Forum Discussion
Monitor traffic Teams to outbound Teams site
- Dec 19, 2019
ChrisWebbTech I don't know of any way to trace access for users from a tenant to Teams in other tenants. The general rule is that compliance data is controlled by the tenant that owns the data. Audit data is kept in the tenant where it is generated. In this case, that data includes audit records for guest users signing into Teams, access documents, and so on. I'm unaware of any audit record captured for outbound access by a tenant user to a resource in another tenant.
But this is surely similar to access to other cloud applications, like someone connecting to their personal Gmail or Dropbox account. Office 365 doesn't gather that data either and no one complains. As to using Teams to transfer data out of a tenant, well, that's like people emailing confidential messages and documents to Gmail or Yahoo! mail, or cutting and pasting information from a document into a personal document. Although you could trace the transmission of email to Gmail or Yahoo! mail, you couldn't say what data is sent.
DLP isn't perfect either, nor is encryption. Users can get around technology if they want to. For example, I can spell out a credit card number in letters (six four one three, etc.) and DLP won't catch that pattern. For this reason, technical blocks exist to catch the most obvious cases of data misuse, but the technology must be backed up with employee training and sanctions (where necessary).
It's no different than your users using any other cloud tool to send data; you can't track that either. All you can do is prevent access.
As for preventing people from joining other tenants, I don't think there is a way to do that. The only things you can prevent are external chat and people inviting guests to your tenant, but unless you remove their Teams access altogether you cannot prevent them from accessing other tenants' Teams.
There may be something I'm not aware of, but to the best of my knowledge you cannot do that currently. But again, unless you block basically the entire internet from your employees, you can't keep them from doing the same thing elsewhere.
TonyRedmond is a governance guru; he might have some insights, but to my knowledge you can only really control what users do on your tenant. You can't really keep them from taking local files and sharing them with outside resources, especially somewhere you can't block because you use it (Teams services). And who's to say, even if you could keep your users from connecting to other tenants, that they don't just use another Office 365 account to join that tenant and do the same thing?
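The spelled-out credit card number described above ("six four one three, etc.") is a classic gap in digit-pattern DLP. The following Python sketch is an added example, not code from this thread or from Microsoft's DLP engine: it normalizes number words to digits before applying the length and Luhn-checksum tests that card classifiers rely on, so the evasion in the post is caught while ordinary text and non-card digit runs are not. The number-word table and the sample messages are constructed for the example.

```python
import re

# Number words a user might type to evade a digit-only DLP pattern
# (constructed table for this example; extend for other languages or "dbl" etc.).
WORD_DIGITS = {
    "zero": "0", "oh": "0", "one": "1", "two": "2", "three": "3", "four": "4",
    "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9",
}


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum, the standard
    check card-number classifiers use to suppress random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_candidates(text: str) -> list[str]:
    """Scan free text for card-like numbers written as digits, as spaced or
    hyphenated digit groups, as number words, or as any mix of the three.

    Tokenize into alphabetic words and digit groups, map number words to their
    digit, then collect runs of consecutive digit tokens. Any other word breaks
    the run, so unrelated numbers in the same message are not glued together.
    """
    tokens = re.findall(r"[a-z]+|\d+", text.lower())
    mapped = [WORD_DIGITS.get(t, t if t.isdigit() else None) for t in tokens]

    found = []
    run = ""
    for item in mapped + [None]:        # trailing None flushes the last run
        if item is not None:
            run += item
            continue
        # Payment card PANs are 13 to 19 digits; require the checksum too.
        if 13 <= len(run) <= 19 and luhn_valid(run):
            found.append(run)
        run = ""
    return found


if __name__ == "__main__":
    # Constructed sample messages; 4111 1111 1111 1111 is a well-known test PAN.
    samples = [
        "Card: four one one one one one one one one one one one one one one one",
        "the number is 4111 one one one one 1111 1111",
        "call me at five five five one two three four",
    ]
    for msg in samples:
        print(repr(msg), "->", find_card_candidates(msg))
```

Normalizing before matching is the point: a pattern that only looks at `\d` never sees the spelled-out form, whereas running the same Luhn gate on the normalized run keeps the false-positive rate in check. Phone numbers and short sequences fall outside the 13 to 19 digit window, and a 16-digit run that fails Luhn is ignored.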
- TonyRedmond, Dec 19, 2019 (MVP)
ChrisWebbTech Right. This is the value of Office 365 sensitivity labels (for Office files anyway). Now available in Office click to run apps and soon in Office Online, you can apply labels that invoke encryption that restricts access to people within the tenant. The label metadata travels with the documents no matter where they go, so if they are sent outside the tenant, external users won't be able to access the content. Sensitivity labels are also in preview to apply settings to teams, groups, and sites (containers, not content) and will also be supported better by the SharePoint browser interface, so there's a lot going on in this area. If you're serious about protecting information in such a way that you can guarantee it cannot be accessed outside your tenant, use rights-management based encryption like the type used by sensitivity labels.
- Dec 19, 2019
Yeah, that's pretty much what I thought; thanks for the look. You bring up a good point, though. Encryption would be the way here; IRM in place would probably be the route to take if you want files to be available in your tenant only. I'm not an expert in that area, but if you can cover all of your SharePoint files (Teams files) with IRM, and then enforce around that, then files could only be opened via your IRM service. But that would be the only option, if doable, to keep files on lockdown and only available to users in your tenant.