Compliance in Microsoft Teams (VIDEO)

This post has matured and its content may no longer be relevant beyond historical reference. To see the most current information on a given topic, click on the associated category or tag.


Is Microsoft Teams Compliant?

Yes. Teams is built upon the same Office 365 services that have been verified across many international, industry and regional standards, and setting up compliance in Microsoft Teams is part of Office 365's existing compliance and security policies. Compliance verifications for Microsoft Teams include:

  • ISO 27001
  • ISO 27018
  • EU Model Clauses (EUMC)
  • GDPR
  • FINRA
  • HIPAA Business Associate Agreement
  • SSAE 16 SOC 1 & SOC 2 Reports
  • FedRAMP Moderate and High
  • Health Information Trust Alliance (HITRUST)


Teams Compliance Capabilities

| Capability | Description |
| --- | --- |
| Archive | Any content stored in any Teams-related workload needs to be preserved immutably. |
| Compliance Content search | Any content stored in any workload can be searched through rich filtering capabilities and exported to a specific container for compliance and litigation support. |
| eDiscovery – Messaging/Files | Rich in-place eDiscovery capabilities including case management, preservation, search, analysis and export to help our customers simplify the eDiscovery process to quickly identify relevant data while decreasing cost and risk. |
| Legal hold | When any team or individual is put on In-Place Hold or litigation hold, the hold is placed on both the primary and the archive messages (no edits or deletes). |
| Auditing and reporting | All Team activities and business events must be captured and available for customer search and export. |
| Conditional Access and Intune MAM | Ensure that access to Microsoft Teams is restricted to devices that are compliant with the policies and security rules set by the IT admin or corporate organization, both for the Teams apps and the services they use under the hood. Includes MAC Support for Conditional Access as well. |
| Moderator support | The ability for a moderator (owner of a team) to delete inappropriate data from any user in the team and to mute users in a team/channel. |
| Windows Information Protection | Windows Information Protection (WIP), previously known as enterprise data protection (EDP), helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps like MS Teams. |
| Allowed List of Apps | An admin can control the list of 3P apps (bots, connectors, tabs) that can be used by end users within a tenant. |
| Retention / Preservation | Help organizations reduce the liabilities associated with messaging. The customer can configure their tenant to retain data for a fixed period of time or retain it with unlimited storage for different Teams workloads. |
| eDiscovery – Calling/Meetings | Rich in-place eDiscovery capabilities including case management, preservation, search, analysis and export to help our customers simplify the eDiscovery process to quickly identify relevant data while decreasing cost and risk. |
| Data loss prevention (DLP) | Identify any sensitive data stored or being transferred within or outside of the customer organization in Teams to intercept and prevent leakage for Files and Chat/Channel Messages. |
| Advanced Threat Protection | Support for safe files and safe links in Microsoft Teams to protect your organization from malicious attacks with the power of Office 365 Advanced Threat Protection. |
| Business Information Barriers | Prevent exchanges or communication that could lead to conflicts of interest (a.k.a. ethical walls). |
| VDI | Virtual desktop support for Teams to serve the requirements of regulated industries and users with virtual desktops. |

Note: DLP and ATP features in Teams are expected at the end of FY18.

How Is Microsoft Teams Compliant?

Teams is built upon the same information protection architecture as the rest of Microsoft 365's products (the Office 365 Substrate). Although it looks like a simple chat application, chat messages are handled by Exchange and can be granted all of the same protections and rules as email, and all information is managed by Exchange and SharePoint. This enables features like data loss prevention, eDiscovery, legal holds, compliance content search, archiving, retention policies, and audit logs.

This reliance on a tested and trusted infrastructure not only helps keep Microsoft Teams more secure, it also makes it simple and convenient to apply policies to all of your productivity applications and data, including Outlook, Word, Excel, PowerPoint and Teams, from a single location. This information protection can also be applied to hybrid Exchange environments with configuration of your on-premises environment.

What Licensing Do You Need for Compliance in Teams?

Every Office 365 Business plan allows auditing and reporting, with an add-on license available for conditional access. However, to get full compliance capabilities you will need an E3 or E5 license. You can read more about Microsoft 365 enterprise licensing in our blog.

| Information Protection Capability | Office 365 Business Essentials | Office 365 Business Premium | Office 365 Enterprise E1 | Office 365 Enterprise E3/E4 | Office 365 Enterprise E5 |
| --- | --- | --- | --- | --- | --- |
| Archive | | | | Yes | Yes |
| In-Place eDiscovery | | | | Yes | Yes |
| Advanced eDiscovery | | | | | Yes |
| Legal Hold | | | | Yes | Yes |
| Compliance Content Search | | | | Yes | Yes |
| Auditing and Reporting | Yes | Yes | Yes | Yes | Yes |
| Conditional Access (additional license needed) | Yes | Yes | Yes | Yes | Yes |

Compliance in Teams User Experience

Compliance policies in Teams have a largely similar user experience to compliance features in Outlook: non-compliant messages are blocked and the user is notified of the options available to them (configurable in the Security and Compliance manager). Some of the pre-configured baseline policies include recognizing and blocking the sending of credit card numbers, SSNs, insurance policy numbers, and hundreds more. For each policy you can also configure the action you wish to take, such as alerting a compliance manager or admin or blocking the send, and you can even configure whether end users will be able to appeal or override the block. The level of control is informed by your own company's security and compliance needs.

Administering Compliance Policies in Teams

Teams compliance is configured in the Office 365 Security and Compliance Center (protection.office.com).

Data loss prevention policies are configured across all Office 365 services at the same time. Applying policies in the Security and Compliance Center will immediately protect data and communications across Outlook, OneDrive, SharePoint, and Teams, since they are all part of the Office 365 substrate.

For a full demo of setting up policies in Security Center, watch our Cloud App Security Demo.

Performing a Compliance Content Search in Office 365

In the Security Center, Search and Investigation is available in the main right-hand menu, and is broken down to allow you to search both by a term and by specific locations.

User access is segmented in the compliance center. In many cases a global admin should not have the ability to view the results of content searches, but should have the ability to create them for compliance officers. In this case, you can configure group permissions to give specific non-admin users access to compliance tools and content search results. While the admin portal will not show up in their Office 365 portal, they can still access the compliance center by going to protection.office.com.
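The separation described above can also be set up from Security & Compliance PowerShell. The following is an added example, not taken from the Tech Talk: it assumes the ExchangeOnlineManagement module is installed, and every role group name, search name and address in it is a placeholder.

```powershell
# Added example: split "create a search" from "view its results" using two
# custom role groups. All names and addresses below are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.example

# Admins who may create and run searches but cannot preview or export results.
New-RoleGroup -Name 'Search Creators (example)' `
    -Roles 'Compliance Search' `
    -Members 'it.admin@contoso.example'

# Compliance officers who may also preview and export what a search returns.
New-RoleGroup -Name 'Search Reviewers (example)' `
    -Roles 'Compliance Search', 'Preview', 'Export' `
    -Members 'compliance.officer@contoso.example'

# A content search scoped to Teams messages stored in one user's mailbox.
New-ComplianceSearch -Name 'Teams-ProjectX (example)' `
    -ExchangeLocation 'user1@contoso.example' `
    -ContentMatchQuery 'kind:microsoftteams AND "Project X"'
Start-ComplianceSearch -Identity 'Teams-ProjectX (example)'

# Status and hit counts only; opening the content requires Preview or Export.
Get-ComplianceSearch -Identity 'Teams-ProjectX (example)' |
    Select-Object Name, Status, Items, Size

# Periodic check: who currently holds access to search results?
Get-RoleGroupMember -Identity 'Search Reviewers (example)'
```

Reviewing the membership of the result-viewing group on a schedule, and alerting on changes to it in the audit log, keeps the separation from eroding over time.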

About Agile IT Tech Talks

Agile IT Tech Talks are weekly sessions where we bring in subject matter experts for short, highly focused educational segments, followed by up to an hour of open Q&A where Agile IT clients can discuss their own environments with our engineers and a group of peers. While we release the demos and sessions on our blog, the Q&A benefit is only available to Agile IT Managed Service and Cloud Service Customers. Agile IT is a four-time cloud partner of the year and offers fully managed security as a service. To find out more, schedule a free call with a cloud service advisor.