Regulated Teams Deployment

%3CLINGO-SUB%20id%3D%22lingo-sub-1242956%22%20slang%3D%22en-US%22%3ERegulated%20Teams%20Deployment%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1242956%22%20slang%3D%22en-US%22%3E%3CP%3EMicrosoft%20Teams%20is%20the%20fastest%20growing%20enterprise%20app%3B%20it%20helped%20millions%20to%20collaborate%20better%20%26amp%3B%20its%20trending%20right%20now%20for%20its%20ability%20to%20work%20efficiently%20from%20home.%20in%20my%20opinion%20it%20could%20cover%20all%20your%20internal%20communications.%20However%2C%20some%20companies%20have%20regulations%20that%20restrict%20them%20from%20having%20their%20documents%20in%20data%20centers%20outside%20their%20country.%20and%20even%20if%20they%20own%20Teams%20license%20they%20are%20not%20willing%20to%20try%20it.%20what%20if%20we%20could%20have%20a%20regulated%20deployment%20in%20such%20no%20document%20is%20allowed%20to%20be%20uploaded%20into%20teams.%20or%20w%2F%20maximum%20security%20options.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBelow%20list%20is%20governance%20recommendation%20which%20are%20subject%20to%20change%2Fapproval%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAssumption%201%3A%20O365%20tenant%20is%20ready%20with%20proper%20license.%3C%2FP%3E%3CP%3EAssumption%202%3A%20Identity%20sign%20in%20is%20enabled%20(weather%20ADFS%2C%20PTA%2C%20or%20password%20hash)%20or%20cloud%20user%3C%2FP%3E%3CP%3EAssumption%203%3A%20you%20want%20to%20regulate%20Teams%20and%20enable%20it%20for%20its%20audio%2Fvideo%2Fchatting%20features%20only.%3C%2FP%3E%3CP%3EUsers%20should%20be%20licensed%20for%20Teams%20only%20(%20No%20SharePoint%20online%2F%20no%20Overdrive%20for%20business)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3E1)%20Sign%20In%20(MFA)%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3ETeams%20sign%20in%2C%20could%20be%20done%20from%203%20places.%20Mobile%20App%2C%20Client%20Machines%20app%2C%20Web%20based%20(Teams.microsoft.com%20or%20office.com).%3C%2FP%3E%3CP%3EProtecting%20all%20sign%20in%20with%20multi-factor%20authentication.%20more%20info%20on%20%3CA%20href%3D%22http%3A%2F%2Faka.ms%2Fmfa%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Eaka.ms%2Fmfa%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3E2)%20Teams%20(Groups)%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EYou%20could%20limit%20the%20users%20who%20are%20able%20to%20create%20Teams%2C%20by%20limiting%20the%20users%20who%20could%20create%20Groups.%20by%20running%20below%20script%20will%20create%20a%20security%20group%20that%20only%20users%20within%20this%20security%20group%20will%20be%20able%20to%20create%20Groups%2FTeams.%3C%2FP%3E%3CP%3ENote%20this%20will%20limit%20adoption%20and%20may%20cause%20overhead%20for%20the%20IT%20admins%20to%20control%20this.%20but%20it%20is%20IT%20Governance%20best%20practice.%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Feur01.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fdocs.microsoft.com%252Fen-us%252Fmicrosoft-365%252Fadmin%252Fcreate-groups%252Fmanage-creation-of-groups%253Fview%253Do365-worldwide%26amp%3Bdata%3D02%257C01%257C%257Cb03f214fa28846159db708d7c966c766%257C25910ab6caa749ca87c0fda693bcebf7%257C1%257C0%257C637199315636671707%26amp%3Bsdata%3DshOTSnN%252Fnnh5MqbEVbrPkkneErMhqu3CCSXOmtvLOsM%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fadmin%2Fcreate-groups%2Fmanage-creation-of-groups%3Fview%3Do365-worldwide%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3E3)%20Teams%20Storage%20Architecture%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EUnderstanding%20where%20our%20files%20are%20being%20uploaded%20is%20the%20first%20control%20we%20should%20pay%20attention%20to.%3C%2FP%3E%3CP%3Ebelow%20figure%20shows%20us%20what%20services%20we%20should%20control.%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Teams-storage.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F178576i9185D537987E4071%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Teams-storage.png%22%20alt%3D%22Teams-storage.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3E4)%20OneDrive%20For%20Business%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EIf%20you%20want%20to%20disable%20sharing%20of%20files%20between%20users%2C%20you%20should%20not%20give%20them%20OneDrive%20For%20Business%20License.%20Each%20time%20they%20try%20to%20upload%20a%20document.%20They%20will%20receive%20this%20message%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Teams-ODFB.png%22%20style%3D%22width%3A%20998px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F178577i6E273DABFCCFFC99%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Teams-ODFB.png%22%20alt%3D%22Teams-ODFB.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EIf%20customer%20would%20like%20to%20give%20access%20for%20users%20to%20SharePoint%20Online%20but%20without%20giving%20them%20OneDrive%20for%20Business%2C%20or%20the%20user%20has%20the%20OneDrive%20already%20provisioned%2C%20then%20disable%20the%20MySite%20create%20and%20access%3C%2FP%3E%3COL%3E%3COL%3E%3CLI%3EDisable%20MySite%20access%20and%20creation%20(SharePoint%20Admin%20Center%20%26gt%3B%20Classic%20Features%20%26gt%3B%20User%20Profiles%20%26gt%3B%20Manage%20User%20Permissions%20%26gt%3B%20Uncheck%20the%20Create%20Personal%20Site%20permission)%3C%2FLI%3E%3CLI%3EDelete%20the%20OneDrive%20from%20SharePoint%20admin%20portal%3C%2FLI%3E%3C%2FOL%3E%3C%2FOL%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3E5)%20SharePoint%20Online%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EFor%20SharePoint%20Online%2C%20this%20is%20by%20default%20enabled%20and%20there%E2%80%99s%20a%20place%20for%20files%20for%20each%20channel%20in%20Teams.