Delivered a session focusing on Microsoft Teams at SharePoint Saturday @ Chennai.
Link: http://www.spsevents.org/city/Chennai/Chennai2019/speakers#
This session provides an overview of Microsoft Teams, focuses primarily on the security and compliance features available with Microsoft Teams, and also shows how you can plan for governance in Teams.
Understanding Microsoft Teams Security & Compliance features and plan for Governance
1. Ravikumar Sathyamurthy @shakthiravi
Microsoft MVP | Office Apps & Services
Understanding Microsoft Teams Security & Compliance features and Plan for Governance
09/02/2019 www.anywherexchange.com
2. • Microsoft Teams Overview
• Understanding Security and Compliance for Teams
• Planning for Microsoft Teams Governance
• Learning Resources
• Demo
• Q&A
10. A complete, intelligent solution that empowers everyone to be creative and work together, securely
• Unlock creativity
• Built for teamwork
• Integrated for simplicity
• Intelligent security
Microsoft 365 = Office 365 + Windows 10 + Enterprise Mobility + Security
11. Microsoft 365: Universal Toolkit for Teamwork
• Teams – Hub for Teamwork
• Office Apps – Co-Author
• Yammer – Connect Across the Organization
• SharePoint – Intranets & Content Management
• Outlook – Email & Calendar
Office 365 Groups: single team membership across apps and services
Microsoft Graph: suite-wide intelligence connecting people and content
Security and Compliance: centralized policy management
12. Microsoft 365 Teamwork: Where to start a conversation
Inner Loop (Teams), Outer Loop (Yammer) and Email (Outlook), all connected through Office 365 Groups; Files, Sites and Content are kept in SharePoint
14. Chat for today's teams: communicate in the moment and keep everyone in the know
Customizable for each team: tailor your workspace to include content and capabilities your team needs every day.
A hub for teamwork: give your team quick access to information they need right in Office 365
Security teams trust: get the enterprise-level security and compliance features you expect from Office 365.
15. Communicate through chat, meetings & calls
Collaborate with deeply integrated Office 365 apps
Customize & extend with Office 365 apps, 3rd party apps, processes, and devices
Work with confidence: enterprise level security, compliance, and manageability
17. Service layers: Teams clients → Teams Services / Skype Infrastructure → Office 365 platform and services → Azure
Admin tooling for each layer:
• Teams and Skype for Business Admin Tools: controls for managing communications and Teams specific features
• M365 and Azure AD Admin Tools: controls for Groups, Identity, Licenses, Access
• Security & Compliance Admin Tools: controls for managing Security & Compliance across M365
20. Security and Privacy
Security by design
• Data encryption at rest and in transit
• Dedicated security professionals
• Threat models, security reviews, automated security tools
• Penetration testing with regular rotation of 3rd party penetration testers
• All keys stored in Azure Key Vault
• Admin: screening, training, access control
• Host: access control, anti-malware, patch management, AAD Modern Authentication
• Network: firewalls, edge routers
• Facility: physical controls, video surveillance, access control
• Bug Bounty Program (we pay friends, hackers and researchers to find security bugs)
Privacy by design
• Data stored in-region based on tenant affinity
• No customer content accessible in logs or telemetry
• Grant least privilege required to complete task
• Dedicated privacy professionals
• Adhere to Office 365 data classification and data handling standards
• Access to production environments is locked down
• GDPR
21. How compliant is Microsoft Teams?
http://aka.ms/STP is where you can download the audit reports
https://aka.ms/MicrosoftComplianceStandards for the Microsoft Compliance Standards download
Controls: more than 950 Office 365 controls
• Access control
• Auditing and logging
• Identification and authorization
• Awareness and training
• Continuity planning
• Incident response
• Risk assessment
• Communication protection
• Information integrity
• Deployment approvals and management
Ongoing compliance processes
• Recurring audits like SOC, FedRAMP, ISO + independent verification
Microsoft Teams Certification: Microsoft Cloud Services verified with international, regional and industry specific standards and terms
Strong privacy and security commitments
• ISO 27001
• ISO 27018
• EU Model Clauses (EUMC)
• GDPR
• HIPAA Business Associate Agreement
• SSAE 16 SOC 1 & SOC 2 Reports
• FedRAMP Moderate and High
• IRS 1075, UK Official (IL2)
• Health Information Trust Alliance (HITRUST)
Contractual commitment to meet US and EU data residency requirements
22. Capability | Description (all capabilities listed: available today)
Archive: Any content stored in any Teams related workload needs to be preserved immutably.
Compliance Content search: Any content stored in any workload can be searched through rich filtering capabilities and exported to a specific container for compliance and litigation support.
eDiscovery – Messaging/Files: Rich in-place eDiscovery capabilities including case management, preservation, search, analysis and export to help our customers simplify the eDiscovery process to quickly identify relevant data while decreasing cost and risk.
Legal hold: When any team or individual is put on In-Place Hold or litigation hold, the hold is placed on both the primary and the archive messages (no edits or deletes).
Auditing and reporting: All Team activities and business events must be captured and available for customer search and export.
Conditional Access and Intune MAM: Ensure that access to Microsoft Teams is restricted to devices that are compliant with the policies and security rules set by the IT admin or corporate organization, both for the Teams apps and the services they use under the hood. Includes Mac support for Conditional Access as well.
Moderator support: The ability for a moderator (owner of a team) to delete inappropriate data posted by any user in the team and to mute users in a team/channel.
Windows Information Protection: Windows Information Protection (WIP), previously known as enterprise data protection (EDP), helps to protect against potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps like MS Teams.
Allowed List of Apps: An admin can control the list of 3P apps (bots, connectors, tabs) that can be used by end users within a tenant.
Retention / Preservation: Help organizations reduce the liabilities associated with messaging. The customer can configure their tenant to retain data for a fixed period of time or retain it with unlimited storage for different Teams workloads.
eDiscovery – Calling/Meetings: Rich in-place eDiscovery capabilities including case management, preservation, search, analysis and export to help our customers simplify the eDiscovery process to quickly identify relevant data while decreasing cost and risk.
Data loss prevention (DLP): Identify any sensitive data stored or being transferred within or outside of the customer organization in Teams, to intercept and prevent leakage for files and chat/channel messages.
Advanced Threat Protection: Support for safe files and safe links in Microsoft Teams to protect your organization from malicious attacks with the power of Office 365 Advanced Threat Protection.
Business Information Barriers: Prevent exchanges or communication that could lead to conflicts of interest (a.k.a. ethical walls).
VDI: Virtual Desktop support for Teams to serve requirements of regulated industries and users with virtual desktops.
23. Data Residency
Our promise: if Customer provisions its tenant in Australia, Canada, the European Union, India, Japan, the United Kingdom, or the United States, Microsoft Teams will store the following Customer Data at rest only within that geo:
• Microsoft Teams chats, channel messages, images, voicemail, and contacts
• SharePoint Online site content and the files stored within that site
• Files uploaded to OneDrive for Business
Datacenter regions shown on the map (Americas / EMEA / APAC; categories: in region, in country, US Gov): Canada East, Canada Central, North Central US, East US, US Gov Arizona, US Gov Texas, Dublin, Amsterdam, UK West, UK South, West India, Central India, Japan East, Japan West, East Asia, Southeast Asia, Australia East, Australia Southeast
181 countries | 40 languages (NOTE: Hebrew and Arabic RTL languages now supported)
24. The compliance boundary is where Microsoft can manage the security and privacy of customer data. Users (browser, desktop, mobile) and the Microsoft Teams service sit inside it; the following paths cross it (key: 2-way communication, inbound data, outbound data):
• Guest user: guest added via AAD B2B (standard Teams user vs. guest)
• Anonymous join to a meeting: anonymous user joining a meeting
• Federation communication: communication between multiple tenants
• Email a channel: data posted to a channel
• Connectors: data posted to a channel
• Apps/Bots: any third-party app/bot or line of business app is hosted outside the compliance boundary
• Tabs: any third-party tab is hosted outside the compliance boundary
• Calling Plan (PSTN): enables inbound/outbound calling outside the organization
• Push Notifications (Mobile): push notifications to Apple or Google to notify the mobile client
• Other cloud storage (3rd party): optional Box, Dropbox, Google Drive, Citrix ShareFile
• Graph API: Graph APIs can be exposed to line of business apps or 3rd party apps
• Giphy: query to Giphy
• URL Preview: get a preview of a URL that is posted to a message
25. Key data entities and location where data is stored at rest
Entity | Storage
• Image: Media service on Azure (using Blob storage); ingested to Exchange to enable compliance
• Files: team files in SharePoint; chat files in OneDrive for Business
• Voicemail: individual mailbox in Exchange
• Message: chat service table storage (moving to Cosmos DB); ingested to Exchange to enable compliance
• Recording: Media service on Azure (using Blob storage) (<24 hours); encoded to Stream
• Calendar meeting: individual mailbox in Exchange
• Contacts: Exchange
• Telemetry: Microsoft Data warehouse (no customer content)
26. How Teams Enables Information Protection
Ingestion flow of Teams data to both Exchange and SharePoint for Teams Files and Messages
Ingestion flow of Teams Meetings and calling data to Exchange
27. For the full Microsoft Teams experience, every user should be enabled for Exchange Online, SharePoint Online, OneDrive for Business and Office 365 Group creation.
https://docs.microsoft.com/en-us/microsoftteams/exchange-teams-interact
Exchange Online: ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
Exchange Online Dedicated vNext: ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
Exchange Online Dedicated – Legacy: Yes (must be on allowed list) | ✕ | ✕ | Yes (must be on allowed list) | ✓ | ✕ | ✕ | ✓ | ✓ | ✕ | Yes (Exchange 2013+)* | ✕ | ✓ | ✓
Exchange on-premises: Yes (must be on allowed list) | ✕ | ✕ | Yes (must be on allowed list) | ✓ | Exchange 2016 CU3 or later | ✕ | ✓ | ✓ | ✕ | Yes (Exchange 2013+)* | ✕ | ✓ | ✓
(The capability column headings of this interaction matrix are not in the extracted slide text; the linked documentation page above has the full table.)
28. Retention Policies for Microsoft Teams
Feature | Available
• Retention policies for Teams chat and channel messages (includes the ability to target specific Teams for channel messages and users for 1xN chat): Now
• Support for retention policies for Teams files: Now
• Support for preservation and deletion policies > 30 days: Now
• Support for deletion policies under 30 days: Coming soon …
• Support for advanced retention settings: Future
29. DLP dimensions
DLP Mode
- Passive
- Intercept
Sharing of data
- Internal
- External
DLP Provider
- Microsoft
- 3rd Party
Protection
- Messaging
- Files
Top Scenarios:
- Files protected through OneDrive and SharePoint DLP
- Support for Office 365 DLP (80 sensitive types supported)
- Support for 3rd party DLP providers through: a Graph Webhook (an event API) to listen to all Teams messages via an admin-approved 3rd party app, and the Graph API to update the message with the DLP violation
30. Information barriers are designed to properly control the flow of information from one part of the organization (IB group) to another (IB group) to avoid conflicts of interest
Workloads involved:
• Teams
• OD4B, SPO
• Exchange
Proposed Scope
Scenarios:
• Group A cannot communicate with Group B
• Group C cannot communicate outside of its group
Events that require IB policy evaluation:
• Add member to a Team (or underlying group)
• New 1xN Chats
• Join team meeting/call/screen sharing
Retroactive scenarios for IB Policy changes:
• Existing chat threads
• Membership in a Team
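The two slide scenarios expressed as information barrier segments and policies, as an added example that is not part of the deck. It assumes an existing Security & Compliance Center PowerShell session (Connect-IPPSSession) held by a compliance administrator, a Department attribute carrying the constructed values 'Group A', 'Group B' and 'Group C', and the constructed user names used in the final check.

```powershell
# Added example (not from the deck). Information barrier setup for the two scenarios on the
# slide. Assumptions: Connect-IPPSSession already established; users have a Department
# attribute with the constructed values 'Group A', 'Group B', 'Group C'.

# 1. Segments. A user may belong to at most one segment, so the filters must not overlap.
New-OrganizationSegment -Name 'Group A' -UserGroupFilter "Department -eq 'Group A'"
New-OrganizationSegment -Name 'Group B' -UserGroupFilter "Department -eq 'Group B'"
New-OrganizationSegment -Name 'Group C' -UserGroupFilter "Department -eq 'Group C'"

# 2a. "Group A cannot communicate with Group B": a blocking policy is needed in BOTH
#     directions, otherwise one side can still initiate the chat or add the member.
New-InformationBarrierPolicy -Name 'A-blocks-B' -AssignedSegment 'Group A' `
    -SegmentsBlocked 'Group B' -State Inactive
New-InformationBarrierPolicy -Name 'B-blocks-A' -AssignedSegment 'Group B' `
    -SegmentsBlocked 'Group A' -State Inactive

# 2b. "Group C cannot communicate outside of its group": an allow-list containing only itself.
New-InformationBarrierPolicy -Name 'C-only-C' -AssignedSegment 'Group C' `
    -SegmentsAllowed 'Group C' -State Inactive

# 3. Activate the policies, then start application. Application runs asynchronously and
#    covers the retroactive cases from the slide (existing chat threads, team membership).
'A-blocks-B', 'B-blocks-A', 'C-only-C' |
    ForEach-Object { Set-InformationBarrierPolicy -Identity $_ -State Active }
Start-InformationBarrierPoliciesApplication
Get-InformationBarrierPoliciesApplicationStatus

# 4. Verify one pair of users (constructed UPNs): the output lists the segments applied to
#    each recipient and whether the two are allowed to communicate.
Get-InformationBarrierRecipientStatus -Identity 'alice@contoso.example' `
    -Identity2 'bob@contoso.example'
```

Re-run step 4 for a member of Group C against someone outside it to confirm the allow-list behaves as intended before announcing the change to users.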
36. Governance controls
• RBAC (Role Based Access Control)
• Teams Settings
• Messaging Policies
• Meeting Settings
• Live Event Policies
• External Access
• Guest Access
• Ability to create teams
• Naming of teams
• Classification of teams
• Retention Policies
• Expiration Policies
39. Feature Set | Controls | Where to find them | New roles
• Meeting: TeamsMeetingPolicy, TeamsMeetingConfiguration, TeamsGuestMeetingConfiguration, TeamsMeetingBroadcastPolicy, TeamsMeetingBroadcastConfiguration | MS Teams & Skype for Business Admin Center / Skype for Business PowerShell Module | TSA/TCA
• Messaging: TeamsMessagingPolicy, TeamsGuestMessagingConfiguration, ExternalAccess (Federation configuration) | MS Teams & Skype for Business Admin Center / Skype for Business PowerShell Module | TSA
• Calling: TeamsCallingPolicy, TeamsGuestCallingConfiguration | MS Teams & Skype for Business Admin Center / Skype for Business PowerShell Module | TSA/TCA (TCA no guest config)
• Teams core configuration: TeamsClientConfiguration, TeamsUpgradePolicy | Skype for Business PowerShell Module | TSA
• Team Collab: GuestAccess, ExternalSharing, Naming Policy, Expiry Policy, Classification, Who can create groups | Azure Active Directory Admin Center / Azure Active Directory Preview PowerShell Module | n/a
• Security & Compliance: Conditional Access Policies, Safe Attachments, eDiscovery, Content Search, Retention Policy | AAD Admin Center, O365 Security & Compliance Center | n/a
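A read-only audit that reads the tenant-wide Teams settings from the table above and checks them against the compliance-boundary crossings on the earlier slide (3rd party storage, email to channel, guest and anonymous identities, federation, Giphy, URL preview), as an added example that is not part of the deck or of Microsoft's tooling. It assumes a connected Skype for Business Online / Teams PowerShell session with the Teams service administrator (TSA) role; the "expected" values form a constructed restrictive baseline, not a recommendation from the deck.

```powershell
# Added example (not from the deck). Read-only audit of tenant-wide Teams settings that
# govern paths crossing the compliance boundary. Assumes an existing admin session for the
# Skype for Business Online / Teams PowerShell module. Expected values are a constructed
# restrictive baseline; replace them with your own governance decisions.

function New-BoundaryFinding {
    param([string]$Area, [string]$Setting, $Actual, $Expected)
    $status = if ("$Actual" -eq "$Expected") { 'OK' } else { 'REVIEW' }
    [pscustomobject]@{
        Area = $Area; Setting = $Setting; Actual = $Actual; Expected = $Expected; Status = $status
    }
}

function Invoke-TeamsBoundaryAudit {
    $client = Get-CsTeamsClientConfiguration          # TeamsClientConfiguration (slide 39)
    $msgPol = Get-CsTeamsMessagingPolicy -Identity Global
    $mtgPol = Get-CsTeamsMeetingPolicy -Identity Global
    $mtgCfg = Get-CsTeamsMeetingConfiguration
    $fed    = Get-CsTenantFederationConfiguration      # ExternalAccess / federation

    @(
        # 3rd party cloud storage tabs are hosted outside the compliance boundary
        New-BoundaryFinding 'Storage'    'AllowDropBox'          $client.AllowDropBox          $false
        New-BoundaryFinding 'Storage'    'AllowBox'              $client.AllowBox              $false
        New-BoundaryFinding 'Storage'    'AllowGoogleDrive'      $client.AllowGoogleDrive      $false
        New-BoundaryFinding 'Storage'    'AllowShareFile'        $client.AllowShareFile        $false
        # Inbound data into a channel from outside the boundary
        New-BoundaryFinding 'Inbound'    'AllowEmailIntoChannel' $client.AllowEmailIntoChannel $false
        # Guest and anonymous identities entering the boundary
        New-BoundaryFinding 'Identity'   'AllowGuestUser'        $client.AllowGuestUser        $false
        New-BoundaryFinding 'Identity'   'DisableAnonymousJoin'  $mtgCfg.DisableAnonymousJoin  $true
        New-BoundaryFinding 'Identity'   'AllowAnonymousUsersToStartMeeting' `
            $mtgPol.AllowAnonymousUsersToStartMeeting $false
        # Federation with other tenants and with consumer Skype users
        New-BoundaryFinding 'Federation' 'AllowFederatedUsers'   $fed.AllowFederatedUsers      $false
        New-BoundaryFinding 'Federation' 'AllowPublicUsers'      $fed.AllowPublicUsers         $false
        # Outbound lookups triggered by message content
        New-BoundaryFinding 'Outbound'   'AllowGiphy'            $msgPol.AllowGiphy            $false
        New-BoundaryFinding 'Outbound'   'AllowUrlPreviews'      $msgPol.AllowUrlPreviews      $false
    )
}

# Anything marked REVIEW is a path across the boundary that is currently open.
Invoke-TeamsBoundaryAudit | Sort-Object Status, Area | Format-Table -AutoSize
```

Export the result with Export-Csv to keep a dated record; the same settings can also be changed with the matching Set-Cs* cmdlets once the governance decision is agreed.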
40. Feature Set | Tools | Where to find
• Meeting/Calling: call analytics; conference bridge/telephone number management/voice routing configurations*; call quality dashboard (linked); manage users (audio conferencing, policy assignment) | Microsoft Teams & Skype for Business Admin Center / Skype for Business PowerShell Module
• Team Collab: manage teams (preview) | Microsoft Teams & Skype for Business Admin Center and Microsoft Teams PowerShell Module
• Security & Compliance: content search; audit log | Office 365 Security and Compliance Center
44. Learning resources
Microsoft Ignite Sessions
• BRK2159: What's new in Microsoft Teams
• BRK3118: Microsoft Teams Architecture Update
• BRK3135: Learn more about security and compliance for Teams
• BRK3140: Microsoft Teams in the Government Cloud
• BRK3170: Driving Teams Adoption: Enabling the modern workplace with O365 & Microsoft Teams
• BRK4012: How to manage Microsoft Teams effectively
Learning / Training
• Admin training for Microsoft Teams
• Coffee in the Cloud Series: Foundations - Core Components of Microsoft Teams; Governance, management and lifecycle in Microsoft Teams
• Microsoft Service Adoption Specialist Course and Certification
Microsoft Tech Community
• http://aka.ms/teamscommunity
• https://aka.ms/Teamsblog
Official Documentation
• Microsoft Teams technical documentation
• Plan for governance in Teams
• Governance quick start for Microsoft Teams
• Overview of security and compliance in Microsoft Teams
Roadmap
• Microsoft 365 Roadmap
• Skype for Business to Microsoft Teams Capabilities Roadmap
Recently Microsoft introduced Microsoft 365 to help foster a new culture of work. It's a complete, intelligent solution that empowers everyone to be creative and work together, securely. It brings together the best of Microsoft with Office 365, Windows 10 and Enterprise Mobility + Security. We think this is an offering that can truly help you transform a customer's business.
Microsoft 365 delivers on 4 key promises:
• Unlocks creativity by enabling people to work naturally with ink, voice and touch, all backed by tools that utilize AI and machine learning.
• Provides the broadest and deepest set of apps and services with a universal toolkit for teamwork, giving people flexibility and choice in how they connect, share and communicate.
• Simplifies IT by unifying management across users, devices, apps and services.
• Helps safeguard customer data, company data and intellectual property with built-in, intelligent security.
Objective: Reinforce our teamwork position - Microsoft 365 meets the diverse needs of teams with an integrated solution that is secure
We’ve designed Microsoft 365 to meet the unique needs of every group.
For each of those categories of teamwork, Microsoft 365 includes a purpose-built application.
Teams as the hub for teamwork where groups that actively engage and are working on core projects can connect and collaborate
Yammer for people to connect across their company, sharing ideas on common topics of interest
Outlook where teams can communicate in a familiar place, and can easily create modern distribution lists with groups in Outlook
SharePoint for keeping content at the center of teamwork, making files, sites and all types of content easily shareable and accessible across teams
Office Apps – enabling co-authoring in familiar apps like Word, Excel, and PowerPoint
With these tools coming together in Microsoft 365 – teams get a holistic solution.
What’s unique about teamwork in Microsoft 365 is that all of these applications are built on an intelligent fabric - suite-wide membership service with O365 Groups; suite-wide discovery and intelligence with Microsoft Graph, and suite-wide security and compliance.
Office 365 Groups - A membership service providing a single identity for teams across Office applications and services
Microsoft Graph - Suite-wide intelligence that maps the connection of people and content to surface insights
Security and Compliance - Proactive security that simplifies IT management with intelligence built-in
Talk Track:
When deciding how best to leverage our toolkit for your team needs, think about the type of work that needs to get done and the type of conversations your team needs to have.
The inner loop includes people you work with regularly, actively communicating and working on projects to deliver against important goals and deliverables. For this type of interaction Microsoft Teams is the best tool, allowing you to actively engage with your team in a shared work space where you can work on files, chat, and even host meetings.
Your outer loop includes people across your company who provide valuable information, that you openly connect with on common topics of interest. Yammer is the best tool for your outer loop, letting you openly connect across the company to solicit ideas, and share best practices on broader initiatives.
Outlook remains a tried and true tool for conversations, and is useful for teams that want to quickly share and communicate in a familiar place.
Of course content and creativity is at the center of every team – the very reason teams come together to connect, whether it is collaboration on a new product strategy, a sales presentation or a key company initiative. SharePoint is the tool that keeps content at the center of teamwork, making files, sites and content easily shareable and accessible across teams and organizations. SharePoint is tightly integrated with Teams, Yammer and Outlook in order to enable seamless content collaboration across conversation experiences.
And it’s all connected through a suite-wide membership service with O365 Groups
With these tools, and more, in our universal toolkit, the breadth, depth and integration across our portfolio is something that competitors just cannot match!
Speaker notes:
The workshop leader should stop the presentation at this point.
Request a volunteer to share their screen and be the driver for the rest of the audience in the room.
Lead a conversation that walks attendees through the checklist on the following slides. The audience should not see the checklist. They should just participate by actually using Teams.
After the checklist is completed and the audience has had their first experience with Teams, you can return to the workshop to complete a deeper dive.
Note: If the organization is brand new to Office 365 and has not enabled any other Office 365 workloads, some pre-work may be needed. The presenter will know this from the completed pre-engagement questionnaire, and this workshop should have been modified to account for any prerequisites.
Run through the environmental checklist ahead of time, to be sure you understand your environment limitations before you do a live walkthrough.
*****
Alternative workshop order:
If workshop attendees are familiar with Teams, it may be beneficial to hide slides 9-12.
This will allow you as the workshop lead to skip the introduction and engage the attendees in a live working session with the product.
The decision on where to execute this portion of the workshop should be made prior to the workshop starting, if possible.
Slide objective: Introduce Teams as part of the Office 365 collaboration portfolio
Talking points:
Teams fits in the Office 365 collaboration portfolio by giving teams easy access to the information they need in a dedicated hub for teamwork. Here, people find their team chat, content, people and tools living together in Office 365.
There are four key attributes of Teams that help close-knit teams to perform at their best:
The modern-day chat keeps everyone in the know with chat history, whether across the team or in a private chat
It’s a dedicated hub for teamwork, where people have easy access to everyday apps such as Word, Excel, PowerPoint, websites, and OneNote – the apps teams rely on daily for getting work done
Teams is customizable for the way different teams work, including publicly available APIs and bot frameworks
Lastly, Teams is designed to provide a great collaboration experience while upholding our commitments to safeguard customer and user data, to protect their right to make decisions about that data, and to be transparent about what happens to that data
Reference: Microsoft Ignite session - Learn more about Security and Compliance for Microsoft Teams (BRK-3135)
Reference: Microsoft Ignite session - How to manage Microsoft Teams effectively (BRK-4012)
Reference: Governance, management and lifecycle in Microsoft Teams session from the Coffee in the Cloud Series
Link: https://www.youtube.com/watch?v=cOCWDYc_HLs