In this Interactive Guide, you will use the Microsoft 365 Security, Microsoft
365 Compliance, and Microsoft Teams admin centers, as well as Windows
PowerShell to manage and configure an Office 365 organization's
Microsoft Teams policies and settings. You will perform administrative
tasks focused on compliance.
What you will learn
After completing this lab, you will be able to:
Create and apply sensitivity labels to Teams
Create and monitor a new sensitive info type with Communication
Compliance
Create a new data loss prevention (DLP) policy
Create an information barrier policy
Exercise 1: Create and apply sensitivity labels to Teams
Sensitivity labels allow Teams admins to regulate access to sensitive
organizational content created during collaboration within teams. You
can define sensitivity labels and their associated policies in the
Security & Compliance Center. These labels and policies are
automatically applied to teams in your organization.
In this exercise, you will create a Mark 9 label for highly
confidential communications and content, and apply that label to
the Mark 9 Project team when you create it.
Enable Sensitivity Label support in PowerShell
To apply published sensitivity labels to groups, you must first enable the
feature and synchronize sensitivity labels with Azure AD.
NOTE: In this interactive guide, the AzureADPreview PowerShell module has
already been installed. For more information on how to install the module,
consult this document.
Synchronize sensitivity labels to Azure AD
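The two steps above (enabling label support for groups, then synchronizing labels to Azure AD) can be scripted as follows. This is an added example, not taken from the interactive guide; the admin account name is a placeholder, and the ExchangeOnlineManagement module is assumed to be installed alongside AzureADPreview.

```powershell
# Added example. Requires the AzureADPreview and ExchangeOnlineManagement modules.
Import-Module AzureADPreview
Connect-AzureAD

# Step 1: enable label support on the tenant-wide Group.Unified settings object.
$setting = Get-AzureADDirectorySetting |
    Where-Object -Property DisplayName -Value 'Group.Unified' -EQ

if (-not $setting) {
    # No settings object exists yet in this tenant: create one from the template.
    $template = Get-AzureADDirectorySettingTemplate |
        Where-Object -Property DisplayName -Value 'Group.Unified' -EQ
    $setting = $template.CreateDirectorySetting()
    $setting['EnableMIPLabels'] = 'True'
    New-AzureADDirectorySetting -DirectorySetting $setting
}
else {
    # A settings object exists: change only the one value and write it back.
    $setting['EnableMIPLabels'] = 'True'
    Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting
}

# Confirm the value that was actually stored before moving on.
(Get-AzureADDirectorySetting |
    Where-Object -Property DisplayName -Value 'Group.Unified' -EQ).Values |
    Where-Object Name -eq 'EnableMIPLabels'

# Step 2: synchronize published sensitivity labels to Azure AD.
# This cmdlet runs in Security & Compliance Center PowerShell.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'   # placeholder account
Execute-AzureAdLabelSync
```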
Create a new sensitivity label for Mark 9 communication and content
Publish your sensitivity label
Note: Microsoft recommends waiting one hour for changes to replicate after
creating a new label and then applying that label to a test group prior
to publishing broadly. To learn more about pre-requisites
and best practices when using sensitivity labels to protect content in
Microsoft Teams, click here.
Apply a sensitivity label during Team creation and verify the experience
Exercise 2: Communication Compliance
Communication Compliance policies in Microsoft 365 allow you to capture
employee communications for examination by designated reviewers. You can
define specific policies that capture internal and external email,
Microsoft Teams, or 3rd-party communications in your organization.
Reviewers can then examine the messages to make sure that they are
compliant with your organization's message standards and resolve them
with classification type.
As more of Contoso's communication and collaboration shifts to Teams, it will
become important for you to monitor that communication to ensure
compliance with your organization's standards. To begin, you will need
to establish a policy to monitor communications regarding the new Mark 9
prototype at Contoso.
Create a custom sensitive info type for the Mark 9 project
Create a communication compliance policy
To learn more about communication compliance policies in Microsoft Teams, click here.
Exercise 3: Create a new DLP policy
Data Loss Prevention in Teams chat and conversations enables you to detect,
automatically protect, and screen for sensitive information in chats and
channel conversations. By creating DLP policies, admins can help prevent
sensitive information from unintentionally being shared or
leaked—either inside or outside of the organization. Files in
Microsoft Teams are protected by DLP policies applied to OneDrive and
SharePoint.
Exercise 4: Establish an Information barrier policy
Information barriers are policies that an admin can configure to prevent
individuals or groups from communicating with each other. This is useful
if, for example, one department is handling information that should not
be shared with other departments. As an Administrator, you can
create these policies using the Security & Compliance Center
PowerShell cmdlets.
Note: To define or edit information barrier policies, you must be assigned an
appropriate role, such as one of the following:
Microsoft 365 Enterprise Global Administrator
Office 365 Global Administrator
Compliance Administrator
IB Compliance Management
Your account is currently assigned to the Global Administrator role, so no
additional action is needed.
Enable scoped search and then save the changes to Teams settings
Before you define your organization's first information barrier policy, you
must enable scoped directory search in Microsoft Teams.
Provide admin consent for information barriers in Microsoft Teams
Use the following procedure to enable information barrier policies to work as
expected in Microsoft Teams.
Define information barrier segments
Defining segments does not affect users; it only sets the stage for
information barrier policies to be defined and then applied. You will
need to define one segment each for the Finance and Engineering
departments, based on the Department attribute on the user.
Define an information barrier policy
Contoso must keep its Finance department from communicating directly with
Engineering. To do so, you will define two policies: one blocking
communication from Finance to Engineering and the other blocking
communication from Engineering to Finance.
Apply the information barrier policies
Information barrier policies are not in effect until you set them to active
status, and then apply the policies.
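The segment, policy and apply steps of this exercise, end to end in Security & Compliance Center PowerShell. This is an added example, not taken from the interactive guide; the policy names and the admin account are placeholders, and the segment filter assumes the Department attribute holds exactly "Finance" or "Engineering".

```powershell
# Added example. Requires the ExchangeOnlineManagement module.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'   # placeholder account

# 1. Define one segment per department, keyed on the Department attribute.
#    Skip creation when a segment of that name already exists.
foreach ($dept in 'Finance', 'Engineering') {
    if (-not (Get-OrganizationSegment | Where-Object Name -eq $dept)) {
        New-OrganizationSegment -Name $dept -UserGroupFilter "Department -eq '$dept'"
    }
}

# 2. Define both directions of the block. Policies are created Inactive so they
#    can be reviewed before anything is enforced.
$policies = @(
    @{ Name = 'Finance-to-Engineering'; Assigned = 'Finance';     Blocked = 'Engineering' }
    @{ Name = 'Engineering-to-Finance'; Assigned = 'Engineering'; Blocked = 'Finance' }
)
foreach ($p in $policies) {
    New-InformationBarrierPolicy -Name $p.Name `
        -AssignedSegment $p.Assigned `
        -SegmentsBlocked $p.Blocked `
        -State Inactive
}

# 3. Review what was defined: each segment should appear once as assigned
#    and once as blocked.
Get-InformationBarrierPolicy |
    Format-List Name, AssignedSegment, SegmentsBlocked, State

# 4. Set the policies to active status, then apply them.
foreach ($p in $policies) {
    Set-InformationBarrierPolicy -Identity $p.Name -State Active
}
Start-InformationBarrierPoliciesApplication

# 5. Check progress of the application job before testing in Teams.
Get-InformationBarrierPoliciesApplicationStatus
```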
To learn more about information barriers in Microsoft Teams, click here.