%20Creation%20of%20multiple%20channels%20is%20a%20decision%20that%20may%20be%20influenced%20by%20the%20type%20of%20files%20for%20each%20channel.%20this%20helps%20collaboration%20and%20makes%20sense%20out%20of%20channels.%20(Example%2C%20private%20channel%20for%20budgets%20with%20limited%20number%20of%20users%2C%20or%20weekly%20channels%20for%20a%20teacher%E2%80%99s%20business%20class)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHowever%2C%20in%20a%20governance%20perspective%3B%20you%20could%20set%20a%20read%20permission%20for%20users%20so%20they%20will%20not%20upload%20documents.%20Below%20are%20steps%20on%20how%20to%20do%20that.%3C%2FP%3E%3CP%3ENote%3A%20Owners%2FAdmins%20will%20have%20full%20control%20permission.%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22teams-spo1.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F178579i0850FB5C940AA20F%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22teams-spo1.png%22%20alt%3D%22teams-spo1.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22spo2.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F178581iC988DDC9CEF0BB2D%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22spo2.png%22%20alt%3D%22spo2.png%22%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22spo3.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F178582iB03746C96DE3992C%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22spo3.png%22%20alt%3D%22spo3.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22spo4.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F178583iA5E4AAF6E9BC9907%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22spo4.png%22%20alt%3D%22spo4.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EScreenshot%20below%20shows%20how%20Teams%20files%20look%20like%20from%20a%20member%20device.%20(no%20option%20to%20upload%20or%20create)%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22MicrosoftTeams-image%20(3).png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F178584i115FADC4950B90E8%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22MicrosoftTeams-image%20(3).png%22%20alt%3D%22MicrosoftTeams-image%20(3).png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20way%20your%20organization%20shouldn't%20have%20a%20way%20to%20upload%20documents%20into%20teams%2C%20and%20you%20will%20be%20able%20to%20use%20the%20app%20as%20your%20chat%2Fvideo%2Fvoice%2Fdesktop%20sharing%20which%20is%20our%20objective%20here.%3C%2FP%3E%3CP%3EExtra%3A%3C%2FP%3E%3CP%3E%3CSTRONG%3EDisable%20Other%20Cloud%20storage%20integrations%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EFrom%20Teams%20Admin%20Center%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Teams-cloudstorage1.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F178585iA63208EB209C3FF5%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Teams-cloudstorage1.png%22%20alt%3D%22Teams-cloudstorage1.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSTRONG%3EDisable%20APP%E2%80%99s%20%3C%2FSTRONG%3E%3CSTRONG%3Eintegrations%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EAlso%20From%20Teams%20Admin%20center%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22appper.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F178586i96DB28EF43C2F7B0%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22appper.png%22%20alt%3D%22appper.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSTRONG%3E%26nbsp%3B%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%3CSTRONG%3EDisable%20External%20communications%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EYou%20Could%20disable%20external%20users%20or%20guest%20users%20from%20communicating%20with%20your%20organization%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22externalacc.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F178587i03DAADE1A6B84EED%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22externalacc.png%22%20alt%3D%22externalacc.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSTRONG%3ETurn%20off%20Cloud%20Recording%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoftteams%2Fcloud-recording%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoftteams%2Fcloud-recording%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn-case%20you%20wanted%20to%20allow%20documents%20sharing%20but%20with%20different%20regulations.%20the%20best%20practices%20security%20offerings%20would%20be%20using%20AIP%2F%20Office%20ATP%20%2F%20DLP%20%2F%20Cloud%20App%20security%20to%20auto%20label%2F%20and%20the%20new%20Communication%20Compliance%20Center%20to%20verify%20all%20above%20and%20more%2C%20its%20a%20new%20offering.%3C%2FP%3E%3CP%3Emore%20info%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fcompliance%2Fcommunication-compliance%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fcompliance%2Fcommunication-compliance%3Fview%3Do365-worldwide%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1242956%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EFiles%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EHow-to%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMicrosoft%20Teams%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Eregulated%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Highlighted
Regular Visitor

