Microsoft Teams Governance and Security Best Practices - Joel Oleson

Governance Best Practices
Microsoft Teams Security and Governance:
Recommendations and Best Practices for the Real World.

Goals for
today:
Getting started with labels: retention and sensitivity
Industry practices in setting archiving policies
Data backup & recovery with relevant policy settings
When to use a suffix or prefix? Which is better?
Best practices for auditing security and settings
Maximizing Teams Security
Best practices for global administration
Best practices for Teams administration

Agenda
Why Governance and Security
Retention and Sensitivity Labels
Information Architecture
Recovery & Archiving
Provisioning & Lifecycle
Auditing and Change Management
Licensing
Admin Best Practices
Q&A, Wrap Up & Offer
Teams Governance & Security Workshop
TeamsHUB.io Partner
https://TeamsHUB.io

Can’t you just tell us the answers?

Control governance before day one
Who can
create
Create site
(SharePoint)
Create team
(Teams)
Create shared
library (OneDrive)
Create group
(Outlook)
Naming
conventions
Prefix-suffix
naming policies,
fixed strings or
user attributes
Custom blocked
words
Configure
guest access
Manage who can
add guest users
Turn sharing
option on or off
Turn on or off
guest access to
group files and
OneNote
Configure external
sharing for
SharePoint
Configure
expiry
Set expiration
duration
Choose which
Groups policy will
apply to
Set policies
Retention
eDiscovery
Data Loss
Prevention
Use of
templates
Teams templates
SharePoint site
designs
Themes
Monitoring
Teams Admin
Center
SharePoint Admin
Center
Office 365 admin
center
Office 365
adoption content
pack
Groups report

Governance Quick Start
Who can create Groups?
Naming
Conventions?
Guest
Access?
Settings &
Policies?
Approved
Apps?
Meeting
Capabilities?
Data
Security?
https://docs.microsoft.com/en-us/MicrosoftTeams/teams-adoption-governance-quick-start

Retention and Sensitivity Labelling

Sample Labels
—
Example: Replace with your labels

All Enterprise Teams
Communities
Public Internal
Teams
(Anyone Internal
can join)
Teams
Private Internal
Teams
(Self Service)
Extranet Teams
Private Shared
Internal & External
Teams with Guests
Secure
Teams
Private locked down
Internal Teams
(Invite only)
No external guests
Pinned
Teams or
Apps

Getting started with labels:
classification, retention, and sensitivity

Sensitivity Labels
• General – Designed for Internal or
Customer Use (Default)
• Public – Data designed to be shared
• Internal Only – Not to be shared
externally includes contractors and FTE
• Employees Only – Employee only
• Specific People – Confidential
communication

Classification or Sensitivity Labels?
What's the difference between sensitivity labels and Teams
classification labels?
• Sensitivity labels are different from classification labels, also
known as Azure AD group classification. Classification labels are
text strings that can be associated with a Microsoft 365 group.
• The benefit of using sensitivity labels is that their policies are
automatically enforced end-to-end through a combination of
the Microsoft 365 Groups platform, the compliance center, and
Teams services. Sensitivity labels provide powerful infrastructure
support for securing your organization's sensitive data and
ensuring compliance with your internal policies or regulations.

Security and Label Enforcement

Teams Privacy
• Public – anyone can join
• Private - request membership

Data Retention
• General Business Data – Non Critical Business Communication. 1 year
• HR – 2 years: Consider GDPR and CCPA Guidelines
• Finance –6 years: IRS recommendation of six years. Keeping business
records takes time and space, but the benefits are worth the sacrifices.
Having peace of mind as a business owner is invaluable.)
• Legal/LCA – 7 years
• Business Records: Keep documents related to a business, including assets,
employment taxes, expense reports, invoices, accounts payable/receivable
ledgers for seven years before shredding.
• Research & Development: Permanent. Patent and R&D should also be kept
permanently.
• Keep profit and loss statements, annual reports, financial statements, meeting minutes,
corporate bylaws and business formation documents permanently.
How long should you keep business records? (microsoft.com)

• Classic Azure AD group classification
• Microsoft 365 no longer supports the old classifications for new
Microsoft 365 groups and SharePoint sites after you enable
sensitivity labels for containers. However, existing groups and
sites that support sensitivity labels still display the old
classification values until you convert them to use sensitivity
labels.

