To the rescue: Information Protection
Information Protection, as part of Microsoft Purview, has been around for a long time now. If you want to learn more about Purview, you can find an introduction here:
In our case we are using Microsoft Information Protection to offer classification services to Teams groups, so that the group's label, not each owner's judgement, decides who can get in.
Sensitivity Labels
If you read my other article, you will know about document classification. But have you heard about group classification? You can apply sensitivity labels to Microsoft 365 groups using Microsoft Purview.
This will allow you to control and manage the following Teams settings:
- Privacy - Whether a Teams room is public, private, or left to the creator's choice
- External Access - Choose whether guests can be invited or not
- External Sharing - Allow external sharing at all, or only to specific types of users
- Discoverability - Choose whether this Teams room can be discovered when someone searches for it specifically in Teams
- Shared Channels - Allow only specific other Teams rooms into a shared channel; this does not affect inviting specific people
- Labels for channel meetings - Automatically apply a specified label to all channel meetings in that Teams room
- Conditional Access - Use conditions, like MFA or compliant devices, to allow or block sign-in to a classified Teams room, and control the access experience, such as whether files can be downloaded
Recommended use
I would recommend creating at least one label for the types of Teams rooms where guests should not be allowed to be invited. If you have a Teams room concept, this would be a good fit for organizational Teams. You can obviously create more than one label for different use cases; I would consider one label the minimum.
For this label I recommend the following settings:
- Privacy - Set to private
- External Access - Leave unchecked, so that it's not allowed to invite guests
Optionally you can set these settings:
- External sharing to people in your organization, to further control sharing in this group. This will override your tenant-level setting for the groups that you apply the label to. This can also be useful if you want a more open tenant-level sharing policy while still being able to control sharing on specific sites, without having to configure it in the SharePoint admin center.
- Or any of the other settings that you desire
The user experience
With the recommended settings users will experience two things:
- A tag is shown when you browse to any channel in the Teams room
- Searching for guests while trying to add them will not show any results (even if the guest is already added to the tenant)
Here is what the search will look like:
In comparison, a search in a different Teams room (same tenant), where the sensitivity label allows inviting guests.
Interesting to know, if you use document classification
Now, if you use document classification, you will already know about label priority. This even extends to the case where you use both document and group labels. Let's say someone creates a document inside a Teams room and labels it with a priority 4 label. If the Teams room (group) has a label with priority 3 or lower, the last editor of this document will be notified. This is useful because you might have a very sensitive document in a Teams room which could be public or have guests.
These types of alerts are shown inside the Audit Log as "Detected document sensitivity mismatch". The only way to block uploading a document with a higher label is to use Microsoft Defender for Cloud Apps. If you don't want these notifications, you can put all document labels at lower priorities than all the group labels.
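As an added example (not from the original post), here is how the recommended label from the "Recommended use" section could be created and verified with the Security & Compliance cmdlets, followed by a query that pulls the sensitivity mismatch events just described out of the unified audit log. It assumes the Exchange Online Management module; the label name, display name and the audit operation name DocumentSensitivityMismatchDetected are assumptions to check against your tenant and the current Microsoft documentation.

```powershell
# Added example, not part of the original post.
# Assumes the ExchangeOnlineManagement module. New-Label/Get-Label need a
# Security & Compliance session; Search-UnifiedAuditLog needs Exchange Online.
Connect-IPPSSession
Connect-ExchangeOnline

$labelName = "Internal-Team"   # placeholder, choose your own

# 1. Group-scoped label with the recommended settings from the post:
#    private group, guests cannot be invited, and (optional) external
#    sharing restricted to people in the organization.
New-Label -Name $labelName -DisplayName "Internal Team" `
    -Tooltip "Organizational Teams: private, no guests" `
    -ContentType "Site, UnifiedGroup" `
    -SiteAndGroupProtectionEnabled $true `
    -SiteAndGroupProtectionPrivacy Private `
    -SiteAndGroupProtectionAllowAccessToGuestUsers $false `
    -SiteExternalSharingControlType Disabled

# 2. Verify the label and note its Priority: document labels that sit
#    above it will trigger the mismatch notification described above.
Get-Label -Identity $labelName |
    Format-List DisplayName, Priority, ContentType, Settings

# 3. Pull the "Detected document sensitivity mismatch" events of the last
#    7 days. The operation name is assumed; adjust if your tenant differs.
$events = Search-UnifiedAuditLog `
    -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations DocumentSensitivityMismatchDetected -ResultSize 500

# Flatten the AuditData JSON into a short review table: who uploaded
# which file into which site, so the owner of that room can be contacted.
$events | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time     = $d.CreationTime
        User     = $d.UserId
        File     = $d.SourceFileName
        Site     = $d.SiteUrl
        Workload = $d.Workload
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

Because the post notes that only Defender for Cloud Apps can actually block such uploads, this query is a review aid: it surfaces which rooms are receiving documents labelled above the room's own label.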
Caveats
When using these labels you might want to know about this caveat:
Owners have a lot of power within Microsoft 365. That is why they can freely change the sensitivity label of the Teams that they own. Technically there should be a pop-up when applying a lower-priority label, but well… technically.
Alternatively you can look into provisioning solutions that do not rely on owners specifically, like Teams Center. This tool handles ownership in its own way, and therefore nobody is an owner in the sense that Microsoft intends.
Licensing
Almost all of the features above are available with Microsoft 365 E3/F3 licensing. The only feature that is exclusive to E5 or Entra P2 licenses is the connection to Conditional Access.