Microsoft Teams is the fastest growing enterprise app; it helped millions to collaborate better & its trending right now for its ability to work efficiently from home. in my opinion it could cover all your internal communications. However, some companies have regulations that restrict them from having their documents in data centers outside their country. and even if they own Teams license they are not willing to try it. what if we could have a regulated deployment in such no document is allowed to be uploaded into teams. or w/ maximum security options.

 

Below list is governance recommendation which are subject to change/approval

 

Assumption 1: O365 tenant is ready with proper license.

Assumption 2: Identity sign in is enabled (weather ADFS, PTA, or password hash) or cloud user

Assumption 3: you want to regulate Teams and enable it for its audio/video/chatting features only.

Users should be licensed for Teams only ( No SharePoint online/ no Overdrive for business)

 

1) Sign In (MFA)

Teams sign in, could be done from 3 places. Mobile App, Client Machines app, Web based (Teams.microsoft.com or office.com).

Protecting all sign in with multi-factor authentication. more info on aka.ms/mfa

 

2) Teams (Groups)

You could limit the users who are able to create Teams, by limiting the users who could create Groups. by running below script will create a security group that only users within this security group will be able to create Groups/Teams.

Note this will limit adoption and may cause overhead for the IT admins to control this. but it is IT Governance best practice.

https://docs.microsoft.com/en-us/microsoft-365/admin/create-groups/manage-creation-of-groups?view=o3...

 

3) Teams Storage Architecture

Understanding where our files are being uploaded is the first control we should pay attention to.

below figure shows us what services we should control.

Teams-storage.png

 

4) OneDrive For Business

If you want to disable sharing of files between users, you should not give them OneDrive For Business License. Each time they try to upload a document. They will receive this message

Teams-ODFB.png

If customer would like to give access for users to SharePoint Online but without giving them OneDrive for Business, or the user has the OneDrive already provisioned, then disable the MySite create and access

    1. Disable MySite access and creation (SharePoint Admin Center > Classic Features > User Profiles > Manage User Permissions > Uncheck the Create Personal Site permission)
    2. Delete the OneDrive from SharePoint admin portal

 

5) SharePoint Online

For SharePoint Online, this is by default enabled and there’s a place for files for each channel in Teams. Creation of multiple channels is a decision that may be influenced by the type of files for each channel. this helps collaboration and makes sense out of channels. (Example, private channel for budgets with limited number of users, or weekly channels for a teacher’s business class)

 

However, in a governance perspective; you could set a read permission for users so they will not upload documents. Below are steps on how to do that.

Note: Owners/Admins will have full control permission.

teams-spo1.png

 

spo2.pngspo3.png

spo4.png

 

 

 

Screenshot below shows how Teams files look like from a member device. (no option to upload or create)

MicrosoftTeams-image (3).png

 

This way your organization shouldn't have a way to upload documents into teams, and you will be able to use the app as your chat/video/voice/desktop sharing which is our objective here.

Extra:

Disable Other Cloud storage integrations

From Teams Admin Center

Teams-cloudstorage1.png

Disable APP’s integrations

Also From Teams Admin center

appper.png

 

Disable External communications

You Could disable external users or guest users from communicating with your organization

externalacc.png

Turn off Cloud Recording

https://docs.microsoft.com/en-us/microsoftteams/cloud-recording

 

In-case you wanted to allow documents sharing but with different regulations. the best practices security offerings would be using AIP/ Office ATP / DLP / Cloud App security to auto label/ and the new Communication Compliance Center to verify all above and more, its a new offering.

more info https://docs.microsoft.com/en-us/microsoft-365/compliance/communication-compliance?view=o365-worldwi...

 

0 Replies