
Microsoft Teams Blog

Secure and compliant collaboration with Microsoft Teams

Microsoft_Teams_team
Silver Contributor
Mar 02, 2021

We hope you have the chance to join us virtually at Microsoft Ignite to catch all of the latest announcements. Be sure to check out our featured session, Secure and compliant collaboration with Microsoft Teams, to hear from some of our product engineering and community experts! Below is a summary of the latest Microsoft Teams announcements around security and compliance capabilities that enable safe and trustworthy online collaboration.


Microsoft Teams Multi-Geo Support
Microsoft Teams will now support Multi-Geo capabilities, similar to those already being leveraged by customers with Exchange Online, SharePoint Online, and OneDrive Multi-Geo. Microsoft 365 Multi-Geo gives organizations greater control over the location of the specific data centers where their data is stored, which is especially helpful for multinational organizations. Teams Multi-Geo enables customers to store Teams core customer data at rest for end users and teams in the geo locations of their choice to help meet data residency requirements. IT administrators will use the Preferred Data Location (PDL) AAD attribute of an end user or Microsoft 365 Group, already leveraged by existing Microsoft 365 Multi-Geo services, to specify the geo location in which the data should be stored.

 

All existing information protection and compliance capabilities will continue working as is with Microsoft 365 Multi-Geo. For customers who are already using Microsoft 365 Multi-Geo licensing and capabilities, Teams will be included and will respect PDLs that have been set by IT, automating the migration. If an end user or tenant’s multi-geo license is removed, Teams data will migrate to the tenant default geo location. For customers who have not set up and enabled Microsoft 365 Multi-Geo, there will be no impact. As a reminder, Microsoft 365 Multi-Geo is designed to support data residency requirements and is not designed for performance optimization. Teams Multi-Geo will be available in Q2 2021.


End-to-end encryption option for Microsoft Teams 1:1 Calls
Today, we shared that an end-to-end encryption option for Teams 1:1 ad hoc VoIP calls will be available in preview to commercial customers, planned for the first half of this year. Over the last year, we have gathered feedback from global customers, analysts, and the security community around particular industries and specific cases where end-to-end encryption (E2EE) for online collaboration might be important. To help support customer security and compliance obligations, Microsoft is planning to support E2EE for Teams 1:1 calls to provide an additional option for conducting sensitive online conversations.


Organizations will have the ability to enable E2EE capabilities for 1:1 ad hoc Teams VoIP calls. In order to maintain compliance and have full discretion over how E2EE is used within the company, customers will have control of who in their organization can use this capability. E2EE for 1:1 Teams ad hoc calls can only be utilized if both the caller and callee are enabled by IT and have both opted in. As we release E2EE for Teams 1:1 calls, we will continue to learn from customers how the scenarios address their needs. We will then work to bring E2EE capabilities to online meetings later. Microsoft remains committed to helping customers address security, compliance, and privacy needs with a broad portfolio of tooling.

 

Meeting safety controls:
Meeting option: invite-only lobby setting
To help prevent uninvited participants from gaining access to meetings, Microsoft Teams has introduced a new lobby setting available in Teams Meeting Options where only meeting participants who were explicitly invited to the meeting can join it directly. Once this invite-only meeting option is applied by the meeting organizer, any participants who were not invited and are attempting to join the meeting will be directed to the meeting lobby. Meeting organizers can leverage this invite-only meeting option, along with applying a do-not-forward setting to the Teams meeting, to help prevent unauthorized participants from attempting to join their meeting. The Invite-only meeting option will be generally available this month.

 

Disable attendee video during meetings
We are excited to share that soon meeting organizers will be able to disable the video of an individual or all attendees within a meeting. This meeting safety capability, similar to hard mute, will help those running a meeting or class to have more control and better manage undesired disruptions. Disable video will be rolling out later this spring.

 

Meeting option: chat moderation controls
Another recent meetings option feature to help meeting organizers maintain control is the ability to moderate the meeting chat. Organizers will have the ability to determine whether meeting chat is enabled, disabled, or only enabled during the meeting. Chat moderation can be especially useful for large lectures and classroom settings where the conversation may need to be limited to during the event only. Chat moderation controls are another meeting safety tool that organizers can leverage to keep the meeting focus where they need it.


Co-authoring enabled in encrypted documents using Office Apps
Co-authoring allows multiple authors to simultaneously edit a document using different OS platforms, as well as the Office desktop apps, Office web apps, and Teams. Today we announced a new ability for multiple users to simultaneously edit an Office document that has been encrypted using Microsoft Information Protection, including auto-save. Sensitive documents will remain protected with the same sensitivity label and protection applied.

Figure 5: Apply encryption protection settings for files and emails with sensitivity labels

 

By leveraging sensitivity labels integration with Azure Rights Management service, we can protect and encrypt a document to restrict access to that content to only authorized viewers. This helps ensure that the content can only be decrypted by users authorized by the label’s encryption settings and it remains encrypted wherever it travels – inside or outside of the organization. Once a document is protected by a sensitivity label with encryption, the document can be shared as an attachment or by sharing the document link all while remaining encrypted. Note that IT must ensure it has enabled sensitivity labels for Office files to take advantage.

 

Safe Links for Microsoft Teams
Safe Links is a feature in Microsoft Defender for Office 365 that helps provide URL scanning and time-of-click verification of URLs in links shared through email messages and other locations across Office 365. We are happy to announce that Teams will now leverage the power of Safe Links to help protect end users against potential malicious sites shared through Teams conversations, group chats, and channels. IT administrators will need to create a Safe Links policy in Microsoft Defender for Office 365, and enable Safe Links for Teams to begin taking advantage of these new capabilities. Safe Links for Teams will begin rolling out later this month.

 

Reinforcing our commitment to secure collaboration
Microsoft remains committed to helping customers protect content and meet compliance obligations by offering a broad portfolio of tooling. We are building on top of our industry standard secure platform, expanding our advanced security capabilities as highlighted by these latest announcements around helping customers meet data residency requirements, adding more meeting safety and moderation controls, and providing an additional option for conducting sensitive online conversations.


Microsoft 365 supports encryption in transit and at rest which provides multiple layers of encryption to work together to secure data. For organizations who may need more control over key arrangement requirements due to compliance obligations, Customer Key allows an organization to provide and control encryption keys – now in public preview for Teams!


Microsoft 365 compliance capabilities for Adaptive Card content
With Teams being the hub for collaboration, it brings together apps and services that we also need to help ensure are protected and handled appropriately. More than 70% of the apps today generate card content in Teams conversations, much of which is business communication that falls under the purview of regulations, as is the case with Teams chat and file content. To help organizations maintain compliance, we happily announced that Microsoft 365 compliance capabilities are available for Adaptive Card content generated through apps in Teams messages! Legal hold, eDiscovery, audit, and retention capabilities are built into the platform and will be available for all apps including first party, third party, and line-of-business apps, with no additional work required from developers to enable them.


Security monitoring integration with Azure Sentinel and Secure Score
To help IT and secops teams proactively detect intrusions and respond appropriately, Teams integrates with Azure Sentinel to deliver intelligent security analytics and intelligence across the enterprise. Azure Sentinel collects event data across users, devices, apps, and infrastructure for your tenant, applies AI to detect threats and investigate what’s going on, and can even automate your response using some simple yet powerful Playbooks. For instance, if Sentinel identifies a user account completing a large amount of suspicious activity, like deleting a lot of channels or adding a new external account to exfiltrate a bunch of data and then quickly removing that user to try to hide what happened, Sentinel can detect these items, automatically open a ticket, post an alert to your Teams security operations channel, and give your secops team the ability to take action right away or investigate further. Additionally, we’ve recently included Teams integration with Microsoft Secure Score to provide recommendations on how to strengthen your organization’s security posture. You’ll see us adding more Teams configuration best practices to Microsoft Secure Score over time.
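
The two behaviours named above (a burst of channel deletions, and an external account added and then quickly removed by the same user) can be expressed as detection logic over audit events. This is an added example, not Microsoft's or Azure Sentinel's own analytics rule; the event tuple layout, the thresholds, and the `contoso.example` tenant domain are assumptions, and the events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TENANT_DOMAIN = "contoso.example"        # assumed home tenant domain
DELETE_THRESHOLD = 3                     # assumed: deletions per actor per window
DELETE_WINDOW = timedelta(minutes=10)    # assumed burst window
ADD_REMOVE_WINDOW = timedelta(hours=1)   # assumed "quickly removed" window

# Constructed sample events: (timestamp, actor, operation, target).
EVENTS = [
    ("2021-03-02T09:00:00", "mallory@contoso.example", "MemberAdded", "drop@outside.example"),
    ("2021-03-02T09:20:00", "mallory@contoso.example", "MemberRemoved", "drop@outside.example"),
    ("2021-03-02T10:00:00", "bob@contoso.example", "ChannelDeleted", "proj-a"),
    ("2021-03-02T10:02:00", "bob@contoso.example", "ChannelDeleted", "proj-b"),
    ("2021-03-02T10:05:00", "bob@contoso.example", "ChannelDeleted", "proj-c"),
    ("2021-03-02T11:00:00", "carol@contoso.example", "MemberAdded", "dave@contoso.example"),
    ("2021-03-02T11:05:00", "carol@contoso.example", "MemberRemoved", "dave@contoso.example"),
    ("2021-03-02T12:00:00", "erin@contoso.example", "ChannelDeleted", "old-1"),
    ("2021-03-02T15:00:00", "erin@contoso.example", "ChannelDeleted", "old-2"),
]

def is_external(upn):
    """True when the account is outside the home tenant domain."""
    return not upn.lower().endswith("@" + TENANT_DOMAIN)

def detect(events):
    alerts = []
    deletions = defaultdict(list)  # actor -> deletion times still inside the window
    pending_adds = {}              # (actor, external member) -> time added
    bursting = set()               # actors already alerted for a deletion burst
    for ts, actor, op, target in sorted(events):  # ISO timestamps sort chronologically
        when = datetime.fromisoformat(ts)
        if op == "ChannelDeleted":
            recent = [t for t in deletions[actor] if when - t <= DELETE_WINDOW]
            recent.append(when)
            deletions[actor] = recent
            if len(recent) >= DELETE_THRESHOLD and actor not in bursting:
                bursting.add(actor)  # one alert per actor, not one per extra deletion
                alerts.append(("channel_deletion_burst", actor, len(recent)))
        elif op == "MemberAdded" and is_external(target):
            pending_adds[(actor, target)] = when
        elif op == "MemberRemoved" and (actor, target) in pending_adds:
            added = pending_adds.pop((actor, target))
            if when - added <= ADD_REMOVE_WINDOW:
                alerts.append(("external_add_then_remove", actor, target))
    return alerts
```

Internal add/remove pairs (carol) and slow, spread-out deletions (erin) produce no alert, which is the tuning trade-off the thresholds control.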

Updated Mar 02, 2021
Version 2.0

18 Comments

  • Petri-X and ChristianBergstrom For me, when you add a participant to one occurrence of the meeting, this occurrence should have its own chat and not be included in the series' chat...

    HaroldvandeKamp did your customer test between desktop and web users?

    JohnGruszczyk when will the documents labeled (with encryption) with MCAS be compatible with Office Online? Is it at least in the roadmap?

     

    Thanks

    Best Regards

    Stay Safe

  • Petri-X There are quite a few things you can set up today but I hear what you're saying. For ex. you should disable anonymous join in the Teams settings to prevent the above, if not configuring the lobby options, either per-meeting or by using policy. You also have the option "only invited users join directly". As already mentioned the above roadmap id is a great addition to prevent recurring access. And to be fair, it's not that exhausting to remove someone from the chat but get if users forget to do that 😉 Let's see if someone replies to your request.

    Petri-X
    Bronze Contributor

    Hi ChristianBergstrom 

    In my mind, as long as users need to remember to go elsewhere, they will most likely forget it. So it would be much more appreciated if Outlook reminded the organizer that "you are adding a temporary participant, select permissions for s/he". Outlook is aware of this, as when you are opening a recurring meeting it asks "This is one appointment in a series. What do you want to open? a) Just this one B) The entire series".


    The roadmap item, in my mind, is for cases when someone just shares the link to the meeting. Most likely it does not have an impact if the organizer itself invites a speaker.

    Also, if end users need to remove attendees from the chats by themselves, you most likely know how well that could be done. We are humans, and we just forget things. Or it could be that we are away while the issue is active. It is highly appreciated if issues like this are not on end users' shoulders.

     

    Ping: Microsoft_Teams_team 

  • Petri-X Hello Petri, A) Would it be a suitable workaround using the meeting options and disable the chat in the specific meeting when needing to add an additional participant? And pretty soon you'll benefit from this preventing access after the meeting ends https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=&searchterms=68853 B) If I'm not mistaken you need to go to the chat itself and remove the user there as well (top right corner).

    Petri-X
    Bronze Contributor

    Now when you speak about security I would like to ask:

     

    What is the current estimate for a fix to the data leaking case with Teams when

    A) an additional speaker is invited to the recurring meeting, and that person gets access to teams' chats and documents.

    B) A meeting is scheduled and before the meeting there is a pre-chat session. And if one of the persons is removed after this, that person is not removed from the chat.

  • Thanks for enabling co-authoring using Office Apps in encrypted documents! The lack of this functionality was a major issue for one of our customers during the roll-out of security labels with Microsoft Information Protection.