The document provides an agenda and details for a Microsoft 365 virtual marathon session on working with security and compliance in Microsoft Teams. The session will cover Teams dependencies, policy controls, data classification tools like sensitivity labels, and features for securing guest access, meetings, files and communications. It also lists many Microsoft compliance and security resources for Teams.
Working with Security and Compliance in Microsoft Teams
April 26 – 28, 2021
MICROSOFT 365 VIRTUAL MARATHON 2021
m365virtualmarathon.com #M365VM
CHIRAG PATEL MVP, MCT
@techChirag
Microsoft 365 Consultant
April, 27 @ 12pm BST (4am PDT)
AGENDA
Teams part of Microsoft 365 and its dependencies
Responsibilities (business functions & users) and policy controls
State of your data (activity & content explorer, scores & improvement actions)
Deep dive classifications containers, sensitivity labels, DLPs
Balancing Security & Compliance Needs
IT
Business
Employee
Security Officer
Legal
IT Admin
• Prevent data leaks and breaches
• Protect high value information
• Accomplish business goals as simply as possible – if it is too hard find an easier way…
• Limit business disruption
• Get out of my way
• Make it easy for me to get my work done fast
• Share easily but protect my secret stuff
• Manage the increasing volume of data
• Keep up with changing services & threats
• Make all other roles happy
• Comply with retention
• Support eDiscovery
Security, compliance and privacy in Teams
1. Meeting options
2. Meeting role designation
3. Recording consent
4. Recording access
5. Channel moderation and controls
6. Apps management
7. Teams Settings and policies
8. Secure guest access
9. Communication compliance
10. Multi-Factor Authentication
11. Conditional access
12. Endpoint Manager
13. External access
14. Encryption
15. Data loss prevention
16. Sensitivity labels
17. Advanced Threat Protection
18. Cloud App Security
19. Information barriers
20. eDiscovery, legal hold, audit log, content search
21. Retention policies
22. Data residency
23. Data management reports
https://www.microsoft.com/en-gb/microsoft-365/microsoft-teams/security
Plain English Policies
ID Suggested Policy
1 Enable multi-factor authentication (MFA) for all staff
2 Enable MFA for Admins with assigned administrative rights
3 Enable just-in-time access to complete admin tasks
4 Enforce mobile app protection for phones and tablets
5 Block devices that don’t support modern authentication
6 Require compliant PCs and mobile devices
7 Assign Classification in M365 Groups, Microsoft Teams, SharePoint sites
8 Classify content with sensitivity labels to enable protection
9 Classify information with retention labels
10 Provision data loss prevention (DLP) policies
11 Microsoft cannot access our content to perform service operation without approval
https://docs.microsoft.com/en-us/microsoft-365/security/microsoft-365-security-for-bdm
Sensitivity Labels – VALUE of content
Label Scope
• Files & emails
  • Encrypt
    • Assign permissions or let users decide
    • User access to content expires
    • Allow offline access
  • Content Marking
  • Auto-labelling
• Groups & sites
  • Privacy and external user access settings
    • Public, Private or None
    • External user access
  • Device access and external sharing settings
    • Control external sharing (labelled sites)
    • Access from unmanaged devices – Full access, web-only, block access
• Azure Purview assets (preview)
  • Apply label to assets in Azure Purview, including SQL columns, files in Azure Blob Storage, and more
Label Policy
• 1 or more labels
• Users and Groups
• Default label
• Mandatory label
• Require users to justify
• Link to custom help page (use SharePoint!)
Information protection in Microsoft Teams
• Automatically set a team to Private to prevent other users from joining without being invited by team owners.
• Block access from people outside your organisation to prevent team owners from inviting external guests.
• Limit access to Teams from unmanaged devices to prevent data leakage.
Data Loss Prevention for Microsoft Teams
DLP Rules
• Conditions
  • Content contains: Sensitive info types
  • Content is shared from Microsoft 365: People inside organisation, People outside organisation
• Exceptions
  • Except if content is shared from Microsoft 365: People inside organisation, People outside organisation
• Actions
  • Restrict access or encrypt content in Microsoft 365 locations
  • Audit or restrict activities on Windows devices
  • Restrict Third Party Apps
• User notifications
  • Email users and/or owners
  • Policy Tips
  • User overrides
• Incident reports
  • Severity
  • Alerts to admins
  • Email incident reports
• Additional option for processing policies and rules
• Exchange email
• SharePoint sites
• OneDrive Accounts
• Teams chat and channel messages
• Devices
• Microsoft Cloud App Security
Data Loss Prevention for Microsoft Teams
• Automatically block messages which contain sensitive information
• Prevent sharing sensitive information in a channel or chat session
• Educate and guide end-users with notifications and “policy tips”
• Unified classification engine supporting 90+ sensitive information types and custom sensitive info type creation
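The rule anatomy from the two DLP slides (location, conditions, actions, user notifications, incident reports) expressed with the Security & Compliance PowerShell cmdlets. This is an added example, not part of the original deck; the policy and rule names and the choice of the Credit Card Number info type are constructed for illustration.

```powershell
# Assumes the ExchangeOnlineManagement module and a role allowed to manage DLP.
Connect-IPPSSession

# Location: Teams chat and channel messages only. Start in test mode so matches
# are reported and policy tips are shown before anything is blocked.
$policy = @{
    Name          = 'Teams - card data (example)'          # constructed name
    Comment       = 'Added example: card numbers shared with external users'
    TeamsLocation = 'All'
    Mode          = 'TestWithNotifications'
}
New-DlpCompliancePolicy @policy

$rule = @{
    Name   = 'Teams - card data - external (example)'      # constructed name
    Policy = $policy.Name

    # Conditions: content contains a sensitive info type AND is shared with
    # people outside the organisation.
    ContentContainsSensitiveInformation = @{ Name = 'Credit Card Number'; minCount = '1' }
    AccessScope                         = 'NotInOrganization'

    # Action: restrict access to the matching message.
    BlockAccess = $true

    # User notifications: policy tip for the sender, override only with a
    # business justification (which is then recorded).
    NotifyUser          = 'LastModifier'
    NotifyAllowOverride = 'WithJustification'

    # Incident reports: severity plus a report to the admin.
    GenerateIncidentReport = 'SiteAdmin'
    ReportSeverityLevel    = 'High'
}
New-DlpComplianceRule @rule

# Once the test-mode matches have been reviewed, switch to enforcement:
# Set-DlpCompliancePolicy -Identity $policy.Name -Mode Enable
```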
Configure Teams with three tiers of protection
Tiers: Baseline (Public), Baseline (Private), Sensitive, Highly sensitive

Private or public team
• Baseline (Public): Public
• Baseline (Private): Private
• Sensitive: Private
• Highly sensitive: Private

Who has access?
• Baseline (Public): Everybody in the organisation, including B2B users.
• Baseline (Private): Only members of the team. Others can request access to the associated site.
• Sensitive: Only members of the team.
• Highly sensitive: Only members of the team.

Private channels
• Baseline (Public): Owners and members can create private channels
• Baseline (Private): Owners and members can create private channels
• Sensitive: Only owners can create private channels
• Highly sensitive: Only owners can create private channels

Site-level guest access
• Baseline (Public): New and existing guests (default).
• Baseline (Private): New and existing guests (default).
• Sensitive: New and existing guests or Only people in your organization depending on team needs.
• Highly sensitive: New and existing guests or Only people in your organization depending on team needs.

Site sharing settings
• Baseline (Public): Site owners and members, and people with Edit permissions can share files and folders, but only site owners can share the site.
• Baseline (Private): Site owners and members, and people with Edit permissions can share files and folders, but only site owners can share the site.
• Sensitive: Site owners and members, and people with Edit permissions can share files and folders, but only site owners can share the site.
• Highly sensitive: Only site owners can share files, folders, and the site.

Access requests
• Off.

Site-level unmanaged device access
• Baseline (Public): Full access from desktop apps, mobile apps, and the web (default).
• Baseline (Private): Full access from desktop apps, mobile apps, and the web (default).
• Sensitive: Allow limited, web-only access.
• Highly sensitive: Block access.

Default sharing link type
• Baseline (Public): Only people in your organization
• Baseline (Private): Only people in your organization
• Sensitive: Specific people
• Highly sensitive: People with existing access

Sensitivity labels
• Baseline (Public): None
• Baseline (Private): None
• Sensitive: Sensitivity label used to classify the team and control guest sharing and unmanaged device access.
• Highly sensitive: Sensitivity label used to classify the team and control guest sharing and unmanaged device access. Label can also be used on files to encrypt files.
https://docs.microsoft.com/en-us/microsoft-365/solutions/configure-teams-three-tiers-protection
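A drift check for the tiers above, written as an added example that is not part of the original deck: it compares a team's SharePoint site settings with what its tier requires. The function name `Test-TeamSiteTier`, the mapping of the table's wording to `Get-SPOSite` property values, and the sample site object are assumptions of this example.

```powershell
# Expected site-level values per tier, expressed as Get-SPOSite property values.
$TierSettings = @{
    Baseline        = @{ ConditionalAccessPolicy = 'AllowFullAccess';    DefaultSharingLinkType = 'Internal' }
    Sensitive       = @{ ConditionalAccessPolicy = 'AllowLimitedAccess'; DefaultSharingLinkType = 'Direct' }
    HighlySensitive = @{ ConditionalAccessPolicy = 'BlockAccess';        DefaultLinkToExistingAccess = $true }
}
# Guest access the table permits per tier ("New and existing guests" or
# "Only people in your organization").
$AllowedSharing = @{
    Baseline        = @('ExternalUserSharingOnly')
    Sensitive       = @('ExternalUserSharingOnly', 'Disabled')
    HighlySensitive = @('ExternalUserSharingOnly', 'Disabled')
}

function Test-TeamSiteTier {
    param(
        [Parameter(Mandatory)] $Site,
        [Parameter(Mandatory)] [ValidateSet('Baseline', 'Sensitive', 'HighlySensitive')] [string] $Tier
    )
    # One finding per setting that differs from the tier's expected value.
    $findings = @(foreach ($key in $TierSettings[$Tier].Keys) {
        $expected = $TierSettings[$Tier][$key]
        if ("$($Site.$key)" -ne "$expected") {
            [pscustomobject]@{ Url = $Site.Url; Setting = $key; Expected = $expected; Actual = $Site.$key }
        }
    })
    if ("$($Site.SharingCapability)" -notin $AllowedSharing[$Tier]) {
        $findings += [pscustomobject]@{
            Url = $Site.Url; Setting = 'SharingCapability'
            Expected = $AllowedSharing[$Tier] -join ' or '; Actual = $Site.SharingCapability
        }
    }
    $findings
}

# Constructed sample standing in for: Get-SPOSite -Identity <team site URL>
$sample = [pscustomobject]@{
    Url                         = 'https://contoso.sharepoint.com/sites/example-team'
    ConditionalAccessPolicy     = 'AllowLimitedAccess'
    DefaultSharingLinkType      = 'Direct'
    DefaultLinkToExistingAccess = $false
    SharingCapability           = 'ExternalUserAndGuestSharing'
}
Test-TeamSiteTier -Site $sample -Tier HighlySensitive | Format-Table -AutoSize
```

For the sample site the check reports three findings against the Highly sensitive tier: unmanaged device access is web-only rather than blocked, the default link is not "People with existing access", and anonymous sharing is enabled.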
Ignite Mar 2021 Security & Compliance
• End-to-end encryption option for Teams 1:1 VoIP calls (Preview H1 2021)
• Teams Multi-Geo support (April)
• Disable attendee video during meetings (later this year)
• Invite only meeting options (later this month)
• Safe Links for Teams (later this month)
• Co-author on MIP labelled & encrypted files (Available now)
To participate in the private previews, sign up here: https://aka.ms/ODSPSecurityPreviews
What's new in Security and Compliance in SharePoint, OneDrive, and Teams - Microsoft Ignite 2021 - Microsoft Tech Community
What's New in Microsoft Teams | Microsoft Ignite 2021 - Microsoft Tech Community
Further resources
• Microsoft 365 licensing guidance for security & compliance
• Download the Detailed Microsoft 365 Compliance Licensing Comparison
• Microsoft 365 Roadmap
• Manage information protection and governance – Learning Path
• Microsoft Security and Compliance - Microsoft Tech Community
• Microsoft Teams Blog - Microsoft Tech Community
• Joanne C Klein – SharePoint, Microsoft 365 and Azure Things
Compliance Manager gives you an initial score based on the Microsoft 365 data protection baseline.
A control is a requirement of a regulation, standard, or policy. It defines how you assess and manage system configuration, organizational process, and people responsible for meeting a specific requirement of a regulation, standard, or policy.
An assessment is a grouping of controls from a specific regulation, standard, or policy. Completing the actions within an assessment helps you meet the requirements of a standard, regulation, or law.
1: Enable Azure AD Multi-Factor Authentication (MFA)
2: Protect against threats
3: Configure Microsoft Defender for Office 365
4: Configure Microsoft Defender for Identity
5: Turn on Microsoft 365 Defender
6: Configure Intune mobile app protection for phones and tablets
7: Configure MFA and conditional access for guests, including Intune mobile app protection
8: Enroll PCs into device management and require compliant PCs
9: Optimise your network for cloud connectivity
10: Train users
11: Get started with Microsoft Cloud App Security
12: Monitor for threats and take action