Today, Microsoft Teams is more than just a tool for productivity and collaboration in the modern workforce. Rapidly, it’s becoming a comprehensive solution for the future of hybrid work, bringing teams together around the world. However, before you can rely on Teams as your ultimate “work hub”, you’ll first need to ensure it’s secure enough to meet your business standards.
Microsoft Teams is built on the enterprise-grade cloud environments of Microsoft and Office 365. It also promises comprehensive control and management of all data shared within channels and conversations to the owner of the Microsoft Teams instance. Messages are not scanned or retained by Microsoft, and data-saving policies can be established by individual users.
But how deep does the security of Teams really go?
The Security Standards of Microsoft Teams
First and foremost, Microsoft Teams enforces organisation and team-wide two-factor authentication methods and single sign-on via Active Directory. You can also rest assured your data will always be encrypted both at rest and in transit within Teams.
Files shared within a Teams instance are stored in SharePoint, and backed by SharePoint encryption, while Notes in OneNote are backed by OneNote encryption. Wiki tab content is also backed by SharePoint security. To enhance internal security policies, Microsoft users can leverage a range of defensive features within Teams.
Microsoft Defender, for instance, is available for Microsoft Teams to determine if the content shared within channels is malicious in nature at a glance. If the content is deemed malicious, you can set policies for how it’s managed and removed from the ecosystem.
Defender also enables access to “safe links” within Teams, to help define which links users can reliably click on when shared by other users. The “Safe Attachments” feature works in a similar way, scanning attachments for malicious attachments. You can turn this feature on in your Teams admin portal, and define policies for dealing with dangerous attachments.
As a bonus, “Secure Store” within Microsoft 365’s security centre allows users to access a centralized dashboard for monitoring the security of apps, devices, and identities. Recommendations are available from Secure Score for Microsoft Teams administrators.
Conditional Access Policies and Compliance
Microsoft Teams aligns with other tools in the Microsoft ecosystem for core productivity scenarios, like calendars, meetings, and file sharing. Conditional access policies can be set for these cloud applications which also apply to Microsoft Teams. Teams is supported separately as a cloud app in Azure Active Directory, but without SharePoint, Exchange, and Skype policies in place, it may be possible for users to access resources they shouldn’t have permission to.
Microsoft Teams has a range of “compliance” features to assist with access management and employee usage too. The “compliance centre” is brimming with tools for communication compliance (such as flagging inappropriate messages), eDiscovery, and audit log searches.
Communication compliance offered by Microsoft’s Purview Communication centre allows companies to add users to policies which examine conversations for sensitive information and data related to regulatory standards, as well as offensive language.
Purview Information barriers can also be implemented by Teams administrators to prevent certain people from communicating with eachother, or implement policies relating to eDiscovery and lookups. The “Barrier” feature rolled out in January 2021.
For additional compliance purposes, companies can add “sensitivity labels” in Teams to regulate access to sensitive content created during a Teams collaboration session.
Policy Management within Teams
To provide companies with the most control possible over their data shared within Teams, Microsoft offers a range of policy solutions. Data Loss Prevention solutions are available to safely preserve critical information. Companies can also access:
- Purview customer keys: Customer keys encrypt various kinds of customer information within Teams at the application level. This also encrypts the files stored within SharePoint online. You can set policies for the information to encrypt in each conversation.
- Retention policies: Users can set which data needs to be retained for regulatory, business, and legal standards. You can also set data to be retained for a specific period of time.
- eDiscovery: The eDiscovery features within Teams allow you to search through call summaries, files, and messages, to find potential privacy and security issues. You can also control who in your team has access to content search and discovery features.
- Legal hold: Throughout a litigation process, you may need all data associated with a certain Team or user to be preserved. You can place your Teams data on “in-place hold”, or “litigation hold”, depending on the case. When holds are in place, even if users delete or edit messages in a group chat, immutable copies will still be available.
- Auditing: The Audit log search within Teams connects with Microsoft’s Purview compliance portal and allows users to set alerts and report on audit events. This allows the export of various specific or generic event sets for administrator use and investigation.
Data Management within Teams
As mentioned above, Microsoft is committed to keeping the data of users and teams secure and compliant according to their needs. Any data produced within Teams will reside in the geographic location associated with your Microsoft 365 organisation.
Administrators can set track which regions hold the data for their tenant within the “Organization Profile” section of the Microsoft 365 Admin centre by scrolling down to “Data location”.
Notably, Microsoft Teams also follows the privacy and security guidelines implemented by major policy creators and groups worldwide. Teams is compliant with:
- SOC 1 and SOC 2
- ISO 27001, ISO 27018
- HIPAA
- SSAE18
- EU Model Clauses
Further information is available about Microsoft’s Data Protection Resources on the Microsoft website. Teams is also compliant with the guidelines of the Cloud Security Alliance.
Any partners working with Microsoft Teams and approved to deliver UCaaS and compliance recording functionalities must also be tested according to Teams’ standards. However, you’ll need to check the encryption and compliance policies provided by these vendors for additional insights.
