharing on all sites.
40. APPLYING RETENTION ACROSS YOUR TEAM WORK
Retaining content where you work (“Built-in” compliance)
• DELETE: “Delete all team collaboration content 8 years after its last modified date”
• RETAIN: “Retain all Access Request forms for 5 years”
• RETAIN and DELETE: “Retain all customer information for 10 years and then delete it after review”
41. APPLYING RETENTION ACROSS YOUR TEAM WORK
| Collaboration Workspace | Retention Policy | Retention Label (Label Policy) |
| Exchange mailbox | Yes | Yes |
| OneDrive for Business site | Yes | Yes |
| SharePoint site | Yes | Yes |
| Office 365 Group | Yes | Yes |
| Chat and channel messages (1-day retention allowed) | Yes | No |
| Meeting recordings | No | No |
42. APPLYING RETENTION ACROSS YOUR TEAM WORK
• MANUALLY APPLIED: End-user applies a retention label on a specific document or email.
• AUTOMATICALLY APPLIED: Automatically apply retention based on condition(s).
• MACHINE-LEARNING APPLIED **: Using machine learning to apply a retention label based on a trainable classifier.
44. WAYS TO AUTO-APPLY A RETENTION LABEL
#1 – Automatically apply at a document library level
#2 – Automatically apply at a folder or document set level
#3 – Auto-apply based on a sensitive information type
#4 – Auto-apply based on a keyword query
#5 – Auto-apply based on a content type
#6 – Auto-apply based on a metadata value
#7 – Automatically set using Microsoft Flow
#8 – Auto-apply based on a Trainable Classifier (Preview now)
48. SCENARIO: RETAINING YOUR TEAM WORK
John: We have retention labels published aligning to our File Plan to retain regulated content with disposition review. We have retention policies on Teams chat and channel messages.
Kate: We have retention policies published across collaboration locations including Microsoft Teams. This is transparent to our end-users but still allows it to be discoverable.
Chad: We have a few retention labels defined for our most valuable content. We use auto-apply so end-users don’t have to remember to do it.
52. Collaborating with “externals”
EXTERNAL ACCESS
• Configured in the Teams admin center for org
• External access users have no access to Teams or Teams resources
• Allows external users in other domains to find, call, chat, and set up meetings with you
• Default: allow all external domains, can add allowed domains or blocked domains
• Gives access permission to an entire domain
GUEST ACCESS
• Enabled in the Teams admin center for org
• Grant external user access to existing Teams and Channels in Microsoft Teams
• Teams administrator can control which features guests can and can’t use in Microsoft Teams
• Anyone not part of your organization can be added as a guest in Teams
• Gives access permission to an individual user
53. COLLABORATING WITH EXTERNAL USERS SECURELY
EXTERNAL ACCESS
• ALLOWING IT: Allow all domains (default), some domains, or block some domains.
• RECOMMENDATIONS: Use allow/deny lists for your external partner domains.
GUEST ACCESS
• ALLOWING IT: Can be set at a Teams org-wide level or a Teams/Group level. Can control who can allow guests to be added (guest inviter role).
• RECOMMENDATIONS: Leverage the “Guest Inviter” role. Audit what Guest users are doing via Audit logs.
AVAILABLE NOW
• Disable guest access at a Teams/Site level based on sensitivity of Team/Site.
AVAILABLE SOON
• Automatic expiration of external user access
54. EXTERNAL SHARING RECOMMENDATIONS
01 COLLABORATION: Enable external sharing by default. Disable based on classification.
02 DOMAINS: Limit domains as required.
03 EDUCATE: Educate your users on sharing.
04 ANYONE LINKS: New: Use DLP to prevent “Anyone Links” from SharePoint/ODFB for sensitive documents.
05 AUDIT: Make security audits part of your governance process.
55. SCENARIO: GUEST ACCESS AND EXTERNAL ACCESS
John: We need to be very selective on who we collaborate with. We use “allow lists” for external access to limit collaboration to specific domains.
