Forum Discussion
Monitor traffic Teams to outbound Teams site
Good Day,
We are being audited by a Data Leak Prevention team and they came up with a major leak situation regarding TEAMS.
The scenario is... On my personal account at home I create myself a personal tenant where I set up my TEAMS. I invite my business account to join my PERSONAL Teams by sending me an email invite.
My Exchange server lets me receive this invitation on my business email account. From there I join my personal TEAMS, where I start transferring large chunks of DATA (CC + customer information and so on).
What tools are available from Microsoft that let me monitor and audit the outbound traffic? Can I use DLP policies to enforce my protection? Can I use eDiscovery to audit the traffic?
There must be something that I miss on something this simple. I know I can monitor and protect what is being shared on my TEAMS. But what about monitoring the external TEAMS?
Thank you.
ChrisWebbTech I don't know of any way to trace access for users from a tenant to Teams in other tenants. The general rule is that compliance data is controlled by the tenant that owns the data. Audit data is kept in the tenant where it is generated. In this case, that data includes audit records for guest users signing into Teams, accessing documents, and so on. I'm unaware of any audit record captured for outbound access by a tenant user to a resource in another tenant.
But this is surely similar to access to other cloud applications, like someone connecting to their personal Gmail or Dropbox account. Office 365 doesn't gather that data either and no one complains. As to using Teams to transfer data out of a tenant, well, that's like people emailing confidential messages and documents to Gmail or Yahoo! mail, or cutting and pasting information from a document into a personal document. Although you could trace the transmission of email to Gmail or Yahoo! mail, you couldn't say what data is sent.
DLP isn't perfect either, nor is encryption. Users can get around technology if they want to. For example, I can spell out a credit card number in letters (six four one three, etc.) and DLP won't catch that pattern. For this reason, technical blocks exist to catch the most obvious cases of data misuse, but the technology must be backed up with employee training and sanctions (where necessary).
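As an added illustration of the spelled-out-number point above (example code written for this page, not code from the thread or from Microsoft's DLP engine), here is a numeral-only card-number rule beside one that first maps digit words back to numerals before applying the same Luhn check; the sample messages are constructed.

```python
import re

# Digit words that a rule built for numerals never sees as digits.
WORD_DIGITS = {
    "zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
    "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9",
}

# Constructed sample messages (not from the original thread). The second one
# is the "six four one three" trick from the post, padded to a Luhn-valid number.
SAMPLES = [
    "Card on file: 6413-0000-0000-0008, exp 12/27",
    "Card on file: six four one three " + "zero " * 11 + "eight, exp 12/27",
    "Order 20240131 shipped, 16 items",
]

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, the usual second test DLP rules apply to cut false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def naive_card_numbers(text: str) -> list[str]:
    """What a numeral-only rule sees: 13-19 digits with optional space/dash separators."""
    hits = []
    for m in re.finditer(r"(?:\d[ -]?){12,18}\d", text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits

def normalized_card_numbers(text: str) -> list[str]:
    """Same rule after translating runs of digit words (and numerals) into one digit string."""
    hits, buf = [], []
    def flush():
        digits = "".join(buf)
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
        buf.clear()
    for tok in re.findall(r"\w+", text):
        low = tok.lower()
        if low in WORD_DIGITS:
            buf.append(WORD_DIGITS[low])
        elif tok.isdigit():
            buf.append(tok)
        else:
            flush()  # any other word ends the candidate run
    flush()
    return hits
```

Running both detectors over `SAMPLES` shows the naive rule catching only the numeric form, while the normalized rule catches both and still ignores the order/tracking message.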
21 Replies
You can look into IRM https://docs.microsoft.com/en-us/microsoft-365/compliance/set-up-irm-in-sp-admin-center
But keep in mind this will only work for Office files and PDFs etc. as listed in the article. This is the only way that you can make sure to keep file access restricted to your tenant. You can also look into sensitivity labels as Tony mentioned, which are still in early development stages, to help label sensitive data / sites automatically with rules for encryption etc. Hopefully this will help a little bit, but when you talk about restricting your users from abusing your content, it makes your landscape much more difficult with any product you choose out there, and not many have options for it.
ChrisWebbTech I wouldn't bother with that article or using IRM in that way to protect content. Documents are only encrypted when they are downloaded from the library. You want full rights-management-based encryption that is fully understood by all of Office 365 instead of a mechanism created for SharePoint on-premises. Sensitivity labels are the way forward. Use them. They are becoming increasingly mature and you can absolutely use them today to protect documents stored in SharePoint. It's been 18 months since I wrote this: https://www.petri.com/protecting-office-365-document-libraries-guest-users
- What ^ he said :). I thought one ran off the other. I need to catch up on the new labels setup.
- There isn't anything that's going to monitor what your users can do to other services as part of Office 365. You would have to have some kind of 3rd party tool, if it exists, to do it.
You could use conditional access to prevent downloading of documents so they cannot then be uploaded externally, but that will add quite a bit of complexity to your setup.
Do you block your users from accessing all cloud storage and all other places anyone can upload files to? If you don't, then you are over-complicating the scenario, since if you could block uploading to external Teams they will only go somewhere else to send those files in the end.
You can search audit logs for file views and downloads and prevent download, but nothing to monitor external Teams activity.
- StephaneSmithLowes, Copper Contributor
So if I use my domain account, which is under an O365 subscription, to log on to a TEAMS outside of my organisation, I can use the Audit log to see what I have shared via my O365 account. Can I apply DLP policies to content leaving my organisation?
- StephaneSmithLowes, Copper Contributor
StephaneSmithLowes https://docs.microsoft.com/en-us/microsoft-365/compliance/supervision-policies
Will this help me achieve my goals into supervising communication done from my internal users ?
- Safeer khan, Copper Contributor
StephaneSmithLowes I think you're talking about inviting Guests into a Teams channel? By default the Azure AD guest feature is disabled, unlike the test tenants.
Can you elaborate more on this?
There are things like Windows Information Protection to safeguard document download, and also Teams can be configured to be accessible only via Intune-managed or compliant devices with conditional access, which will eliminate a lot of external actors.
- StephaneSmithLowes, Copper Contributor
How do we monitor outgoing files outside my organisation to another TEAMS?