
Teams Document Security

LG40000
Occasional Contributor

I have a Client Team set up and underneath a range of folders in SharePoint\OneDrive. One folder in the group is secured to managers only using SharePoint sharing security and this works great - the folders do not appear in Teams for those who do not have access so all is well.

However, there seems to be a hole in the security. I have access to the secure folder and so can open the documents there in Teams and 'start a conversation'. I host a meeting with a group of managers and we use this feature to record our discussion. This all works.

Unfortunately though this discussion is then broadcast on the Teams channel chat to everyone, including people who do not have access to this document. If those users click on the document link they can't open the document, but they can see the document name and the comments that were added during the meeting. I want this conversation recorded in the channel but it should not be visible to anyone but those with access to the document!!

Is this a known bug with a fix date? MASSIVE hole in Teams security that needs addressing urgently - I'm able to expose a secured document to unauthorized users!!

8 Replies
Hi! This is not a bug! Teams does not currently support any levels of permissions within a team except the default read/write! It does honor the files permissions when you set them manually in SharePoint, but as you know Teams is much more than just SharePoint!
I would suggest using a group chat for the managers maybe and share the files there instead!
Microsoft is currently developing some sort of private channel feature, so keep your eyes open for this ahead!

Also, what folder did you edit the permissions for?

Adam

Thanks for the reply Adam. I'm not sure how it cannot be a bug though - I'm exposing data that is secured to unauthorized users. If that's a product feature I'm amazed!

To do this I went into SharePoint and edited the permissions on one of the folders I have stored against the channel in SharePoint\OneDrive. It works flawlessly - users can't see the folder without permission. But when I chat on the document it is published to the whole channel. Very bad. Having private channel security won't fix this unless this specific issue is addressed. It's really not acceptable in today's world that a secured document can be presented in this way through a Microsoft interface. It's not like I used a hack or some funky work-around, this is done using standard features available within the platform and is a security breach.

Solution
This is because you're having a meeting in an area that isn’t secure and posting the files into that meeting in the team umbrella.

If you want to not have files you share show up to the entire team then you need to have the meeting between the private individuals and not in the channel. Then you can reference that meeting later if you want.

Private channels will come out eventually, at least it seems that way, and you’ll be able to keep a meeting in the channel presumably and secure to the defined people that have access to it. But until then it’s private meetings or a private team altogether if you want to keep your content posts / conversations secure.

Thanks Chris, appreciate both you and Adam responding so quickly, really helped me out here!

Not the answer I was hoping for, but an answer nonetheless. :)

I am still adamant about one thing though - using the standard tools available I was able to post information about a secure document to an unsecure channel. I should not be allowed to do that. As someone who builds software, one thing I know for certain: If there's an allowed configuration in your app that can break security, users will trip over it sooner rather than later and then they'll blame you! :)

In this instance it took me a day of testing different configurations in the hope of finding the solution I wanted. I thought I had until I had that 'aha' moment. Glad I had that moment before I made the recommendation to the business to use this method of document collaboration!

No problem :)

The issue here is that when you set the security in SP it is safe in the context of SP! And as I said Teams currently don’t support “private channels”. Teams have no clue about the permissions of the folders themselves. Once a solution is released and supported this will work out in some way, with Teams knowing the relation between the many services around Teams.

Yes, I hope they fix it soon. Just to clarify though, Teams private channels won't solve this problem. The problem is Teams exposing secured documents to unauthorized users. This is a major security issue, and it's very concerning that Microsoft aren't aware of this. What if the document name that I shared, or the comments surrounding it contained sensitive financial or personal information? Saying "well, that's OK Teams doesn't know about that security in SP yet" won't save you when your client sues you $10M for breach of confidentiality. Right now the solution as it stands allows this to happen.

Yeah, I get what you mean, but secured document is the main thing here! By using Teams it's well known that all members have default read/write access!

One of the features of Teams is being able to start a conversation around files, ending up in the channel conversation! Same with meetings! They are called channel meetings - so the conversations will end up in a channel! And everyone can access the channel.

And because Teams don't look at the permissions set in SP this will happen no matter what! So it's by design!

As @Chris Webb said, create an external meeting and conversations will end up as a private group chat!

Adam

A massive and critical security flaw that is by design... :(
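
The mismatch discussed in this thread (folder permissions enforced in SharePoint, channel posts visible to every team member) can be audited by comparing the two access lists. The following is an added example, not part of the original posts and not Microsoft code; it runs on constructed data, and every user name, path and field name in it is hypothetical rather than a Teams or SharePoint schema.

```python
# Constructed sample data for illustration only (hypothetical names and layout).
TEAM_MEMBERS = {"alice", "bob", "carol", "dave"}

# Folder path -> users with access, or None when the folder inherits the team default.
FOLDER_ACLS = {
    "/Client/General": None,
    "/Client/General/Managers": {"alice", "bob"},  # unique permissions set in SharePoint
}

# Channel posts; "file" is the document a conversation was started on (None = plain chat).
CHANNEL_POSTS = [
    {"id": "m1", "author": "alice", "file": "/Client/General/Managers/Review.docx"},
    {"id": "m2", "author": "carol", "file": "/Client/General/Plan.docx"},
    {"id": "m3", "author": "dave", "file": None},
]


def file_readers(path, folder_acls, team_members):
    """Who can open the file: the deepest ancestor folder with unique permissions decides."""
    deepest = None
    for folder, acl in folder_acls.items():
        if acl is not None and path.startswith(folder.rstrip("/") + "/"):
            if deepest is None or len(folder) > len(deepest):
                deepest = folder
    return set(team_members) if deepest is None else set(folder_acls[deepest])


def overexposed_posts(posts, folder_acls, team_members):
    """A channel post is readable by every team member, so flag posts about narrower files."""
    findings = []
    for post in posts:
        if post["file"] is None:
            continue
        readers = file_readers(post["file"], folder_acls, team_members)
        outsiders = sorted(set(team_members) - readers)
        if outsiders:
            findings.append({
                "post": post["id"],
                "file_name": post["file"].rsplit("/", 1)[-1],
                "sees_post_but_not_file": outsiders,
            })
    return findings


if __name__ == "__main__":
    for finding in overexposed_posts(CHANNEL_POSTS, FOLDER_ACLS, TEAM_MEMBERS):
        print(finding)
```

Each finding names a post whose document name and comments reach members who cannot open the file itself, which is the case for moving that conversation to a group chat or private meeting as the replies suggest.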