In this session we will focus on the recommendations from the field - what we have learned in the trenches along with recommended best practices related to Teams management, provisioning, OneDrive and SharePoint sharing, as well as retention and sensitivity labelling strategies and common industry considerations for financial data, healthcare and legal holds.
Agenda:
We will walk through these key points:
1. Getting started with classifications, retention, and sensitivity.
2. Best practices in setting retention policy durations
3. Industry practices in setting archiving policies
4. When to use a suffix or prefix? Which is better?
5. Data backup and its importance with relevant policy settings
6. Best practices for auditing security and settings
7. Maximizing Teams Security
8. Best practices for global administration
9. Best practices for Teams administration
I'm looking forward to seeing everyone on the webinar.
Joel Oleson
Microsoft MVP and Regional Director
3. Goals for today:
Getting started with labels: retention and sensitivity
Industry practices in setting archiving policies
Data backup & recovery with relevant policy settings
When to use a suffix or prefix? Which is better?
Best practices for auditing security and settings
Maximizing Teams Security
Best practices for global administration
Best practices for Teams administration
4. Agenda
Why Governance and Security
Retention and Sensitivity Labels
Information Architecture
Recovery & Archiving
Provisioning & Lifecycle
Auditing and Change Management
Licensing
Admin Best Practices
Q&A, Wrap Up & Offer
Teams Governance & Security Workshop
TeamsHUB.io Partner
https://TeamsHUB.io
7. Control governance before day one
• Who can create: create site (SharePoint), create team (Teams), create shared library (OneDrive), create group (Outlook)
• Naming conventions: prefix-suffix naming policies, fixed strings or user attributes; custom blocked words
• Configure guest access: manage who can add guest users; turn the sharing option on or off; turn guest access to group files and OneNote on or off; configure external sharing for SharePoint
• Configure expiry: set the expiration duration; choose which Groups the policy will apply to
• Set policies: retention, eDiscovery, data loss prevention
• Use of templates: Teams templates, SharePoint site designs, themes
• Monitoring: Teams admin center, SharePoint admin center, Office 365 admin center, Office 365 adoption content pack, Groups report
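An added example, not from the deck or from TeamsHUB: the "who can create" and "naming conventions" controls above, applied to the tenant-wide Group.Unified directory setting with Microsoft Graph PowerShell (beta module). The security group name "Team Creators", the prefix/suffix pattern and the blocked-word list are placeholders chosen for illustration; the template ID is the well-known Group.Unified template.

```powershell
# Added example (not from the original deck). Restricts Microsoft 365 Group / Teams creation
# to one security group and enforces a naming policy, via Microsoft Graph PowerShell (beta).
# Assumptions: the security group "Team Creators" exists; pattern and blocked words are illustrative.
Import-Module Microsoft.Graph.Beta.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Beta.Groups
Connect-MgGraph -Scopes "Directory.ReadWrite.All", "Group.Read.All"

# Well-known template ID of the tenant-wide "Group.Unified" settings object
$templateId = "62375ab9-6b52-47ed-826b-58e47e0e304b"

# Only members of this group keep the right to create groups/teams (assumed to exist already)
$creators = Get-MgBetaGroup -Filter "displayName eq 'Team Creators'"
if (-not $creators) { throw "Create the 'Team Creators' security group first." }

$desired = @(
    @{ name = "EnableGroupCreation";           value = "false" }          # block creation for everyone...
    @{ name = "GroupCreationAllowedGroupId";   value = $creators.Id }     # ...except members of this group
    @{ name = "PrefixSuffixNamingRequirement"; value = "[GroupName]-[Department]" } # suffix from a user attribute
    @{ name = "CustomBlockedWordsList";        value = "CEO,Payroll,Legal,HR" }     # words nobody may use in a name
)
$params = @{ templateId = $templateId; values = $desired }

# Create the settings object on first use, otherwise update it in place
$setting = Get-MgBetaDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
if ($setting) {
    Update-MgBetaDirectorySetting -DirectorySettingId $setting.Id -BodyParameter $params
} else {
    $setting = New-MgBetaDirectorySetting -BodyParameter $params
}

# Verify what is now enforced before telling users the policy is live
(Get-MgBetaDirectorySetting -DirectorySettingId $setting.Id).Values |
    Where-Object { $_.Name -in $desired.name } |
    Format-Table Name, Value -AutoSize
```

The naming policy and blocked words apply when a group is created or renamed; groups that already exist keep their names, and admins holding a role that bypasses the creation restriction can still create groups, so check the verification output rather than assuming the change landed.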
8. Governance Quick Start
• Who can create Groups?
• Naming conventions?
• Guest access?
• Settings & policies?
• Approved apps?
• Meeting capabilities?
• Data security?
https://docs.microsoft.com/en-us/MicrosoftTeams/teams-adoption-governance-quick-start
13. All Enterprise Teams
• Communities: public internal Teams (anyone internal can join)
• Teams: private internal Teams (self service)
• Extranet Teams: private shared internal and external Teams with guests
• Secure Teams: private locked-down internal Teams (invite only), no external guests
• Pinned Teams or apps
15. Sensitivity Labels
• General – Designed for internal or customer use (default)
• Public – Data designed to be shared
• Internal Only – Not to be shared externally; includes contractors and FTE
• Employees Only – Employee only
• Specific People – Confidential communication
16. Classification or Sensitivity Labels?
What's the difference between sensitivity labels and Teams classification labels?
• Sensitivity labels are different from classification labels, also known as Azure AD group classification. Classification labels are text strings that can be associated with a Microsoft 365 group.
• The benefit of using sensitivity labels is that their policies are automatically enforced end-to-end through a combination of the Microsoft 365 Groups platform, the compliance center, and Teams services. Sensitivity labels provide powerful infrastructure support for securing your organization's sensitive data and ensuring compliance with your internal policies or regulations.
19. Data Retention
• General business data – Non-critical business communication: 1 year
• HR – 2 years: consider GDPR and CCPA guidelines
• Finance – 6 years: IRS recommendation of six years. Keeping business records takes time and space, but the benefits are worth the sacrifices. Having peace of mind as a business owner is invaluable.
• Legal/LCA – 7 years
• Business records: keep documents related to a business, including assets, employment taxes, expense reports, invoices, accounts payable/receivable ledgers, for seven years before shredding.
• Research & development – Permanent: patent and R&D records should also be kept permanently.
• Keep profit and loss statements, annual reports, financial statements, meeting minutes, corporate bylaws and business formation documents permanently.
These durations are starting points; confirm each one against the regulations and contracts that actually bind your organization before building a retention policy on it.
How long should you keep business records? (microsoft.com)
20. Classic Azure AD group classification
• Microsoft 365 no longer supports the old classifications for new Microsoft 365 groups and SharePoint sites after you enable sensitivity labels for containers. However, existing groups and sites that support sensitivity labels still display the old classification values until you convert them to use sensitivity labels.
25. Data loss prevention (DLP)
Automatic detection and protection:
• Detect and prevent oversharing
• Block sharing based on patterns in the file
• Manage DLP policies across Office 365 workloads
• O365 only
Protect content: Azure Information Protection (AIP), end users label or autolabeling:
• Apply protection to a file based on its label
• Prevent external people not in the protection policy from opening a file
• Protection is part of the document and travels with it
Protecting the group:
• Run jobs to change Team settings based on Team labels
• Unified labels will bring this to Office 365 groups
Information protection life cycle: Detect, Classify, Protect, Monitor
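An added example, not from the deck: the "block sharing based on patterns in the file" case above, as a DLP policy and rule created from Security & Compliance PowerShell. It uses the built-in "Credit Card Number" sensitive information type; the policy and rule names are placeholders, and it deliberately starts in test mode.

```powershell
# Added example (not from the original deck). Creates a DLP policy that catches payment-card numbers
# in SharePoint, OneDrive and Teams and blocks sharing them with people outside the organization.
# Run from Security & Compliance PowerShell; policy and rule names are illustrative.
Connect-IPPSSession

$policyName = "PAN oversharing"

# Start in test mode with user notifications: you see matches and policy tips without breaking anyone's work
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Block credit card numbers shared externally from SharePoint, OneDrive and Teams" `
    -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications

# One rule: content with at least one credit card number, shared outside the org, is blocked for those
# recipients; the last modifier gets a policy tip and site admins get a high-severity incident report
New-DlpComplianceRule -Name "Block PAN to external" -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "1" } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser LastModifier `
    -GenerateIncidentReport SiteAdmin `
    -ReportSeverityLevel High

# Review the incident reports for a week, then flip to enforcement
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Test mode is the check a practitioner wants here: a pattern-based rule on credit card numbers will also fire on test data and order numbers that happen to pass a Luhn check, and the incident reports show you the false-positive rate before users start hitting a block.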
30. Don’t Forget Your Side of the SLA
• "While Office 365 is fast becoming the center of business productivity, a backup and recovery strategy is an afterthought. Relying on Microsoft's native backup capabilities and infrastructure-level uptime features is a risky…"
• "Without an enterprise-grade backup strategy… enterprises are exposing themselves to risks such as ransomware, accidental loss of data, lack of data control, compliance exposures, and threats to business continuity."
- Archana Venkatraman, IDC
Reference: “Why a Backup Strategy for Microsoft Office 365 is Essential for Security, Compliance, and Business”
31. By 2022, 70% of organizations will have suffered a business disruption due to unrecoverable data loss in a SaaS application.
Source: Gartner 2019, "Assuming SaaS Applications Don't Require Backups is Dangerous."
32. How many times does the Microsoft Services Agreement say you should plan a regular backup? Three!
• 4.a.iv – “You should have a regular backup plan as Microsoft won’t be able to retrieve Your Content or Data once your account is closed.”
• 4.f – “You should have a regular backup plan.”
• 6.b – “We recommend that you regularly backup Your Content and Data…”
“Microsoft is not liable for any disruption or loss you may
Reference: Microsoft Services Agreement
33. Issues to consider: When not IF
• Accidental deletion: a 30-90 day retention period might result in loss of data
• Ransomware attacks: attacks target email, SharePoint, OneDrive
• Retention regulations: default retention might not satisfy organizational policy or regulation
• The average time to identify a data breach inside an organization is 206 days
• 21% of all folders in a typical company are open to everyone
35. M365 Single File Deletion Story in Visual
SharePoint and OneDrive:
1. User creates a file in a library/Team.
2. User deletes the file or item: it moves to the SharePoint/OneDrive Recycle bin (a script can do the same with Move-PnPListItemToRecycleBin).
3. User empties the Recycle bin or deletes the file from it: it moves to the 2nd stage Recycle bin.
4. The item leaves the 2nd stage Recycle bin when an admin empties it, an admin purges the file, the site goes over the Recycle bin quota (200%, oldest items auto deleted first), or the 93-day clock runs out. The 93 days count from the original deletion across both stages (0-93).
5. After that there are 14 days of potential recovery with a Microsoft support ticket.
6. Then the item is permanently deleted: no recovery.
Exchange:
• Deleted items sit in the hidden Recoverable Items folder (the Purges subfolder once hard-deleted) for the mailbox's deleted-item retention period, at most 30 days; the tenant default is 14 days unless you raise it.
• An admin purging Recoverable Items, or auto-purge when the folder goes over quota, removes them permanently unless a hold applies.
References:
Microsoft 365 SharePoint Online Data Deletion - Microsoft Service Assurance | Microsoft Docs
Restore deleted items from the site collection recycle bin - SharePoint (microsoft.com)
In-Place Hold and Litigation Hold | Microsoft Docs
36. M365 Site Collection Deletion/Recovery
1. Site creation.
2. Site admin deletes the site collection: it can be recovered for up to 93 days from the SharePoint admin center.
3. Running the Remove-SPODeletedSite cmdlet permanently deletes the site (NO RECOVERY).
4. After the 93 days there are 14 days of potential recovery with a Microsoft support ticket; then the site is permanently deleted, no recovery.
References:
Microsoft 365 SharePoint Online Data Deletion - Microsoft Service Assurance | Microsoft Docs
Restore deleted items from the site collection recycle bin - SharePoint (microsoft.com)
When content is hard deleted (permanently deleted, or purged) from SharePoint Online, all encryption keys for the deleted chunks are also deleted. The blocks on the disks that previously stored the deleted chunks are marked as unused and available for re-use.
37. File or Item Recovery (SharePoint, OneDrive, Teams)
• User self service: Files Restore or Recycle bin restore
• Owner self service (SharePoint, OneDrive): Recycle bin, then the 2nd stage (site collection) Recycle bin
• Support ticket recovery (14-day window): site collection restore, purged item restore, hard delete restore
• Permanent: unrecoverable
Restore deleted items from the site collection recycle bin - SharePoint (microsoft.com)
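An added example, not from the deck, covering the owner self-service and admin-center stages of slides 35 to 37: it lists and restores items from one site's 2nd stage recycle bin, then reports deleted site collections whose 93-day window is nearly over. It assumes PnP.PowerShell and the SharePoint Online Management Shell are installed (newer PnP versions also need a registered app ClientId on Connect-PnPOnline); the tenant, site URL and folder patterns are placeholders.

```powershell
# Added example (not from the original deck). Two recovery checks worth running on a schedule:
# (1) the 2nd stage recycle bin of one site, (2) deleted site collections nearing the end of the 93-day window.
# Requires PnP.PowerShell and Microsoft.Online.SharePoint.PowerShell; URLs and paths are placeholders.
$adminUrl = "https://contoso-admin.sharepoint.com"
$siteUrl  = "https://contoso.sharepoint.com/sites/finance"

# (1) What an owner can still restore without a support ticket
Connect-PnPOnline -Url $siteUrl -Interactive
$stage2 = Get-PnPRecycleBinItem -SecondStage
$stage2 | Select-Object Title, DirName, DeletedByName, DeletedDate, Size | Format-Table -AutoSize

# Restore everything removed from a folder that must never lose content (the path pattern is an assumption)
$stage2 | Where-Object { $_.DirName -like "*Shared Documents/Contracts*" } |
    Restore-PnPRecycleBinItem -Force

# (2) Deleted sites: DaysRemaining counts down the 93 days; once it reaches 0 only a support ticket may help
Connect-SPOService -Url $adminUrl
$expiring = Get-SPODeletedSite | Where-Object { $_.DaysRemaining -le 14 }
$expiring | Select-Object Url, DeletionTime, DaysRemaining | Format-Table -AutoSize

foreach ($site in $expiring) {
    if ($site.Url -like "*/sites/finance*") {   # sites we always keep (assumption)
        Restore-SPODeletedSite -Identity $site.Url
    } else {
        Write-Warning "$($site.Url) is hard-deleted in $($site.DaysRemaining) day(s); confirm it is out of scope"
    }
}

# Remove-SPODeletedSite skips straight to "permanently deleted, no recovery"; never script it without a review step.
```

The 14-day threshold leaves time to raise a support ticket if the restore fails; the pattern match on the site URL stands in for whatever inventory of in-scope sites you actually keep.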
38. Anatomy of Teams & Exchange “Recoverable Items”
• Deletions – Contains soft-deleted items whose deleted item retention period has not expired. Users can recover soft-deleted items from this subfolder using the Recover Deleted Items tool in Outlook.
• Purges – Contains hard-deleted items whose deleted item retention period has expired. Users can also hard-delete items by purging items from their Recoverable Items folder. If the mailbox is on hold, hard-deleted items are preserved. This subfolder isn't visible to end users.
• DiscoveryHolds – Contains hard-deleted items that have been preserved by an eDiscovery hold or a retention policy. This subfolder isn't visible to end users.
• SubstrateHolds – Contains hard-deleted items from Teams and other cloud-based apps that have been preserved by a retention policy or other type of hold. This subfolder isn't visible to end users.
Clean up or delete items from the Recoverable Items folder in Exchange Online | Microsoft Docs
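An added example, not from the deck: how to see the four subfolders above for one mailbox and the settings that decide how long items stay in them, from Exchange Online PowerShell. The mailbox address is a placeholder.

```powershell
# Added example (not from the original deck). Sizes the hidden Recoverable Items subfolders for one
# mailbox and shows the settings that decide how long hard-deleted Teams/Exchange items survive.
# Exchange Online PowerShell; the mailbox address is a placeholder.
Connect-ExchangeOnline
$mailbox = "alex.c@contoso.com"

# Deletions / Purges / DiscoveryHolds / SubstrateHolds all live under the RecoverableItems scope
Get-MailboxFolderStatistics -Identity $mailbox -FolderScope RecoverableItems |
    Where-Object { $_.Name -in "Deletions", "Purges", "DiscoveryHolds", "SubstrateHolds" } |
    Select-Object Name, ItemsInFolder, FolderSize | Format-Table -AutoSize

# How long soft-deleted items stay in Deletions (default 14 days, maximum 30), and whether a hold is
# what keeps hard-deleted items in Purges/DiscoveryHolds/SubstrateHolds instead of letting them age out
Get-Mailbox -Identity $mailbox |
    Select-Object RetainDeletedItemsFor, LitigationHoldEnabled, InPlaceHolds, RecoverableItemsQuota

# Give users the full 30-day window rather than the 14-day default
Set-Mailbox -Identity $mailbox -RetainDeletedItemsFor 30
```

If InPlaceHolds is empty and LitigationHoldEnabled is False, a large Purges folder is only there until the next cleanup, which is the "when not if" point of slide 33.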
42. Prefix or Suffix?
• A prefix is very visible, but gets in the way with name and label size limitations
• Suffix preferred over prefix: consider department, location
• Metadata or additional data in the description is preferred. Store the location and department in additional provisioning fields (site property bag).
45. Auditing
1. Set up Advanced Audit (now sold as Audit (Premium)) for users:
   a. Verify the license or add-on license for Advanced Audit.
   b. Turn on the Advanced Audit app/service plan for those users.
   c. Enable auditing of crucial events for the Advanced Audit app/service plan.
2. Enable crucial events to be logged in Exchange Online and SharePoint Online.
3. Set up audit log retention policies. In addition to the default policy that retains Exchange, SharePoint, and Azure AD audit records for one year, you can create additional audit log retention policies to meet the requirements of your organization's security operations, IT, and compliance teams.
4. Search for crucial events and other activities when conducting forensic investigations. After completing steps 1 and 2, you can search the audit log for crucial events during forensic investigations of compromised accounts and other types of security or compliance
46. Auditing Recommendations
• Track admin and end-user activity in your tenant and save Office 365 audit logs. Detect unauthorized changes, track suspicious sharing.
• Audit Office 365 user access – validate permissions, added user or group members, and broken inheritance.
• Audit external sharing – track all external sharing. Monitor guest user activity and see how they interact with your Office 365
• Audit Microsoft Teams, Microsoft 365 Groups, Exchange Online, and OneDrive – check each configuration and access update, content interaction, and security changes.
• Change management for errors and issues – pinpoint the exact time and place of the issue and who was responsible for it.
• Receive alerts – act proactively upon any suspicious action and avoid serious security breaches.
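An added example, not from the deck: the "audit external sharing" and "track suspicious sharing" recommendations above as a unified audit log search from Exchange Online PowerShell. The operation names are the real SharePoint/OneDrive sharing operations; the 7-day window, the property names read from AuditData and the CSV path are choices made here.

```powershell
# Added example (not from the original deck). Pulls the last 7 days of sharing, anonymous-link and
# group-membership events from the unified audit log and flags anything that reached a guest or an
# anonymous link. Exchange Online PowerShell; the account needs the Audit Logs role.
Connect-ExchangeOnline
$start = (Get-Date).AddDays(-7)
$end   = Get-Date
$ops   = "SharingSet", "SharingInvitationCreated", "AnonymousLinkCreated", "SecureLinkCreated", "AddedToGroup"

# A single call returns at most 5000 records; page with -SessionId/-SessionCommand in busy tenants
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $ops -ResultSize 5000

# AuditData is a JSON blob; the keys below are the ones sharing events carry (absent keys read as $null)
$events = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time       = $r.CreationDate
        Operation  = $r.Operations
        Actor      = $d.UserId                  # who shared or added the member
        Target     = $d.TargetUserOrGroupName   # who received access (empty for anonymous links)
        TargetType = $d.TargetUserOrGroupType   # Member, Guest, SecurityGroup, ...
        Object     = $d.ObjectId                # file, folder or site URL
        Site       = $d.SiteUrl
    }
}

# What the slide says to watch: external reach. Internal sharing is noise for this review.
$external = $events | Where-Object {
    $_.Operation -eq "AnonymousLinkCreated" -or $_.TargetType -eq "Guest"
}
$external | Sort-Object Time -Descending |
    Format-Table Time, Operation, Actor, Target, Object -AutoSize

# Keep the evidence for change management and incident timelines
$external | Export-Csv -Path ".\external-sharing-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Run it daily rather than on demand: the retention of the unified audit log is finite (90 days for standard audit, longer only with Audit (Premium) or a retention policy as in slide 45), and an export you already have is the only record that survives a tenant-wide purge.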
53. Best practices for Guest Access
• Admins can create a policy where only users with the “Guest Inviter” role can invite guests. This can be configured using Active Directory properties on the user object such as Title, Job Description, etc.
• Admins can create an allow/deny list of external partner domains from which guests can be added.
• Guest access can be enabled or disabled at the group level.
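An added example, not from the deck: the last point above, guest access disabled for a single group, done with Microsoft Graph PowerShell (beta module) through the per-group Group.Unified.Guest setting, followed by a list of guests already inside the group. The team name is a placeholder; the template ID is the well-known Group.Unified.Guest template.

```powershell
# Added example (not from the original deck). Turns off guest additions for one team's Microsoft 365
# group and lists guests already in it. Microsoft Graph PowerShell (beta); the team name is a placeholder.
Import-Module Microsoft.Graph.Beta.Groups
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Directory.ReadWrite.All"

$group = Get-MgBetaGroup -Filter "displayName eq 'Secure Finance Team'"
if (-not $group) { throw "Team not found" }

# Well-known "Group.Unified.Guest" template: the per-group override of the tenant guest setting
$guestTemplateId = "08d542b9-071f-4e16-94b0-74abb372e3d9"
$params = @{ templateId = $guestTemplateId; values = @(@{ name = "AllowToAddGuests"; value = "false" }) }

# Create the override once, update it afterwards
$existing = Get-MgBetaGroupSetting -GroupId $group.Id | Where-Object { $_.TemplateId -eq $guestTemplateId }
if ($existing) {
    Update-MgBetaGroupSetting -GroupId $group.Id -GroupSettingId $existing.Id -BodyParameter $params
} else {
    New-MgBetaGroupSetting -GroupId $group.Id -BodyParameter $params
}

# Verify the override took
(Get-MgBetaGroupSetting -GroupId $group.Id | Where-Object { $_.TemplateId -eq $guestTemplateId }).Values

# The setting stops new guests; it does not evict existing ones, so review who is already there
Get-MgBetaGroupMember -GroupId $group.Id -All |
    Where-Object { $_.AdditionalProperties.userType -eq "Guest" } |
    ForEach-Object { $_.AdditionalProperties.userPrincipalName }
```

This is the control behind the "Secure Teams" type in slide 13: the tenant setting can stay permissive for extranet teams while invite-only teams refuse guests individually.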
54. Teams Security Considerations
• Microsoft 365 Groups (Azure AD)
• Who can provision (Group)
• Device considerations
• Location considerations
• Storage considerations
• Information Boundaries
• DLP Chat vs. DLP files
55. Global Admin Best Practices
• Teams-first approach
• Teams home site app - Viva Connections
• Enterprise search
• MFA for all admins (preferred for all users, especially any elevated accounts)
• Service accounts should have app passwords (specially assigned MFA). Caveat: an app password is a static secret that lets a legacy client skip interactive MFA, so scope such accounts narrowly and prefer certificate-based or managed-identity app registrations where the workload supports them.
• Few global admins. If possible, no permanent global admins: use a check-out (just-in-time elevation) process and a less-privileged configuration admin role for day-to-day work.
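An added example, not from the deck: a check for the "few global admins" and "MFA for all admins" points above, using Microsoft Graph PowerShell (v1.0 modules). It lists the active members of the Global Administrator role and joins them against the authentication methods registration report; the threshold of four is a local choice.

```powershell
# Added example (not from the original deck). Counts permanent Global Administrators and checks that each
# one has MFA registered. Microsoft Graph PowerShell (v1.0); the threshold is a local choice.
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All", "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

$maxGlobalAdmins = 4   # "few" on the slide; pick your own number

# Active (permanent) members of the role. PIM-eligible admins do not appear here, which is the point:
# this list should be short.
$role   = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$admins = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All

# Registration report keyed by user object ID: tells us whether MFA is actually set up, not just required
$reg = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All | ForEach-Object { $reg[$_.Id] = $_ }

$report = foreach ($a in $admins) {
    $r   = $reg[$a.Id]
    $mfa = if ($r) { [bool]$r.IsMfaRegistered } else { $false }   # service principals have no report entry
    [pscustomobject]@{
        UserPrincipalName = $a.AdditionalProperties.userPrincipalName
        MfaRegistered     = $mfa
        Methods           = if ($r) { $r.MethodsRegistered -join "," } else { "" }
    }
}
$report | Format-Table -AutoSize

if ($admins.Count -gt $maxGlobalAdmins) {
    Write-Warning "$($admins.Count) permanent Global Admins; move the rest to PIM eligibility"
}
$report | Where-Object { -not $_.MfaRegistered } |
    ForEach-Object { Write-Warning "$($_.UserPrincipalName) has no MFA method registered" }
```

A Conditional Access policy that requires MFA for admin roles is still the enforcement; this script is the audit that tells you whether the people it applies to could actually satisfy it today.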
56. Teams Admin Best Practices
• Recognize defaults are not best practices
• Use visuals and encourage color
• Templates
• Archive! Enable Lifecycle Policies
• App policies – Microsoft, Third Party, Enterprise
• Don’t go crazy with policies that hurt UX. Many mobile security
policies make it difficult to use apps on your phone.
• Listen to your users and champions!
59. Poll: How would you like us to follow up with you? (Multi select)
• 90 Minute Private Teams Governance and Security Workshop
with your organization.
• Deep dive 1 hour TeamsHUB Demo for your company
• Interested in the TeamsHub Partner Reseller Program
Prefix, Block bad words, PowerShell to allow only certain people to create teams, Office 365 admin for guests
[Notes: AIP: Azure Information Protection. (UI changed) Employees label the files themselves. In addition, I want to catch patterns of content that may not have been labeled appropriately (DLP) like cc number or ss number and block it. Screenshot is AIP example. When saving to SP, you get prompted about the classification. Screenshot shows that when you save a file to SharePoint, you're prompted to classify it.]
This last slide is built as a leave-behind for after your customer conversation. All of the images/icons above are URL linked to their respective online documentation to allow them to drill in more.
Also, all of these slides include speaker notes for the topics, so for you former voice TSs that maybe didn’t have to cover this in the past, hopefully you find this helpful.
Up next: Where can you get this slide deck?
Many of the capabilities discussed are included with Office 365 E3 but many are not. Some require additional subscriptions, including Azure Active Directory Premium P1 or P2, Office 365 E5 or Advanced Compliance, and Enterprise Mobility Suite.