Understanding Microsoft Teams Security & Compliance features and plan for Governance

Microsoft MVP at Microsoft MVP | Publisher of anywherexchange.com
11 Feb 2019

  1. Ravikumar Sathyamurthy @shakthiravi Microsoft MVP | Office Apps & Services Understanding Microsoft Teams Security & Compliance features and Plan for Governance 09/02/2019 www.anywherexchange.com
  2. • Microsoft Teams Overview • Understanding Security and Compliance for Teams • Planning for Microsoft Teams Governance • Learning Resources • Demo • Q&A
  3. DIGITAL TRANSFORMATION
  4. The Modern Workplace The Classic Workplace
  5. work-life blur more mobile tech savvy multiple devices digital generation fast paced
  6. A complete, intelligent solution that empowers everyone to be creative and work together, securely Unlock creativity Built for teamwork Integrated for simplicity Intelligent security Microsoft 365 Office 365 + Windows 10 + Enterprise Mobility + Security
  7. Microsoft 365: Universal Toolkit for Teamwork • Hub for Teamwork: Teams • Co-Author: Office Apps • Connect Across the Organization: Yammer • Intranets & Content Management: SharePoint • Email & Calendar: Outlook • Office 365 Groups: Single team membership across apps and services • Microsoft Graph: Suite-wide intelligence connecting people and content • Security and Compliance: Centralized policy management
  8. Office 365 Groups Microsoft 365 Teamwork: Where to start a conversation Outer Loop Inner Loop Files Sites Content SharePoint Email
  9. Chat for today’s teams Communicate in the moment and keep everyone in the know Customizable for each team Tailor your workspace to include content and capabilities your team needs every day. A hub for teamwork Give your team quick access to information they need right in Office 365 Security teams trust Get the enterprise-level security and compliance features you expect from Office 365.
  10. Communicate through chat, meetings & calls • Collaborate with deeply integrated Office 365 apps • Customize & extend with Office 365 apps, 3rd party apps, processes, and devices • Work with confidence: enterprise level security, compliance, and manageability
  11. Teams clients Teams Services Skype Infrastructure Office 365 platform and services Azure Teams and Skype for Business Admin Tools Controls for managing communications and Teams specific features M365 and Azure AD Admin Tools Controls for Groups, Identity, Licenses, Access Security & Compliance Admin Tools Controls for managing Security & Compliance across M365
  12. https://admin.teams.microsoft.com/
  13. Privacy Security Security by design • Data Encryption at rest and in transit • Dedicated security professionals • Threat models, Security Reviews, Automated Security Tools • Penetration testing with regular rotation of 3rd party penetration testers • All keys stored in Azure Key Vault • Admin: Screening, training, access control • Host: Access control, anti-malware, patch management, AAD Modern Authentication • Network: Firewalls, edge routers • Facility: Physical controls, video surveillance, access control • Bug Bounty Program (We pay friends, hackers and researchers to find security bugs) Privacy by design • Data stored in-region based on tenant affinity • No customer content accessible in logs or telemetry • Grant least privilege required to complete task • Dedicated Privacy professionals • Adhere to Office 365 data classification and data handling standards • Access to Production environments is locked down • GDPR
  14. How compliant is Microsoft Teams? http://aka.ms/STP is where you can download the audit reports https://aka.ms/MicrosoftComplianceStandards for Microsoft Compliance Standards Download More than 950 Office 365 controls • Access control • Auditing and logging • Identification and authorization • Awareness and training • Continuity planning • Incident response • Risk assessment • Communication protection • Information integrity • Deployment Approvals and management Ongoing compliance processes • Recurring audits like SOC, FEDRAMP, ISO+ independent verification Microsoft Teams Certification Microsoft Cloud Services Verified with International, Regional and Industry specific standards and terms Strong Privacy and Security Commitments • ISO 27001 • ISO 27018 • EU Model Clauses (EUMC) • GDPR • HIPAA Business Associate Agreement • SSAE 16 SOC 1 & SOC 2 Reports • FedRAMP Moderate and High • IRS 1075, UK Official (IL2) • Health Information Trust Alliance (HITRUST) Contractual commitment to meet US and EU data residency requirements Controls
  15. Capability: Description
     • Archive: Any content stored in any Teams related workload needs to be preserved immutably.
