Managing Compliance in Teams


In this Interactive Guide, you will use the Microsoft 365 Security, Microsoft 365 Compliance, and Microsoft Teams admin centers, as well as Windows PowerShell to manage and configure an Office 365 organization's Microsoft Teams policies and settings. You will perform administrative tasks focused on compliance.

What you will learn

After completing this lab, you will be able to:

  • Create and apply sensitivity labels to Teams
  • Create and monitor a new sensitive info type with Communication Compliance
  • Create a new data loss prevention (DLP) policy
  • Create an information barrier policy

Exercise 1: Create and apply sensitivity labels to Teams

Sensitivity labels allow Teams admins to regulate access to sensitive organizational content created during collaboration within teams. You can define sensitivity labels and their associated policies in the Security & Compliance Center. These labels and policies are automatically applied to teams in your organization. For this exercise, you will be creating a Mark 9 label for highly confidential communications and content and applying that label to the Mark 9 Project team when you create it.

Enable Sensitivity Label support in PowerShell

To apply published sensitivity labels to groups, you must first enable the feature and synchronize sensitivity labels with Azure AD.

NOTE: In this interactive guide, the AzureADPreview PowerShell module has already been installed. For more information on how to install the module, consult this document.

Synchronize sensitivity labels to Azure AD
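
The two steps above (enabling label support for groups, then synchronizing labels to Azure AD) can be done as follows. This is an added example, not the lab's own script; it assumes the AzureADPreview and ExchangeOnlineManagement modules are installed and that the signed-in account is allowed to edit directory settings.

```powershell
# Added example: enable sensitivity labels for Microsoft 365 groups/Teams,
# then synchronize the labels to Azure AD.
Import-Module AzureADPreview
Connect-AzureAD

# The tenant-wide Group.Unified settings object only exists once group
# settings have been customized, so create it from the template if absent.
$setting = Get-AzureADDirectorySetting |
    Where-Object { $_.DisplayName -eq 'Group.Unified' }

if (-not $setting) {
    $template = Get-AzureADDirectorySettingTemplate |
        Where-Object { $_.DisplayName -eq 'Group.Unified' }
    $setting = $template.CreateDirectorySetting()
    $setting['EnableMIPLabels'] = 'True'
    New-AzureADDirectorySetting -DirectorySetting $setting | Out-Null
}
elseif ($setting['EnableMIPLabels'] -ne 'True') {
    # Change only this one value; every other group setting is left as-is.
    $setting['EnableMIPLabels'] = 'True'
    Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting
}

# Read the value back so the change is confirmed rather than assumed.
(Get-AzureADDirectorySetting |
    Where-Object { $_.DisplayName -eq 'Group.Unified' }).Values |
    Where-Object { $_.Name -eq 'EnableMIPLabels' }

# Label synchronization runs from Security & Compliance PowerShell.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession
Execute-AzureAdLabelSync
```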

Create a new sensitivity label for Mark 9 communication and content

Publish your sensitivity label

Note: Microsoft recommends waiting one hour for changes to replicate after creating a new label and then applying that label to a test group prior to publishing broadly. To learn more about prerequisites and best practices when using sensitivity labels to protect content in Microsoft Teams, click here.

Apply a sensitivity label during Team creation and verify the experience

Exercise 2: Communication Compliance

Communication Compliance policies in Microsoft 365 allow you to capture employee communications for examination by designated reviewers. You can define specific policies that capture internal and external email, Microsoft Teams, or third-party communications in your organization. Reviewers can then examine the messages to make sure that they are compliant with your organization's message standards and resolve them with a classification type.

As more of Contoso's communication and collaboration shifts to Teams, it will become important for you to monitor that communication to ensure compliance with your organization's standards. To begin, you will need to establish a policy to monitor communications regarding the new Mark 9 prototype at Contoso.

Create a custom sensitive info type for the Mark 9 project

Create a communication compliance policy

To learn more about communication compliance policies in Microsoft Teams, click here.

Exercise 3: Create a new DLP policy

Data Loss Prevention in Teams chat and conversations enables you to detect, automatically protect, and screen for sensitive information in chats and channel conversations. By creating DLP policies, admins can help prevent sensitive information from unintentionally being shared or leaked—either inside or outside of the organization. Files in Microsoft Teams are protected by DLP policies applied to OneDrive and SharePoint.

Exercise 4: Establish an Information barrier policy

Information barriers are policies that an admin can configure to prevent individuals or groups from communicating with each other. This is useful if, for example, one department is handling information that should not be shared with other departments. As an administrator, you can create these policies using the Security & Compliance Center PowerShell cmdlets.

Note: To define or edit information barrier policies, you must be assigned an appropriate role, such as one of the following:

  • Microsoft 365 Enterprise Global Administrator
  • Office 365 Global Administrator
  • Compliance Administrator
  • IB Compliance Management

Your account is currently assigned to the Global Administrator role, so no additional action is needed.

Enable scoped search and then save the changes to Teams settings

Before you define your organization's first information barrier policy, you must enable scoped directory search in Microsoft Teams.

Provide admin consent for information barriers in Microsoft Teams

Use the following procedure to enable information barrier policies to work as expected in Microsoft Teams.

Define information barrier segments

Defining segments does not affect users; it just sets the stage for information barrier policies to be defined and then applied. You will need to define one segment each for the Finance and Engineering departments, based on the Department attribute on the user.

Define an information barrier policy

Contoso must keep their Finance department from communicating directly with Engineering. To do so, you will define two policies: one blocking communication from Finance to Engineering and the other blocking communication in the opposite direction.

Apply the information barrier policies

Information barrier policies are not in effect until you set them to active status, and then apply the policies.
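
The segment, policy, and apply steps above, carried through end to end in Security & Compliance PowerShell. This is an added example, not the lab's own script; the segment and policy names are chosen for illustration, and it assumes the ExchangeOnlineManagement module is installed and the account holds one of the roles listed earlier.

```powershell
# Added example: Finance <-> Engineering information barrier.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

# 1. Segments keyed on the Department attribute. Defining them has no
#    effect on users until a policy references them.
$segments = @{
    'Finance'     = "Department -eq 'Finance'"
    'Engineering' = "Department -eq 'Engineering'"
}
$existing = @(Get-OrganizationSegment | Select-Object -ExpandProperty Name)
foreach ($name in $segments.Keys) {
    if ($existing -notcontains $name) {
        New-OrganizationSegment -Name $name -UserGroupFilter $segments[$name] |
            Out-Null
    }
}

# 2. One policy per direction. Both are created Inactive so they can be
#    reviewed before they are enforced.
$policies = @(
    @{ Name = 'Finance-Engineering'; AssignedSegment = 'Finance'
       SegmentsBlocked = 'Engineering' }
    @{ Name = 'Engineering-Finance'; AssignedSegment = 'Engineering'
       SegmentsBlocked = 'Finance' }
)
foreach ($p in $policies) {
    New-InformationBarrierPolicy @p -State Inactive | Out-Null
}

# 3. Nothing is enforced until the policies are Active AND applied.
foreach ($p in $policies) {
    Set-InformationBarrierPolicy -Identity $p.Name -State Active -Confirm:$false
}
Start-InformationBarrierPoliciesApplication

# 4. Verify: both policies should show State = Active, and the application
#    job reports its progress while it runs.
Get-InformationBarrierPolicy |
    Format-Table Name, AssignedSegment, SegmentsBlocked, State
Get-InformationBarrierPoliciesApplicationStatus
```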

To learn more about information barriers in Microsoft Teams, click here.