Forum Discussion
JeffsRealm
May 31, 2023 | Copper Contributor
Disable images in Teams or force to act like files.
So apparently a new security hole has been introduced into Teams. I am not sure quite when. We use Teams in the GCCH environment; this is new functionality and it is very bad.
Images are no longer treated as files shared from OneDrive or SharePoint, as they once were. They are now embedded in Teams chats, bypassing the security set on the sharing of said image files. Not only is this new, but it also seems to have been done retroactively, pulling in images from the past.
So here is the scenario. We allowed our users to use Teams on their phones, which is OK. Files, images, etc. shared in Teams were shared from a user's OneDrive, specifically OneDrive > Screenshots or wherever they were uploaded from. Setting a conditional access policy that only allowed files on OneDrive and SharePoint from compliant devices therefore let people use Teams, join meetings from mobile, etc.; however, no files which may contain sensitive data, especially screenshots, would show in Teams on phones and mobile devices. A user contacted me the other day and said, "Hey, I see images in Teams on my phone." So I signed into Teams on my phone, and sure enough, there were images. Files such as documents or PDFs are not accessible, but images suddenly are. Not only new images, but all images in all past Teams chats are now suddenly there. So whatever they did applied retroactively. So we suddenly lost all security settings on files that are images. Hence this could potentially allow CUI data to be exposed on non-CUI devices.
I have now set up a conditional access policy to block Teams from all non-compliant devices. Users have been told to purge all data from phones, etc. This seems to be working fine, though unfortunately it is frustrating a lot of users. Unfortunately, this has also blocked the use of Teams through a browser, even on compliant devices. I had to choose to block from a browser as well; unfortunately it is blocking browser access from compliant Windows devices too. I have been looking all over for a way to revert this and treat images as files, but I have yet to find a way. I mean, I can understand why Microsoft would want to share images; I imagine it is highly used. However, I cannot understand them retroactively pulling all the old ones and not giving us a way to say no, keep images as files. Any help appreciated. I do have multiple tickets in, one to the O365 group and one to the Azure group, both high priority, but I have yet to hear anything in 8 hours.
- So I finally got an engineer call; they are swamped right now. In case anyone else needs to block Teams:
Conditional Access Policy. However, you have to block more than just Teams; you have to block all services in the chain for Teams to work:
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/service-dependencies
Then under Access controls, check to completely block everyone. The trick to getting what you want is under Conditions: filter for devices. Exclude the devices you want. You can get as detailed as you want: Hybrid joined devices, Azure AD joined devices, only Azure AD registered devices, compliant devices, device ownership set in Intune, a group, or heck, right down to a list of device names if you want. This will exclude those devices from the compliance policy.
This works better than Grant access on a few things.
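The policy described above (block everyone for Teams plus its service dependencies, then exclude trusted devices with a device filter), expressed as a Microsoft Graph PowerShell script. This is an added example, not code from the thread or from Microsoft. It assumes the Microsoft.Graph PowerShell SDK with the Policy.ReadWrite.ConditionalAccess scope, that a GCC High tenant connects to the USGov Graph environment, and that the three application IDs are the well-known first-party IDs for Teams, Exchange Online and SharePoint Online. The device-filter rule, the policy name and the break-glass exclusion are illustrative choices, not something the post prescribes.

```powershell
# Added example: create a Conditional Access policy that blocks Teams and the
# services it depends on (Exchange Online, SharePoint Online) for all users,
# except devices matching a device filter. Default is a dry run that only
# prints the policy JSON; pass -Create to actually create it.
param(
    [ValidateSet('Global', 'USGov')] [string] $Environment = 'USGov',  # ASSUMPTION: GCC High uses USGov
    [switch] $Create
)

# Well-known first-party application IDs (public, documented identifiers).
$teamsAppId      = 'cc15fd57-2c6c-4117-a88c-83b1d56b4bbe'   # Microsoft Teams
$exchangeAppId   = '00000002-0000-0ff1-ce00-000000000000'   # Office 365 Exchange Online
$sharepointAppId = '00000003-0000-0ff1-ce00-000000000000'   # Office 365 SharePoint Online

# Device filter in 'exclude' mode: devices matching the rule are EXCLUDED from the
# block, so only compliant, Azure AD joined or hybrid joined devices get through.
# Tighten or loosen this rule to taste (ownership, model, a list of displayNames, ...).
$deviceFilterRule = 'device.isCompliant -eq True -or device.trustType -eq "AzureAD" -or device.trustType -eq "ServerAD"'

$policy = @{
    displayName = 'Block Teams chain from unmanaged devices'   # ASSUMPTION: illustrative name
    # Start in report-only so the sign-in logs show who would be blocked; switch to 'enabled' after review.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientAppTypes = @('all')
        applications   = @{
            includeApplications = @($teamsAppId, $exchangeAppId, $sharepointAppId)
        }
        users          = @{
            includeUsers = @('All')
            # ASSUMPTION: add your break-glass/emergency-access accounts here before enabling,
            # e.g. excludeUsers = @('<object-id-of-break-glass-account>'); never block everyone unconditionally.
        }
        devices        = @{
            deviceFilter = @{
                mode = 'exclude'
                rule = $deviceFilterRule
            }
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$policyJson = $policy | ConvertTo-Json -Depth 10
Write-Host $policyJson

if ($Create) {
    # Connect-MgGraph -Environment selects the national cloud endpoint (USGov for GCC High).
    Connect-MgGraph -Environment $Environment -Scopes 'Policy.ReadWrite.ConditionalAccess'
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    # Read it back and show the stored device filter so the rule can be eyeballed in the console.
    $check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
    Write-Host ("Created policy {0} in state {1}; device filter: {2}" -f
        $check.Id, $check.State, $check.Conditions.Devices.DeviceFilter.Rule)
}
```

Run it once without -Create to inspect the JSON, then with -Create to push the policy in report-only mode. The report-only state is the safety net the post's "completely block everyone" approach lacks: check the sign-in logs for your own compliant Windows devices and browsers before flipping the state to enabled, since a device that is neither compliant nor joined (or a browser session that does not present device state) will be blocked by this rule.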
- RyanSteele-CoV, Iron Contributor
I don't think anything has changed here. There have always been two ways to include an image in a chat message: paste it in, or upload it as an attachment. If you paste it in, it forms part of the message itself and end users can view it whether or not they have OneDrive/SharePoint access.
Regarding the issue with blocking access to Teams in the browser, which browser are you using? If it is Google Chrome, I believe you need to deploy the Windows Accounts extension: Windows Accounts - Chrome Web Store (google.com)
Edit: I just remembered that as of Chrome version 111, you no longer need the extension as this functionality is built-in; you just need to enable the "Automatic sign-in to Microsoft cloud identity providers" policy: Chrome Enterprise policy list and management | Documentation
- JeffsRealm, Copper Contributor
Thanks, I will look into the Chrome settings. I did try it with Edge and Chrome, the only two browsers we allow.
As far as the Teams change, yes, this is something new. We are in the GCCH environment; we get updates much later. We even have a different Teams client installer. We cannot use commercial Teams or the Teams that comes installed on Windows. However, you are correct, I can copy and paste or upload images. However, when you tried to copy and paste images, and I know this from as recently as 2 weeks ago, if the images were not from your OneDrive you got an error message that the image was outside of your boundary. You needed to save the image to OneDrive before it could be put into Teams. This was standard procedure. And yes, it was extra work; however, this allowed the labeling and file security on images to be the same as for files. When you hit send in Teams with a copied and pasted image, OneDrive would inform you that you shared the file abcd.jpg with the username of the person you sent it to. So images were treated as files with the same security. I know I did this to my boss 2 weeks ago: found a meme on the internet, forgot, out of habit copied and pasted, and got the error. I had to actually save the meme to my OneDrive, then attach it in Teams. This is the functionality we had. Everything was shared like that. And when a user left the company and the OneDrive was purged, so were the images.
- RyanSteele-CoV, Iron Contributor
JeffsRealm Interesting, I didn't realize that Teams in the GCCH environment handled this differently. Thanks for the correction.
If Conditional Access is not working with Microsoft Edge, there must be something else going on, since Edge natively supports it: Microsoft Edge and Conditional Access | Microsoft Learn. (Perhaps this is another GCCH limitation.)