Securing Microsoft Teams A focus on data security David Ferg System Source Consultant [email protected] Chris Riley Director 410-771-5544 x4331 [email protected]

Securing Microsoft Teams - System Source...2020/08/12  · each new Team. Like any SharePoint site, DLP policies can be applied. •Microsoft 365 and Office 365 E3 includes DLP. DLP


Page 1

Securing Microsoft Teams – A focus on data security

David Ferg

System Source Consultant

[email protected]

Chris Riley

Director

410-771-5544 x4331

[email protected]

Page 2

Agenda

Introductions – Chris Riley

Dave Ferg
• Security concerns
• Identity security: a brief review from a previous webinar, and critical for any security
  • NIST password standards
  • MFA and passwordless login
• Teams data security
  • Teams data storage
  • External access and storage
  • DLP, Azure Information Protection, retention policies
  • Recycle bins and backups

Special Offers – Chris Riley

Page 3

We Hope You are Enjoying Your Pizza!!

If you haven’t received your pizza, then contact Mike Jones: [email protected]

Page 4

During the Webinar…

• Audio – In presentation mode until the end
• Control Panel
  • View the webinar in full screen mode
  • In Chat – Tell us what you hope to learn today
  • In Questions – Feel free to submit written questions
• Presentation & webinar recording will be emailed
• Evaluation just after the webinar finishes – Drawing for a $25 Amazon Gift Card!

Page 5

Page 6

Security Concerns – Dave Ferg

Page 7

The threats we face

• The usual threats
  • Account compromise and phishing
  • Viruses, malware, and ransomware
• Unauthorized access and use
  • Incorrect permissions
  • Unsafe or unmanaged external sharing
  • Not monitoring and controlling sensitive data
• Data loss
  • Data exfiltration, corruption, or deletion

Page 8

What can you do?

• Security is a shared responsibility
• Microsoft’s platform is robust, fault tolerant, and secure
• We must protect our identities and data
• Security features available depend on licensing
  • O365 E1 – Email filtering, anti-malware, DKIM, basic MDM, archiving and retention
  • O365 E3 – Adds DLP, legal/litigation holds, eDiscovery exports
  • O365 E5 – Adds O365 Cloud App Security and O365 ATP
  • EMS – Enhances capabilities and adds additional services
  • M365 plans = O365 + EMS + Win10

Page 9

Protect Identities

Page 10

Protect identities

• Identity security is inseparable from data security
• In a previous webinar we discussed identity security
• Topics we discussed were:
  • NIST 800-63 password guidelines
  • Azure AD password protection
  • MFA
  • Passwordless login
  • Azure AD SSO (will not be reviewed in this webinar)

Page 11

NIST’s simpler password direction for AD (AAL2)

• No password composition or expiration requirements
• Minimum length of 8 (required) (AD)
• Maximum length of at least 64 (recommended) (AD)
• 2FA without security questions (no “name of first pet”)
• Reauthentication after 12 hours of session time and after 30 minutes of inactivity (GPO)
• Password creation/reset: at least 6 random characters
• Passwords checked against compromised, dictionary, repetitive/sequential and context-sensitive words (P1)
• Rate limit failed authentication attempts (AD)
• Force password change if compromised (P2)

Page 12

Azure AD Password Protection

• Enabled by default in Azure AD
  • Global banned password list
• Supports local Active Directory with Azure AD P1 licenses
  • Assumes every on-premises account has an Azure AD account
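As an added example (not from the System Source deck), the items marked “(AD)” on page 11 translated into the on-premises default domain password policy, followed by the registration that extends the Azure AD banned-password check to local AD. It assumes the ActiveDirectory (RSAT) and AzureADPasswordProtection modules; the domain name and the account UPN are placeholders.

```powershell
# Added example: align the default domain password policy with the NIST items
# marked "(AD)", then register the forest for Azure AD Password Protection (P1).
# "contoso.local" and "globaladmin@contoso.example" are placeholders.
Import-Module ActiveDirectory

$domain = "contoso.local"

# Record the current policy so the change can be reviewed or rolled back
$before = Get-ADDefaultDomainPasswordPolicy -Identity $domain
$before | Format-List MinPasswordLength, ComplexityEnabled, MaxPasswordAge,
                      LockoutThreshold, LockoutObservationWindow

$nistPolicy = @{
    Identity                 = $domain
    ComplexityEnabled        = $false                     # no composition rules
    MinPasswordLength        = 8                          # 8-character minimum
    MaxPasswordAge           = (New-TimeSpan -Days 0)     # zero = no expiration
    PasswordHistoryCount     = 24                         # still block re-use
    LockoutThreshold         = 10                         # rate-limit failed attempts
    LockoutObservationWindow = (New-TimeSpan -Minutes 15)
    LockoutDuration          = (New-TimeSpan -Minutes 15)
}
Set-ADDefaultDomainPasswordPolicy @nistPolicy
# The 64-character maximum needs no setting here: AD already accepts passwords
# longer than that, so nothing in the policy caps users below it.

# Verify the result
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Format-List MinPasswordLength, ComplexityEnabled, MaxPasswordAge, LockoutThreshold

# Azure AD Password Protection for on-premises AD (Azure AD P1). Run once per
# forest after the proxy is installed; prompts for a Global Admin sign-in.
Import-Module AzureADPasswordProtection
Register-AzureADPasswordProtectionProxy  -AccountUpn "globaladmin@contoso.example"
Register-AzureADPasswordProtectionForest -AccountUpn "globaladmin@contoso.example"

# After the DC agents have run for a while, report how many password changes
# the banned-password lists rejected (audit mode reports but does not block)
Get-AzureADPasswordProtectionSummaryReport -Forest
```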

Page 13

Azure AD MFA

• Security Defaults replace Baseline Conditional Access policies
  • Multi-factor authentication for administrators and end-users, required within 14 days of the next sign-in after enablement
  • Legacy authentication will be blocked, restricting access from older clients, like Office 2010, IMAP, POP3, SMTP, and ActiveSync clients that don’t support Modern Auth.
  • Immediate MFA protection for “privileged” Azure AD actions via the Azure Resource Manager API (such as Azure Portal access, Azure PowerShell and the Azure CLI).

Page 14

Azure AD MFA

• Office 365 MFA is set up per user, for a more controlled rollout
• Accessed from the Office 365 Admin portal
• Provides App Passwords for software not supporting Modern Authentication
  • An app password is a code giving an app or device permission to access your Office 365 account.
• Supports SMS or a mobile app for the second factor
• Supports “remember for X days”
• Does not support conditional access, so this is an always-on feature.

Page 15

Azure AD MFA

• Azure AD MFA with Premium licensing provides Microsoft’s full feature set
  • Policy based
  • Conditional access
    • Users and groups
    • Cloud apps and actions
    • Conditions: sign-in risk, device platforms, locations (Trusted IPs)
    • Grant / Deny
  • Trusted IPs
  • MFA monitoring
  • Support for hardware OATH tokens
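The Premium policy model above, as an added example that is not from the deck: two Conditional Access policies built with the AzureADPreview module, one requiring MFA for everyone except from trusted locations and one blocking legacy authentication, which is what Security Defaults (page 13) do without the per-group and per-location control. The emergency-access group ID is a placeholder, and both policies start in report-only mode.

```powershell
# Added example: Conditional Access policies via AzureADPreview. The group ID is
# a placeholder for an emergency-access ("break glass") group, excluded so a
# misconfigured policy cannot lock every administrator out.
Import-Module AzureADPreview
Connect-AzureAD

$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder

function New-AllUsersAllAppsConditionSet {
    # Users and groups + cloud apps: everyone, every app, minus the excluded group
    $c = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
    $c.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
    $c.Applications.IncludeApplications = "All"
    $c.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
    $c.Users.IncludeUsers  = "All"
    $c.Users.ExcludeGroups = $breakGlassGroupId
    return $c
}

# Policy 1: require MFA, except from trusted named locations (the "Trusted IPs")
$mfaConditions = New-AllUsersAllAppsConditionSet
$mfaConditions.ClientAppTypes = @("browser", "mobileAppsAndDesktopClients")
$mfaConditions.Locations = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessLocationCondition
$mfaConditions.Locations.IncludeLocations = "All"
$mfaConditions.Locations.ExcludeLocations = "AllTrusted"

$requireMfa = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$requireMfa._Operator = "OR"
$requireMfa.BuiltInControls = @("mfa")          # Grant: access only with MFA

# Policy 2: block legacy protocols (IMAP, POP3, SMTP, basic-auth ActiveSync)
# that cannot perform MFA at all
$legacyConditions = New-AllUsersAllAppsConditionSet
$legacyConditions.ClientAppTypes = @("exchangeActiveSync", "other")

$block = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$block._Operator = "OR"
$block.BuiltInControls = @("block")             # Deny

# Report-only first: the sign-in log shows what each policy would have done
$state = "enabledForReportingButNotEnforced"
New-AzureADMSConditionalAccessPolicy -DisplayName "CA01 - Require MFA for all users" `
    -State $state -Conditions $mfaConditions -GrantControls $requireMfa
New-AzureADMSConditionalAccessPolicy -DisplayName "CA02 - Block legacy authentication" `
    -State $state -Conditions $legacyConditions -GrantControls $block

# MFA monitoring: list the policies and their state
Get-AzureADMSConditionalAccessPolicy | Select-Object DisplayName, State
```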

Page 16

Passwordless Login

• Passwordless login is MFA that replaces passwords with a biometric or PIN plus a second factor.
• Passwords are replaced with 2+ verification factors secured with a cryptographic key pair.
• The device creates a public and private key when it is registered
• The private key can only be unlocked using a local gesture such as a biometric or PIN (the PIN is device specific)

Page 17

Passwordless Login

• Microsoft supports three authentication methods
  • Windows Hello for Business
  • Phone sign-in with the Microsoft Authenticator app
  • Security key sign-in with FIDO2 security keys
• No additional licensing beyond what the prerequisites require

Page 18

Teams Data Security

Page 19

Teams

• Teams provides a single interface for collaboration, using ‘backend’ technologies to store data
• You now need to consider several data locations when planning security and data backup
• It is easy to share data in Teams, so you need to be concerned about data leaving your control
• Locking down Teams too much may make the tool less productive when communicating with partners or other external entities
• Balance between productivity and security

Page 20

Teams Data Storage

Teams Item: Additional Storage Location/Notes

Channel conversations: A process also saves a copy in a hidden Exchange group mailbox for compliance purposes
Files shared during channel conversations: A SharePoint site is created for each team. A document library is created for each channel and files are stored there
Emails sent to channels: Any emails sent to the channel email address are stored in a folder called “Email Messages” within the channel’s document library
1:1 chat messages: In a hidden folder within the user mailbox, only accessible via eDiscovery; each user maintains a separate copy of the chat transcript
Group chat messages: In a hidden folder within the user mailbox, only accessible via eDiscovery; each user maintains a separate copy of the chat transcript
Files shared during 1:1 and group chats: Users’ OneDrive for Business, in a folder called “Microsoft Teams Chat Files”
Images shared during chats: Stored in a separate media store on Azure
Meeting recordings: Stored in Stream, in the meeting organizer’s account, and content is automatically shared with all invited people; videos and meeting recordings in Stream are stored within the Stream service, itself an Azure-based service on top of Azure SQL, Blob, and Azure Media Services
Files shared during a meeting chat: User’s OneDrive for Business, in a folder called “Microsoft Teams Chat Files”
Chat during a meeting: Hidden folder within users’ mailboxes, only accessible via eDiscovery; each user maintains a separate copy of the chat transcript

• Teams uses OneDrive, SharePoint, Exchange, and Stream to store data
• Data can be stored in third-party services such as Citrix Files, Dropbox, Box, Google Drive, and Egnyte.
• Each storage location has its own recovery capabilities and retention policies.
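An added example, not part of the deck, that turns the table above into an inventory: for every Team it resolves the group mailbox, the SharePoint site behind the channels and the guest count, so each storage location’s recovery and retention settings can be planned. It assumes the MicrosoftTeams, ExchangeOnlineManagement and SharePoint Online modules, and “contoso” is a placeholder tenant name.

```powershell
# Added example: inventory the storage locations behind every Team.
# "contoso" is a placeholder tenant name.
Import-Module MicrosoftTeams, ExchangeOnlineManagement, Microsoft.Online.SharePoint.PowerShell
Connect-MicrosoftTeams
Connect-ExchangeOnline
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

$inventory = foreach ($team in Get-Team) {
    # The Microsoft 365 Group behind the Team owns the hidden compliance mailbox
    # and the SharePoint site that holds each channel's document library
    $group    = Get-UnifiedGroup -Identity $team.GroupId
    $site     = Get-SPOSite -Identity $group.SharePointSiteUrl
    $channels = Get-TeamChannel -GroupId $team.GroupId

    [pscustomobject]@{
        Team           = $team.DisplayName
        Visibility     = $team.Visibility
        GroupMailbox   = $group.PrimarySmtpAddress     # channel conversation copies
        SharePointSite = $group.SharePointSiteUrl      # channel files, "Email Messages" folders
        SiteStorageMB  = $site.StorageUsageCurrent
        SiteSharing    = $site.SharingCapability       # external sharing level in effect
        Channels       = ($channels.DisplayName -join "; ")
        GuestCount     = (Get-TeamUser -GroupId $team.GroupId -Role Guest).Count
    }
}

$inventory | Sort-Object SiteStorageMB -Descending | Format-Table -AutoSize
# Chat files and meeting recordings live elsewhere (each user's OneDrive and
# Stream), so they are covered by OneDrive/Stream retention, not by this list.
$inventory | Export-Csv -Path ".\teams-storage-inventory.csv" -NoTypeInformation
```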

Page 21

External and Guest users: SharePoint / OneDrive external sharing

• External users receive a link to the document or folder shared from a library
  • Anyone
  • New and existing guests
  • Existing guests
  • Only people in your organization
• A guest account is created in Azure AD for the external user
• Note the ability to limit external sharing to members of a specific group
• Settings are inherited from the organization level and can be modified at lower levels

Page 22

External and Guest users: Teams external access

• Skype and Teams communication
• Open to all (default)
• Allow list / block list restrictions
• No guest account created in Azure AD

Page 23

External and Guest users: Teams guest access

• Allows external users to be members of your Team
• Guests are invited. When the invitation is accepted, a guest account is created in AAD

Page 24

External and Guest users: Teams guest user permissions

• Guest users are managed in the Teams admin center
• Limitations for Guests
  • OneDrive for Business
  • People search outside of Teams
  • Calendar, scheduled meetings, or meeting details
  • PSTN
  • Organization chart
  • Create or revise a team
  • Browse for a team
  • Upload files to a person-to-person chat
• Currently, Teams supports only State 1 and State 2 types of guest users as defined by Azure B2B
• Team Owners also have some control over guest access in the Team
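One way to apply the settings from pages 21 to 23 from PowerShell, as an added example rather than the deck’s own steps: the four SharePoint sharing levels map to SharingCapability values, Teams external access gets a domain allow list in place of the open default, and guest access is switched on. It assumes the SharePoint Online and MicrosoftTeams modules; the tenant and domain names are placeholders.

```powershell
# Added example: external sharing, external access and guest access settings.
# "contoso" and "partner.example" are placeholders.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# The four admin-center sharing levels map to SharingCapability values:
#   Anyone                           -> ExternalUserAndGuestSharing
#   New and existing guests          -> ExternalUserSharingOnly
#   Existing guests                  -> ExistingExternalUserSharingOnly
#   Only people in your organization -> Disabled
# Organization ceiling: guests must sign in (no anonymous "Anyone" links) and
# may only come from the listed domains.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList "partner.example"

# Sites inherit the organization level and can only be made more restrictive;
# here one Team's site is closed to external sharing entirely.
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/Finance" -SharingCapability Disabled

# Audit: which sites still allow anonymous links?
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" } |
    Select-Object Url, SharingCapability

# Teams external access (federation, no guest account created): replace the
# "open to all" default with an allow list of partner domains.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams
$partnerDomains = New-CsEdgeAllowList -AllowedDomain @(
    New-CsEdgeDomainPattern -Domain "partner.example"
)
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $partnerDomains

# Teams guest access: accepted invitations create B2B guest accounts in Azure AD
Set-CsTeamsClientConfiguration -AllowGuestUser $true
Get-CsTenantFederationConfiguration | Select-Object AllowFederatedUsers, AllowedDomains
```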

Page 25

Managing Team Creation

• By default anyone can create a Team
• Without controls and training, the number of Teams in your organization can become difficult to manage
• Microsoft provides a way to limit who can create Teams
  • Information found here: https://docs.microsoft.com/en-us/microsoft-365/admin/create-groups/manage-creation-of-groups?redirectSourcePath=%252fen-ie%252farticle%252fmanage-who-can-create-office-365-groups-4c46c8cb-17d0-44b5-9776-005fced8e618&view=o365-worldwide
• Azure AD Premium licensing is required for users granted permission to create Teams
• This affects group creation in other services as well

Page 26

Managing Team Creation

• Azure AD Portal can control:
  • group naming
  • expiration for inactive Teams
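As an added example (not the deck’s or Microsoft’s own script), pages 25 and 26 done with the AzureADPreview module: Microsoft 365 Group creation, and therefore Team creation, is restricted to one security group, a naming policy and blocked-word list are set, and an expiration policy handles inactive Teams. The group name, blocked words and notification address are placeholders.

```powershell
# Added example: restrict group/Team creation, then set naming and expiration
# policies. "Team Creators", the blocked words and the email are placeholders.
Import-Module AzureADPreview
Connect-AzureAD

$allowedGroupName = "Team Creators"   # members need Azure AD Premium licenses

# The Group.Unified directory setting exists only after it has been instantiated once
$setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
if (-not $setting) {
    $template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq "Group.Unified" }
    New-AzureADDirectorySetting -DirectorySetting $template.CreateDirectorySetting() | Out-Null
    $setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
}

$allowedGroup = Get-AzureADGroup -SearchString $allowedGroupName | Select-Object -First 1

$setting["EnableGroupCreation"]           = $false                    # nobody by default...
$setting["GroupCreationAllowedGroupId"]   = $allowedGroup.ObjectId    # ...except this group
$setting["PrefixSuffixNamingRequirement"] = "[Department]-[GroupName]" # naming policy
$setting["CustomBlockedWordsList"]        = "CEO,Payroll,HR"          # placeholder words
Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting

# Verify what is now in effect (also affects Planner, Outlook and Yammer groups)
(Get-AzureADDirectorySetting -Id $setting.Id).Values

# Expiration: owners of inactive groups are asked to renew; groups that are not
# renewed are soft-deleted and can be restored for 30 days.
New-AzureADMSGroupLifecyclePolicy -GroupLifetimeInDays 180 `
    -ManagedGroupTypes "All" `
    -AlternateNotificationEmails "teams-admin@contoso.example"
```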

Page 27

The Team Owner Role

• Three roles
  • Owner
  • Member
  • Guest
• Team Owners are the primary day-to-day managers of their Teams
• Team Owners manage the features and business purposes of the Team
• Permissions specific to Team Owners are…

Page 28

Using DLP to protect data

• Teams creates a SharePoint site with each new Team. Like any SharePoint site, DLP policies can be applied.
• Microsoft 365 and Office 365 E3 include DLP. DLP protection for Teams chat requires E5.
• DLP policies monitor email, documents, and chats for defined data types (e.g. financial, PII) and apply pre-configured actions.

Page 29

Using DLP to protect data: Applying a DLP policy to a Team

• From the Security Center select DLP and create a new policy
• Select all sites, or choose the Team site by finding its URL in the SharePoint admin center
• Test to verify

Page 30

Using Retention Policies to protect data

• Retention policies are for compliance
• Use retention policies to keep data for a minimum length of time or to remove older data
• Retention policies can be applied to specific locations (OneDrive or SharePoint sites), or you can choose Office 365 Groups and cover the group’s mailbox, site, files, OneNote, etc.
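The DLP steps on pages 28 and 29 and the retention policy on page 30, as one added example that is not from the deck: a DLP policy scoped to a single Team’s SharePoint site plus Teams chat, created in test mode and then enforced, followed by retention policies for Office 365 Groups and for Teams messages. It assumes Security & Compliance PowerShell (the ExchangeOnlineManagement module); the site URL, policy names, report mailbox and the 7-year period are placeholders.

```powershell
# Added example: DLP policy for one Team (test first, then enforce) and
# retention policies. The URL, names, mailbox and period are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$teamSiteUrl = "https://contoso.sharepoint.com/sites/Finance"   # from the SharePoint admin center
$dlpName     = "Finance Team - Financial Data"

# "Test to verify": TestWithNotifications reports matches and shows policy
# tips without blocking anything yet. Teams chat coverage needs E5.
New-DlpCompliancePolicy -Name $dlpName `
    -SharePointLocation $teamSiteUrl `
    -TeamsLocation "All" `
    -Mode TestWithNotifications

# Rule: credit card numbers shared with people outside the organization are
# blocked, the owner is notified and an incident report goes to compliance.
New-DlpComplianceRule -Name "Block external sharing of credit card numbers" `
    -Policy $dlpName `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "1" } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -GenerateIncidentReport "compliance@contoso.example" `
    -IncidentReportContent Detections

# Once the test-mode reports look right, switch the policy to enforcement.
Set-DlpCompliancePolicy -Identity $dlpName -Mode Enable

# Retention for Office 365 Groups: group mailbox, site and files are kept for
# 7 years (2555 days) after last modification, then deleted.
New-RetentionCompliancePolicy -Name "M365 Groups 7-year retention" -ModernGroupLocation All
New-RetentionComplianceRule -Name "Keep 7 years then delete" `
    -Policy "M365 Groups 7-year retention" `
    -RetentionDuration 2555 `
    -RetentionComplianceAction KeepAndDelete `
    -ExpirationDateOption ModificationAgeInDays

# Teams chat and channel messages cannot share a policy with other locations,
# so they get their own.
New-RetentionCompliancePolicy -Name "Teams messages 7-year retention" -TeamsChannelLocation All -TeamsChatLocation All
New-RetentionComplianceRule -Name "Keep Teams messages 7 years" `
    -Policy "Teams messages 7-year retention" `
    -RetentionDuration 2555 `
    -RetentionComplianceAction KeepAndDelete
```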

Page 31

Using Azure Information Protection (AIP) to protect data

• AIP attaches security metadata to the document
• Protection travels with the data
• AIP is available with
  • EMS E3 & E5
  • M365 E3 & E5
• AIP uses labels to classify data
  • Manually or by content
  • Labels have security settings pre-defined

Page 32

Using AIP to protect data

• Labels classify data
• Labels can be assigned manually by the document creator or through policy
• A document’s classification determines its protection
• Azure Rights Management applies the security

Note – The Azure Information Protection client software needs to be installed for labels to be visible for user selection.

Page 33

Azure Information Protection

Page 34

Teams Data Recovery

• Microsoft uses Recycle Bins for data recovery
  • SharePoint and OneDrive have 93-day retention
  • Exchange Online has 14-day (up to 30-day) retention
  • Stream has 30-day retention
• Recycle Bins are designed for single-item recovery
• Recycle Bins do not protect active data
• Cloud backup solutions (e.g. Barracuda) protect active data
• Third-party storage needs backing up separately

Page 35

What we discussed today

• Secure data by:
  • Using good identity security (use MFA!)
  • Managing Teams membership (internal and guest users)
  • Training Team owners to manage and monitor their Teams
  • Controlling external sharing and use of third-party storage
  • Using technologies such as DLP, AIP, and retention policies
  • Using cloud backup services

Page 36

Special Offers – Chris Riley

Page 37

Governance within Microsoft Teams

Goal: To provide guidance for data management and security options and capabilities within Microsoft Teams

Consultation: System Source will meet with your IT staff to review the various configuration and security options within Microsoft Teams. The goal of the consultation is to provide guidance on where and how Teams data can be managed and secured so you can create and maintain the settings and policies that best fit your environment. This engagement does not provide training on how to use Teams; instead it is focused on governing your Teams environment. Within this engagement, System Source will review and provide guidance in the following areas:

Page 38

Governance within Microsoft Teams

• Where Teams stores your data
  o Microsoft and third-party storage
• Who can access your data
  o Securing external and guest access
• Securing document sharing with policies, DLP, and/or AIP
• Using retention policies for compliance
• Who can create and manage Teams
  o The role of the Team Owner
  o Archiving Teams
• Policies controlling Team naming, expiration, and functionality
• Policies controlling Team meetings and Live events
• Use of Apps, Bots, and Connectors in Teams
  o Who can add Apps, Bots, and Connectors to a Team or Channel
• Monitoring Teams activity, OneDrive and SharePoint
• Data backup

Fee: $1,348 for half-day session

Page 39

Microsoft Teams Adoption Training: Use Microsoft Teams to communicate and collaborate on teamwork

Step 1: Discovery: System Source will meet with you to understand your desired outcomes for your implementation of Microsoft Teams. The goal of discovery is to understand your intended use of Teams and the internal policies that may dictate the topics we teach in class. We’ll review:
• Policies for external and guest access
• Where Teams stores your data
• Document sharing policies
• Calling capabilities
• Policies regarding Team creation, Meetings and Live Events
• Use of Apps, Bots, and connectors in Teams
• Monitoring Teams activity, OneDrive and SharePoint

Page 40

Step 2: Team Owner Training: System Source will train Team Owners to:
• Configure Teams and manage membership
• Set permissions
• Configure channels and tabs
• Use apps, bots, and connectors

Step 3: User Training: Using best practices, System Source will train your users to:
• Keep everyone in the know with chat
• Tailor your workspace to include everyday content
• Access, collaborate on and post files
• Manage calls and meetings
• Communicate in the moment, comment and “like” posts
• Use the Wiki
• View individual and team activity

Microsoft Teams Adoption Training

Page 41

Step 4: Administrator Training: System Source will train one administrator using the 5-day course MS-700T00: Managing Microsoft Teams, covering:
• Overview of Microsoft Teams
• Overview of security and compliance in Teams
• Implement governance, lifecycle management, security and compliance
• Upgrade from Skype for Business to Microsoft Teams
• Plan and configure network settings
• Deploy and manage Teams endpoints
• Create and manage teams, including membership and access for external users
• Manage chat, collaboration, live event and meeting experiences
• Manage settings for Teams apps
• Manage phone numbers and Phone System for Microsoft Teams
• Troubleshoot audio, video, and client issues

Microsoft Teams Adoption Training

Page 42

Steps 1-3: $2280 – Up to 25 Users, $4500 – Up to 100 Users

Optional Step 4: Administrator training: $2,476, a savings of $619

For registration or more information call 410.771.5544 x5 or email [email protected]

Microsoft Teams Adoption Training

Page 43

Q & A

Kindly complete the survey at the end of this webinar. We will use your feedback to help us improve.

A random winner will be picked from the completed surveys to receive a $25.00 Amazon gift card!

THANK YOU!