     • Compliance Content search: Any content stored in any workload can be searched through rich filtering capabilities and be exported to a specific container for compliance and litigation support.
     • eDiscovery – Messaging/Files: Rich in-place eDiscovery capabilities including case management, preservation, search, analysis and export to help our customers simplify the eDiscovery process to quickly identify relevant data while decreasing cost and risk.
     • Legal hold: When any team or individual is put on In-Place Hold or litigation hold, the hold is placed on both the primary and the archive messages (No edits or deletes).
     • Auditing and reporting: All Team activities and business events must be captured and available for customer search and export.
     • Conditional Access and Intune MAM: Ensure that access to Microsoft Teams is restricted to devices that are compliant with IT Admin or Corporate Organization set policies and security rules both for the Teams Apps and the services it uses under the hood. Includes MAC Support for Conditional Access as well.
     • Moderator support: The ability to have a moderator (owner of team) of a Team delete data from any user in the team that is inappropriate and mute users in a team/channel.
     • Windows Information Protection: Windows Information Protection (WIP), previously known as enterprise data protection (EDP), helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps like MS Teams.
     • Allowed List of Apps: An Admin can control the list of 3P apps (bots, connectors, tabs) that can be used by end users within a tenant.
     • Retention / Preservation: Help organizations reduce the liabilities associated with messaging. The Customer can configure their tenant to retain data for a fixed period of time or retain it with unlimited storage for different Teams workloads.
     • eDiscovery – Calling/Meetings: Rich in-place eDiscovery capabilities including case management, preservation, search, analysis and export to help our customers simplify the eDiscovery process to quickly identify relevant data while decreasing cost and risk.
     • Data loss prevention (DLP): Identify any sensitive data stored or being transferred within or outside of Customer Organization in Teams to intercept and prevent leakage for Files and Chat/Channel Messages.
     • Advanced Threat Protection: Support for safe files and safe links in Microsoft Teams to protect your organization from malicious attacks with the power of Office 365 Advanced Threat Protection.
     • Business Information Barriers: Prevent exchanges or communication that could lead to conflicts of interest. (a.k.a. Ethical walls)
     • VDI: Virtual Desktop support for Teams to serve requirements of regulated industries and users with virtual desktops.
     Available Today
  16. Data Residency Our Promise If Customer provisions its tenant in Australia, Canada, the European Union, India, Japan, the United Kingdom, or the United States, Microsoft Teams will store the following Customer Data at rest only within that geo: • Microsoft Teams chats, channel messages, images, voicemail, and contacts • SharePoint Online site content and the files stored within that site • Files uploaded to OneDrive for Business Canada east North Central US Dublin East Asia Southeast Asia Amsterdam UK West AMERICAS EMEA APAC 181 countries | 40 languages (NOTE: Hebrew and Arabic RTL languages now supported) East US US Gov Arizona US Gov Texas Canada central UK South West India Central India Japan East Japan West Australia East Australia Southeast In region In country US Gov
  17. The compliance boundary is where Microsoft can manage the security and privacy of customer data User Browser, Desktop, Mobile compliance boundary Microsoft Teams Guest user Anonymous join to a meeting Federation communication Email a channel Connectors Apps/Bots Tabs Calling Plan (PSTN) Push Notifications (Mobile) Other Cloud storage (3rd party) Graph API Giphy 2-way communication Inbound data Outbound data Data posted to a channel Data posted to a channel Query to Giphy Push notifications to Apple or Google to notify mobile client Optional Box, Dropbox, Google drive, Citrix Fileshare Any third-party tab is hosted outside the compliance boundary Any third-party App/bot or line of business app is hosted outside the compliance boundary Graph APIs can be exposed to line of business apps or 3rd party apps Enables inbound/outbound calling outside the organization Standard Teams user Guest added via AAD B2B Anonymous user joining a meeting Communication between multiple tenants Key URL Preview Get a preview of a URL that is posted to a message
