Protecting Against/Preventing Sensitive Information in Microsoft Teams

The growth of Microsoft Teams has been well documented during the “Work from Home” mode that a majority of corporations are in for the foreseeable future. As part of this fast adoption, security and compliance concerns have arisen for enterprises in regulated industries. Last year, Craig Eidelman of Microsoft wrote a post, “Getting Started with Securing Microsoft Teams”, that establishes the security baseline most organizations should consider when adopting Microsoft Teams.

However, what if your organization has a company policy or regulatory requirement that prohibits the posting or sharing of “sensitive information” in online tools? This can be a challenging requirement to meet for online collaboration tools, but fortunately the Microsoft 365 security tools give organizations the flexibility to implement the needed control policies. Provided below are examples of different tools and policies that can be implemented to protect sensitive data from being posted in Microsoft Teams.

Let’s Start with Teams Chats

Within Microsoft Teams there are 2 types of chats: 1×1 chat and Channel Chat. Both give employees the opportunity to post sensitive data for others to see. To tackle this scenario we will leverage O365 Data Loss Prevention functionality to build out a policy that prevents sensitive data from being posted. To keep my scenario simple, I have built out a policy that prevents the posting of social security numbers.

Select Data Loss Prevention in the Compliance Center, create a New Policy and select Teams Chat & Channel Messages.
Select the Sensitive Info Types to be included in the policy and select Block under Restrict Access.
This results in the message being blocked in a 1×1 chat.
This results in the message being blocked in a Channel chat.

More details on Microsoft Teams DLP can be found here.
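
The same policy can be scripted with Security & Compliance PowerShell instead of the portal. This is an added example, not part of the original post; the admin account, policy name and rule name are placeholders, and it assumes the ExchangeOnlineManagement module is installed. It creates the policy in test mode first so matches can be reviewed before blocking is enforced.

```powershell
# Added example: scripted equivalent of the portal steps above.
# All names below are placeholders (assumptions), not values from the post.
$AdminUpn   = 'admin@contoso.example'   # compliance admin account
$PolicyName = 'Teams - Block SSN'       # any unique policy name
$RuleName   = 'Teams - Block SSN - Rule'
$Enforce    = $false                    # set to $true once test-mode results are reviewed

Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName $AdminUpn

# Policy scoped to Teams chat and channel messages only.
# TestWithoutNotifications records matches without enforcing the block action.
if (-not (Get-DlpCompliancePolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-DlpCompliancePolicy -Name $PolicyName `
        -Comment 'Block U.S. SSNs in Teams chat and channel messages' `
        -TeamsLocation All `
        -Mode TestWithoutNotifications
}

# One rule: a message with at least one SSN match has access restricted (blocked).
if (-not (Get-DlpComplianceRule -Identity $RuleName -ErrorAction SilentlyContinue)) {
    New-DlpComplianceRule -Name $RuleName -Policy $PolicyName `
        -ContentContainsSensitiveInformation @{
            Name     = 'U.S. Social Security Number (SSN)'
            minCount = '1'
        } `
        -BlockAccess $true
}

# Check that the policy has been distributed to the Teams workload
# before relying on it; distribution is not instantaneous.
Get-DlpCompliancePolicy -Identity $PolicyName -DistributionDetail |
    Format-List Name, Mode, TeamsLocation, DistributionStatus

# Switch from test mode to enforcement only when explicitly requested.
if ($Enforce) {
    Set-DlpCompliancePolicy -Identity $PolicyName -Mode Enable
}
```

Running the script a second time with `$Enforce = $true` leaves the existing policy and rule in place and only changes the mode.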

But What About Uploading Sensitive Documents? MCAS Saves the Day

Just like the scenario above, where employees may try to post sensitive text in a chat, they may also try to upload a document containing sensitive data. To help control this scenario I have built out a policy in Microsoft Cloud App Security (MCAS) that quarantines the file, because of its sensitive content, so that it cannot be shared with other employees.

In MCAS, create a “FILE policy” with the settings in this screenshot. Under File Type make sure to select all the options listed.
For this example, I am putting the file in quarantine for SharePoint Online since this is where Channel Chat messages are stored.
The session of Teams on the left shows that Kellen posted the sensitive document to a Channel Chat. The session of Teams on the right shows that it has been removed when Jeremy went to access it.

With the MCAS policies, an IT/Security admin can get detailed information on why the file was quarantined.

More information on MCAS File Policies can be found here.

There you have it!!

A few simple policies to control sensitive data from being shared in Microsoft Teams, if this is a requirement for your organization. While I kept the policies simple and straightforward for this post, you could build out additional policies or add to the ones above to meet your organization's needs. As I wrap this up, I can think of probably 5-6 other scenarios where I could create other policies to prevent the posting of sensitive data in Microsoft Teams.