SOLVED

Monitor traffic Teams to outbound Teams site


Good Day,

 

We are being audited by a Data Leak Prevention team and they came up with a major leak situation regarding TEAMS.

 

The scenario is: on my personal account at home I create myself a personal tenant where I set up my TEAMS. I invite my business account to join my PERSONAL Teams by sending myself an email invite.

My Exchange server lets me receive this invitation on my business email account. From there I join my personal TEAMS, where I start transferring large chunks of DATA (CC + customer information and so on).

 

What tools are available from Microsoft that let me monitor and audit the outbound traffic? Can I use DLP policies to enforce my protection? Can I use eDiscovery to audit the traffic?

 

There must be something I'm missing on something this simple. I know I can monitor and protect what is being shared on my TEAMS. But what about monitoring the external TEAMS?

 

Thank you.

21 Replies

@StephaneSmithLowes I think you're talking about inviting Guests into a Teams channel? By default the Azure AD guest feature is disabled, unlike in the test tenants.

 

Can you elaborate more on this.

 

There are things like Windows Information Protection to safeguard document download, and Teams can also be configured to be accessible only via Intune-managed or compliant devices with conditional access, which will eliminate a lot of external actors.

How do we monitor outgoing files leaving my organisation for another TEAMS?

There isn't anything that's going to monitor what your users can do on other services as part of Office 365. You would have to have some kind of 3rd-party tool, if it exists, to do it.

You could use conditional access to prevent downloading of documents, so that they cannot then be uploaded externally, but that will add quite a bit of complexity to your setup.

Do you block your users from accessing all cloud storage and all other places anyone can upload files to? If you don't, then you are overcomplicating the scenario, since if you could block uploading to external Teams they will only go somewhere else to send those files in the end.

You can search audit logs for file views and downloads and prevent download, but there is nothing to monitor external Teams activity.

@Chris Webb 

So if I use my domain account, which is under an O365 subscription, to log on to a TEAMS outside of my organisation, I can use the audit log to see what I have shared via my O365 account. Can I apply DLP policies to content leaving my organisation?

@StephaneSmithLowes https://docs.microsoft.com/en-us/microsoft-365/compliance/supervision-policies

Will this help me achieve my goal of supervising communication done by my internal users?

No, Supervision is really just for someone to monitor someone actively doing something. When it comes to guests, you really don't have many options, because when you log in to a guest tenant, it now becomes that tenant's responsibility, since you have no visibility into the actions that happen there. The only actions you really have on your data are access (view) logs and download logs, but you can't see if someone uploads something elsewhere. The only thing you can really see is if someone is using the account to log in to another tenant; that's about it.
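The reply above is the limit of what the data-owning tenant can see: view and download records in its own audit log. As an added example (not code from the thread or from Microsoft), here is a small triage script over an exported Unified Audit Log that picks out downloads by guest accounts (Azure AD guest UPNs carry the `#EXT#` marker) and flags anyone pulling several files in a short window. The records are constructed; the field names follow the AuditData schema (CreationTime, Operation, UserId, ObjectId, Workload), and the threshold and window are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Operations that copy file content out of the tenant's own storage.
DOWNLOAD_OPS = {"FileDownloaded", "FileSyncDownloadedFull"}

# Constructed sample export (JSON lines); tenant, users and paths are made up.
SAMPLE_EXPORT = """\
{"CreationTime":"2020-05-04T09:00:10","Operation":"FileAccessed","UserId":"bob@fabrikam.com","ObjectId":"https://fabrikam.sharepoint.com/sites/Sales/Shared Documents/q1.xlsx","Workload":"SharePoint"}
{"CreationTime":"2020-05-04T09:01:00","Operation":"FileDownloaded","UserId":"alice_contoso.com#EXT#@fabrikam.onmicrosoft.com","ObjectId":"https://fabrikam.sharepoint.com/sites/Sales/Shared Documents/customers.xlsx","Workload":"SharePoint"}
{"CreationTime":"2020-05-04T09:02:30","Operation":"FileDownloaded","UserId":"alice_contoso.com#EXT#@fabrikam.onmicrosoft.com","ObjectId":"https://fabrikam.sharepoint.com/sites/Sales/Shared Documents/cards.csv","Workload":"SharePoint"}
{"CreationTime":"2020-05-04T09:04:00","Operation":"FileSyncDownloadedFull","UserId":"alice_contoso.com#EXT#@fabrikam.onmicrosoft.com","ObjectId":"https://fabrikam.sharepoint.com/sites/Sales/Shared Documents/contracts.docx","Workload":"OneDrive"}
{"CreationTime":"2020-05-04T13:00:00","Operation":"FileDownloaded","UserId":"carol_gmail.com#EXT#@fabrikam.onmicrosoft.com","ObjectId":"https://fabrikam.sharepoint.com/sites/Marketing/Shared Documents/logo.png","Workload":"SharePoint"}
"""


def is_guest(user_id: str) -> bool:
    """Guest (B2B) accounts are written as name_homedomain#EXT#@tenant."""
    return "#EXT#" in user_id.upper()


def parse_export(text: str) -> list:
    """Load JSON-lines audit records and attach a parsed timestamp."""
    records = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["_time"] = datetime.fromisoformat(rec["CreationTime"])
            records.append(rec)
    return records


def guest_downloads(records: list) -> list:
    """(user, time, object) for every download performed by a guest account."""
    return [(r["UserId"], r["CreationTime"], r["ObjectId"])
            for r in records
            if r["Operation"] in DOWNLOAD_OPS and is_guest(r["UserId"])]


def bulk_downloaders(records: list, threshold: int = 3,
                     window: timedelta = timedelta(minutes=10)) -> dict:
    """Users with at least `threshold` downloads inside any `window`-long span."""
    per_user = defaultdict(list)
    for r in records:
        if r["Operation"] in DOWNLOAD_OPS:
            per_user[r["UserId"]].append(r["_time"])
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[user] = len(times)   # total downloads by that user
                break
    return flagged
```

Run it on a real export by replacing SAMPLE_EXPORT with the contents of your own exported audit file; it reports what the thread says is visible (guest reads and downloads in your tenant) and nothing about activity in another tenant.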

@Chris Webb I am stunned that Microsoft is unable to track activities going outside my tenant. This puts Teams and our company at risk.

 

Anyone can leak data to his personal account without anyone knowing about it. This will put an end to the use of TEAMS in organisations.

Is there a way to prevent my organisation's users from accepting TEAMS chats from outside our organisation?

 

If we are unable to track communication going outside of our tenant with our business account, I think it will be the end of this product's life even if it's the best collaboration tool. If the Data Leak Prevention team is unable to track it, they will not let us use this product.

@StephaneSmithLowes 

It's no different from your users using any other cloud tool to send data; you can't track that either. All you can do is prevent access.

 

As for preventing people from joining other tenants, I don't think there is a way to do that. The only things you can prevent are external chat and people inviting guests to your tenant, but unless you remove their Teams access altogether you cannot prevent them from accessing other tenants' Teams.

 

There may be something I'm not aware of, but to the best of my knowledge you cannot do that currently. But again, unless you block basically the entire internet from your employees, you can't keep them from doing the same thing elsewhere.

 

@Tony Redmond is a governance guru; he might have some insights, but to my knowledge you can only really control what users do on your tenant. You can't really keep them from taking local files and sharing them with outside resources, especially somewhere you can't block because you use it (Teams services). And who's to say that even if you could keep your users from connecting to other tenants, they wouldn't just use another Office 365 account to join that tenant and do the same thing?

best response confirmed by StephaneSmithLowes (Copper Contributor)
Solution

@Chris Webb I don't know of any way to trace access for users from a tenant to Teams in other tenants. The general rule is that compliance data is controlled by the tenant that owns the data. Audit data is kept in the tenant where it is generated. In this case, that data includes audit records for guest users signing into Teams, accessing documents, and so on. I'm unaware of any audit record captured for outbound access by a tenant user to a resource in another tenant.

 

But this is surely similar to access to other cloud applications, like someone connecting to their personal Gmail or Dropbox account. Office 365 doesn't gather that data either and no one complains. As to using Teams to transfer data out of a tenant, well, that's like people emailing confidential messages and documents to Gmail or Yahoo! mail, or cutting and pasting information from a document into a personal document. Although you could trace the transmission of email to Gmail or Yahoo! mail, you couldn't say what data is sent.

 

DLP isn't perfect either, nor is encryption. Users can get around technology if they want to. For example, I can spell out a credit card number in letters (six four one three, etc.) and DLP won't catch that pattern. For this reason, technical blocks exist to catch the most obvious cases of data misuse, but the technology must be backed up with employee training and sanctions (where necessary).
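The spelled-out credit card number above is a real gap in pattern-only DLP. As an added example (not code from the thread), here is a detector that shows the gap and one way a custom rule can narrow it: a naive digit-run regex misses the spelled-out form, while normalising number words to digits and then Luhn-checking the run catches it and discards random digit strings. The sample strings are constructed and use a standard Luhn-valid test number.

```python
import re

# Number words an evader might use in place of digits.
WORD_DIGITS = {"zero": "0", "oh": "0", "one": "1", "two": "2", "three": "3",
               "four": "4", "five": "5", "six": "6", "seven": "7",
               "eight": "8", "nine": "9"}

# What a simple pattern-only DLP rule looks for: 13-19 digits with separators.
NAIVE_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def normalize(text: str) -> str:
    """Rewrite spelled-out digits as numerals, keeping all other text intact."""
    tokens = re.findall(r"[A-Za-z]+|\d+|[^A-Za-z\d]+", text)
    return "".join(WORD_DIGITS.get(t.lower(), t) for t in tokens)


def card_candidates(text: str) -> list:
    """Luhn-valid 13-19 digit runs found after normalisation."""
    found = []
    for m in re.finditer(r"(?:\d[\s-]?){13,19}", normalize(text)):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def naive_hit(text: str) -> bool:
    """True if the pattern-only rule would have fired on the raw text."""
    return NAIVE_RE.search(text) is not None
```

Normalisation turns ordinary prose like "one of them" into "1 of them", which is harmless because only runs of 13 or more digits are ever examined.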

Yeah, that's pretty much what I thought. Thanks for the look. You bring up a good point though. Encryption would be the way here; IRM in place would probably be the route to take if you want files to be available only in your tenant. I'm not an expert in that area, but if you can cover all of your SharePoint files (Teams files) with IRM and then enforce around that, then files could only be opened via your IRM service. But that would be the only option, if doable, to keep files on lockdown and available only to users in your tenant.

@Chris Webb Right. This is the value of Office 365 sensitivity labels (for Office files anyway). Now available in Office click to run apps and soon in Office Online, you can apply labels that invoke encryption that restricts access to people within the tenant. The label metadata travels with the documents no matter where they go, so if they are sent outside the tenant, external users won't be able to access the content. Sensitivity labels are also in preview to apply settings to teams, groups, and sites (containers, not content) and will also be supported better by the SharePoint browser interface, so there's a lot going on in this area. If you're serious about protecting information in such a way that you can guarantee it cannot be accessed outside your tenant, use rights-management based encryption like the type used by sensitivity labels.

@StephaneSmithLowes 

You can look into IRM https://docs.microsoft.com/en-us/microsoft-365/compliance/set-up-irm-in-sp-admin-center 

 

But keep in mind this will only work for Office files and PDFs etc., as listed in the article. This is the only way that you can make sure to keep file access restricted to your tenant. You can also look into sensitivity labels, as Tony mentioned, which are still in early development stages, to help label sensitive data / sites automatically with rules for encryption etc. Hopefully this will help a little bit, but when you talk about restricting your users from abusing your content, it makes your landscape much more difficult with any product you choose out there, and not many have options for it.

@Chris Webb I wouldn't bother with that article or using IRM in that way to protect content. Documents are only encrypted when they are downloaded from the library. You want full rights-management based encryption that is fully understood by all of Office 365 instead of a mechanism created for SharePoint on-premises. Sensitivity labels are the way forward. Use them. They are becoming increasingly mature and you can absolutely use them today to protect documents stored in SharePoint. It's been 18 months since I wrote this: https://www.petri.com/protecting-office-365-document-libraries-guest-users

What ^ he said :). I thought one ran off the other. I need to catch up on the new labels setup.

@Chris Webb All covered in Chapter 24 of Office 365 for IT Pros... Just saying...

@StephaneSmithLowes You can turn off external federation & guest access for your tenant. Simply turning Teams on does not help any org. Teams governance is critical for any successful Teams implementation.

 

You have to make these decisions before you enable teams for everyone.

* External sharing

* Teams creation

* private channels

* live events

* recording

* DLP and actions

* AppLocker and Windows Information Protection to prevent document access outside of your organization

 

Feel free to reach out to me if you need any help.

Turning off external federation and guest access won’t tell a tenant admin what their users do in other tenants...

This is a really interesting question! I think one key point versus "it's just like any other cloud tool" is that many organisations (try to) block those other tools altogether. In this case, by allowing the use of Teams in general, it creates this loophole. IRM would seem to be the only answer, but always bear in mind that bad actors have lots of ways: taking a photo of an SSN or credit card number on the PC screen with a phone and WhatsApping it can't be prevented by any of these tools. IRM at least protects against the wholesale download/extraction of one or more entire documents.

@Tony Redmond I was explaining to him what can be used on each tenant to secure data. As you detailed earlier, what happens on each tenant is down to what's configured on the tenant.

 

Essentially, someone invited him to access the tenant data in their TEAMS as an external user; if the tenant had guest access turned off on SharePoint, Groups and Azure AD, there wouldn't be this scenario.