  18. Image Files Voicemail Message Recording Calendar meeting Contacts Media service on Azure (using Blob storage) Team files → SharePoint Chat files → OneDrive for Business Individual mailbox in Exchange Chat service table storage (moving to Cosmos DB) Media service on Azure (using Blob storage) (<24 hours) Individual mailbox in Exchange Exchange Ingested to Exchange to enable compliance Ingested to Exchange to enable compliance Encoded to Stream Telemetry Microsoft Data warehouse (No customer content) Entity Storage Storage Key data entities and location where data is stored at rest
  19. How Teams Enables Information Protection Ingestion flow of Teams data to both Exchange and SharePoint for Teams Files and Messages Ingestion flow of Teams Meetings and calling data to Exchange
  20. For the full Microsoft Teams experience, every user should be enabled for Exchange Online, SharePoint Online, OneDrive for Business and Office 365 Group creation. https://docs.microsoft.com/en-us/microsoftteams/exchange-teams-interact Exchange Online ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ Exchange Online Dedicated vNext ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ Exchange Online Dedicated – Legacy Yes (must be on allowed list) ✕ ✕ Yes (must be on allowed list) ✓ ✕ ✕ ✓ ✓ ✕ Yes (Exchange 2013+)* ✕ ✓ ✓ Exchange on-premises Yes (must be on allowed list) ✕ ✕ Yes (must be on allowed list) ✓ Exchange 2016 CU3 or later ✕ ✓ ✓ ✕ Yes (Exchange 2013+)* ✕ ✓ ✓
  21. Retention Policies for Microsoft Teams (Features: Available) • Retention Policies for Teams Chat and Channel Messages (Note: includes ability to target specific Teams for channel messages and Users for 1xN chat): Now • Support for retention policies for Teams Files: Now • Support for Preservation and Deletion policies > 30 days: Now • Support for Deletion Policies under 30 days: Coming soon … • Support for Advanced Retention settings: Future
  22. DLP Mode - Passive - Intercept Sharing of data - Internal - External DLP Provider - Microsoft - 3rd Party Protection - Messaging - Files Top Scenarios: • Files Protected through OneDrive and SharePoint DLP • Support for Office 365 DLP (80 sensitive types supported) • Support for 3rd Party DLP providers through: • Graph Webhook (an event API) to listen to all Teams messages via admin approved 3rd Party app • Graph API to update message with DLP Violation
  23. Information barriers are designed to properly control the flow of information from one part of the organization (IB group) to another (IB group) to avoid conflicts of interest Workloads involved: • Teams • OD4B, SPO • Exchange Proposed Scope Scenarios • Group A cannot communicate with Group B • Group C cannot communicate outside of its group Events that require IB policy evaluation • Add member to a Team (or underlying group) • New 1xN Chats • Join team meeting/call/screen sharing Retroactive scenarios for IB Policy changes • Existing chat threads • Membership in a Team
  24. • RBAC (Role Based Access Control) • Teams Settings • Messaging Policies • Meeting Settings • Live Event Policies • External Access • Guest Access • Ability to create teams • Naming of teams • Classification of teams • Retention Policies • Expiration Policies
  25. Feature Set | Controls | Where to find them | New roles
     • Meeting | TeamsMeetingPolicy, TeamsMeetingConfiguration, TeamsGuestMeetingConfiguration, TeamsMeetingBroadcastPolicy, TeamsMeetingBroadcastConfiguration | MS Teams & Skype for Business Admin Center/Skype for Business PowerShell Module | TSA/TCA
     • Messaging | TeamsMessagingPolicy, TeamsGuestMessagingConfiguration, ExternalAccess (Federation configuration) | MS Teams & Skype for Business Admin Center/Skype for Business PowerShell Module | TSA
     • Calling | TeamsCallingPolicy, TeamsGuestCallingConfiguration | MS Teams & Skype for Business Admin Center/Skype for Business PowerShell Module | TSA/TCA (TCA no guest config)
     • Teams core configuration | TeamsClientConfiguration, TeamsUpgradePolicy | Skype for Business PowerShell Module | TSA
     • Team Collab | GuestAccess, ExternalSharing, Naming Policy, Expiry Policy, Classification, Who can create groups | Azure Active Directory Admin Center/Azure Active Directory Preview PowerShell Module | n/a
     • Security & Compliance | Conditional Access Policies, Safe Attachments, eDiscovery, Content Search, Retention Policy | AAD Admin Center, O365 Security & Compliance Center | n/a