My Tasks, My Projects, My Plans, OneDrive
Teams and Groups
Departmental & Location
Based Info “Hubs”
Central HUB
Root Web
(Viva
Connections)

Information Architecture
Central HUB
(Viva)
HR Finance IT Product Facilities
Vendors
Extranet
M365 Group

Data loss protection (DLP)
Automatic detection and protection
• Detect and prevent oversharing
• Block sharing based on patterns in file
• Manage DLP policies across Office
365 workloads
• O365 Only
Protect content
Azure Information Protection (AIP)
End users label or autolabeling
• Apply protection to a file based on
its label
• Prevent external people not in
protection policy from opening a file
• Part of the document
Protecting the group
• Run jobs to change Team
settings based on Team labels
• Unified labels will bring this to
Office 365 groups
Detect Classify Protect Monitor
Information protection life cycle

Microsoft Shared Responsibility Model

Don’t Forget Your Side of the SLA
• "While Office 365 is fast becoming the center of
business productivity, a backup and recovery
strategy is an afterthought. Relying on
Microsoft's native backup capabilities and
infrastructure-level uptime features is a risky…"
• "Without an enterprise-grade backup strategy…
enterprises are exposing themselves to risks
such as ransomware, accidental loss of data, lack
of data control, compliance exposures, and
threats to business continuity.“
-Archana Venkatraman IDC
Reference: “Why a Backup Strategy for Microsoft Office 365 is
Essential for Security, Compliance, and Business”

By 2022...70% of organizations
will have suffered a business
disruption due to
unrecoverable data loss in a
SaaS application.
Source: Gartner 2019 "Assuming SaaS Applications Don't Require Backups
is Dangerous."

How many times does the Microsoft Service
Agreement say you should plan a Regular Backup?
Three!
• 4 a iv – “You should have a regular backup plan
as Microsoft won’t be able to retrieve Your
Content or Data once your account is closed.”
• 4 f – “You should have a regular backup plan.”
• 6 b – “We recommend that you regularly backup
Your Content and Data…”
“Microsoft is not liable for any disruption or loss you may
Reference: Microsoft Services Agreement

Issues to consider: When not IF
Accidental deletion Ransomware attacks Retention regulations
30-90 day retention period might
result in loss of data
Attacks target email, SharePoint
OneDrive
Default retention might not satisfy
organizational policy or regulation
• The average time to identify a data breach inside an organization is 206 days
• 21% of all folders in a typical company are open to everyone.

Group expiration policy
Benefits
Guidance
Documentation: Office 365 Group Expiration Policy | Configure Office 365 groups expiration

M365 Single File Deletion Story in Visual
User Deletes
File or Item
User
Creates
File in
Library/T
eam
SharePoint, OneDrive
Recycle bin
User Empties
Recycle bin
User Deletes File
From Recycle Bin
2nd Stage
Recycle bin
Admin Empties
2nd stage Recycle bin
Admin Purge File
Site Over Recycle Bin Quota (200%)
(oldest items auto deleted first)
Wait for 93 Days
14
Days
of
Potential
Recovery
with
MSFT
Support
Ticket
Permanently
Deleted
No
Recovery
Move-PnPListItemToRecycleBin
Microsoft 365 SharePoint Online Data Deletion -
Microsoft Service Assurance | Microsoft Docs
Restore deleted items from the site collection recycle
bin - SharePoint (microsoft.com)
0-93
30 Day Exchange Recoverable Items Delete
Admin Purges Recoverable items or Auto Purge Over Quota
Recoverable Items
Purges
Folder
(hidden)
In-Place Hold and Litigation Hold | Microsoft Docs
References:

M365 Site Collection Deletion/Recovery
Site Admin
Deletes Site
Collection
Site
Creation
SharePoint
admin center
Recovery
Remove-SPODeletedSite cmdlet
Permanently deleted site. (NO RECOVERY)
Recover up to 93 Days Admin Center
14
Days
of
Potential
Recovery
with
MSFT
Support
Ticket
Permanently
Deleted
No
Recovery
Microsoft 365 SharePoint Online Data Deletion -
Microsoft Service Assurance | Microsoft Docs
Restore deleted items from the site collection
recycle bin - SharePoint (microsoft.com)
Hard delete (permanently deletes, or purges) content from
SharePoint Online, all encryption keys for the deleted
chunks are also deleted. The blocks on the disks that
previously stored the deleted chunks are marked as unused
and available for re-use.

File or Item Recovery
SharePoint, OneDrive, Teams
User Self Service
Files Restore or Recycle bin Restore
Owner Self Service
SharePoint, OneDrive
Recycle bin
2nd Stage
Site Collection
Recycle bin
Support Ticket Recovery
14 day recovery
Site Collection Restore
Purged Item Restore
Hard Delete Restore
Restore deleted items from the site collection recycle bin - SharePoint (microsoft.com)
Permanent
Unrecoverable

Anatomy of Teams & Exchange
“Recoverable Items”
• Contains soft-deleted items whose deleted item retention period has not expired. Users can recover soft-deleted items from this
subfolder using the Recover Deleted Items tool in Outlook.
•Deletions
• Contains hard-deleted items whose deleted item retention period has expired. Users can also hard-delete items by purging items
from their Recoverable Items folder. If the mailbox is on hold, hard-deleted items are preserved. This subfolder isn't visible to end-
users.
•Purges
• Contains hard-deleted items that have been preserved by an eDiscovery hold or a retention policy. This subfolder isn't visible to
end-users.
•DiscoveryHolds
• Contains hard-deleted items from Teams and other cloud-based apps that have been preserved by a retention policy or other type
of hold. This subfolder isn't visible to end-users.
•SubstrateHolds
Clean up or delete items from the Recoverable Items folder in Exchange Online | Microsoft Docs

Provisioning and Life Cycle Best
Practices

Provisioning
Self Service
Limited to a subset of users
Gather Key Business Data
Common
Change management
Reporting & monitoring
Analytics

Group naming policy
Benefits
Guidance
Documentation: Office 365 Groups Naming Policy

Prefix or Suffix?
• Prefix is very visible, but gets in the way with name and label size
limitations
• Suffix Preferred over prefix – consider department, location
• Metadata or additional data in description preferred. Store the
location and department in additional provisioning fields. Site
property bag

Auditing and Change Management

Auditing
1.Set up Advanced Audit for users.
1. Verifying license or add-on license for Advanced Audit.
2. Turning on the Advanced Audit app/service plan must be for those users.
3. Enabling auditing of crucial events and Advanced Auditing app/service plan
2.Enable crucial events to be logged in Exchange Online and SharePoint Online.
3.Set up audit log retention policies. In additional to the default policy that retains Exchange,
SharePoint, and Azure AD audit records for one year, you can create additional audit log retention
policies to meet the requirements of your organization's security operations, IT, and compliance teams.
4.Search for crucial events and other activities when conducting forensic investigations. After
completing step 1 and step 2, you can search the audit log for crucial events during forensic
investigations of compromised accounts and other types of security or compliance

Auditing Recommendations
• Track admin and end-user activity in your tenant and save Office
365 audit logs. Detect unauthorized changes, track suspicious
sharing.
• Audit Office 365 user access – Validate permissions, added user or
group member, and broken inheritance.
• Audit external sharing – track all external sharing. Monitor guest
user activity and see how they interact with your Office 365
• Audit Microsoft Teams, Microsoft 365 Groups, Exchange Online,
and OneDrive – check each configuration and access update,
content interaction, and security changes.
• Change management for Errors and issues – Pinpoint the exact time
and place of the issue and who was responsible for it.
• Receive alerts – act proactively upon any suspicious action and
avoid serious security breaches.

Security & Compliance
Admin Tools
Teams & Skype
Admin Tools
Microsoft 365 & Azure AD
Admin Tools
Teams Governance
Teams administrators
Reporting &
analytics
Customization
apps, bots, etc.
Calling
policies
App
policies
Meeting
policies
Migration
planning
Retention
policies
Messaging
policies
Live event
policies

Security & Compliance
Admin Tools
Teams & Office 365
Admin Tools
Microsoft 365 & Azure AD
Admin Tools
Microsoft Teams Governance
Security & Governance Licensing Considerations
Reporting &
analytics
Customization
apps, bots, etc.
Calling
policies
App
policies
Meeting
policies
Migration
planning
Retention
policies
Messaging
policies
Live event
policies
E5 EMS
AAD
P2
P1
OneDrive
Retention

Admins can create a policy where only
users with the “Guest Inviter” role
can invite guests. This can be
configured using Active Directory
properties on the user object such as
Title, Job Description, etc.
Admins can create an allow/deny list of
external partner domains from which
guests can be added.
Guest Access can be enabled or
disabled at the group level.
Best practices for Guest Access
Reach

Teams Security
Considerations
• Microsoft 365 Groups (Azure AD)
• Who can provision (Group)
• Device considerations
• Location considerations
• Storage considerations
• Information Boundaries
• DLP Chat vs. DLP files

Global Admin Best Practices
• Teams First Approach
• Teams Home Site App - Viva Connections
• Enterprise search
• MFA for all admins (preferred for all users especially any elevated
accounts)
• Service accounts should have app passwords (specially assigned MFA)
• Few global admins. If possible no permanent Global admins. Check
out process. Config admin.

Teams Admin Best Practices
• Recognize defaults are not best practices
• Use visuals and encourage color
• Templates
• Archive! Enable Lifecycle Policies
• App policies – Microsoft, Third Party, Enterprise
• Don’t go crazy with policies that hurt UX. Many mobile security
policies make it difficult to use apps on your phone.
• Listen to your users and champions!

Poll: How would you like us to follow up with
you? (Multi select)
• 90 Minute Private Teams Governance and Security Workshop
with your organization.
• Deep dive 1 hour TeamsHUB Demo for your company
• Interested in the TeamsHub Partner Reseller Program

Questions?
Connect with Us!
http://teamshub.io
Tech Blog - collabshow.com
Travel Blog - travelingepic.com
Linkedin.com/in/joeloleson
Twitter, Pinterest, YouTube – joeloleson
Joel.Oleson@cyclotron.com

Microsoft Teams Governance and Security Best Practices - Joel Oleson

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Microsoft Teams Governance and Security Best Practices - Joel Oleson

Ähnlich wie Microsoft Teams Governance and Security Best Practices - Joel Oleson (20)

Mehr von Joel Oleson

Mehr von Joel Oleson (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Microsoft Teams Governance and Security Best Practices - Joel Oleson

Hinweis der Redaktion