Microsoft Ignite Live Blog: Learn about enterprise security & compliance with Microsoft Teams

Published Sep 27 2017 09:32 PM 3,265 Views

When any organization is considering a move to the cloud - application, platform, telephony infrastructure - there are a great many considerations. Enterprise security and compliance is a topic that has the potential to stop a potential cloud move in its tracks. With all the recent announcements regarding Microsoft Teams at Ignite, many are wondering where exactly security and compliance fit into this incredible tool built around teamwork, especially with all the PSTN capabilities that are in Teams' near future.


In the Microsoft Ignite session BRK4000: Learning about enterprise security and compliance with Microsoft Teams, Mark Longton (Principal Program Manager, Microsoft) and Ansuman Acharya (Program Manager 2, Microsoft) spelled out the many ways that this area has been accounted for in Microsoft Teams.




Right out the gate, Mark walked us through a comprehensive list ways that Security is baked into the infrastructure and operational processes that Microsoft Teams is built upon. The very top item in the Security list is "Data Encryption at rest and in transit", to answer the age-old question, "Is my data encrypted?"


Two more items that I want to call out (you can read the rest in the image) are "Penetration testing with regular rotation of 3rd-party penetration testers" and the "Bug Bounty Program". These points are important, as they demonstrate that Microsoft takes security so serious, that they rely on sources outside the company (on a rotating basis, even) to validate the integrity of the Microsoft Teams environment.




Switching gears from Security, Privacy is the other half of this topic. In the list above, we see a number of bullet points that show us the various ways that Teams has been designed with Privacy in mind. Note that the last item in the Privacy list calls out that Microsoft is working toward supporting the General Data Protection Regulation prior to its May 2018 deadline.


Compliance Controls & Certification


Microsoft Teams has currently achieved Tier C Certification, as per the image below, with Tier D certification in their sites for the near future.




What does this mean? Well first off, there are over 950 Office 365 controls in place, and recurring audits take place, like SOC, FEDRAMP, and ISO+. This is very important, and brings the element of independent verification to compliance in Teams. Beyond that, Teams is currently verified by a wide range of regional and International standards, including ISO 27001, ISO 27018, EU Model Clauses, HIPAA Business Associate Agreement. SSAE 16 SOC 1 and SOC 2 Reports. This list will grow within the first half of CY 2018.


Roadmap - What is available today?


So, what security & compliance features are currently available today for Microsoft Teams? Well, there is actually a pretty large list:


  • Archive
  • Compliance Content Search
  • eDiscovery
  • Legal Hold
  • Auditing and Reporting
  • Exchange Online Protection
  • Conditional Access and Intune MAM
  • Moderator Support
  • Allowed List of Apps
  • Windows Information Protection


Roadmap - What is coming?


And what about the future? The above list is great, but what if we need more? The below list is on the roadmap as of today:

  • Tenant-specific Retention Policy
  • eDiscovery - Calling/Meetings
  • Data Loss Prevention (DLP)
  • Advanced Threat Protection

The below graphic has a very good description of each of these items, and even shows which ones are currently available, and what is yet to come:








After Mark Longton's overview of the current feature set and roadmap security and compliance features, Ansuman Acharya took the stage to deliver a few key demonstrations. The first demonstration included an overview of a Content Search for IM content. In the below image, we see a chat conversation that took place, and a cat (giphy, not static image) was included in the chat:




Within the Content Search tool, this conversation can be searched for. However, searching for the keywords in the body of the chat yield much richer results than just the text. ALL parts of the conversation are capture and yielded in the search results:




During the demo, Ansuman also showed a bit on the Audit Log Search functionality. While there are no pictures to show of that portion, he did make an important note to call out: Audit Log Search is not turned on by default, so this is something to ensure that your Admins enable BEFORE you need to search.


Control over 3rd Party Applications via policy was also showcased. This feature was announced a few weeks back, so it was not news as of Ignite. However, it is an important component in demonstrating the control that admins have over the various aspects of the Teams environments that they manage.


I found the demo of some of the Security features for the Teams mobile client to be quite interesting. Based on mobile policies, we saw how sensitive information in a Teams chat could be prevented from being copied out of the app. The experience was that the user is faced with a message that pretty much states that the content cannot be copied out due to these policies, protecting the integrity of the data:




 One other security feature for the mobile client that I particularly intrigued with was the ability to obfuscate the data in the Teams app when it was being viewed as one of the open apps on the phone. For instance, when you click your mobile client's button to see all your mobile apps, the Teams app whil show in the list, but the preview of the screen is blurred out. This prevents any unintentional sharing of data with those around you:




Finally, Retention Policies were demo'd. Now, the first couple steps of setting up a Retention Policy were pretty standard. However, when it came to the "Set your locations" step, you have the option to choose Teams. Once Teams is chosen, you can choose whether you are retaining Chat messages, Channel messages, or both:




 Once you click Next, you are given a choice to choose to enable Preservation Lock or not. Ansuman described this setting as "Locking the policy, and throwing away the key". As a matter of fact, the wording in the below slide actually says this, too! In other words, by enabling Preservation Lock, you are ensuring that the policy cannot be modified or disabled at all, prior to the expiration that is built into the policy:






This was an excellent session, really helping to demistify some of those burning questions about what sorts of Security & Compliance mechanisms are really available in Teams (or which ones will be available very soon). It provided us with a solid current state of these features, and gave us a healthy glimpse into the future roadmap. I strongly recommend going back and watching the playback of BRK4000, if you were not able to catch the session live:


If you are looking to keep up with the latest releases on these features, or any other news as it is announced with Teams or Skype for Business, I invite you to follow me on Twitter (@GetCsJosh), and Subscribe to my YouTube channel ( I hope this content was useful, and serves to guide your organization as you begin your journey into Microsoft Teams!


1 Comment
Version history
Last update:
‎Oct 01 2017 07:45 PM
Updated by: