How to ensure compliance with Microsoft Teams?
Updated: Sep 6, 2020
Many businesses have become virtual businesses overnight (an effect of COVID-19), and this creates new challenges for ensuring information governance and legally defensible compliance. As you collaborate both internally and externally (with guests), your Teams configuration should protect and govern all data and demonstrate increased levels of compliance. In this post, I will outline the key Teams features and an information governance approach for data stored in the various components of Teams.
What is Microsoft Teams?
Microsoft Teams is a single interface for working and communicating with others participating in a team or project activity. It is a modern collaboration app (mobile, web, and desktop) built to bring the features of popular mobile communication applications to a work environment.
When you install the Microsoft Teams client, it lets you work together securely over 1:1 or group chat instead of email, from any location or device. However, Microsoft Teams is much more than chats and messages: it brings the other Microsoft Office 365 features into a single Teams application interface.
Downloading a Teams client is not the same as creating a Team for collaboration.
A Teams client instantly enables you to chat and call (subject to activation by your organization's policy), but when you (or a Teams administrator) create a Team, these additional features (services) light up in your Teams client:
A new Office 365 group is created, which provides a SharePoint Online site collection to store your team's files, with all the richness of SharePoint available in your Team collaboration.
The Office 365 group also provides an Exchange Online shared mailbox that holds your Team's email (integrated with Outlook desktop, web and mobile), the messages posted in your Team channels, and your Team's meeting calendar.
New integrated experiences with other Office 365 services, e.g. Microsoft Planner, Stream, Yammer, Power BI, etc.
As organizations get started with Teams activation, Microsoft enables all of these integrated experiences 'behind the scenes', but it is still important for organizations to invest in the security, governance, and adoption of each experience (SharePoint, chats, etc.).
How do I protect and govern information with Microsoft Teams?
Here are the key considerations for your Teams architects to 'kick-start' your Teams adoption with the right setup and behaviors.
Protection in Microsoft Teams - Teams has the multiple components described in the previous section, and it provides a single place for managing the available membership options. In addition, Teams administrators can now configure security policies (via sensitivity labels) that drive access management rules as users request or create new Teams. E.g. configure a 'Confidential' sensitivity label so that any Team created with this label cannot be accessed by guest users.
We recommend that you consider integrating sensitivity labels with your Teams provisioning, especially if your users will collaborate with people outside of the organization. Read more about sensitivity labels in Teams in this Microsoft blog post.
Teams Pro Tip: Sensitivity labels replace Teams classification labels. Integrate Teams security and sensitivity policies with Intune device management to give your users mobility in their collaboration in a controlled and secure manner.
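The 'Confidential' label described above, as an added example (this is not code from the original post, and the label and policy names are assumptions). It creates a sensitivity label with container settings that make the Team private and block guest access, publishes it so it appears in the Teams creation dialog, and reads the label back to verify the setting. It is run from Security & Compliance PowerShell (the ExchangeOnlineManagement module) and assumes the tenant has already enabled sensitivity labels for containers via the Azure AD group setting EnableMIPLabels, which is a one-time prerequisite.

```powershell
# Added example, not from the original post.
# Creates a 'Confidential' sensitivity label whose container (Site, UnifiedGroup)
# settings block guest access, then publishes it to all users.
# Prerequisite (assumed done): sensitivity labels enabled for containers
# (Azure AD group setting EnableMIPLabels = True).
Connect-IPPSSession

$labelName  = 'Confidential'            # assumed label name
$policyName = 'Teams container labels'  # assumed label policy name

# Container settings: private group, no guest access. Users who pick this
# label when creating a Team get a Team that guests cannot be added to.
New-Label -Name $labelName `
    -DisplayName $labelName `
    -Tooltip 'Internal collaboration only. Guests cannot be added to Teams with this label.' `
    -ContentType 'Site, UnifiedGroup' `
    -SiteAndGroupProtectionEnabled $true `
    -SiteAndGroupProtectionPrivacy Private `
    -SiteAndGroupProtectionAllowAccessToGuestUsers $false

# Publish the label to everyone so it is selectable in Teams, SharePoint
# and Outlook group creation. Scope -ExchangeLocation to a group or users
# instead of All if only some people should be able to apply it.
New-LabelPolicy -Name $policyName `
    -Labels $labelName `
    -ExchangeLocation All

# Verification: the container protection settings appear in the label's
# Settings collection; confirm the guest-access entry is false before
# wiring the label into your provisioning process.
Get-Label -Identity $labelName | Format-List Name, ContentType, Settings
```

Label publication can take some time to reach clients, so verify with Get-Label first and then create a test Team with the label and confirm that adding a guest is refused. Applying the label to existing Teams is a separate step (owners can change a Team's label, or a script can apply it) and should be planned as part of the provisioning design rather than assumed.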
Governance in Team chats - Team chats and channel posts are persistent (a big shift from Skype chats), so you accumulate a lot of information that also requires governance and is subject to audit and discovery. I have in a previous post explained how retention labels and policies work for Office 365, and with retention policies for Teams, you can:
Retain Teams chats and/or channel messages for a specified duration and then do nothing.
Retain Teams chats and/or channel messages for a specified duration and then delete the data.
Delete Teams chats and/or channel messages after a specified duration.
We recommend that you activate default retention/deletion policies for Team chats and channels, integrated with your eDiscovery process, to ensure you are not creating an 'information lake' that will later require a clean-up project. You may also need to review your information standards and guidelines to reflect the principles for information sharing and record keeping in these new methods of collaboration.
Can users make binding decisions in Teams chats?
How would you communicate and educate users on such governance principles?
How would you monitor and prevent compliance issues without disrupting employee productivity? E.g. GIFs and stickers are fun but can also create compliance headaches.
Teams Pro Tip: Microsoft Compliance Centre admins can configure separate retention policies for Chats and channel messages.
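The three retention outcomes listed above, and the pro tip that chats and channel messages are configured as separate policies, as an added example (this is not code from the original post). Each outcome maps to one value of RetentionComplianceAction: Keep (retain, then do nothing), KeepAndDelete (retain, then delete) and Delete (delete after the period with no minimum retention). Policy names, durations and the pilot team address are assumptions for illustration; it is run from Security & Compliance PowerShell.

```powershell
# Added example, not from the original post.
# Teams locations cannot share a policy with Exchange or SharePoint
# locations, so each Teams scope gets its own policy here. Durations are
# in days and are assumed values for illustration.
Connect-IPPSSession

# 1. Channel messages, all teams: retain 7 years, then do nothing (Keep).
New-RetentionCompliancePolicy -Name 'Teams channel messages - retain 7y' `
    -TeamsChannelLocation All -Enabled $true
New-RetentionComplianceRule -Name 'Channel messages retain 7y' `
    -Policy 'Teams channel messages - retain 7y' `
    -RetentionDuration 2555 -RetentionComplianceAction Keep

# 2. 1:1 and group chats, all users: retain 1 year, then delete (KeepAndDelete).
New-RetentionCompliancePolicy -Name 'Teams chats - retain 1y then delete' `
    -TeamsChatLocation All -Enabled $true
New-RetentionComplianceRule -Name 'Chats retain 1y then delete' `
    -Policy 'Teams chats - retain 1y then delete' `
    -RetentionDuration 365 -RetentionComplianceAction KeepAndDelete

# 3. Delete-only: channel messages of one pilot team removed after 30 days
#    (Delete enforces no minimum retention). The team address is assumed.
#    Where policies overlap, retention wins over deletion, so this team's
#    messages are still kept for 7 years by policy 1 unless it is excluded there.
New-RetentionCompliancePolicy -Name 'Teams pilot team - delete after 30d' `
    -TeamsChannelLocation 'pilot-team@contoso.com' -Enabled $true
New-RetentionComplianceRule -Name 'Pilot team delete after 30d' `
    -Policy 'Teams pilot team - delete after 30d' `
    -RetentionDuration 30 -RetentionComplianceAction Delete

# Verification: list the Teams rules with their action and duration.
Get-RetentionComplianceRule |
    Where-Object { $_.Policy -like 'Teams*' } |
    Format-Table Name, Policy, RetentionDuration, RetentionComplianceAction -AutoSize
```

Policy 3 is included to show the third option and its interaction with the others: because retention takes precedence over deletion when policies overlap, a delete-only policy does not shorten retention set elsewhere, and the overlap should be resolved explicitly (for example with -TeamsChannelLocationException on policy 1) rather than assumed. Messages under retention are preserved in a hidden folder in the Exchange mailbox for eDiscovery even after users delete them in the client, which is what makes the chat content discoverable.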
Governance in Team files - Some of the files shared in Teams will be records that need to be retained and protected. We often set this up in one of the following ways for large clients:
Teams provisioning service - users have to request new Teams with channels, which are created by a central team, and that central team publishes the relevant record labels to the SharePoint site created for the Team (see option 3 in this previous blog post). Users do not see the labels in Teams, which means the Team owner is required to manually label records in the corresponding SharePoint site. Users are required to share files in Teams channels, not in private chats.
Self-service Team creation and site configuration - Users are empowered to create Teams with channels, and the setup process requires the Team creator to set default metadata on the corresponding SharePoint site (see the image below and option 4 in this previous blog post). Users can now see SharePoint metadata directly in the Teams client and can manage a document's lifecycle status by changing the associated metadata, e.g. set the document type (such as HR file) and change the document status (draft vs. final) to auto-apply the correct record label, automating records management with SharePoint Online.
We recommend planning your Teams instances and their classification so that users collaborate and share information in a shared space instead of sharing it in private chats.
Teams Pro Tip: Deploying retention labels to Teams files is different from SharePoint Online. Compliance admins deploy retention (or record) labels by publishing them to Office 365 groups. As described in the Teams architecture, publishing to the Office 365 group pushes the retention labels to both the Team's SharePoint site and its Exchange mailbox.
Demonstrating compliance with Teams
Microsoft has made significant investments in making Teams a secure platform, and like its user experience, compliance administration integrates with Advanced eDiscovery, Content search, and audit logs to provide defensibility. This does require configuration effort and in-depth technical expertise to gain valuable insights in a timely and cost-effective manner.
We recommend that you partner with your IT organizations to build technical skills for compliance insights and set up a robust eDiscovery process.
Teams Pro Tip: Set up alert policies based on specific Teams audit events to inform or alert administrators of any protection or governance changes to your high-value teams or individuals.
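The audit-event monitoring in the pro tip above, as an added example (this is not code from the original post). It searches the unified audit log for the Teams operations that change membership, roles or settings, keeps only the events that touch a set of high-value teams, and prints them as a review list. It requires Exchange Online PowerShell with unified audit logging enabled in the tenant; the team names, and the AuditData field names it reads (TeamName, Members with UPN and Role, Name), are assumptions for illustration.

```powershell
# Added example, not from the original post.
# Finds governance changes (membership, roles, settings, deletion) on
# high-value teams in the last 7 days from the unified audit log.
Connect-ExchangeOnline

$highValueTeams = @('Board Papers', 'Project Falcon')   # assumed team names
$operations = @(
    'MemberAdded', 'MemberRemoved', 'MemberRoleChanged',
    'TeamSettingChanged', 'ChannelSettingChanged', 'TeamDeleted'
)

# One call returns at most 5000 records; use -SessionCommand ReturnLargeSet
# and loop on -SessionId for larger windows.
$events = Search-UnifiedAuditLog `
    -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -RecordType MicrosoftTeams -Operations $operations -ResultSize 5000

$findings = foreach ($e in $events) {
    # AuditData is a JSON document; TeamName and Members are the assumed
    # field names for Teams records.
    $d = $e.AuditData | ConvertFrom-Json
    if ($highValueTeams -notcontains $d.TeamName) { continue }

    $detail = if ($d.Members) {
        ($d.Members | ForEach-Object { "$($_.UPN) (role $($_.Role))" }) -join ', '
    } else {
        $d.Name   # setting or channel name for setting changes, if present
    }

    [pscustomobject]@{
        When      = $e.CreationDate
        Team      = $d.TeamName
        Operation = $e.Operations
        Actor     = $e.UserIds
        Detail    = $detail
    }
}

# Guest additions are the change most worth an alert on a restricted team:
# guest UPNs carry the '#EXT#' marker in Azure AD.
$guestAdds = $findings | Where-Object {
    $_.Operation -eq 'MemberAdded' -and $_.Detail -like '*#EXT#*'
}

$findings  | Sort-Object When | Format-Table -AutoSize
$guestAdds | Sort-Object When | Format-Table -AutoSize
```

Run on a schedule, the $guestAdds and role-change rows are what you would route to an alert; the same operations can be configured as an alert policy in the Compliance Center so that notification does not depend on a script. Keep the search window short and the team list explicit: audit records for a busy tenant exceed the per-call limit quickly, and filtering by TeamName after the fact is cheaper than searching everything.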
Microsoft Teams combines all the user experience richness and power of the Microsoft tools through a simple and user-friendly interface. However, without planning and investment in appropriate architecture and governance, it can also become a considerable headache for organizations that need to demonstrate compliance to regulators.
Feel free to contact us if you need help establishing governance for Teams. Many engagements start with a proof of concept, which is a way for you to test Office 365 Compliance features configured to meet your use cases.