  26. Feature Set | Tools | Where to find
     • Meeting/Calling | Call analytics; Conference bridge/telephone number management/voice routing configurations*; Call quality dashboard (linked); Manage users – audio conferencing, policy assignment | Microsoft Teams & Skype for Business Admin Center/Skype for Business PowerShell Module
     • Team Collab | Manage teams (preview) | Microsoft Teams & Skype for Business Admin Center and Microsoft Teams PowerShell Module
     • Security & Compliance | Content search, Audit log | Office 365 Security and Compliance Center
  27. BRK2159: What's new in Microsoft Teams, BRK3118: Microsoft Teams Architecture Update BRK3135: Learn more about security and compliance for Teams BRK3140: Microsoft Teams in the Government Cloud BRK3170: Driving Teams Adoption: Enabling the modern workplace with O365 & Microsoft Teams BRK4012: How to manage Microsoft Teams effectively Admin training for Microsoft Teams Coffee in the Cloud Series • Foundations - Core Components of Microsoft Teams • Governance, management and lifecycle in Microsoft Teams Microsoft Service Adoption Specialist Course and Certification http://aka.ms/teamscommunity https://aka.ms/Teamsblog Microsoft Ignite Sessions Learning / Training Official Documentation Microsoft Tech Community Microsoft Teams technical documentation Plan for governance in Teams Governance quick start for Microsoft Teams Overview of security and compliance in Microsoft Teams Roadmap Microsoft 365 Roadmap Skype for Business to Microsoft Teams Capabilities Roadmap
  28. Q&A

Editor's notes

  1. 9
  2. Recently Microsoft introduced Microsoft 365 to help foster a new culture of work. It’s a complete, intelligent solution that empowers everyone to be creative and work together, securely. It brings together the best of Microsoft with Office 365, Windows 10 and Enterprise Mobility + Security. We think this is an offering that can truly help you transform customer’s business. Microsoft 365 delivers on 4 key promises: • Unlocks creativity by enabling people to work naturally with ink, voice and touch, all backed by tools that utilize AI and machine learning. • Provides the broadest and deepest set of apps and services with a universal toolkit for teamwork, giving people flexibility and choice in how they connect, share and communicate. • Simplifies IT by unifying management across users, devices, apps and services. • Helps safeguard customer data, company data and intellectual property with built-in, intelligent security.
  3. Objective: Reinforce our teamwork position - Microsoft 365 meets the diverse needs of teams with an integrated solution that is secure. We’ve designed Microsoft 365 to meet the unique needs of every group. For each of those categories of teamwork, Microsoft 365 includes a purpose-built application: • Teams as the hub for teamwork where groups that actively engage and are working on core projects can connect and collaborate • Yammer for people to connect across their company, sharing ideas on common topics of interest • Outlook where teams can communicate in a familiar place, and can easily create modern distribution lists with groups in Outlook • SharePoint for keeping content at the center of teamwork, making files, sites and all types of content easily shareable and accessible across teams • Office Apps – enabling co-authoring in familiar apps like Word, Excel, and PowerPoint. With these tools coming together in Microsoft 365 – teams get a holistic solution. What’s unique about teamwork in Microsoft 365 is that all of these applications are built on an intelligent fabric - suite-wide membership service with O365 Groups; suite-wide discovery and intelligence with Microsoft Graph, and suite-wide security and compliance. • Office 365 Groups - A membership service providing a single identity for teams across Office applications and services • Microsoft Graph - Suite-wide intelligence that maps the connection of people and content to surface insights • Security and Compliance - Proactive security that simplifies IT management with intelligence built-in
