Teams Private Channels Reengineered: Compliance & Data Security Actions Needed by Sept 20, 2025
You may have missed this critical update, as it was published only on the Microsoft Teams blog and flagged as a Teams change in the Message Center under MC1134737. However, it represents a complete reengineering of how private channel data is stored and managed, with direct implications for Microsoft Purview compliance policies, including eDiscovery, Legal Hold, Data Loss Prevention (DLP), and Retention. 🔗 Read the official blog post here New enhancements in Private Channels in Microsoft Teams unlock their full potential | Microsoft Community Hub What’s Changing? A Shift from User to Group Mailboxes Historically, private channel data was stored in individual user mailboxes, requiring compliance and security policies to be scoped at the user level. Starting September 20, 2025, Microsoft is reengineering this model: Private channels will now use dedicated group mailboxes tied to the team’s Microsoft 365 group. Compliance and security policies must be applied to the team’s Microsoft 365 group, not just individual users. Existing user-level policies will not govern new private channel data post-migration. This change aligns private channels with how shared channels are managed, streamlining policy enforcement but requiring manual updates to ensure coverage. Why This Matters for Data Security and Compliance Admins If your organization uses Microsoft Purview for: eDiscovery Legal Hold Data Loss Prevention (DLP) Retention Policies You must review and update your Purview eDiscovery and legal holds, DLP, and retention policies. Without action, new private channel data may fall outside existing policy coverage, especially if your current policies are not already scoped to the team’s group. This could lead to significant data security, governance and legal risks. Action Required by September 20, 2025 Before migration begins: Review all Purview policies related to private channels. Apply policies to the team’s Microsoft 365 group to ensure continuity. Update eDiscovery searches to include both user and group mailboxes. Modify DLP scopes to include the team’s group. Align retention policies with the team’s group settings. Migration will begin in late September and continue through December 2025. A PowerShell command will be released to help track migration progress per tenant. Migration Timeline Migration begins September 20, 2025, and continues through December 2025. Migration timing may vary by tenant. A PowerShell command will be released to help track migration status. I recommend keeping track of any additional announcements in the message center.
DLP for SaaS Apps - Endpoint DLP/MDE + Purview Browser Extension
I need help verifying my understanding of how Purview tools control file upload/download and clipboard copy/paste actions. Here's the situation: Goal: Block file upload/download, copy/paste of sensitive data to/from SaaS apps. Deployment: Rolling out MDE (in Passive mode) or Endpoint DLP (Onboarding device to Purview) and the Purview browser extension for Chrome/Firefox. My Understanding: Copy Control: Handled by Endpoint DLP/MDE on the endpoint. Upload/Download/Paste Control: Requires the Purview browser extension (or native browser support Edge/Safari). Specific Question: The browser extension isn't available for macOS. I've read that MDE on macOS can handle everything (file upload/download and clipboard control). Could someone confirm if the table I've created correctly reflects this? Summary of Clipboard (Copy/Paste) Enforcement Operation Windows (Onboarded) macOS (Onboarded) Note Copy to Clipboard Endpoint Endpoint DLP Sensor Endpoint DLP Sensor Prevents data from reaching the clipboard Paste into SaaS Apps (Chrome/Firefox) Browser Extension Endpoint DLP Sensor Blocks paste into SaaS apps. Paste into SaaS Apps (MS Edge/Safari) Native on Edge Native on Edge/Safari Built-in integration; no extension needed.
Two sensitivity labels on PDF file
Hi everyone, First time poster here. We encountered an interesting issue yesterday where we had a user come to us with a PDF that had two sensitivity labels attached. In Purview activity explorer, we can see the file hit the DLP policy and the two labels, but when trying to replicate the issue cannot do it, or see how this has been done. Has anyone else encountered a similar issue? We were able to remove labels in our PDF editor but in Office suite once a label is applied, I could not see a way to remove it. We tried applying a label to a Doc file, converting to PDF and then seeing if it was there where it was being asked for another label but it was not, it just let us change the original. Many thanks in advance!
Microsoft 365 Copilot not showing up as location in DLP
Hi, I am working on implementing security measures for Microsoft Copilot in a client environment. I want to create a DLP policy to not process data with certain sensitivity labels but when I go into DLP to create the policy, the location for Microsoft 365 Copilot is not an option. I also noticed that the "Fabric and Power BI workspaces: location is also not available. I have checked other similar client M365 tenants, and both of these locations are available by default. Any insight would be appreciated.
Adaptive Scopes
I'm setting up adaptive scopes in MS Purview for data retention testing, focusing on Entra groups. However, when I create a test adaptive scope using the 365 groups scope and add a query with the group's display name, it doesn't populate. Some scopes are over 7 days old, despite MS stating it can take up to 3 days for queries to sync. Does anyone have a better method for creating adaptive scopes for Entra groups?
