Now that your organization has started thinking about using Microsoft Teams after reading Shelly Avery’s blog post, let’s talk about how you can secure your Teams environment. We can focus this conversation on three main areas: ensuring your users’ identities are secure when accessing Teams, protecting the Teams application, and securing the data moving in and out of Teams.
Microsoft Teams uses Azure Active Directory as its identity and access management platform, so you can take advantage of many of its security features to secure access to Teams. The first step is to plan a good Conditional Access strategy. Since Teams is accessible from anywhere, you want to ensure that you can verify your users’ identities using Azure Multi-Factor Authentication (MFA).
You can also use Hybrid Azure Active Directory Join to identify corporate-owned PCs. By defining a device identity, you will be able to develop rules around the device types that people are using: corporate, personal or mobile. Many customers take advantage of the Intune integration to evaluate device compliance as well, so you can create a rule stating that access to Teams must not only come from a corporate-managed PC, but that the PC must also meet your compliance standards. If the device isn't compliant, for example because BitLocker is disabled, the end user will not be able to access Teams until BitLocker is enabled.
We also recommend using risk-based Conditional Access, which looks at multiple data points to determine the risk of the user and the session. If that user or session is risky, for example a user accessing Teams from an anonymous IP address to hide their identity, you can prompt the user for an MFA challenge. I wrote a blog post about this topic which you can review here.
Another important aspect of Conditional Access is that you can require your end users to use a protected application. The Teams app can be protected using Intune Application Protection Policies to ensure that data cannot be moved to untrusted locations. These application protection policies can be applied to the mobile apps on iOS and Android. This allows you to combine the protection policy of Intune with the access policy of Azure Active Directory to ensure both the app and the user are protected during sign-in.
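As an added example (not from the original post), the three Conditional Access controls described above expressed as policies created with the Microsoft Graph PowerShell SDK: MFA on every Teams sign-in, a compliant or Hybrid Azure AD joined device (or a protected app on mobile), and an MFA step-up on risky sign-ins. It assumes the Microsoft.Graph.Identity.SignIns module is installed; the break-glass group ID is a placeholder, and the Teams application ID should be confirmed in your tenant.

```powershell
# Added example, not from the original post. Creates three report-only Conditional
# Access policies scoped to Microsoft Teams using the Microsoft Graph PowerShell SDK.
# Assumes: Install-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

# Microsoft's published first-party app ID for Teams; confirm it under
# Azure AD > Enterprise applications in your own tenant before use.
$teamsAppId      = 'cc15fd57-2c6c-4117-a88c-83b1d56b4bbe'
$breakGlassGroup = '<BREAK-GLASS-GROUP-OBJECT-ID>'   # placeholder: emergency-access accounts

# Shared scope: all users except the break-glass group, the Teams app, modern clients only.
$scope = @{
    users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroup) }
    applications   = @{ includeApplications = @($teamsAppId) }
    clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
}

$policies = @(
    @{  # 1. Verify the identity: MFA for every Teams sign-in.
        displayName   = 'CA-Teams-01 Require MFA'
        conditions    = $scope
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    },
    @{  # 2. Verify the device: Intune-compliant or Hybrid Azure AD joined PC, or on
        #    iOS/Android an app covered by an Intune app protection policy.
        displayName   = 'CA-Teams-02 Require managed device or protected app'
        conditions    = $scope
        grantControls = @{
            operator        = 'OR'
            builtInControls = @('compliantDevice', 'domainJoinedDevice', 'compliantApplication')
        }
    },
    @{  # 3. Risk-based: challenge for MFA when Identity Protection rates the sign-in
        #    or user as risky. Kept separate so it can be enforced on its own in tenants
        #    that do not yet require MFA everywhere.
        displayName   = 'CA-Teams-03 Risky sign-in requires MFA'
        conditions    = $scope + @{ signInRiskLevels = @('high', 'medium'); userRiskLevels = @('high') }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    }
)

foreach ($p in $policies) {
    # Report-only first: review the Conditional Access tab in the sign-in logs before
    # changing state to 'enabled', so a misconfigured policy cannot lock users out.
    $p.state = 'enabledForReportingButNotEnforced'
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p | Select-Object DisplayName, State
}
```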
A lot of customers ask, “What about Windows? I don’t want my users to copy files from Teams and place them in personal cloud storage like a personal OneDrive.” This is where Windows Information Protection (WIP) comes in. WIP can ensure that data from corporate locations like Teams cannot be moved to unsanctioned locations on users’ PCs. If a user tries to move or copy data from Teams to their personal OneDrive, they will be presented with a message preventing them from making that copy. This works on corporate-owned PCs or on a personal device that is managed via an Intune Application Protection policy that enables WIP.
Data Protection at the Document Level
Data protection begins with securing the apps, as I stated above, but you can also use Azure Information Protection (AIP) to secure documents. AIP applies labels to documents based on the sensitive information they contain, and it can also encrypt documents based on the label. This matters because not all labeled documents need to be protected: the example I always use is that the holiday cards you are sending to your partners probably don’t need to be encrypted, but the Excel file with Protected Health Information (PHI) does. The end result is that if I have a social security number or other PHI in a document that I am editing on my PC, AIP will detect the sensitive information, apply a label and encrypt the document. I can then share that document in Teams either via a chat or by uploading it to a channel. The best part is that the encryption is tied to the document: no matter where it goes, users will need to authenticate to access it. You can even apply Azure Active Directory Conditional Access rules!
Since Teams file storage uses the SharePoint platform, the same rules and tools that apply to SharePoint can apply to Teams. For example, Microsoft Cloud App Security can apply governance rules to SharePoint documents based on AIP labels. This enables scenarios like restricting the sharing of certain documents to certain organizations or users. Microsoft Cloud App Security can also apply labels to documents uploaded to SharePoint that were not labeled by the Office client. This integration between the two platforms gives your organization a powerful set of tools to control data.
Azure Information Protection is one piece of the Information Protection tools that are part of Microsoft 365. Shelly referenced Office 365 DLP in her blog post, and that is an important piece that I don’t want to gloss over. Office 365 DLP rules integrate with Azure Information Protection to provide a unique set of tools to control and protect data.
To sum this all up, moving to Teams can give your users a great platform to collaborate more efficiently. I use Teams every day and it has become a major part of how I communicate with my teammates and my customers. Securing Teams can take some time, but once you look at all of the controls that Microsoft provides, you can ensure your users have a secure environment to communicate and collaborate.
If you have any questions, use the comment section below and I will reply as soon as I can.