In this chapter, we will examine the principles of security and compliance within Microsoft Teams. You will learn about the different Teams admin roles that are available and what they do, gain an understanding of compliance features for Teams, such as retention policies and sensitivity labels, and we will also show you how to set up security- and compliance-related alerting for Microsoft Teams. Additionally, we will introduce you to information barrier policies, which can be used to separate groups of Teams users so that they may not communicate directly, and finally examine some of the security reporting features available for Microsoft Teams. Learning about these principles will help you to manage Microsoft Teams on a day-to-day basis and also help you to pass the MS-700 exam.
In this chapter, we're going to cover the following main topics:
In this chapter, you will need to have access to the Microsoft Teams admin center, which you can reach at https://admin.teams.microsoft.com. You will need to be a Global Administrator in order to carry out most of the steps covered in this chapter. However, the Compliance Administrator role will be enough for many of the activities described.
You will also need to be able to access Windows PowerShell to configure Information Barrier segments and policies.
When configuring Microsoft Teams for your organization, it is necessary to understand and assign the appropriate administrator roles so that only authorized staff may configure user settings and features for Teams. It is important to only grant the access that is needed and no more.
To facilitate only the required level of administrative access, Microsoft Teams comes with five administrator roles, which can be assigned to the appropriate people in your organization who need to manage Teams workloads. These roles range from full permissions to narrower subsets of permissions over the features and settings that may be configured from the Microsoft Teams admin center and Windows PowerShell.
In this section, we will examine each of these roles and explain the tools and features that are available to those assigned to these roles.
The roles available are as follows:
Important note
The Global Administrator role within Microsoft 365 has all the same permissions and capabilities that are assigned to the Teams Service Administrator role.
So, now that you are aware of these available admin roles for Teams, let's look at how you can assign these roles to users in your organization.
To assign a Teams admin role to your users, you will need to connect to the Azure portal as a Global Administrator. In the following example, we will assign the Teams Communications Support Engineer role to a user named Adele Vance. This is achieved by completing the following steps:
It is also possible to add a Teams admin role by using Windows PowerShell. This can be achieved by completing the following steps:
# Connect to Azure AD with a Global Administrator account (AzureAD module)
Connect-AzureAD
$userName = "[email protected]"   # UPN of the user who is to receive the role
$roleName = "Teams Service Administrator"
# A directory role object only exists once the role has been activated in the tenant
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $roleName }
if ($null -eq $role) {
    # Not yet activated: enable the role from its template, then fetch it again
    $roleTemplate = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $roleName }
    Enable-AzureADDirectoryRole -RoleTemplateId $roleTemplate.ObjectId
    $role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $roleName }
}
# Look the user up by UPN and add them as a member of the role
$user = Get-AzureADUser -ObjectId $userName
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId
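Granting a role is only half of least privilege; the other half is reviewing who already holds one. The following is an added example, not code from the book, that lists every current holder of a Teams admin role through the same AzureAD module, assuming Connect-AzureAD has already been run:

```powershell
# Added example (not from the book): list everyone who currently holds a Teams
# admin role, so that assignments that are no longer needed can be spotted and
# removed. Assumes the AzureAD module and an open Connect-AzureAD session.
# Roles are matched by display-name prefix, which also covers the rename of
# "Teams Service Administrator" to "Teams Administrator". A role that has never
# been activated in the tenant does not appear in Get-AzureADDirectoryRole.
$teamsRoles = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -like "Teams *" }

$report = foreach ($role in $teamsRoles) {
    $members = @(Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId)
    if ($members.Count -eq 0) {
        [PSCustomObject]@{ Role = $role.DisplayName; Member = "(no members)"; Type = "" }
        continue
    }
    foreach ($m in $members) {
        [PSCustomObject]@{
            Role   = $role.DisplayName
            # Users carry a UPN; groups and service principals only a display name
            Member = $(if ($m.UserPrincipalName) { $m.UserPrincipalName } else { $m.DisplayName })
            Type   = $m.ObjectType
        }
    }
}

$report | Sort-Object Role, Member | Format-Table -AutoSize

# Role holders that are not user accounts (groups or apps) deserve a second
# look in a least-privilege review
$report | Where-Object { $_.Type -and $_.Type -ne "User" }
```

Run it before and after a change such as the one above to confirm that only the intended account gained the role.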
So, to recap what you have learned in this section, we have introduced you to the five Teams admin roles that are available within Azure AD. We showed you how you can assign these roles to your users via the Azure portal, and by using Windows PowerShell.
Next, we will look at configuring retention and sensitivity policies for Microsoft Teams.
In this section, we will show you how to configure retention policies and sensitivity labels for use with your Microsoft Teams deployment. Retention policies ensure that the information stored in your Microsoft 365 locations is appropriately retained or deleted based on industry regulations or internal policies. Sensitivity labels allow you to control access to your company data stored in Microsoft Teams to ensure that only authorized personnel can access this content. We will look at retention policies first.
When you use retention policies with Microsoft Teams, the most important consideration is to determine your industry obligations and any internal policies that your organization has in place. This is to ensure that data is retained as long as required, but also not retained longer than it should be.
Teams retention policies enable you to do the following:
Teams private chat messages are stored in an Azure-powered chat service and ingested to the user's Exchange mailbox for compliance, while Teams group chats are stored in the group mailbox.
When a user edits or deletes content within Teams chats or channels that is subject to a retention policy, a copy of the original content is saved to a hidden mailbox folder named SubstrateHolds for as long as the retention policy remains in effect.
While the retention policy remains in effect, the content may be searched for by compliance admins by using eDiscovery. Once the retention period passes, however, and the content is permanently deleted, it cannot be searched for.
Before you configure retention policies for Teams, it is important to be aware of the following limitations:
To create a retention policy for Microsoft Teams, you will need to complete the following steps:
For this example, we will select both Teams channel messages and Teams chats. These could be selected in separate policies if required. It is also possible to filter the Teams that will be targeted by the policy. However, in this example, we will leave All Teams selected for the policy, as illustrated in Figure 5.13:
So, our policy has now been successfully created, and will retain items within Teams chat and channel messages for 7 years, based on when the items were created. At the end of the retention period, the content will be automatically deleted.
Important note
Any files that are shared in private chats will be stored in OneDrive for the user who shared the file. In addition, if users upload any files to a channel chat, these will be stored in the SharePoint site for that team. To retain such content, you must also create retention policies for OneDrive and SharePoint Online.
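As an added example that is not from the book, here is the same 7-year retain-then-delete policy built from Security & Compliance Center PowerShell, together with the separate OneDrive and SharePoint policy that the note above calls for. It assumes an open Connect-IPPSSession (ExchangeOnlineManagement module) under a Compliance Administrator account; the policy and rule names are my own.

```powershell
# Added example (not from the book): two retention policies, one for Teams
# messages and one for the files behind them. Assumes Connect-IPPSSession
# has already been run. Names are placeholders of my own choosing.
$retentionDays = 7 * 365   # durations are given in days; 7 years = 2555 days

# Policy 1: Teams chats and channel messages. Teams locations cannot be mixed
# with other workloads in the same retention policy, which is why two
# policies are needed.
New-RetentionCompliancePolicy -Name "Teams messages 7yr retain then delete" `
    -TeamsChatLocation All `
    -TeamsChannelLocation All `
    -Enabled $true

# Teams messages are aged from their creation date; KeepAndDelete retains
# for the duration and then deletes, matching the policy created above.
New-RetentionComplianceRule -Name "Teams messages 7yr rule" `
    -Policy "Teams messages 7yr retain then delete" `
    -RetentionDuration $retentionDays `
    -RetentionComplianceAction KeepAndDelete

# Policy 2: files shared in private chats (OneDrive) and uploaded to
# channels (the team's SharePoint site).
New-RetentionCompliancePolicy -Name "Teams files 7yr retain then delete" `
    -OneDriveLocation All `
    -SharePointLocation All `
    -Enabled $true

New-RetentionComplianceRule -Name "Teams files 7yr rule" `
    -Policy "Teams files 7yr retain then delete" `
    -RetentionDuration $retentionDays `
    -RetentionComplianceAction KeepAndDelete `
    -ExpirationDateOption CreationAgeInDays   # age from creation, as in the Teams policy

# Check: both policies should be enabled and show a distribution status.
Get-RetentionCompliancePolicy -DistributionDetail |
    Where-Object { $_.Name -like "Teams *" } |
    Format-List Name, Enabled, DistributionStatus, TeamsChatLocation, TeamsChannelLocation, OneDriveLocation, SharePointLocation
```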
Next, we will look at sensitivity labels.
When sensitivity labels are applied to a team, the collaborative content within the team is regulated to ensure that only authorized users may gain access. Sensitivity labels are created from the Microsoft 365 Compliance center. In the following example, we will create and publish a label that will apply to all users in the organization and select the group and site settings so that the label may be applied to a team.
Important note
The following steps include instructions relating to groups and sites in relation to sensitivity labels. Sensitivity labeling for sites and groups is not enabled by default. This must be explicitly enabled in Microsoft 365 tenants. More details on this can be found at the end of this chapter in the Further reading section.
To do this, we need to complete the following steps:
Now that we have amended our label, the next step is to apply it to a team. You can do this by creating a new team or editing an existing team. In this example, we will set up a new team by completing the following steps:
In this section, we examined the principles of applying retention policies and sensitivity labels in Microsoft Teams. We created a retention policy and a sensitivity label.
Next, we will look at how you can set up alerts for security and compliance within Microsoft Teams.
As a Microsoft Teams administrator, you will need to regularly monitor your environment to ensure that user activities are in line with the policies and settings that you have put in place. To do this, you can create alert policies from the Microsoft 365 Security & Compliance Center. You can monitor for activities, such as when teams were created or deleted, or when the settings of a team have been modified.
Important note
In the following steps, we will use the security and compliance center. However, the audit log search may now also be carried out from the compliance center at https://compliance.microsoft.com.
This can be achieved by completing the following steps:
The result of this is that when a new team is created by any user in the organization, an alert will be sent to the recipients chosen in the alert policy.
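An alert policy tells you about a single event; to confirm that the policy is catching what you expect, or to review the window before it existed, the same Teams activities can be pulled from the unified audit log. The following is an added example, not from the book, that assumes an open Connect-ExchangeOnline session (ExchangeOnlineManagement module) with audit log search permissions:

```powershell
# Added example (not from the book): query the unified audit log for the Teams
# activities an alert policy can fire on (team created, deleted, settings
# changed) and summarise them by actor. Assumes Connect-ExchangeOnline has
# already been run by an account allowed to search the audit log.
$start = (Get-Date).AddDays(-7)
$end   = Get-Date
$operations = @("TeamCreated", "TeamDeleted", "TeamSettingChanged")

# A single call returns at most 5000 records; narrow the window, or page with
# -SessionId and -SessionCommand ReturnLargeSet, if you expect more.
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType MicrosoftTeams -Operations $operations -ResultSize 5000

$events = foreach ($r in $records) {
    # AuditData is a JSON string; these fields are present on Teams records
    $d = $r.AuditData | ConvertFrom-Json
    [PSCustomObject]@{
        Time      = [datetime]$d.CreationTime
        Operation = $d.Operation
        Actor     = $d.UserId
        Team      = $d.TeamName
    }
}

# Who is creating, deleting or reconfiguring teams, and how often
$events | Group-Object Actor, Operation |
    Select-Object @{ n = "Actor, Operation"; e = { $_.Name } }, Count |
    Sort-Object Count -Descending | Format-Table -AutoSize

# Full detail, most recent first
$events | Sort-Object Time -Descending | Format-Table -AutoSize
```

Any TeamCreated record here that did not produce an alert e-mail points to a gap in the alert policy's scope or recipients.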
In this section, we have shown you how to set up alert policies for activities related to Microsoft Teams. Next, we will talk about implementing information barrier policies.
Information barriers may be configured in Microsoft 365 if you have departments or individuals who must be prevented from communicating with one another, or even prevented from finding each other in lookups. To configure information barrier policies, we need to use Security & Compliance Center PowerShell commands from the Microsoft 365 compliance center, and you must have one of the following admin roles assigned to you:
In the following example, we will create two information barrier segments called Retail and Marketing. These segments will refer to the department field for all user objects to determine which users will be affected. We will then create an information barrier policy to prevent users in the retail department from communicating with users in the marketing department.
In order to configure information barriers for Microsoft Teams, we need to complete the following steps:
# Connect to Security & Compliance Center PowerShell. This is the legacy remote
# session with Basic authentication; the current ExchangeOnlineManagement module
# provides Connect-IPPSSession for the same purpose.
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking
# Create the first segment: every user whose Department attribute equals Retail
New-OrganizationSegment -Name "Retail" -UserGroupFilter "Department -eq 'Retail'"
The preceding command sets up an information barrier segment called Retail. We now have to repeat this process and create another segment called Marketing.
The results of these PowerShell inputs are shown in Figure 5.33:
# Block Retail from communicating with Marketing; created Inactive so it can be reviewed before enforcement
New-InformationBarrierPolicy -Name "Retail-Marketing" -AssignedSegment "Retail" -SegmentsBlocked "Marketing" -State Inactive
The execution of the preceding command is shown in Figure 5.34:
# Apply all active information barrier policies to the affected users
Start-InformationBarrierPoliciesApplication
The execution of this command is shown in Figure 5.36:
It is also possible to apply multiple segments to an information barrier policy, as well as explicitly allowing just one segment to be able to communicate with another segment.
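The steps above, carried through as one script, as an added example that is not from the book. It goes slightly beyond the text in two places: the policy is set to Active before the application run (an Inactive policy is not applied), and a second policy blocks the reverse direction, since each policy only restricts the segment it is assigned to. It assumes an open Connect-IPPSSession under one of the required roles; segment and policy names follow the text.

```powershell
# Added example (not from the book): Retail/Marketing information barrier
# set up end to end. Assumes Connect-IPPSSession has already been run.
$segments = @{
    Retail    = "Department -eq 'Retail'"
    Marketing = "Department -eq 'Marketing'"
}
foreach ($name in $segments.Keys) {
    # Idempotent: only create a segment that does not exist yet
    if (-not (Get-OrganizationSegment -Identity $name -ErrorAction SilentlyContinue)) {
        New-OrganizationSegment -Name $name -UserGroupFilter $segments[$name] | Out-Null
    }
}

# Create both directions Inactive so they can be reviewed before enforcement.
# To restrict a segment to talking with exactly one other segment instead,
# use -SegmentsAllowed in place of -SegmentsBlocked.
New-InformationBarrierPolicy -Name "Retail-Marketing" -AssignedSegment "Retail" `
    -SegmentsBlocked "Marketing" -State Inactive | Out-Null
New-InformationBarrierPolicy -Name "Marketing-Retail" -AssignedSegment "Marketing" `
    -SegmentsBlocked "Retail" -State Inactive | Out-Null

# Review what will be enforced, then activate both policies
Get-InformationBarrierPolicy |
    Format-Table Name, AssignedSegment, SegmentsBlocked, SegmentsAllowed, State
Set-InformationBarrierPolicy -Identity "Retail-Marketing" -State Active
Set-InformationBarrierPolicy -Identity "Marketing-Retail" -State Active

# Apply the active policies; the run is asynchronous, so check its status
# afterwards (it reports whether the application is still running or finished)
Start-InformationBarrierPoliciesApplication
Get-InformationBarrierPoliciesApplicationStatus
```

Re-run Get-InformationBarrierPoliciesApplicationStatus until the run reports completion before testing that a Retail user can no longer find a Marketing user in Teams.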
In this section, we introduced you to the principles of information barriers in Microsoft Teams. We showed you how to create segments based on Azure AD attributes and then create policies that define which segments can communicate with each other.
In the final section of this chapter, we will examine the security reports available within Microsoft Teams.
The Teams admin center includes many reports that you can access from the Analytics & reports menu. In this section, we will show you how to access these reports and explain their functions.
In order to access these reports, you must have one of the following admin roles assigned to you:
We can access these reports by completing the following steps:
Important note
The Live event usage report is not one that can be exported.
The reports available within the Analytics & reports section are described as follows:
The preceding reports will provide invaluable information to Teams administrators about usage and activity within their environment.
In this section, we showed you how to access the available reports for Teams within the Teams admin center. You learned how to access these reports from the Analytics & reports section, and we showed you a description of what each report does.
In this chapter, we have introduced you to the principles of managing the security and compliance settings for Microsoft Teams. You learned that there are several admin roles for Teams that can be assigned to users in your organization depending on their roles. We showed you how to view and assign these roles from the Teams admin center.
You also learned about retention policies and sensitivity labels and how to use the compliance center to configure these for Teams workloads.
In addition, we demonstrated how to configure alert policies for Microsoft Teams activities, and how information barriers can be used to set up segments based on Azure AD attributes to ensure that departments in your organization that should not be allowed to communicate would not be able to search for each other within Teams.
Finally, we explained the available security reports within Microsoft Teams and how to access and run these reports from the Analytics & reports section of the Teams admin center.
In the next chapter, we will show you how to manage devices to use Microsoft Teams. This will include deploying the Teams client to devices such as Windows, virtual desktops, macOS, and mobile devices. You will also learn how to manage the settings, which are deployed to these devices by setting up configuration profiles. Finally, we will examine the subject of Teams Rooms and show how to configure Teams Rooms devices and Collaboration bars.
As we conclude, here is a list of questions for you to test your knowledge regarding this chapter's material. You will find the answers in the Assessments section of the Appendix:
a. Teams service administrator
b. Teams device administrator
c. Teams communications administrator
d. Teams device support engineer
a. True
b. False
a. The security center
b. The compliance center
c. The security and compliance center
d. The Microsoft 365 admin center
a. True
b. False
a. They prevent users from communicating with external users.
b. They prevent users from communicating with other users by configuring information barrier segments.
c. They prevent users from using information protection features.
d. They prevent users from using information governance features.
a. Retain, then delete.
b. Retain, then do nothing.
c. Delete after a dynamically determined time period.
d. Delete after a defined time period.
a. True
b. False
a. Download the report and export to Power BI.
b. Download the report and export to Excel.
c. Download the report and export to PDF.
d. Download the report and export to a TXT file.
a. True
b. False
a. Teams service administrator
b. Teams communications administrator
c. Teams communications support engineer
d. Teams communications support specialist