  4. Talk Track: When deciding how best to leverage our toolkit for your team needs, think about the type of work that needs to get done and the type of conversations your team needs to have. The inner loop includes people you work with regularly, actively communicating and working on projects to deliver against important goals and deliverables. For this type of interaction Microsoft Teams is the best tool, allowing you to actively engage with your team in a shared work space where you can work on files, chat, and even host meetings. Your outer loop includes people across your company who provide valuable information, that you openly connect with on common topics of interest. Yammer is the best tool for your outer loop, letting you openly connect across the company to solicit ideas, and share best practices on broader initiatives. Outlook remains a tried and true tool for conversations, and is useful for teams that want to quickly share and communicate in a familiar place. Of course content and creativity is at the center of every team – the very reason teams come together to connect, whether it is collaboration on a new product strategy, a sales presentation or a key company initiative. SharePoint is the tool that keeps content at the center of teamwork, making files, sites and content easily shareable and accessible across teams and organizations. SharePoint is tightly integrated with Teams, Yammer and Outlook in order to enable seamless content collaboration across conversation experiences. And it’s all connected through a suite-wide membership service with O365 Groups. With these tools, and more, in our universal toolkit, the breadth, depth and integration across our portfolio is something that competitors just cannot match!
  5. Speaker notes: The workshop leader should stop the presentation at this point. Request a volunteer to share their screen and be the driver for the rest of the audience in the room. Lead a conversation that walks attendees through the checklist on the following slides. The audience should not see the checklist. They should just participate by actually using Teams. After the checklist is completed and the audience has had their first experience with Teams, you can return to the workshop to complete a deeper dive. Note: If the organization is brand new to Office 365 and has not enabled any other Office 365 workloads, some pre-work may be needed. The presenter will know this from the completed pre-engagement questionnaire, and this workshop should have been modified to account for any prerequisites. Run through the environmental checklist ahead of time, to be sure you understand your environment limitations before you do a live walkthrough. ***** Alternative workshop order: If workshop attendees are familiar with Teams, it may be beneficial to hide slides 9-12. This will allow you as the workshop lead to skip the introduction and engage the attendees in a live working session with the product. The decision on where to execute this portion of the workshop should be made prior to the workshop starting, if possible.
  6. Slide objective: Introduce Teams as part of the Office 365 collaboration portfolio. Talking points: Teams fits in the Office 365 collaboration portfolio by giving teams easy access to the information they need in a dedicated hub for teamwork. Here, people find their team chat, content, people and tools living together in Office 365. There are four key attributes of Teams that help close-knit teams to perform at their best: • The modern-day chat keeps everyone in the know with chat history, whether across the team or in a private chat • It’s a dedicated hub for teamwork, where people have easy access to everyday apps such as Word, Excel, PowerPoint, websites, and OneNote – the apps teams rely on daily for getting work done • Teams is customizable for the way different teams work, including publicly available APIs and bot frameworks • Lastly, Teams is designed to provide a great collaboration experience while upholding our commitments to safeguard customer and user data, to protect their right to make decisions about that data, and to be transparent about what happens to that data
  7. 23
  8. Reference: Microsoft Ignite session - Learn more about Security and Compliance for Microsoft Teams (BRK-3135)
  9. 29
  10. Reference: Microsoft Ignite session - How to manage Microsoft Teams effectively (BRK-4012)
  11. Reference: Microsoft Ignite session - How to manage Microsoft Teams effectively (BRK-4012)
  12. Reference: Microsoft Ignite session - How to manage Microsoft Teams effectively (BRK-4012)
  13. Reference: Governance, management and lifecycle in Microsoft Teams session from Coffee in the Cloud Series Link: https://www.youtube.com/watch?v=cOCWDYc_HLs
  14. Reference: Governance, management and lifecycle in Microsoft Teams session from Coffee in the Cloud Series Link: https://www.youtube.com/watch?v=cOCWDYc_HLs
  15. Reference: https://techcommunity.microsoft.com/t5/Microsoft-Teams/Microsoft-Teams-Resource-cheat-sheet/td-p/270796