Kate: We allow our users to collaborate with external users, however, we currently prevent guest users while we establish our organizational collaboration culture in Teams.
Chad: We allow communication with any external parties. We do not want to impede our users’ ability to do more.
57. THE ELECTRONIC DISCOVERY REFERENCE MODEL¹
Information Governance → Identification → Preservation & Collection → Processing / Review / Analysis → Production → Presentation
Diagram labels: eDiscovery process; Volume; Relevance
¹ Reference: https://www.edrm.net/resources/frameworks-and-standards/edrm-model/
58. DISCOVERY OF YOUR TEAM WORK
Redact sensitive content (Advanced eDiscovery)
Use electronic holds (retention policies) to retain content
Recently added:
Reconstruct Teams conversations in Advanced eDiscovery
Discover a user’s teams automatically (Teams and SharePoint sites)
eDiscovery for Yammer
62. TAKEAWAYS FROM TODAY
01 CLASSIFICATIONS: Document your organization’s data classifications (keep it meaningful)
02 EXTERNAL USER STRATEGY: Establish your external user strategy for collaboration including guest access, external access and external sharing
03 ENFORCE POLICIES: Determine policies to enforce based on the classification: sensitivity, retention, privacy, guest access, conditional access
04 EDUCATE USERS: Educate/train information workers across your organization on “e-safety in the org”
63. HOW MICROSOFT ENFORCES POLICY ON THEIR TEAM WORK
IN PRODUCT (OFFICE 365/AZURE AD)
• Enable self-service site collection/group creation
• Collect classification for all containers
• User awareness: display classification
• Enforce naming rules
• Usage guideline visibility
• Life cycle: 6-month expiry
• Multi-geo; provision based on user’s region
• Membership life cycle: enforce external renewals
CUSTOMIZATIONS
• Ownership accountability: (1 full-time, 2 people, re-attestation)
• Limit reach based on classification
• Set and validate policies and divisional policies on groups and SharePoint
• Membership management (org based; profile based)
COMING SOON IN PRODUCT
• Set public vs. private based on classification
• External sharing limited based on classification
• Guest membership disallowed with classification
64. LICENSING
| Feature discussed today | Office 365 E3 / Microsoft 365 E3 | Office 365 E5 / Microsoft 365 E5 Compliance | Office 365 Advanced Compliance | AIP Premium P1 | AIP Premium P2 |
| Sensitivity labels | Yes | Yes | Yes | Yes | Yes |
| Sensitivity label auto-apply (automatic or recommended) | No | Yes | Yes | No | Yes |
| DLP protection for SPO, EXO, OneDrive (incl. Microsoft Teams files) | Yes | Yes | Yes | N/A | N/A |
| DLP for Microsoft Teams chat/channel messages | No | Yes | Yes | N/A | N/A |
| Retention Policies | Yes | Yes | Yes | N/A | N/A |
| Retention Labels (Manual) | Yes | Yes | Yes | N/A | N/A |
| Retention Labels auto-apply | No | Yes | Yes | N/A | N/A |
| Trainable Classifiers | TBD | TBD | TBD | N/A | N/A |
| Group Expiration | Azure AD Premium P1 | Azure AD Premium P1 | Azure AD Premium P1 | N/A | N/A |
| Core eDiscovery | Yes | Yes | Yes | N/A | N/A |
| Advanced eDiscovery | No | Yes | Yes | N/A | N/A |
65. MICROSOFT IGNITE ANNOUNCEMENTS RELATING
TO TODAY
Trainable Classifiers: Public Preview
Sensitivity labels for Teams/Site/Groups: Public Preview
Sensitivity labels with Protection for Files: Public Preview
Sensitivity labels in Office for the web: Private Preview
Threaded Teams conversations for eDiscovery: https://aka.ms/SPOLabels