Compliance in Microsoft Teams
Is Microsoft Teams Compliant?
Yes, Teams is built upon the same Office 365 services that have been verified across many international, industry and regional standards, and setting up compliance in Microsoft Teams is part of Office 365’s existing compliance and security policies. Compliance verification for Microsoft Teams include:
- ISO 27001
- ISO 27018
- EU Model Clauses (EUMC)
- HIPAA Business Associated Agreement
- SSAE 16 SOC 1 & SOC 2 Reports
- FedRAMP Moderate and High
- Health Information Trust Alliance (HITRUST)
Teams Compliance Capabilities
|Archive||Any content stored in any Teams related workload needs to be preserved immutably.|
|Compliance Content search||Any content stored in any workload can be search through rich filtering capabilities and be exported to a specific container for compliance and litigation support.|
|eDiscovery – Messaging/Files||Rich in-place eDiscovery capabilities including case management, preservation, search, analysis and export to help our customers simplify the eDiscovery process to quickly identify relevant data while decreasing cost and risk.|
|Legal hold||When any team or individual is put on In-Place Hold or litigation hold, the hold is placed on both the primary and the archive messages (No edits or deletes).|
|Auditing and reporting||All Team activities and business events must be captured and available for customer search and export.|
|Conditional Access and Intune MAM||Ensure that access to Microsoft Teams is restricted to devices that are compliant with IT Admin or Corporate Organization set policies and security rules both for the Teams Apps and the services it uses under the hood. Includes MAC Support for Conditional Access as well.|
|Moderator support||The ability to have a moderator (owner of team) of a Team delete data from any user in the team that is inappropriate and mute users in a team/channel.|
|Windows Information Protection||Windows Information Protection (WIP), previously known as enterprise data protection (EDP), helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps like MS Teams.|
|Allowed List of Apps||An Admin can control the list of 3P apps (bots, connectors, tabs) that can be used by end users within a tenant.|
|Retention / Preservation||Help organizations reduce the liabilities associated with messaging. The Customer can configure their tenant to retain data for a fixed period of time or retain it with unlimited storage for different Teams workloads.|
|eDiscovery – Calling/Meetings||Rich in-place eDiscovery capabilities including case management, preservation, search, analysis and export to help our customers simplify the eDiscovery process to quickly identify relevant data while decreasing cost and risk.|
|Data loss prevention (DLP)||Identify any sensitive data stored being transferred within or outside of Customer Organization in Teams to intercept and prevent leakage for Files and Chat/Channel Messages.|
|Advanced Threat Protection||Support for safe files and safe links in Microsoft Teams to protect your organization from malicious attacks with the power of Office 365 Advanced threat protection|
|Business information Barriers||Prevent exchanges or communication that could lead to conflicts of interest. (a.k.a. Ethical walls)|
|VDI||Virtual Desktop support for Teams to serve requirements of regulated industries and users with virtual desktops|
Note, DLP and ATP features in teams are expected at end of FY18.
How is Microsoft Teams Compliant
Teams is built upon the same information protection architecture as the rest of Microsoft 365’s products. (The Office 365 Substrate) Although it looks like a simple chat application, chat messages are handled by exchange and can be granted all of the same protections and rules as email, and all information is managed by Exchange and Sharepoint. This enables features like Data loss protection, eDiscovery, Legal Holds, compliance content search, archiving, retention policies, and audit logs.
This reliance on a tested and trusted infrastructure not only helps keep Microsoft Teams more secure, it also makes it simple and convenient to apply policies to all of your productivity applications and data, including Outlook, Word, Excel, Powerpoint and Teams from a single location. This information protection can also be applied to hybrid exchange environments with configuration of your on premises environment.
What Licensing Do You Need for Compliance in Teams?
Every Office 365 Business allows auditing and reporting, with an add-on license available for conditional access. However to get full compliance capabilities you will need an E3 or E5 license. You can read more about Microsoft 365 enterprise licensing in our blog.
|Information Protection Capability||Office 365 Business Essentials||Office 365 Business Premium||Office 365 Enterprise E1||Office 365 Enterprise E3/E4||Office 365 Enterprise E5|
|Compliance Content Search||Yes||Yes|
|Auditing and Reporting||Yes||Yes||Yes||Yes||Yes|
|Conditional Access (Additional license needed)||Yes||Yes||Yes||Yes||Yes|
Compliance in Teams User Experience
Compliance policies in Teams has a largely similar user experience to compliance features in Outlook, where non-compliant messages are blocked and the user notified of the options available to them. (Configurable in the Security and Compliance manager.) Some of the pre-configured baseline policies include recognizing and blocking the sending of credit cards, SSN#, Insurance policy numbers, and hundreds more. For each policy you can also configure the action you wish to take; alerting a compliance manager or admin, blocking the send, and you can ever configure if the end users will be able to appeal or override the block. The level of control is informed by your own company’s security and compliance needs.
Administrating Compliance Policies in Teams
Teams compliance is configured in Office 365 Security and Compliance Center (protection.office.com).
Data Loss Protection Policies are configured across all Office 365 services at the same time. Applying polices in the security and compliance center will immediately protect data and communications across Outlook, OneDrive, SharePoint, and Teams, since they are all part of the Office 365 substrate.
For a full demo of setting up policies in Security Center, watch our Cloud App Security Demo.
Performing a Compliance Content Search in Office 365
In security center, Search and Investigation is available in the main right hand menu, and is broken down to allow you to search both by a term as well as by specific locations.
User access is segmented for compliance center. In many cases an global admin should not have the ability to view the results of content searches, but should have the ability to create them for compliance officers. In this case, you can configure group permissions to give specific non-admin users access to compliance tools and content search results. While the admin portal will not show up in their Office 365 portal, they can still access the compliance center by going to protection.office.com.
About Agile IT Tech Talks
Agile IT Tech Talks are weekly sessions where we bring in subject matter experts for short, highly focused educational segments, followed by up to an hour of open Q&A where Agile IT clients can discuss their own environments with our engineers and a group of peers. While we release the demos and sessions on our blog, the Q&A benefit is only available to Agile IT Managed Service and Cloud Service Customers. Agile IT is a four time cloud partner of the year and offers fully managed security as a service. To find out more, schedule a free call with a cloud service advisor.